Knowledge Base
Feedback
Have a suggestion for the Armor Knowledge Base?
Send a message to kb@armor.com.
To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
You can use this document to learn about the specific, high-level steps needed to send additional log types to Armor's Security Information & Event Management (SIEM).
At a high level, you must:
- Obtain Log Relay
- Create a remote Log Relay
- Configure a remote Log Relay
Before you begin:
For Armor Complete users, you must already have a virtual machine in your account
- To learn how to create a virtual machine, see Virtual Machines.
For Armor Anywhere users, you must already have downloaded and installed the Armor Agent.
- To learn how to download the Armor Agent, see Install the Armor Anywhere agent (Linux).
For introductory information on Log Relay, see Introduction to Log Relay.
Step 1: Review Requirements
| Requirement Type | Product Compatibility | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Supported Devices |
| You can only convert Linux machines that are in an OK state. To learn more about the health status of a virtual machine, see Health Overview Dashboard or ANYWHERE Health Overview Dashboard. | ||||||||||||
Pricing Information |
| While log collection is available to all users, there is a cost associated with sending and storing logs. For pricing information, please contact your Account Manager. | ||||||||||||
Permissions |
| In order to use Log Relay, you must have the following permissions included in your account:
To learn more about permissions, see Roles and Permissions. | ||||||||||||
Log Retention Plan |
| Virtual machines that are converted to a log relay device will be automatically enrolled in the Compliance Professional plan. This plan:
For pricing information, please contact your Account Manager. | ||||||||||||
Firewall Rules |
| Armor Anywhere users must add the following generic firewall rules:
The above-mentioned ports do not provide security analytics. To receive security analytics for logs from supported remote log devices, you must add additional firewall rules; these additional ports are described in the configuration documents listed in Step 4: Configure a remote log source (remote Log Relay). For non-supported remote log sources, collected logs will not receive any security analytics. To learn more about firewall rules, see Requirements for Armor Anywhere. |
Step 2: Obtain Log Relay
When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc.
Option 1: For Armor Anywhere users
- In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
- Click Virtual Machines.
- Locate and hover over the desired virtual machine.
- Click the vertical ellipses.
- Click Convert to Log Relay.
- Review pricing information, and then click Convert VM to Log Relay.
- You will be redirected to the Virtual Machines screen.
- You will be redirected to the Virtual Machines screen.
- Under Type, the virtual machine will be labeled as Log Relay. (By default, the Armor agent will update the virtual machine within 15 minutes.)
Option 2: For Armor Complete users
Use the PUT Assign Log Collector API call to add Log Relay to your account.
In some cases, the terms Log Depot, Host Log Collector, or Log Relay may be used interchangeably.
Method / Type PUT API Call / URL /vms/core/{coreInstanceId}/profile
Parameters You must enter your virtual machine's coreInstanceId.
To locate this ID, in AMP, access the Virtual Machine screen, click the desired virtual machine to expand, and then copy the Agent ID. The Agent ID is a combination of numbers and letters.
Full API Call / URL PUT https://api.armor.com//vms/core/1gfh39d-hdd78-dhd73-434/profile
- Contact Armor Support to add a custom file path via a host log collector.
Step 3: Create a remote log source (remote Log Relay)
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click External Sources.
- If you do not see any data, then click Let's Get Started.
- Click External Sources.
- Click the plus ( + ) icon.
- If you do not have any log sources already created, then click Add a New Log Source.
Step 4: Configure a remote log source (Remote Log Relay)
Based on your specific log type, review the following options to create and configure a remote log source:
| Log type | Additional information | Detailed instructions |
|---|---|---|
| AWS CloudTrail | For this log type, you must be able to:
| Create a remote log source (AWS CloudTrail) |
| AWS GuardDuty | For this log type, you must be able to:
| Create a remote log source (AWS GuardDuty) |
| AWS WAF | For this log type, you must be able to:
| Create a remote log source (AWS WAF) |
| Cisco ASA | For this log type, you must be able to:
| Create a remote log source (Cisco ASA) |
| Cisco ISR | For this log type, you must be able to:
| Create a remote log source (Cisco ISR) |
| Juniper | For this log type, you must be able to:
| Create a remote log source (Juniper) |
| Fortinet FortiGate | For this log type, you must be able to:
| Create a remote log source (Fortinet Security Gateway) |
Troubleshooting
In general, if you are having issues adding Log Relay to a remote log device, consider that:
You need to update your permissions in AMP.
- In AMP, you must have the following permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
Delete Log Relays
To add permissions to your account:
- In the Armor Management Portal (AMP), in the left-side navigation, click Account.
- Click Roles + Permissions.
- Locate and select your role.
- Mark the above-mentioned AMP permissions.
- Click Save Role in the bottom of the screen.
Additional troubleshooting information is located in the specific remote log source documentation.
