You can use this document to learn how to create and configure a remote Log Relay device.

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

Before you begin, you must first convert a virtual machine into a Log Relay device. To learn more, see Obtain Log Relay for Remote Log Collection.

For introductory information on Log Relay, see Introduction to Log Relay.


Create and Configure a Remote Log Source 


Based on your specific log type, review the following options to create and configure a remote log source:

| Log type | Additional information | Detailed instructions |
|---|---|---|
| AWS CloudTrail | You must be able to: gather your AWS account information; create a new trail and sync your AWS S3 bucket | Create a Remote Log Source - AWS CloudTrail |
| AWS GuardDuty | You must be able to: update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation; retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key); configure the AWS GuardDuty CloudFormation StackSet Template | Create a Remote Log Source - AWS GuardDuty |
| AWS VPC Flow Logs | You must be able to: update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation; configure a Web ACL; configure the AWS WAF CloudFormation Stack Template | Create Flow Connection - AWS VPC Flow Logs |
| AWS WAF | You must be able to: update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation; configure the AWS VPC Flow Log CloudFormation Stack Template | Create a Remote Log Source - AWS WAF |
| Check Point | You must be able to: log into and pre-configure the Check Point box; configure your Check Point device | Create a Remote Log Source - Check Point |
| Cisco ASA | You must be able to: log into your Cisco ASA device; access the privileged EXEC mode | Create a Remote Log Source - Cisco ASA |
| Cisco ISR | You must be able to: log into your Cisco ISR device; access the privileged EXEC mode | Create a Remote Log Source - Cisco ISR |
| Juniper | You must be able to: log into your Juniper SRX device; access the privileged EXEC mode | Create a Remote Log Source - Juniper |
| Fortinet FortiGate | You must be able to: log into your Fortinet Security Gateway; access the CLI Console | Create a Remote Log Source - Fortinet Security Gateway |
| Imperva Incapsula | You must be able to: access the AWS console; configure the IAM Role for an EC2 server or non-EC2 server; log into your log relay server | Create a Remote Log Source - Imperva Incapsula |
| Palo Alto Firewall | You must be able to: access the Palo Alto console; configure your server and server profile | Create a Remote Log Source - Palo Alto Firewall |
| SonicWall | You must be able to: log into the SonicWall console; configure your SonicWall device | Create a Remote Log Source - SonicWall |
| Cylance | The user has a Log Relay device online; the user is not blocking traffic on TCP and UDP port 14015 between Cylance and the Log Relay | Create a Remote Log Source - Cylance |
| Storage Only | You must be able to: configure your device or application for compliance log storage only | Create a Storage Only Log Source |



Troubleshooting

In general, if you are having issues adding Log Relay to a remote log device, check whether you need to update your permissions in AMP.

  • In AMP, you must have the following permissions added to your account:  
    • Write Virtual Machine
    • Delete Log Management
    • Read Log Endpoints
    • Read Log Relays
    • Write Log Relays
    • Delete Log Relays

To add the above-mentioned AMP permissions to your account, see Roles and Permissions.

Additional troubleshooting information is located in the specific remote log source documentation. 


