Success-Plan ServicesSecurity Monitoring
Use RTI Connext Observability Framework to monitor applications by sending DDS-Security™ logs through OpenTelemetry
Introduction
Security monitoring is crucial for today’s interconnected, complex systems. It provides the advantage of continuous visibility into your system and applications, allowing for the timely detection of suspicious activities or potential security breaches. While encrypting data helps protect its confidentiality, it does not prevent unauthorized access or malicious actions within the encrypted environment. Security monitoring complements encryption by actively monitoring for anomalies, malicious behavior, and insider threats, providing comprehensive protection against evolving cyber threats and ensuring the integrity and availability of sensitive information.
RTI Connext® Security Plugins automatically generate logs for security events, such as when invalid certificates are detected, or a participant tries to violate its authorized permissions. Based on these logs, it is possible to continually monitor the security of your Connext system. With the Connext Observability Framework in Connext 7.3 LTS, it is possible to feed these logs into cloud-based security information and event management (SIEM) tools.
-
What this Example Does
This Case + Code demonstrates how you can use Security Plugins alongside the Connext Observability Framework in order to better monitor the cybersecurity of your Connext system using the recent Connext 7.3 LTS release. Connext is able to automatically generate security logs through built-in logging of all security events.
The Connext Observability Framework installation includes the OpenTelemetry Collector, which contains various exporters for different observability tools such as Splunk®, AWS, Azure®, Google Cloud™, among many others. For the example in this Case + Code, we will be using Datadog®, but you can use any exporter supported by the Collector. For more information about the various exporters, please refer to each platform’s documentation.
-
Building the Example
This guide assumes some familiarity with RTI Security Plugins and the Connext Observability Framework, in a situation where both products are installed in your Connext environment. If you’re still getting started, here are some resources:
- Security Plugins Installation Guide
- Security Plugins Getting Started
- Observability Framework Installation Guide
- Observability Framework Getting Started
This example expands on the example provided with the Connext Observability Framework and used in its Getting Started Guide, so you do not need to download any additional resources. You can refer to its build instructions here.
-
Running the Example
- We’re going to use this configuration from the Connext Observability Framework Getting Started Guide. This example configures Connext Observability Framework with hostname “localhost”, default ports, and security enabled. Observability Collector Service will use a LAN configuration and the OpenTelemetry exporter. The OpenTelemetry Collector routes telemetry data from the Observability Collector Service OpenTelemetry exporter.
- Run rtiobservability -c config.json to apply this configuration.
- In your rti_workspace, navigate to the rti_workspace/7.3.0/examples/observability/c++ directory. We will modify the USER_QOS_PROFILES.xml file to ensure that security logs are produced, and that they are forwarded by RTI Monitoring Library 2.0.
(a) First, modify the Secure_User_Data QoS profile. On line 138, add the following XML snippet along with the other security elements:
<element>
<name>com.rti.serv.secure.logging.mode_mask</name>
<value>BUILTIN</value>
</element>
<element>
<name>com.rti.serv.secure.logging.verbosity</name>
<value>DEBUG</value>
</element>
This enables built-in logging at the Debug level. For more information on Security logging, please review the User Manual.
(b) Modify the Enable_Monitoring2 QoS profile on line 219 to ensure that these security logs are forwarded. This is done by the security_event_forwarding_level QoS policy.
<qos_profile name="Enable_Monitoring2">
<?rti-qos_snippet?>
<base_name>
<element>BuiltinQosSnippetLib::Feature.Monitoring2.Enable</element>
</base_name>
<participant_factory_qos>
<monitoring>
<application_name>$(APPLICATION_NAME)</application_name>
<distribution_settings>
<dedicated_participant>
<domain_id>$(OBSERVABILITY_DOMAIN)</domain_id>
<collector_initial_peers>
<element>$(COLLECTOR_PEER)</element>
</collector_initial_peers>
</dedicated_participant>
</distribution_settings>
<telemetry_data>
<logs>
<security_event_forwarding_level>DEBUG</security_event_forwarding_level>
</logs>
</telemetry_data>
</monitoring>
</participant_factory_qos>
</qos_profile> - Modify the OTel Collector configuration so it exports logs to Datadog instead of Prometheus & Grafana. If you’re using a different tool, you can see all exporters supported by the collector and how to configure them here. Navigate to rti_workspace/7.3.0/user_config/observability/otel_collector and modify config.yaml. The receivers configuration will remain the same, but we will now use the Datadog exporter in the exporters section. The pipelines section also needs to be modified to use the Datadog exporter. This example also uses a batch processor.
receivers:
otlp:
protocols:
http:
# we are secure behind nginx proxy so bind to hard-coded internal port
endpoint: 0.0.0.0:14318
exporters:
datadog:
api:
site: datadoghq.com
key: <your api key goes here>
processors:
batch:
send_batch_max_size: 100
send_batch_size: 10
timeout: 10s
service:
pipelines:
logs:
receivers: [otlp]
processors: [batch]
exporters: [datadog] - Launch Observability Framework with rtiobservability -i
- Launch the provided example applications in rti_workspace/7.3.0/examples/observability/c++ just like in the Getting Started Guide. Ensure you use security with the -p command-line argument, like so:
./objs/x64Linux4gcc7.3.0/Temperature_publisher -n SensorPublisher_1 -d 57 -i 0 -s 2 -p -v 2
./objs/x64Linux4gcc7.3.0/Temperature_subscriber -n SensorSubscriber -d 57 -p -v 2 - The applications should immediately start printing out security logs, and you should see them appear on the platform you’ve configured your exporter for. Here are some screenshots from Datadog:
- You can now configure your dashboards to monitor logs from Security Plugins. The full list of security logs produced can be found here. For example, you may want to configure alerts when a remote participant fails to authenticate, or if a participant tries to violate its permissions.
- We’re going to use this configuration from the Connext Observability Framework Getting Started Guide. This example configures Connext Observability Framework with hostname “localhost”, default ports, and security enabled. Observability Collector Service will use a LAN configuration and the OpenTelemetry exporter. The OpenTelemetry Collector routes telemetry data from the Observability Collector Service OpenTelemetry exporter.
-
Summary
This Case + Code explains how to configure your Connext Security Plugins applications and RTI Observability Framework to use the OpenTelemetry collector to forward DDS Security logs into your monitoring platform of choice. With these logs, you can now configure your SIEM to monitor the security of your system.
-
Next Steps
Post questions on the RTI Community Forum.
Check out more of the Connext product suite and learn how Connext can help you build your distributed system. If you haven't already, download the free trial.