Configuring cloud plugins

Cloud plugins are installed with a base configuration that can be updated later on, primarily through the BigFix WebUI.

Discovery frequency

The discovery frequency is how often a cloud plugin runs the discovery of the related cloud resources. Cloud plugins are installed with a default discovery frequency of 120 minutes.

The discovery frequency can be updated from the Plugin Management section of the BigFix WebUI. There are also BES Support tasks that allow updating the discovery frequency of cloud plugins.

Logs

Cloud plugins are installed with a standard log level, and the following default log path:

  • Windows: C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal\Plugins\Plugin_name\Logs\log.txt
  • Linux: /var/opt/BESPluginPortal/Plugins/Plugin_name/Logs/log.txt

The log file rotates when it reaches the size of 10 MB. The latest 10 rotated logs are available in the log directory.

You can update the log path and verbosity in the Plugin Management section of the BigFix WebUI.

Support of multiple sets of credentials

A cloud plugin can be configured to use multiple sets of credentials. The first set is specified at installation time; further sets can be added at any time from the Plugin Management section of the BigFix WebUI.

At each discovery, the cloud plugin goes through all available credential sets, and retrieves the cloud resources that are available to each set. If a credential set reaches the maximum number of failed discovery attempts, it is no longer taken into account during the next discoveries.

Maximum number of failed discovery attempts

This is the maximum number of consecutive discovery failures allowed for a credential set before it is skipped. Not all kinds of discovery failure increase the counter, only those related to failed login attempts due to incorrect or expired passwords. A successful discovery attempt resets the counter. Restarting the plugin portal resets the counter as well.

Skipping a failing credential set after three consecutive failures helps reduce the chance that the account is affected by lockout policies in place on the cloud platform side.

When a credential set reaches the maximum number of failed attempts, the following message is written in the standard log:

[error] Refresh all: user 'Account Label' reached the maximum attempts (3) and it will be skipped

When this happens, the operator should use the BigFix WebUI to update the password. The updated credential set is taken into account again starting from the next discovery.
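A skipped credential set silently stops contributing to discovery, so it is worth alerting on the log message above. The following is an added example, not part of the product documentation: it scans a plugin log for that message and reports the affected account labels. The sample log lines are constructed, and any prefix before `[error]` (such as a timestamp) is an assumption that the pattern tolerates.

```python
import re
import sys

# Message text as documented above. Matching stops at "(N)" so the line is
# recognised whether or not the "and it will be skipped" tail is wrapped.
SKIP_RE = re.compile(
    r"\[error\] Refresh all: user '(?P<label>.+)' "
    r"reached the maximum attempts \((?P<limit>\d+)\)"
)

def default_log_path(plugin_name, windows=False):
    """Default log location from the Logs section; plugin_name fills Plugin_name."""
    if windows:
        return (r"C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal"
                r"\Plugins\{}\Logs\log.txt").format(plugin_name)
    return "/var/opt/BESPluginPortal/Plugins/{}/Logs/log.txt".format(plugin_name)

def find_skipped_credentials(lines):
    """Map each skipped account label to its limit, hit count and line numbers."""
    skipped = {}
    for lineno, line in enumerate(lines, start=1):
        match = SKIP_RE.search(line)
        if not match:
            continue
        entry = skipped.setdefault(match.group("label"), {
            "limit": int(match.group("limit")), "hits": 0, "first_line": lineno})
        entry["hits"] += 1
        entry["last_line"] = lineno
    return skipped

# Constructed sample input: only the [error] message text comes from the page.
SAMPLE_LOG = """\
[info] Refresh all: discovery started
[error] Refresh all: user 'Prod Account' reached the maximum attempts (3) and it will be skipped
[info] Refresh all: discovery started
[error] Refresh all: user 'Dev Account' reached the maximum attempts (3)
 and it will be skipped
[error] Refresh all: user 'Prod Account' reached the maximum attempts (3) and it will be skipped
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real log.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = find_skipped_credentials(fh)
    else:
        found = find_skipped_credentials(SAMPLE_LOG.splitlines())
    for label, info in found.items():
        print("credential set '{}' skipped (limit {}), lines {}-{}".format(
            label, info["limit"], info["first_line"], info["last_line"]))
    sys.exit(1 if found else 0)  # non-zero exit lets a scheduler raise an alert
```

Run it against the log of each installed plugin; a non-zero exit code means at least one credential set needs its password updated in the WebUI.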

Proxy support

The AWS and the Microsoft Azure plugins must be able to access related cloud services using HTTPS over the Internet. In both cases, it is possible to use a proxy to do that, although the supported proxy configuration differs.

How to configure a proxy for AWS plugin

When installing the AWS plugin, you can configure it to run discoveries through a proxy by filling in the appropriate fields of the installation Fixlet or of the Install cloud plugin page on the BigFix WebUI. The WebUI also allows you to specify the proxy at a later time by editing the configuration of an installed plugin.

In case of an HTTPS proxy, it is possible to configure the AWS plugin to validate the SSL certificate of the proxy using a custom CA certificate file. A BES Support task allows you to carry out this configuration.

How to configure a proxy for Microsoft Azure plugin

In order to have the Microsoft Azure plugin go through a proxy, it is necessary to configure the proxy as follows:

  • Windows: The proxy must be set at system level using the http_proxy and https_proxy environment variables.
  • Linux: The following key/value pairs must be specified in the /etc/opt/BESPluginPortal/custom.config file (create this file manually if it does not already exist):
      • https_proxy=http://proxyHost:proxyPort/
      • http_proxy=http://proxyHost:proxyPort/

On both Windows and Linux, restart the BigFix Plugin Portal service to make the proxy configuration effective.

Note: Because the Azure SDK embedded in the Azure cloud plugin requires the proxy to be set at system level, communications from the local Plugin Portal to its parent Relay will also be affected. To restore direct communications, the Plugin Portal must have the proxy defined through the relevant BigFix configuration settings, with the parent Relay included in the related exception list. For more details, see Server/Relay Proxy settings.