Hi
Is there a way to gather TrueNAS Core server status, storage pool raid alerts etc. without using the GUI Login?
I have a customer that is hyper concerned about non active directory controlled logins, currently the WebGUI is used on a schedule for checking status but we need to stop (and probably disable WebGUI login.
Unfortunately there is no accessible email server either.
I can run chron jobs to parse log files is there a list somewhere of status and alert messages I can look for ?
I also work with some sensitive customers and so I sort of understand your question. However, I don’t fully understand what you mean by ‘server status’?
There is nothing inherently insecure by using a WebGUI.
Core and SCALE both offer some flavor of LDAP integration, and if the customer requires and asks for that then why not implement it?
One could always SSH in using ssh-keys to check your statuses, but that’s no different than the WebGUI login (non LDAP authentication).
Also trying to understand their (your) logic…I assume that the customer also requires some kind of auditing that would track these logins…and that those audit logs would be sent to some kind of aggregator (Splunk, Nagios, etc) for review.
Editing here…CORE and SCALE are appliances. They are quite similar to NetApp or any other storage appliance and also use the WebGUI for administration–without all the context I believe that you are trying to satisfy a STIG of some sort. Having a GNOME desktop environment on a server (which is a no-no) is very different than opening a browser and using an admin GUI. Also want ask a similar question–How do you admin your IMPI or iLO on your hosts? They use WebGUIs too.
There’s different ways to mitigate the risks here. Talk with your system security person and work with them on ways to appease your customer AND meet the security requirements.
Not for the web GUI, they don’t–other than SCALE in Enterprise deployments.
Anything that’s shown in the GUI should be accessible through the API, but I’m not sure how much that benefits you. For that, you’d be using an API token, which is again tied to a local (i.e., non-AD) user.
If analyzing the system logs is sufficient, you can have them exported to any remote syslog server; that’s a setting that’s present in the web GUI. That server can then fold/spindle/mutilate them in whatever way you need.
Hi
Yes, analyzing the logs should be sufficient but where can I find a list of messages to look for for any errors or alerts that would show on the GUI dashboard?
For example what text would be logged for a degraded are or SMART monitoring warning?
I’m trying get specifics of what is of interest but all I can get is that a relatively unskilled tech logs on to the GUI and notes any error messages.
Thanks
Chris
Thanks
It’s just an insistence by a very stubborn customer - doesn’t need to make sense !
There is nothing inherently insecure by using a WebGUI
There is if every one that needs to access the GUI needs to know the root password…
I think we can login with an ordinary user AD controlled account to retrieve the data though I may need to run a cron job as root to extract
not my logic I can assure you! It’s a PITA! The customer does run a Splunk log aggregator but has not asked us to connect this system to it.
This wouldn’t be the case if you’d stop using CORE.
Hi
“This wouldn’t be the case if you’d stop using CORE”
Could you explain or link to an explanation of that? Does SCALE support WebGUI use by non root accounts?
Thanks
Here’s a section from the CORE to SCALE migration guide on that topic:
Yes, and in fact it recommends it. There isn’t as yet any granularity in permissions–any member of the admins group has full access–but use of root is discouraged, and it’s possible to have multiple admin users.
Actually, 24.10 introduced RBAC limited admin accounts
Thanks that’s good, I’ll explore that option but it may be difficult to upgrade because I don’t have a spare set of the operational hardware to test a SCALE install on.
This is a fairly legacy system running on re-imaged IBM S3 storage hardware on a customer site. I’ll get the hardware details and ask here if SCALE will run on it.
I’d still like to workout what log files to monitor for critical system events, most importantly Raid array degraded.
