This section covers the setup of the yarngate application
This section assumes that that Yarngate access has been configured and the user can login to Yarngate using LDAP credentials
This section assumes that Customers/Clusters/Interfaces have been added either manually via the administration application or via Bulk import of Customers/Cluster/Interfaces
Yarngate Access Profiles and Access rules
Access to the yarngate application and the various roles is controlled by the Authentication policy that matches LDAP groups to Yarnman Role
Once a user has access to Yarngate their system access is determined by
Entitlement Group
The entitlement profile defines what systems can be accessed. To access Entitlements Group setup - from Yarngate menu, select Access Rules->Entitlements Group, then select New Entitlement Group. Access can be added using Customers, Clusters or specific interfaces.
Note that the add Customer/Cluster/Interface button needs to be pressed for each entry
Entitlement Group bulk Import
There is an option to bulk import using excel
Download the template and setup as necessary and upload
Matching Group
The match group defines match of LDAP groups or users for access
For access testing you can also add a unique username that can be used with the test access function
Access Profile
The access profile defines the configuration of the access - note that screenshot below show screen after General Settings first saved
CUCM - there is additional template configuration required
UCXN - there is additional template configuration required
CUCM Template
CUCM Roles (Custom)
If custom CUCM roles are required they can be created, Go Access Profiles->CUCM Templates->Roles then select New Role Template
The roles will need to be imported from a test CUCM use the latest version of CUCM in scope to import the latest roles - Yarngate handles backward compatibility for roles
Select the interface to import the role
Select the required Roles
CUCM Credential Policy
Create the credential policy with the required settings - Go System Templates → CUCM Templates → Credential Policies, then select New Credential Policy
CUCM Access Control Group
Create the Access Control profile - Go System Templates → CUCM Templates → Access Control Groups, then select New Access Control Group Template
CUCM default Roles
To view the list of system default roles refer to CUCM System Default roles or via SSH run the following command
run sql select name from functionrole where isstandard ="t"
Custom role template
Refer to Cisco documentation for the capabilities of the various role resource privileges
Note that Yarngate will assert the role resource privileges to check if that resource privilege exists in the target system, if it does not exist that resource privilege will not be used, this permits backwards compatibility with the custom role templates
Its recommended where possible to use the inbuilt cucm roles, as using a custom roles incurs a slight performance penalty with having to check/validate no changes have been made to the target system(s) when creating a session.
UCXN Templates
Authentication Rule
Create the required Authentication rule - Go System Templates → UCXN Templates → Authentication Rule, then select New Authentication Rule Template
User template
Note that the user template must exist
Access Rule
The access rule links all of the configuration together - Go Access Rules → Rules, then select New Access Rule
Test Access
The test access tool can be used to check what access users have
Note that the User key needs to be defined in matching groups
Configure policies
are a set of checks or parameters that are applied to Caches when they run.
Node Age
This policy is applied to a NodeName discovery, allowing reports to be run on Nodes removed from Yarngate (e.g. the interface) or if a node in a cluster is removed.
Defines the number of days before a Node is marked as Inactive and when the Node is deleted. Below shows the Default
A custom policy can be added by Navigating to Administration > Caching > Policies > Create Policy.
Account age
A custom policy can be added by Navigating to Administration > Caching > Policies > Create Policy.
Audit Config
An Audit policy is used with the Node Cache and System Audit Check report. Yarngate will collect via AXL/Soap the audit configuration settings and check these against the policy to validate
audit enabled
detailed audit enabled
correct audit level (6, informational)
being sent to one of the Syslog servers defined (the cucm audit config can only send to 1 syslog server)
An Audit policy can be added by Navigating to Administration > Caching > Policies > Create Policy.
Configure Caches
Nodes
The Node Cache speeds up reporting by not needing to poll the systems each time a report is run continually. The Node Cache is populated via entitlement group(s).
Policies are applied to the Node cache to check for Audit configuration settings and age out deleted or unreachable Nodes per the Policy.
A Schedule is recommended to keep the cache up-to-date and run just before a maintenance window ends to allow the capture of any new nodes or removal.
Navigate to Administration > Caching > Caches > Create Cache
Apply the Node, Audit Policy and Entitlement group(s) and press save
Once saved, navigate back to the new cache, and the Add a Schedule button will be visible.
You can add the required details for the schedule with enable toggled at the bottom.
You can just navigate back to the cache to see the Schedule status.
To modify or disable the schedule, press modify, make the required changes and press save.
To Modify a schedule toggle, enable to Off with the required changes; once saved, toggle it to On. The scheduler won't allow a time from the past to be saved.
Subnet Groups
Subnet groups contain Individual hosts or Subnets; These are then linked to Subnet Group Lists.
Subnet Lists
Subnet List contains one or more groups of Subnets; These are applied to robot accounts to validate that Robot accounts are being used from known hosts/systems.
Robot Accounts
Robot accounts are manually entered and assigned to a Subnet List. These will feed into the Robot report.
Exception Report Log not currently in use will be removed from view. leave blank
Admin Users
Provides a Cache and history of all Admin user accounts
Reporting
Templates
Templates can be used to perform ongoing AdHoc reports with pre-filled details or assigned to a Schedule to perform reoccurring reports.
Navigate to Administration > Reporting > Templates
Select the template type and populate the presets.
Select a Template and press Create Report From Template to run an ad hoc report.
Please take a look at the report types below for more detailed information.
Schedules
Report templates are assigned to a Schedule to be run at regular intervals
Hourly
Daily
Weekly
Monthly
Reports are created based on a Schedule with the option to send Element counters to winprtg via an HTTP (s) Push.
Currently, the Metrics pushed to winprtg include
Field | Value |
|---|---|
ReportStatus | 0 for normal 1 for warning flag |
PassedElements | Numeric |
ErrorElements | Numeric |
WarningElements | Numeric |
SkippedElements | Numeric |
TotalElements | Numeric |
Robot Accounts
This report allows us to cross-check Robot accounts logging in from unknown IP addresses based on matching Defined subnets.
The report within the GUI will show logins from unknown (unmatched subnets) and the tally.
The xlsx contains all the Matched and Unmatched Subnets for the Robot accounts.
Due to the unstructured nature of the syslog messages, we need to exclude any activities from an enduser as well as some internal system actions; below are the default exclusions.
It's possible to run a report for ALL users in the elasticsearch by leaving the Robot Accounts Cache Blank.
System Audit Check
This report uses the Node Cache to validate settings via AXL/Soap to confirm the Audit Policy complies with the expected values.
This is done on a NodeCache level
This will check the policy for
audit enabled
detailed audit enabled
correct audit level (6, informational)
being sent to one of the Syslog servers defined (the cucm audit config can only send to 1 syslog server)
the xlsx export contains all the configured details and the policy being tested against.