Overview

...

Note

To use the features described in this document, you must have the Write LogManagement permission assigned to your account.

Overview

You can use the Log Relay add-on product to securely store file-based application logs with Armor for 30 days or 13 months, depending on your log retention plan.

You can send the following log types:

  • File-based logs
  • CloudTrail logs
  • Azure Monitor logs
     

...


Log Relay

...

  • Collects only single-line log formats.
  • Does not provide security analysis, parsing, or awareness of log content.
  • Can store up to 10,000 logs.

At a high level, to use Log Relay, you must:

  • Order Host Log

...

  1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
  2. Click Log Management
  3. Click Activate Log Depot
  4. Review the product information, and then click Purchase
  5. (Optional) To deactivate, submit a support ticket. 

Global Log Search

You can filter by linux-logs, wineentlog, linux-log, and log-depot.

  • Collector
  • Send logs to Armor

Note

In some cases, the terms Log Depot, Host Log Collector, or Log Relay may be used interchangeably.

Note

For pricing information, please contact your account manager.

Review pricing information

Host Log Collector's prices are based on a subscription (base) charge and an overage (tiered) charge. 

The monthly subscription charge includes up to 25GB of storage. Additional storage above 25GB will be charged on a tiered level. 

Review the following table to understand the pricing structure:

SKU                  | $/Month | £/Month
LD Base Subscription | $200    | £155

Tier                                       | $ per GB            | £ per GB               | Tier Discount
0GB - 25GB (Included in Base Subscription) | Included (is $8/GB) | Included (is £6.20/GB) | -
26GB - 50GB                                | $7.20               | £5.58                  | 10%
51GB - 100GB                               | $6.56               | £5.08                  | 18%
101GB - 250GB                              | $6.08               | £4.71                  | 24%
251GB - 500GB                              | $5.60               | £4.34                  | 30%
501GB - 1000GB                             | $5.28               | £4.09                  | 34%
1001GB+                                    | $5.12               | £3.97                  | 36%


Order Log Relay for Host Log Collection

...


Step 1: Add Log Relay

Use the Post Host Log Collector (Activate) API to add Host Log Collector to your account. 

Method / Type: POST
API call / URL: /log-management/log-depot/activate
Parameters: There are no parameters for this API call.

Full API call / URL:

POST https://api.armor.com/log-management/log-depot/activate

Sample 200 return:

{
  "accountId": 0,
  "modifiedByUserId": 0,
  "modifiedDate": "2017-10-23T16:35:13.540Z",
  "isEnabled": true
}
Note
To learn more about this API call, see Post Host Log Collector (Activate)
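The following script is an added example, not Armor's own code, showing how a practitioner would drive the activate call from a workstation and confirm the "isEnabled" field of the 200 reply before moving on to Step 2. The page does not document how the API authenticates, so the bearer token in the Authorization header, the ARMOR_TOKEN and ARMOR_API variables, and the SAMPLE_REPLY constant (built from the documented 200 return) are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Armor's own tooling): activate Log Relay through
# POST /log-management/log-depot/activate and verify the reply.
# Assumptions: the API is reachable at $ARMOR_API and accepts a bearer
# token in the Authorization header (authentication is not documented
# on this page, so adjust the header to what your account actually uses).
set -eu

ARMOR_API="${ARMOR_API:-https://api.armor.com}"

# Returns 0 if the JSON body reports "isEnabled": true, 1 if it reports
# false, and 2 if the field is absent. Whitespace-tolerant, no jq needed.
log_depot_enabled() {
  local body="$1"
  if printf '%s' "$body" | grep -Eq '"isEnabled"[[:space:]]*:[[:space:]]*true'; then
    return 0
  elif printf '%s' "$body" | grep -Eq '"isEnabled"[[:space:]]*:[[:space:]]*false'; then
    return 1
  fi
  return 2
}

# POST to the activate endpoint and print the response body.
# --fail makes curl exit non-zero on a 4xx/5xx status.
activate_log_depot() {
  curl -sS --fail -X POST \
    -H "Authorization: Bearer ${ARMOR_TOKEN:?set ARMOR_TOKEN}" \
    -H "Accept: application/json" \
    "${ARMOR_API}/log-management/log-depot/activate"
}

# Constructed sample reply, taken from the documented 200 return above.
SAMPLE_REPLY='{ "accountId": 0, "modifiedByUserId": 0, "modifiedDate": "2017-10-23T16:35:13.540Z", "isEnabled": true }'

main() {
  local body
  body="$(activate_log_depot)"
  if log_depot_enabled "$body"; then
    echo "Log Relay is enabled for this account"
  else
    echo "Log Relay is NOT enabled; reply was: $body" >&2
    exit 1
  fi
}

# Call the live API only when a token is present; otherwise check the
# parser against the constructed sample so the script runs offline.
if [ -n "${ARMOR_TOKEN:-}" ]; then
  main
else
  log_depot_enabled "$SAMPLE_REPLY" && echo "no ARMOR_TOKEN set: offline check of the sample reply passed"
fi
```

Run it with ARMOR_TOKEN exported to activate for real; without a token it only exercises the reply check, which is the part worth scripting into a provisioning pipeline so a silent "isEnabled": false does not go unnoticed.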


Step 2: Send Logs to Armor

  1. Contact Armor Support to add a custom file path via a host log collector.


Option 1: For Windows users

To use these instructions, you must have PowerShell administrator access.

  1. Log into the server instance that contains the Armor agent.
  2. Stop the agent with the following command: 
    • spsv armor-agent
  3. Run the agent policy command to add log policies. You can use the following commands as an example: 
    • For filelog type, run C:\.armor\opt\armor policy filelog add --path C:\inetpub\logs\web1.log --category web --tags web1,iis

    • For eventlog type, run C:\.armor\opt\armor policy eventlog add --name Application --category app --tags app
    • Category is required. You must label your logs based on one of the following categories: app, db, machine-data, platform, user, or web. 
    • Tags are optional. 
  4. Sync the agent's policy to the API with the following command:
    • C:\.armor\opt\armor policy filelog sync
  5. Restart the agent with the following command: 
    • sasv armor-agent
  6. (Optional) To review any collected host log files:
    1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
    2. Click 

...

    1. Log & Data Management
    2. Click Search.
    3. Use the filter function to select Log Relay.

Send and store your logs

After you have received confirmation from Armor Support, you can send your logs via the command line. 

https://kb.firehost.co/display/AA/Log+Depot+Service+Description


You can also send file-based logs, CloudTrail logs, and Azure Monitor logs to Armor for 13-month storage.


Option 2: For Linux users

To use these instructions, you must have sudo access. 

Note

Review the following example to understand how to send logs to Armor: /opt/armor/armor policy filelog add --path /var/log/dpkg.log --category platform --tags Ubuntu

Text                                | Description
/opt/armor/armor policy filelog add | Base command.
--path /var/log/dpkg.log            | The location of the file to collect.
--category platform                 | The type (category) of the logs. Category is required; you must label your logs with one of the following categories: app, db, machine-data, platform, user, or web.
--tags Ubuntu                       | Tags are optional. In the Search screen, you can search by tags.

  1. Log into a server instance that contains the Armor agent. 
  2. Stop the agent with the following command: 
    • service armor-agent stop
  3. Run the agent policy command to add log policies. You can use the following command as example: 
    • /opt/armor/armor policy filelog add --path /var/log/app.log --category app --tags app,app1
      • Category is required. You must label your logs based on one of the following categories: app, db, machine-data, platform, user, or web. 
      • Tags are optional.
  4. Sync the agent's policy to the API with the following command: 
    • /opt/armor/armor policy filelog sync
  5. Restart the agent with the following command: 
    • service armor-agent start
  6. (Optional) To review any collected host log files:
    1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
    2. Click Log & Data Management
    3. Click 

...

    1. Search
    2. Use the filter function to select Log Relay
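The script below is an added example, not Armor's own tooling, that wraps the Linux procedure in Step 2 (stop the agent, add filelog policies, sync, restart) with the checks a practitioner would want before handing a path to the collector: the required category is validated against the six documented values, and the file is scanned for continuation lines because Log Relay collects only single-line log formats. The Windows procedure above is the same sequence with C:\.armor\opt\armor and the spsv/sasv PowerShell aliases in place of /opt/armor/armor and service. The ARMOR_BIN override, the "path:category:tags" spec format, and the leading-whitespace heuristic for multi-line entries are this example's assumptions, not documented agent behaviour.

```bash
#!/usr/bin/env bash
# Added example (not Armor's own tooling): guarded wrapper around the
# Linux Log Relay procedure. ARMOR_BIN may be overridden (for example to
# "echo") to dry-run the commands; the agent itself is not touched then.
set -eu

ARMOR_BIN="${ARMOR_BIN:-/opt/armor/armor}"
# Category is required and must be one of these documented values.
ALLOWED_CATEGORIES="app db machine-data platform user web"

valid_category() {
  local c
  for c in $ALLOWED_CATEGORIES; do
    [ "$1" = "$c" ] && return 0
  done
  return 1
}

# Log Relay collects single-line formats only. Heuristic (assumption):
# a line that starts with whitespace is a continuation line, as in a Java
# stack trace, so the collector would capture such entries incompletely.
# Prints the number of continuation lines and returns 1 if any were found.
check_single_line() {
  local n
  n=$(grep -c '^[[:space:]]' "$1" || true)
  echo "$n"
  [ "$n" -eq 0 ]
}

# Builds and runs "armor policy filelog add"; tags are optional.
add_filelog_policy() {
  local path="$1" category="$2" tags="${3:-}"
  [ -r "$path" ] || { echo "not readable: $path" >&2; return 1; }
  valid_category "$category" || {
    echo "invalid category '$category' (allowed: $ALLOWED_CATEGORIES)" >&2
    return 1
  }
  check_single_line "$path" >/dev/null ||
    echo "warning: $path contains multi-line entries; Log Relay collects only single-line formats" >&2
  if [ -n "$tags" ]; then
    "$ARMOR_BIN" policy filelog add --path "$path" --category "$category" --tags "$tags"
  else
    "$ARMOR_BIN" policy filelog add --path "$path" --category "$category"
  fi
}

# Full procedure from Step 2: stop, add each "path:category[:tags]" spec,
# sync the policy to the API, restart. Example spec: /var/log/app.log:app:app,app1
relay_logs() {
  local spec
  service armor-agent stop
  for spec in "$@"; do
    add_filelog_policy "${spec%%:*}" "$(echo "$spec" | cut -d: -f2)" "$(echo "$spec" | cut -d: -f3-)"
  done
  "$ARMOR_BIN" policy filelog sync
  service armor-agent start
}

# Only run the live procedure when specs are passed on the command line.
if [ "$#" -gt 0 ]; then
  relay_logs "$@"
fi
```

Usage: sudo ./relay_logs.sh /var/log/app.log:app:app,app1 /var/log/dpkg.log:platform:Ubuntu. Running with ARMOR_BIN=echo first shows exactly which policy commands would be issued without stopping the agent's collection.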



...

Log Relay is an add-on, at an extra charge, that lets you send any file-based, CloudTrail, or Azure Monitor log you want to Armor for 13 months of storage. It does not include any security analysis, parsing, or awareness of log content, but the stored logs are displayed in AMP. Log Relay does not change how Armor currently analyzes OS security logs.

https://kb.firehost.co/display/AA/Log+Depot+Positioning

https://kb.firehost.co/display/AA/Log+Depot

Review Additional Agent-Related Commands

...

Review the following table to better understand how to interact with the agent via the command line: 

Command                                 | Description
armor -h                                | Displays the agent's help dialog.
armor policy -h                         | Displays the agent's policy help dialog.
armor policy filelog -h                 | Displays the agent's policy filelog help dialog.
armor policy filelog add -h             | Displays the agent's policy filelog add help dialog.
armor policy filelog add --path [path]  | Adds a filebeat logging policy with the user-defined path, category, and tag(s).
armor policy eventlog add --name [name] | Adds a (Windows) eventlog logging policy with the user-defined event log name, category, and tag(s).
armor policy show                       | Displays command functionality and syntax available at the command line. "show" can be added to any level of command to help drive user input.
armor policy sync                       | Synchronizes the local Armor CORE Agent with API services to pull down the latest policy version.

Troubleshoot Log Search section of the Log Management screen

If you do not see any data in the Search section of the Log & Data Management screen, consider that

  • You did not order Log Relay. 
  • You did not properly sync Log Relay to collect logs. 
  • The selected date range does not contain any data.
  • You do not have permission to view log data.
    • You must have the Write LogManagement permission enabled to access the Search section. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions.


