
This topic applies to Armor Complete and Armor Anywhere users. 

You can use this document to learn about the basic, high-level steps needed to send additional log types to Armor, also known as remote log collection. To send these remote logs, you must obtain Log Relay.

Consider this document a pre-configuration checklist to verify that you can perform the required steps; additional, detailed instructions are available to help you navigate each step.

At a high level, you must: 

  • Obtain Log Relay
  • Create a remote Log Relay
  • Configure a remote Log Relay


Default Log Collection


By default, the Armor Agent collects the following logs for 30 days: 

CentOS/RHEL:

  • /var/log/secure
  • /var/log/messages
  • /var/log/audit.log
  • /var/log/audit/audit.log
  • /var/log/yum.log

Ubuntu/Debian:

  • /var/log/auth.log
  • /var/log/syslog

Windows:

  • System Event Log
  • Security Event Log


Supported Remote Log Collection


Currently, through Log Relay, Armor supports log collection from the following remote devices and services: 

  • AWS CloudTrail
  • AWS GuardDuty
  • AWS WAF
  • Cisco ASA
  • Cisco ISR 
  • Juniper SRX
  • Fortinet FortiGate


Configure Your Account for Remote Log Collection



Step 1: Obtain Log Relay

When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc. 


Option 1: Armor Complete

At a high level, to obtain Log Relay for your Armor Complete account, you must:

  • Create a virtual machine
  • Run an API call to convert your virtual machine into a Log Relay device 
  • Contact Armor Support to add a custom file path 


Option 2: Armor Anywhere

At a high level, to obtain Log Relay for your Armor Anywhere account, you must: 

  • Update your firewall rules, specifically for TCP  
  • Download and install the Armor Agent
  • Create a virtual machine
  • Update a virtual machine to become a log collecting device 


Step 2: Create a remote log source (remote Log Relay)

In the Armor Management Portal (AMP), you create a remote log source (remote Log Relay) through a series of drop-down menus. Some fields may already be pre-populated.  


Step 3: Configure a remote log source (Remote Log Relay)

After you create a remote log source (remote Log Relay) in AMP, you must access your remote log source's environment for additional configuration. 

In general, you will need to configure the remote log source to forward its logs via syslog (TCP or UDP) to the device-specific port on the Log Relay. Any firewall between the remote device and the Log Relay must allow that port and protocol. Use TCP where the device supports it: UDP syslog gives no delivery confirmation, so dropped messages are never reported. 
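Before changing a device's production logging configuration, it is worth confirming that the path to the Log Relay port actually works. The script below is an added example (it is not Armor's tooling and not part of the original page): it builds an RFC 5424 syslog message, frames it for TCP as RFC 6587 describes, and sends it over TCP or UDP. `RELAY_HOST` and `RELAY_PORT` are placeholders that you replace with the Log Relay address and the device-specific port shown for your remote log source in AMP; run it from the remote device's network segment so the firewall rules it exercises are the ones the device will use.

```python
"""Send a test syslog message to a Log Relay port over TCP or UDP.

Added example, not Armor's own tooling. RELAY_HOST and RELAY_PORT are
placeholders (assumptions): replace them with the Log Relay address and the
device-specific port shown for your remote log source in AMP.
"""
import socket
from datetime import datetime, timezone
from typing import Optional

RELAY_HOST = "192.0.2.10"   # placeholder (TEST-NET-1 address), not a real relay
RELAY_PORT = 10514          # placeholder; use the port assigned to the remote log source

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITY_LOCAL4 = 20
SEVERITY_NOTICE = 5


def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_syslog_message(hostname: str, app_name: str, msg: str,
                         facility: int = FACILITY_LOCAL4,
                         severity: int = SEVERITY_NOTICE,
                         timestamp: Optional[str] = None) -> str:
    """Build an RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    PROCID, MSGID and STRUCTURED-DATA are sent as the NILVALUE "-".
    """
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = syslog_pri(facility, severity)
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - - - {msg}"


def frame_for_tcp(message: str, framing: str = "lf") -> bytes:
    """Frame one message for a TCP stream (RFC 6587).

    "lf"    - non-transparent framing: message followed by a newline, which is
              what most relays accept by default
    "octet" - octet counting: "<length> <message>", safe for messages that
              themselves contain newlines
    """
    data = message.encode("utf-8")
    if framing == "lf":
        return data + b"\n"
    if framing == "octet":
        return f"{len(data)} ".encode("ascii") + data
    raise ValueError("framing must be 'lf' or 'octet'")


def send_test_message(host: str, port: int, transport: str, message: str,
                      framing: str = "lf", timeout: float = 5.0) -> bool:
    """Send one message; return True if the transport reported success.

    For TCP, True means the connection was accepted and the bytes were written,
    so a refused connection or a firewall drop (timeout) comes back as False.
    For UDP there is no acknowledgement: True only means the datagram left this
    host, which is why TCP is the better transport for a reachability check.
    """
    data = message.encode("utf-8")
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(data, (host, port))
            return True
        if transport == "tcp":
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(frame_for_tcp(message, framing))
            return True
    except OSError as exc:  # ConnectionRefusedError, timeout, no route, ...
        print(f"{transport} send to {host}:{port} failed: {exc}")
        return False
    raise ValueError("transport must be 'tcp' or 'udp'")


if __name__ == "__main__":
    probe = build_syslog_message("asa-edge01", "relay-test",
                                 "Armor Log Relay reachability test")
    for transport in ("tcp", "udp"):
        ok = send_test_message(RELAY_HOST, RELAY_PORT, transport, probe)
        print(f"{transport}: {'sent' if ok else 'FAILED'}")
```

A TCP result of `FAILED` with a timeout usually means a firewall is silently dropping the traffic; a refused connection means the packet arrived but nothing is listening on that port, so check the port value against what AMP shows for the remote log source. Once the TCP probe succeeds, the message should appear in the relay's collected logs for the `asa-edge01` hostname you passed in.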

Log type / Additional information
AWS CloudTrail

For this log type, you must be able to:

  • Gather your AWS account information
  • Create a new trail and sync your AWS S3 bucket 
AWS GuardDuty

For this log type, you must be able to:

  • Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation
  • Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key)
  • Configure the AWS GuardDuty CloudFormation StackSet Template
AWS WAF

For this log type, you must be able to:

  • Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation
  • Configure a Web ACL
  • Configure the AWS WAF CloudFormation Stack Template
Cisco ASA

For this log type, you must be able to: 

  • Log into your Cisco ASA device
  • Access the privileged EXEC mode
Cisco ISR

For this log type, you must be able to: 

  • Log into your Cisco ISR device
  • Access the privileged EXEC mode
Juniper

For this log type, you must be able to:

  • Log into your Juniper SRX device
  • Access the privileged EXEC mode
Fortinet FortiGate

For this log type, you must be able to:

  • Log into your Fortinet Security Gateway
  • Access the CLI Console
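For the AWS CloudTrail step above ("create a new trail and sync your AWS S3 bucket"), the part that most often goes wrong is the bucket policy: CloudTrail cannot deliver until the bucket lets the CloudTrail service principal check the bucket ACL and write objects, and the quick fix of opening the bucket up is exactly what you do not want on a bucket full of audit logs. The script below is an added example (not Armor's tooling, and not from the original page): it generates the least-privilege bucket policy for one trail and lints an arbitrary policy for the usual over-grants. The bucket name, account ID, region and trail name are placeholders (assumptions) to be replaced with your own.

```python
"""Generate and lint the S3 bucket policy that CloudTrail needs on a log bucket.

Added example, not Armor's own tooling. The bucket name, account ID, region and
trail name used in __main__ are placeholders (assumptions).
"""
import json
from typing import Dict, List

SERVICE_PRINCIPAL = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket: str, account_id: str, region: str,
                             trail_name: str) -> Dict:
    """Least-privilege bucket policy for CloudTrail delivery.

    Only the CloudTrail service principal is allowed, only for the two actions
    delivery needs, and both statements carry an aws:SourceArn condition so
    that a trail in some other account cannot use this bucket as a delivery
    target (the confused-deputy case).
    """
    trail_arn = f"arn:aws:cloudtrail:{region}:{account_id}:trail/{trail_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": SERVICE_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": SERVICE_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {
                        "s3:x-amz-acl": "bucket-owner-full-control",
                        "aws:SourceArn": trail_arn,
                    }
                },
            },
        ],
    }


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: Dict) -> List[str]:
    """Return problems found in Allow statements; an empty list means the policy is tight."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        actions = _as_list(st.get("Action"))
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: public principal")
        elif not (isinstance(principal, dict) and principal.get("Service") == SERVICE_PRINCIPAL):
            findings.append(f"{sid}: principal is not {SERVICE_PRINCIPAL}")
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "aws:SourceArn" not in conditions:
            findings.append(f"{sid}: missing aws:SourceArn condition")
        if "s3:PutObject" in actions and conditions.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append(f"{sid}: PutObject without bucket-owner-full-control")
    return findings


# Constructed example of what not to ship: the policy that tends to appear when a
# bucket is opened up "just to get CloudTrail working".
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-trail-logs/*",
    }],
}

if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example-trail-logs", "123456789012",
                                      "us-east-1", "armor-trail")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy) or "none")
    print("findings for broad policy:", policy_findings(OVERLY_BROAD_POLICY))
```

Save the generated JSON to a file and apply it with `aws s3api put-bucket-policy --bucket example-trail-logs --policy file://policy.json`, then create and start the trail with `aws cloudtrail create-trail --name armor-trail --s3-bucket-name example-trail-logs --is-multi-region-trail` and `aws cloudtrail start-logging --name armor-trail`. The `aws:SourceArn` condition has to name the trail you are about to create, so pick the trail name before writing the policy; and keep the `AWSLogs/<account-id>/` prefix in the write statement, since that is the only prefix CloudTrail writes to.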


Additional Documentation 

For a detailed guide on how to obtain Log Relay, see Obtain Log Relay for Remote Log Collection.