To fully use this screen, you must add the following permissions to your account:

  • Read Log Management
  • Write Log Management
  • Read Log Management Plan Selection
  • Write Log Management Plan Selection

You can use the Log & Data Management screen to:

  • View storage consumption in the Summary section
  • View the status of the logging subagent in the Agent Sources section
  • View the status and configure existing sources and add new sources in the External Sources section
    • For documentation on adding or configuring external sources, click here
  • View or change your storage plan in the Log Storage Plans section


By default, Armor collects and retains the following log types for 30 days:

CentOS/RHEL:

  • /var/log/secure
  • /var/log/messages
  • /var/log/audit.log
  • /var/log/audit/audit.log
  • /var/log/yum.log

Ubuntu/Debian:

  • /var/log/auth.log
  • /var/log/syslog

Windows:

  • System Event Log
  • Security Event Log

To learn how to upgrade your default log collection plan, see Review log retention plans.


Enable Logging Services


Use the following commands to manage the Logging service: Filebeat, plus Winlogbeat on Windows only.


Install Logging:

Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install


Uninstall Logging:

Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall 


Logging Help

Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help


Filebeat Sync Configuration Commands for Linux


Add new paths to the Filebeat config:

/opt/armor/armor logging add-file-paths <paths to file locations>

Remove paths from the Filebeat config:

/opt/armor/armor logging remove-file-paths <paths to file locations>

List added config paths:

/opt/armor/armor logging describe-file-paths

Sync the Filebeat config:

/opt/armor/armor logging sync-file-paths


Filebeat Sync Configuration Commands for Windows


Add new paths to the Filebeat config:

C:\.armor\opt\armor.exe logging add-file-paths <paths to file locations>

Remove paths from the Filebeat config:

C:\.armor\opt\armor.exe logging remove-file-paths <paths to file locations>

List added config paths:

C:\.armor\opt\armor.exe logging describe-file-paths

Sync the Filebeat config:

C:\.armor\opt\armor.exe logging sync-file-paths

Add Winlogbeat event logs:

C:\.armor\opt\armor.exe logging add-event-logs <event logs>

Remove Winlogbeat event logs:

C:\.armor\opt\armor.exe logging remove-event-logs <event logs>

List event logs:

C:\.armor\opt\armor.exe logging describe-event-logs

Sync event logs:

C:\.armor\opt\armor.exe logging sync-event-logs


Logging Command Usage


Command usage:

armor logging <command> [arguments...]

The following arguments are the possible parameters for the Logging CLI feature, which lets customers manage Filebeat modules on virtual machines.

Command / Arguments / Result

  • iis-enable, apache-enable, nginx-enable
    Arguments: none
    Result: Enables the Filebeat IIS/Apache/nginx module. When run, the module yml file changes from the disabled state to the enabled state.

  • iis-disable, apache-disable, nginx-disable
    Arguments: none
    Result: Disables the Filebeat IIS/Apache/nginx module. When run, the module yml file changes from the enabled state to the disabled state.

  • iis-add-access-paths, apache-add-access-paths, nginx-add-access-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the module yml file under the 'access_paths' section.

  • iis-remove-access-paths, apache-remove-access-paths, nginx-remove-access-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the module yml file under the 'access_paths' section.

  • iis-add-error-paths, apache-add-error-paths, nginx-add-error-paths
    Arguments: path1, path2, path3
    Result: Adds the argument paths to the module yml file under the 'error_paths' section.

  • iis-remove-error-paths, apache-remove-error-paths, nginx-remove-error-paths
    Arguments: path1, path2, path3
    Result: Removes the argument paths from the module yml file under the 'error_paths' section.

  • iis-sync-config, apache-sync-config, nginx-sync-config
    Arguments: none
    Result: Syncs the module yml file on the virtual machine with the latest required changes.

  • iis-describe-config, apache-describe-config, nginx-describe-config
    Arguments: none
    Result: Displays the access and error paths currently configured in the module yml file.

Users can add as many paths in a single command as needed, but the paths must be comma-separated.

  • Linux example (multiple paths / one path):

    • /opt/armor/armor logging add-file-paths "/var/log/thing,/var/log/stuff/log,/path/to/log"
    • /opt/armor/armor logging add-file-paths /var/log/thing

  • Windows example (multiple paths / one path):

    • C:\.armor\opt\armor.exe logging add-file-paths "C:\var\log\thing,D:\path\to\log"
    • C:\.armor\opt\armor.exe logging add-file-paths C:\var\log\thing


Examples: Below is example usage for the Apache module; the IIS and nginx modules work the same way.

Command usage:

armor logging apache-enable

armor logging apache-disable

armor logging apache-add-access-paths <paths to add>

armor logging apache-remove-access-paths <paths to remove>

armor logging apache-add-error-paths <paths to add>

armor logging apache-remove-error-paths <paths to remove>

armor logging apache-sync-config

armor logging apache-describe-config
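
The commands above take their paths as one comma-separated argument, both for the file-path list and for the module access/error path sections. The following Python script is an added illustration and is not part of the Armor documentation or of the armor CLI: it parses such an argument with the checks an operator would want (no blank elements, absolute paths only, duplicates dropped), applies add and remove operations idempotently to an in-memory state that stands in for the file-path list and the 'access_paths'/'error_paths' sections, and builds the argv that would be handed to the real binary at the locations given on the page. The state layout and every validation rule beyond "comma-separated" are assumptions made for the example.

```python
"""Added example (not from the Armor documentation or the armor CLI).

Models the comma-separated path argument accepted by `armor logging
add-file-paths` / `remove-file-paths` and by the module commands
`<module>-add-access-paths` / `<module>-add-error-paths` (and their remove
counterparts), plus the add / remove / describe state those commands keep.
The in-memory layout (a dict keyed by "file_paths", "access_paths",
"error_paths") is an assumption for illustration, not the CLI's own storage.
"""
from __future__ import annotations

import ntpath
import posixpath
import shlex


def split_path_arg(arg: str, windows: bool = False) -> list[str]:
    """Turn one comma-separated argument into a validated list of paths.

    The page only says the paths are comma-separated; the remaining checks
    are the ones a careful operator adds:
    - a blank element (e.g. a trailing comma) is rejected,
    - every path must be absolute, so the shipper never resolves it relative
      to its own working directory,
    - duplicates are dropped while keeping first-seen order.
    """
    isabs = ntpath.isabs if windows else posixpath.isabs
    seen: list[str] = []
    for raw in arg.split(","):
        path = raw.strip()
        if not path:
            raise ValueError(f"empty path element in {arg!r}")
        if not isabs(path):
            raise ValueError(f"path must be absolute: {path!r}")
        if path not in seen:
            seen.append(path)
    return seen


def apply_paths(config: dict[str, list[str]], section: str, arg: str,
                remove: bool = False, windows: bool = False) -> dict[str, list[str]]:
    """Add to or remove from one section ("file_paths", "access_paths",
    "error_paths"). Idempotent: re-running the same command changes nothing."""
    current = config.setdefault(section, [])
    for path in split_path_arg(arg, windows):
        if remove:
            if path in current:
                current.remove(path)
        elif path not in current:
            current.append(path)
    return config


def describe(config: dict[str, list[str]]) -> str:
    """Render the state the way a describe-* command would list it."""
    lines = []
    for section in sorted(config):
        lines.append(f"{section}:")
        lines.extend(f"  - {p}" for p in config[section])
    return "\n".join(lines)


def build_command(paths: list[str], subcommand: str = "add-file-paths",
                  windows: bool = False) -> list[str]:
    """Build the argv for the real CLI: the paths are joined with commas and
    passed as ONE argument, which is why the page quotes the list. The binary
    locations are the ones given on the page."""
    binary = r"C:\.armor\opt\armor.exe" if windows else "/opt/armor/armor"
    joined = ",".join(split_path_arg(",".join(paths), windows))
    return [binary, "logging", subcommand, joined]


if __name__ == "__main__":
    state: dict[str, list[str]] = {}
    apply_paths(state, "file_paths", "/var/log/thing,/var/log/stuff/log,/path/to/log")
    apply_paths(state, "access_paths", "/var/log/apache2/access.log")  # constructed path
    apply_paths(state, "file_paths", "/path/to/log", remove=True)
    print(describe(state))
    # Printed, not executed: the binary only exists on an Armor-managed host.
    print(shlex.join(build_command(state["file_paths"])))
```

A path that itself contains a comma cannot be expressed through this argument at all, because the comma is the only delimiter; that is a limitation of the argument format, not something the parser can detect.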


View Logging Subagent Status


You can use these instructions to review the logging status of your virtual machines. Specifically, you can verify if your virtual machine is sending logs to Armor.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management.
  3. Click Agent Sources.

Column / Description

Name
  This column displays the name of the virtual machine or instance that contains the Armor agent. You can click a specific virtual machine to access the Virtual Machines screen.

Type
  This column displays whether the virtual machine or instance has been converted to a log collecting device, also known as a Log Relay.

Last Log Received
  This column displays the date and time when Armor last received a log.

Retention Type
  This column displays the length of time that Armor keeps logs. By default, the Armor Management Portal (AMP) retains log status and details for the previous 30 days. To review logs older than 30 days for a specified instance, see Review log retention plans.

Average Size
  This column displays the average size of the collected logs.

Log Status
  This column displays the status of the logging subagent:

  1. Online indicates the agent has sent logs within the past hour.
  2. Warning indicates that the logs the agent sent in the past 24 hours exceed its 7-day moving average by 10% or more.
  3. Critical indicates the agent has not sent logs within the past hour.
  4. Offline indicates the agent (or the instance) is offline.
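
The four Log Status values are a simple health signal that a defender can also compute from their own records (for example, hourly log volumes exported from the shipper) to cross-check what AMP shows. The Python below is an added example, not AMP code: it applies the thresholds stated on the page (1 hour, 24 hours, 7-day moving average, 10%) to constructed per-hour samples. Two details the page leaves open are assumptions here: the moving average is taken over the trailing seven days ending now (so it includes the last 24 hours), and when more than one state applies the most severe one wins (Offline over Critical over Warning over Online).

```python
"""Added example (not from the Armor documentation or the AMP code base).

Reproduces the four Log Status values described for the Agent Sources table.
Thresholds are the ones stated on the page; the averaging window and the
state precedence are assumptions, as is the sample data.
"""
from datetime import datetime, timedelta, timezone

ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(days=1)
SEVEN_DAYS = timedelta(days=7)
SPIKE_RATIO = 1.10          # "exceeds the 7-day moving average by 10% or more"
MB = 1024 * 1024
EXAMPLE_NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)  # constructed


def classify(samples, now, instance_online=True):
    """samples: iterable of (timestamp, bytes received); order is irrelevant.
    Returns one of "Online", "Warning", "Critical", "Offline"."""
    if not instance_online:
        return "Offline"
    ages = [(now - ts, size) for ts, size in samples if ts <= now]
    if not any(age <= ONE_HOUR for age, _ in ages):
        return "Critical"                     # nothing received in the past hour
    last_24h = sum(size for age, size in ages if age < ONE_DAY)
    last_7d = sum(size for age, size in ages if age < SEVEN_DAYS)
    daily_average = last_7d / 7               # bytes per day over the trailing week
    # A brand-new agent with under a week of history will look like a spike
    # under this window definition; that follows from the assumption above.
    if last_24h > 0 and last_24h >= SPIKE_RATIO * daily_average:
        return "Warning"
    return "Online"


def hourly_samples(now, hours, bytes_per_hour, spike_hours=0, spike_bytes=0,
                   gap_hours=0):
    """Constructed input: one sample per hour going back `hours` hours.
    The newest `spike_hours` samples carry `spike_bytes` instead, and the
    newest `gap_hours` samples are omitted entirely (the agent went quiet)."""
    return [
        (now - k * ONE_HOUR, spike_bytes if k < spike_hours else bytes_per_hour)
        for k in range(gap_hours, hours)
    ]


if __name__ == "__main__":
    cases = [
        ("steady", hourly_samples(EXAMPLE_NOW, 168, 10 * MB), True),
        ("volume doubled for a day",
         hourly_samples(EXAMPLE_NOW, 168, 10 * MB, spike_hours=24, spike_bytes=20 * MB), True),
        ("quiet for 3 hours", hourly_samples(EXAMPLE_NOW, 168, 10 * MB, gap_hours=3), True),
        ("instance powered off", hourly_samples(EXAMPLE_NOW, 168, 10 * MB), False),
    ]
    for label, samples, online in cases:
        print(f"{label:24s} -> {classify(samples, EXAMPLE_NOW, online)}")
```

The Warning rule compares the last 24 hours against a daily average that includes those same 24 hours, so a steady feed can never trip it; only a real change in volume does, which is what makes it a useful signal for both runaway logging and a noisy host.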



View Log Collections Projections


You can use these instructions to review AMP’s prediction regarding future log collection. You can use this information to estimate log collection cost.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Retention Plan.
  4. In the bottom of the screen, review the Total Log Storage graph. 
    • The dotted line indicates AMP’s prediction for your future log collections.


Review Log Retention Plans


Plan name / Log retention rate / Description

Log Management Essentials (30 days)

This plan collects and stores your default log types for 30 days, which you can view in AMP.

By default, users are automatically subscribed to this plan.

To make sure that you do not pass the default log collection limit, Armor recommends that you review the:

  1. Daily Log Storage Usage graph in the Summary section
  2. Total Log Storage graph in the Retention Plan section

Compliance Professional (13 months)

This plan collects and stores your default log types for 13 months at an additional cost.

Logs from the previous 30 days are visible in AMP; however, to view logs older than 30 days, you must send a support ticket.

For existing virtual machines:

After you select this plan, existing virtual machines will not be automatically enrolled in this plan; you must update each virtual machine separately.

To learn more, see Upgrade log retention for existing virtual machines.

For future virtual machines:

After you select this plan, new virtual machines will be automatically enrolled in this plan.

To learn more, see Upgrade log retention for new virtual machines.



Upgrade Default Log Retention for Existing Virtual Machines


You can use these instructions to upgrade the default log retention rate for an existing virtual machine.  

In order to add and update your plan, you must have the following permissions assigned to your account:

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read Log Management
  • Write Log Management

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Agent Sources
  4. Locate and hover over the desired virtual machine. 
  5. Click the vertical ellipses. 
  6. Select Upgrade Plan
  7. Review the pricing information, and then select Upgrade Local Storage Plan
  8. (Optional) Repeat these steps for additional existing virtual machines. 



Upgrade Default Log Retention for New Virtual Machines 


You can use these instructions to update the default log retention plan for future virtual machines. In short, after you perform this step, any virtual machine you create afterwards will be automatically enrolled in the 13-month log retention plan. 

For pricing information, please contact your account manager.

Existing virtual machines will not be upgraded. To upgrade the log retention rate for existing virtual machines, you must update each existing virtual machine individually.

To learn more, see Upgrade log retention for existing virtual machines.

In order to add and update your plan, you must have the following permissions assigned to your account:

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read Log Management
  • Write Log Management

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click Retention Plan
  4. For Compliance Professional, click Choose This
  5. Review the product information, and then click Select Plan.  
    • Now when you create a virtual machine, the machine will be automatically enrolled in this updated log retention plan. 
    • To learn how to create a virtual machine, see ANYWHERE Virtual Machines or Virtual Machines.



Extract Logs


Customers who are enrolled in Armor's 13-month log retention plan can request to have logs extracted through Armor Support after 40 days of log collection. 

For more information on log retention plans, see Review log retention plans.

To learn how to submit a request to Armor Support, see Create a support ticket

Review the following requirements before submitting your log extraction request to Armor Support.

Review Requirements

Requirement type / Description

Supported storage methods

S3 bucket:

  1. A globally unique S3 bucket name must be provided to Armor Support
  2. Access to the S3 bucket must be provided (IAM)
    1. Access keys
  3. File type: JSON

Physical hard drive:

  1. File type: JSON

Unsupported storage methods

Armor does not support the following storage methods:

  1. Azure Blobs
  2. GCP Storage
  3. CSV format (Excel)
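
The S3 option means handing a bucket name and IAM access keys to a third party, so the grant behind those keys should cover only the export bucket and prefix. The Python below is an added example, not Armor's tooling or guidance: it builds a policy scoped to one bucket and one prefix, places it beside the over-broad "all of S3" policy it replaces, and runs a small audit over both. The action set is an assumption made for the example (listing the export prefix plus writing objects under it); the page does not state which actions Armor's extraction process needs, so the exact set is something to confirm with Armor Support before the keys are issued. Bucket and prefix names are constructed.

```python
"""Added example (not from the Armor documentation).

Least-privilege IAM policy for the S3 bucket that receives extracted logs,
alongside the over-broad policy it replaces, with a checker for both.
Assumed action set: s3:ListBucket on the export prefix and s3:PutObject
under it. Bucket and prefix names below are constructed for the example.
"""
import json


def extraction_policy(bucket: str, prefix: str) -> dict:
    """Grant for the extraction principal: list only the export prefix and
    write only under it; nothing else in the account is reachable."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListExportPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "WriteExportObjectsOnly",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def policy_json(bucket: str, prefix: str) -> str:
    """The same policy as a JSON document ready to paste into IAM."""
    return json.dumps(extraction_policy(bucket, prefix), indent=2)


# Constructed "before" policy of the kind often handed over for convenience:
# every S3 action on every bucket in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def audit_policy(policy: dict) -> list:
    """Findings for Allow statements that use a wildcard action or resource,
    or that grant read/delete rights a write-only export does not need."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
            if action in ("s3:GetObject", "s3:DeleteObject"):
                findings.append(f"statement {i}: {action} is not needed for a write-only export")
        for resource in resources:
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    print(policy_json("example-export-bucket", "armor-logs"))
    print("scoped policy findings:   ", audit_policy(extraction_policy("example-export-bucket", "armor-logs")))
    print("over-broad policy findings:", audit_policy(OVERBROAD_POLICY))
```

Pair the policy with a dedicated IAM user or role that holds nothing else, so that revoking the access keys after the extraction completes removes the grant entirely.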



Troubleshooting

If you do not see any data in the Search section or the Sources section of the Log & Data Management screen, consider that:

  1. The selected date range does not contain any data.
  2. The virtual machine may be powered off. 
  3. You do not have permission to view log data.
    1. You must have the Read Log Management permission enabled to view log data. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions.

If you cannot add or update your plan, consider that you may not have permission to update your plans. You must have the following permissions enabled:

  1. Read Log Management Plan Selection
  2. Write Log Management Plan Selection
  3. Read Log Management
  4. Write Log Management


Related Documentation 

To learn how to collect and send additional log types to AMP, see Introduction to Log Relay.



