
You can use this document to learn how to create and configure a remote Log Relay device.

To obtain Log Relay and to configure your account for remote log collection, you must have the following permissions added to your account in the Armor Management Portal (AMP):

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

Before you begin, you must first convert a virtual machine into a Log Relay device. To learn more, see Obtain Log Relay for Remote Log Collection.

For introductory information on Log Relay, see Introduction to Log Relay.


Create a remote log source 


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
    • If you do not see any data, then click Let's Get Started.
  4. Click External Sources.
  5. Click the plus ( + ) icon.
    • If you do not have any log sources already created, then click Add a New Log Source.


Configure a remote log source 


Based on your specific log type, review the following options to create and configure a remote log source:

AWS CloudTrail
  Additional information: For this log type, you must be able to:
    • Gather your AWS account information
    • Create a new trail and sync your AWS S3 bucket
  Detailed instructions: Create a Remote Log Source - AWS CloudTrail

AWS GuardDuty
  Additional information: For this log type, you must be able to:
    • Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation
    • Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key)
    • Configure the AWS GuardDuty CloudFormation StackSet Template
  Detailed instructions: Create a Remote Log Source - AWS GuardDuty

AWS VPC Flow Logs
  Additional information: For this log type, you must be able to:
    • Update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation
    • Configure the AWS VPC Flow Log CloudFormation Stack Template
  Detailed instructions: Create a Remote Log Source - AWS VPC Flow Logs

AWS WAF
  Additional information: For this log type, you must be able to:
    • Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation
    • Configure a Web ACL
    • Configure the AWS WAF CloudFormation Stack Template
  Detailed instructions: Create a Remote Log Source - AWS WAF

Check Point
  Additional information: For this log type, you must be able to:
    • Log into and pre-configure the Check Point box
    • Configure your Check Point device
  Detailed instructions: Create a Remote Log Source - Check Point

Cisco ASA
  Additional information: For this log type, you must be able to:
    • Log into your Cisco ASA device
    • Access the privileged EXEC mode
  Detailed instructions: Create a Remote Log Source - Cisco ASA

Cisco ISR
  Additional information: For this log type, you must be able to:
    • Log into your Cisco ISR device
    • Access the privileged EXEC mode
  Detailed instructions: Create a Remote Log Source - Cisco ISR

Juniper
  Additional information: For this log type, you must be able to:
    • Log into your Juniper SRX device
    • Access configuration mode in the Junos CLI
  Detailed instructions: Create a Remote Log Source - Juniper

Fortinet FortiGate
  Additional information: For this log type, you must be able to:
    • Log into your Fortinet Security Gateway
    • Access the CLI Console
  Detailed instructions: Create a Remote Log Source - Fortinet Security Gateway

Imperva Incapsula
  Additional information: For this log type, you must be able to:
    • Access the AWS console
    • Configure the IAM Role for an EC2 server or non-EC2 server
    • Log into your log relay server
  Detailed instructions: Create a Remote Log Source - Imperva Incapsula

Palo Alto Firewall
  Additional information: For this log type, you must be able to:
    • Access the Palo Alto console
    • Configure your server and server profile
  Detailed instructions: Create a Remote Log Source - Palo Alto Firewall

SonicWall
  Additional information: For this log type, you must be able to:
    • Log into the SonicWall console
    • Configure your SonicWall device
  Detailed instructions: Create a Remote Log Source - SonicWall


Troubleshooting

In general, if you are having trouble adding a remote log source to Log Relay, check the following:

You may need to update your permissions in AMP.

  • In AMP, you must have the following permissions added to your account:
    • Write Virtual Machine
    • Delete Log Management
    • Read Log Endpoints
    • Read Log Relays
    • Write Log Relays
    • Delete Log Relays

To add the above-mentioned AMP permissions to your account, see Roles and Permissions.

Additional troubleshooting information, including device-side checks, is located in the documentation for the specific remote log source.
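A device-side check that is worth running before opening a ticket is to confirm that the remote sources are actually delivering syslog to the relay. The script below is an added example written for this page; it is not part of Armor's Log Relay tooling and does not use any AMP API. It assumes the devices send BSD-style syslog (RFC 3164, PRI plus timestamp plus hostname) over UDP, which is the format the firewall and router sources listed above emit by default. The hostnames, the port number 5514, and the sample log lines are constructed for illustration; the vendor fingerprints rely only on each product's well-known message prefix (the %ASA-n-nnnnnn and %FACILITY-n-MNEMONIC markers on Cisco, the CSV header on Palo Alto, and the devname= key on FortiGate).

```python
"""Check that remote log sources are reaching the relay.

parse_syslog() decodes one BSD-syslog line, and check_sources() reports which
expected senders have been seen, which are missing, and how many lines did
not parse at all (a sign of a wrong format or a non-syslog talker).
"""
import re
import socket
import time
from collections import defaultdict

# Constructed sample lines in the form a UDP syslog receiver on the relay
# would see them. They are illustrative, not captured from real devices.
SAMPLE_LINES = [
    "<166>Mar 10 12:00:01 asa-edge %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.12/51514 (198.51.100.2/51514)",
    "<189>Mar 10 12:00:02 isr-branch 1234: *Mar 10 12:00:02.001: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0 (10.0.0.99)",
    "<14>Mar 10 12:00:03 pa-fw 1,2024/03/10 12:00:03,001234567890,TRAFFIC,end,...",
    '<13>Mar 10 12:00:04 fgt-dc date=2024-03-10 time=12:00:04 devname="fgt-dc" '
    'type="traffic" subtype="forward" action="accept"',
    "this is not a syslog line",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp, e.g. "Mar 10 12:00:01"
    r"(?P<host>\S+) "                                 # hostname the sender puts in the header
    r"(?P<msg>.*)$"
)

# Vendor fingerprints based on well-known message markers; ASA is checked
# before generic IOS because both use a %NAME-n-... prefix.
VENDOR_MARKERS = [
    ("Cisco ASA", re.compile(r"%ASA-\d-\d+")),
    ("Cisco IOS", re.compile(r"%[A-Z_]+-\d-[A-Z_]+")),
    ("Palo Alto", re.compile(r"^\d+,\d{4}/\d\d/\d\d [\d:]+,\d+,(TRAFFIC|THREAT|SYSTEM|CONFIG)")),
    ("Fortinet FortiGate", re.compile(r"devname=")),
]


def parse_syslog(line):
    """Parse one BSD-syslog line; return a dict, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23*8 + 7 is the highest legal PRI value
        return None
    msg = m.group("msg")
    vendor = next((name for name, rx in VENDOR_MARKERS if rx.search(msg)), "unknown")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "vendor": vendor,
        "msg": msg,
    }


def check_sources(lines, expected_hosts):
    """Summarise which expected senders were seen and flag anything unparsable."""
    seen = defaultdict(lambda: {"count": 0, "vendor": "unknown"})
    unparsed = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        entry = seen[rec["host"]]
        entry["count"] += 1
        if rec["vendor"] != "unknown":
            entry["vendor"] = rec["vendor"]
    return {
        "seen": dict(seen),
        "missing": sorted(set(expected_hosts) - set(seen)),
        "unexpected": sorted(set(seen) - set(expected_hosts)),
        "unparsed": unparsed,
    }


def capture_udp(port=5514, seconds=10, bind="0.0.0.0"):
    """Collect raw syslog datagrams for `seconds` on a port that is NOT the one
    the relay's own collector is bound to (port 5514 here is an assumption;
    point the devices at it temporarily, or mirror traffic to it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    sock.settimeout(1.0)
    deadline = time.monotonic() + seconds
    lines = []
    while time.monotonic() < deadline:
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            continue
        lines.append(data.decode("utf-8", errors="replace").rstrip("\r\n"))
    sock.close()
    return lines


if __name__ == "__main__":
    # Offline run over the constructed sample; replace SAMPLE_LINES with
    # capture_udp() output to check a live relay.
    expected = ["asa-edge", "isr-branch", "pa-fw", "fgt-dc", "srx-core"]
    report = check_sources(SAMPLE_LINES, expected)
    for host, info in sorted(report["seen"].items()):
        print(f"seen     {host:12} {info['vendor']:20} {info['count']} line(s)")
    for host in report["missing"]:
        print(f"MISSING  {host}")
    print(f"unparsed lines: {report['unparsed']}")
```

A host that shows up as "missing" usually means the device is logging to the wrong destination, on the wrong port, or from an interface the relay cannot reach; a non-zero "unparsed" count with the host present usually means the device is sending a format the relay was not configured for (for example, Palo Alto or FortiGate output with the syslog header disabled).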



