Page tree

This topic only applies to Armor Complete users. 

To fully use this screen, you must add the following permissions to your account:

  • Read LogManagement
  • Write LogManagement
  • Read Log Management Plan Selection
  • Write Log Management Plan Selection

Overview

You can use the Log & Data Management screen to:

  • View collected logs in the Search section
  • View the status of the logging subagent in the Sources section

By default, Armor collects and retains the following log types for 30 days:

CentOS/RHEL
Ubuntu/Debian
Windows

/var/log/secure

/var/log/messages

/var/log/audit.log

/var/log/audit/audit.log

/var/log/yum.log

/var/log/auth.log

/var/log/syslog

System Event Log

Security Event Log

To upgrade the log retention rate for these default log types from 30 days to 13 months, see Review log retention plans.


View collected logs 

The Armor Management Portal (AMP) only displays logs from the previous 30 days.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Search.
ColumnDescription
DateThis column displays the date and time when Armor received the corresponding log.
SourceThis column displays the name of the virtual machine that generated the log.
MessageThis column displays the specific log message.


View logging subagent status

You can use these instructions to review the logging status of your virtual machines. Specifically, you can verify if your virtual machine is sending logs to Armor.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management.
  3. Click Sources.
ColumnDescription
VM

This column displays the name of the instance that contains the Armor agent.

You can click a specific virtual machine to access the Virtual Machines screen.

Last Log ReceivedThis column displays the date and time when Armor last received a log.
Retention Type

This column displays the length of time that Armor keeps logs.

By default, the Armor Management Portal (AMP) retains log status and details for the previous 30 days. To review logs older than 30 days for a specified instance, see Review log retention plans.
Average SizeThis column displays the average size of the collected logs.
Log Status

This column displays the status of the logging subagent.

  • Online indicates the agent has sent logs within the past hour.
  • Warning indicates the agent in the past 24 hours has sent logs that exceeds the 7-day moving average by 10% or more.
  • Critical indicates the agent has not sent logs within the past hour.
  • Offline indicates the agent (or the instance) is offline.


Review log retention plans

Plan nameLog retention rateDescription
Log Management Essentials30 days

This plan collects and stores your logs for 30 days, which you can view in AMP.

By default, users are automatically subscribed to this plan.

To make sure that you do not pass the default log collection limit, Armor recommends that you review the:

  • Daily Log Storage Usage graph in the Summary section
  • Total Log Storage graph in the Retention Plan section
Compliance Professional13 months

This plan collects and stores your logs for 13 months at an additional cost.

Logs from the previous 30 days are visible in AMP; however, to view logs older than 30 days, you must send a support ticket.

For existing virtual machines:

After you select this plan, existing virtual machines will not be automatically enrolled in this plan; you must update each virtual machine separately.

To learn more, see Upgrade log retention for existing virtual machines.

For future virtual machines:

After you select this plan, new virtual machines will be automatically enrolled in this plan.

To learn more, see Upgrade log retention for new virtual machines.


Upgrade log retention for existing virtual machines

You can use these instructions to upgrade the default log retention rate for an existing virtual machine.  

In order to add and update your plan, you must have the following permissions assigned to your account: 

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read LogManagement 
  • Write LogManagement 
  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Sources
  4. Locate and hover over the desired virtual machine. 
  5. Click the vertical ellipses. 
  6. Select Upgrade Plan
  7. Review the pricing information, and then select Upgrade Local Storage Plan
  8. (Optional) Repeat these steps for additional existing virtual machines. 


Upgrade default log retention for new virtual machines 

You can use these instructions to update the default log retention plan for future virtual machines. In short, after you perform this step, any virtual machine you create afterwards will be automatically enrolled in the 13-month log retention plan. 

For pricing information, please contact your account manager.


Existing virtual machines will not be upgraded. To upgrade the log retention rate for existing virtual machines, you must update each existing virtual machine individually.

To learn more, see Upgrade log retention for existing virtual machines.


In order to add and update your plan, you must have the following permissions assigned to your account: 

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read LogManagement 
  • Write LogManagement 
  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Retention Plan
  4. For Compliance Professional, click Choose This
  5. Review the product information, and then click Select Plan.  
    • Now when you create a virtual machine, the machine will be automatically enrolled in this updated log retention plan. 
    • To learn how to create a virtual machine, see Virtual Machines.


View log collections projections

You can use these instructions to review AMP’s prediction regarding future log collection. You can use this information to estimate log collection cost.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Retention Plan.
  4. Review the Total Log Storage graph. 
    • The dotted line indicates AMP’s prediction for your future log collections.


Export log service status

You can export logs to analyze the offline or to provide to an auditor. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Log Sources
  4. (Optional) Use the filter function to customize the data displayed. 
  5. Under the table, click CSV.
  6. You have the option to export all data (All) or only the data that appears on the current screen (Current Set). 
Data TypeData Detail
Vm NameThis data shows the name of the Armor Agent.
Last Log DateThis data shows the last date that Armor received logs. A blank entry indicates that the action has never taken place.
Vm ProviderThis data shows if you are an Anywhere or Complete user. If Armor cannot determine your specific environment, such as AWS or Azure, then by default, this entry will say Anywhere.
Vm Location

This data shows the virtual data center that hosts your data.

RetentionThis data shows how long the logs are stored in the Armor user interface.
Average SizeThis data shows the average log size.
Agent Status

This data shows the status of your Armor Agent.

Online - This status means the Armor Agent is active and has sent logs within the last hour.

Warning - This status means the previous 24-hour log volume has exceeded the 7-day moving average by 10% or more.

Critical - This status means the Armor Agent has not sent logs within the last hour.

Offline - This status means that the Armor Agent, and possibly the virtual machine, is offline.


Troubleshoot Log Management screen 

Search section or Sources section

If you do not see any data in the Search section or the Sources section of the Log & Data Management screen, consider that:

  • The selected date range does not contain any data.
  • The virtual machine may be powered off. 
  • You do not have permission to view log data.
    • You must have the ReadLogManagement permission enabled to view log data. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions (Armor Complete).

Retention Plan section

If you cannot add or update your plan, consider that you do not have permission to update your plans. You must have the following permissions enabled:  

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read LogManagement 
  • Write LogManagement 


Review API calls





In this topic



Have a suggestion for the Armor Knowledge Base? Send a message to kb@armor.com.