You can use this document to learn about the basic, high-level steps needed to send additional log types to Armor, also known as remote log collection. To send these remote logs, you must obtain Log Relay.

Review the information outlined in this pre-configuration document to verify that you can perform the required steps. Additional, detailed instructions are available to help you navigate each step.

At a high level, you must: 

  • Obtain Log Relay
  • Create a remote Log Relay
  • Configure a remote Log Relay


Default Log Collection


By default, the Armor Agent collects the following logs for 30 days:

CentOS/RHEL
  • /var/log/secure
  • /var/log/messages
  • /var/log/audit.log
  • /var/log/audit/audit.log
  • /var/log/yum.log

Ubuntu/Debian
  • /var/log/auth.log
  • /var/log/syslog

Windows
  • System Event Log
  • Security Event Log


Review Requirements


Each requirement below lists the requirement type, its product compatibility, and a description.

Supported Devices

Product compatibility:
  • Armor Complete
  • Armor Anywhere

Description:

You can only convert Linux machines that are in an OK state.

To learn more about the health status of a virtual machine, see Health Overview Dashboard or ANYWHERE Health Overview Dashboard.

Additionally, Log Relay supports devices that do not have the Armor Anywhere agent, such as WAFs or next-generation firewalls.

Pricing Information

Product compatibility:
  • Armor Complete
  • Armor Anywhere

Description:

While log collection is available to all users, there is a cost associated with sending and storing logs.

For pricing information, please contact your Account Manager.

Permissions

Product compatibility:
  • Armor Complete
  • Armor Anywhere

Description:

In order to use Log Relay, you must have the following permissions included in your account:

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

To learn more about permissions, see Roles and Permissions.

Log Retention Plan

Product compatibility:
  • Armor Complete
  • Armor Anywhere

Description:

Armor Complete virtual machines that are converted to a log relay device will be automatically enrolled in the Compliance Professional plan.

This plan:

  • Collects and stores your logs for 13 months at an additional cost.
  • Provides certain HIPAA and PCI compliance.

For pricing information, please contact your Account Manager.

Armor Anywhere agents that are converted to a log relay device will retain the default Log Management Essentials plan subscription. This plan collects and stores your logs for 30 days.

Firewall Rules

Product compatibility:
  • Armor Anywhere

Description:

Armor Anywhere users must add the following generic firewall rules:

Inbound

Service / Purpose: Log Relay (Logstash)

Port:
  • 5140/udp
  • 5141/tcp

Destination: The IP address for your virtual machine

Outbound

Service / Purpose: Armor's logging service (ELK)

Port:
  • 5443/tcp
  • 5400-5600/tcp (Reserved)
    • Armor reserves the right to utilize this port range for future expansion or service changes.

Destination: 1c.log.armor.com
  • These endpoints are served by the Amazon Elastic Load Balancers. As a result, the actual endpoints will vary dynamically across Amazon's IP ranges.

The above-mentioned ports do not provide security analytics. To receive security analytics for logs from supported remote log devices, you must add additional firewall rules; these additional ports are described in the configuration documents listed in Step 4: Configure a remote log source (remote Log Relay).

For non-supported remote log sources, collected logs will not receive any security analytics. 

To learn more about firewall rules, see Requirements for Armor Anywhere.


Configure Your Account for Remote Log Collection


Step 1: Obtain Log Relay

When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc. 


Option 1: Armor Complete

At a high level, to obtain Log Relay for your Armor Complete account, you must:

  • Create a virtual machine
  • Run an API call to convert your virtual machine into a Log Relay device 
  • Contact Armor Support to add a custom file path 


Option 2: Armor Anywhere

At a high level, to obtain Log Relay for your Armor Anywhere account, you must: 

  • Update your firewall rules, specifically for TCP  
  • Download and install the Armor Agent
  • Create a virtual machine
  • Update a virtual machine to become a log collecting device 


Step 2: Create a remote log source (remote Log Relay)

In the Armor Management Portal (AMP), you will create a remote log source (remote Log Relay) through a series of simple drop-down menus. Some fields will be pre-populated with information.


Step 3: Configure a remote log source (Remote Log Relay)

After you create a remote log source (remote Log Relay) in AMP, you must access your remote log source's environment for additional configuration.

In general, you will need to configure the remote log source to send its logs via syslog (TCP/UDP) to the Log Relay on a device-specific port.
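The firewall rules above (inbound 5140/udp and 5141/tcp on the relay, outbound 5443/tcp to 1c.log.armor.com) and the syslog forwarding described in this step can be checked before a remote device is pointed at the relay. The script below is an added example, not Armor's code: it assumes the relay's IP address is passed as the first argument (192.0.2.10 is a placeholder) and that the relay accepts RFC 3164 syslog on those ports.

```python
"""Pre-flight check for an Armor Log Relay: confirm the outbound path to
Armor's logging endpoint and push one RFC 3164 test line to the relay's
inbound syslog ports (5140/udp, 5141/tcp) listed on this page."""
import socket
import sys
from datetime import datetime

ARMOR_LOG_ENDPOINT = ("1c.log.armor.com", 5443)   # outbound rule from this page
RELAY_PORTS = {"udp": 5140, "tcp": 5141}          # inbound rules from this page


def build_syslog_message(facility, severity, hostname, tag, text, ts=None):
    """Return an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    PRI = facility * 8 + severity; the day of month is space-padded."""
    ts = ts or datetime.now()
    pri = facility * 8 + severity
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}"


def parse_pri(line):
    """Split the <PRI> prefix back into (facility, severity); None if malformed."""
    end = line.find(">", 1, 5)
    if not line.startswith("<") or end < 0 or not line[1:end].isdigit():
        return None
    return divmod(int(line[1:end]), 8)


def check_outbound(host=ARMOR_LOG_ENDPOINT[0], port=ARMOR_LOG_ENDPOINT[1], timeout=5):
    """True if a TCP connection to Armor's logging service can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_message(relay_ip, proto, line):
    """Deliver one syslog line to the relay over udp/5140 or tcp/5141; returns bytes sent."""
    port = RELAY_PORTS[proto]
    data = (line + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (relay_ip, port))
    with socket.create_connection((relay_ip, port), timeout=5) as s:
        s.sendall(data)
        return len(data)


if __name__ == "__main__":
    relay_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder relay IP
    print("outbound 5443/tcp reachable:", check_outbound())
    msg = build_syslog_message(4, 6, socket.gethostname(), "armor-relay-test", "connectivity check")
    for proto in RELAY_PORTS:
        try:
            print(proto, "sent", send_test_message(relay_ip, proto, msg), "bytes")
        except OSError as exc:
            print(proto, "failed:", exc)
```

After running it, confirm the test line appears in the relay's Logstash input; if the outbound check fails, the 5443/tcp rule is the first thing to revisit.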

Armor currently supports log collection from the following remote devices:

Log Type / Additional Information / Detailed Instructions

AWS CloudTrail

For this log type, you must be able to:

  • Gather your AWS account information
  • Create a new trail and sync your AWS S3 bucket

Detailed instructions: Create a Remote Log Source - AWS CloudTrail

AWS GuardDuty

For this log type, you must be able to:

  • Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation
  • Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key)
  • Configure the AWS GuardDuty CloudFormation StackSet Template

Detailed instructions: Create a Remote Log Source - AWS GuardDuty

AWS VPC Flow Logs

For this log type, you must be able to:

  • Update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation
  • Configure a Web ACL
  • Configure the AWS WAF CloudFormation Stack Template

Detailed instructions: Create a Remote Log Source - AWS VPC Flow Logs

AWS WAF

For this log type, you must be able to:

  • Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation
  • Configure the AWS VPC Flow Log CloudFormation Stack Template

Detailed instructions: Create a Remote Log Source - AWS WAF

Check Point

For this log type, you must be able to:

  • Log into and pre-configure the Check Point box
  • Configure your Check Point device

Detailed instructions: Create a Remote Log Source - Check Point

Cisco ASA

For this log type, you must be able to:

  • Log into your Cisco ASA device
  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Cisco ASA

Cisco ISR

For this log type, you must be able to:

  • Log into your Cisco ISR device
  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Cisco ISR

Fortinet FortiGate

For this log type, you must be able to:

  • Log into your Fortinet Security Gateway
  • Access the CLI Console

Detailed instructions: Create a Remote Log Source - Fortinet Security Gateway

Imperva Incapsula

For this log type, you must be able to:

  • Access the AWS console
  • Configure the IAM Role for an EC2 server or non-EC2 server
  • Log into your log relay server

Detailed instructions: Create a Remote Log Source - Imperva Incapsula

Juniper

For this log type, you must be able to:

  • Log into your Juniper SRX device
  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Juniper

Palo Alto Firewall

For this log type, you must be able to:

  • Access the Palo Alto console
  • Configure your server and server profile

Detailed instructions: Create a Remote Log Source - Palo Alto Firewall

SonicWall

For this log type, you must be able to:

  • Log into the SonicWall console
  • Configure your SonicWall device

Detailed instructions: Create a Remote Log Source - SonicWall




Related Documentation 

For a detailed guide on how to obtain Log Relay, see Obtain Log Relay for Remote Log Collection.



