| Note |
|---|
To fully use this screen, you must add the following permissions to your account: - Read LogManagement
- Write LogManagement
- Read Log Management Plan Selection
- Write Log Management Plan Selection
|
You can use the Log & Data Management screen to: - View collected logs in the Search section
- View the status of the logging subagent in the Sources section
By default, Armor collects and retains the following log types for 30 days: CentOS/RHEL | Ubuntu/Debian | Windows |
|---|
/var/log/secure /var/log/messages /var/log/audit.log /var/log/audit/audit.log /var/log/yum.log | /var/log/auth.log /var/log/syslog | System Event Log Security Event Log |
| Anchor |
|---|
| View collected logs |
|---|
| View collected logs |
|---|
|
Search for Collected Logs
| Note |
|---|
The Armor Management Portal (AMP) only displays logs from the previous 30 days. |
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Search.
- Enter separate search terms within quotation marks.
- Enter exact search terms, including letter capitalization.
Column | Description |
|---|
| Date | This column displays the date and time when Armor received the corresponding log. | | Source | This column displays the name data shows the IP address of the virtual machine that generated the log. | | Message | This column displays the specific log message. |
| Note |
|---|
To better understand how to perform successful searches, consider the following sample log message:2019-04-08T18:46:09Z INFO No non-zero metrics in the last 30s In a log message, spaces between words indicates a separate search term. For instance, there are no spaces in 2019-04-08T18:46:09Z. As a result, 2019-04-08T18:46:09Z is considered one search term. In this example, to search for dates, you must enter the complete and exact date; you cannot perform searches with partial search terms, such as 2019-04. Successful search parameters | Unsuccessful search parameters | Description |
|---|
| | If the search term contains special characters, such as a colon, then you must perform the search with quotation marks ( " " ). Also, in this example, the complete search term is 2019-04-08T18:46:09Z. You cannot perform a search on partial search terms, such as 2019.
| | | You cannot perform a search on partial search terms. In this example, the complete search term is INFO, not INF. | | | You can search for different search terms by separating terms with quotation marks. In this example, the complete search term is 30s, not 30. You cannot perform searches with partial search terms. | | | Similar to the use of quotation marks, you can also use an asterisk ( * ) to perform a wildcard search for strings. A wildcard search may take a few more seconds to complete. |
|
| Anchor |
|---|
| View logging subagent status |
|---|
| View logging subagent status |
|---|
|
View Logging Subagent Status
You can use these instructions to review the logging status of your virtual machines. Specifically, you can verify if your virtual machine is sending logs to Armor. - In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Agent Sources.
Column | Description |
|---|
| Name | This column displays the name of the virtual machine or instance that contains the Armor agent. You can click a specific virtual machine to access the Virtual Machines screen. | | Type | This column displays if the virtual machine or instance has been converted to a log collecting device, also known as Log Relay. | | Last Log Received | This column displays the date and time when Armor last received a log. | | Retention Type | This column displays the length of time that Armor keeps logs.
By default, the Armor Management Portal (AMP) retains log status and details for the previous 30 days. To review logs older than 30 days for a specified instance, see Review log retention plans. | | Average Size | This column displays the average size of the collected logs. | | Log Status | This column displays the status of the logging subagent. - Online indicates the agent has sent logs within the past hour.
- Warning indicates the agent in the past 24 hours has sent logs that exceeds the 7-day moving average by 10% or more.
- Critical indicates the agent has not sent logs within the past hour.
- Offline indicates the agent (or the instance) is offline.
|
| Anchor |
|---|
| View log collections projections |
|---|
| View log collections projections |
|---|
|
View Log Collections Projections
| Excerpt Include |
|---|
| ESLP:View log collection projections (snippet) |
|---|
| ESLP:View log collection projections (snippet) |
|---|
| nopanel | true |
|---|
|
| Anchor |
|---|
| Review log retention plans |
|---|
| Review log retention plans |
|---|
|
Review Log Retention Plans
| Plan name | Log retention rate | Description |
|---|
| Log Management Essentials | 30 days | This plan collects and stores your default log types for 30 days, which you can view in AMP. By default, users are automatically subscribed to this plan. | Note |
|---|
To make sure that you do not pass the default log collection limit, Armor recommends that you review the: - Daily Log Storage Usage graph in the Summary section
- Total Log Storage graph in the Retention Plan section
|
| | Compliance Professional | 13 months | This plan collects and stores your default log types for 13 months at an additional cost. Logs from the previous 30 days are visible in AMP; however, to view logs older than 30 days, you must send a support ticket. | Note |
|---|
For existing virtual machines: After you select this plan, existing virtual machines will not be automatically enrolled in this plan; you must update each virtual machine separately. To learn more, see Upgrade log retention for existing virtual machines. |
|
| Anchor |
|---|
| Upgrade log retention for existing virtual machines |
|---|
| Upgrade log retention for existing virtual machines |
|---|
|
Upgrade Default Log Retention for Existing Virtual Machines
| Excerpt Include |
|---|
| ESLP:Upgrade log retention for existing virtual machines (snippet) |
|---|
| ESLP:Upgrade log retention for existing virtual machines (snippet) |
|---|
| nopanel | true |
|---|
|
| Anchor |
|---|
| Upgrade log retention for new virtual machines |
|---|
| Upgrade log retention for new virtual machines |
|---|
|
Upgrade Default Log Retention for New Virtual Machines
You can use these instructions to update the default log retention plan for future virtual machines. In short, after you perform this step, any virtual machine you create afterwards will be automatically enrolled in the 13-month log retention plan. | Note |
|---|
For pricing information, please contact your account manager. |
| Excerpt Include |
|---|
| ESLP:Upgrade default log retention for new virtual machines (snippet) |
|---|
| ESLP:Upgrade default log retention for new virtual machines (snippet) |
|---|
| nopanel | true |
|---|
|
| Anchor |
|---|
| Export log service status |
|---|
| Export log service status |
|---|
|
Export Log Service Status
| Excerpt Include |
|---|
| ESLP:Export log service status (snippet) |
|---|
| ESLP:Export log service status (snippet) |
|---|
| nopanel | true |
|---|
|
| Info |
|---|
| Anchor |
|---|
| Troubleshooting |
|---|
| Troubleshooting |
|---|
|
TroubleshootingIf you do not see any data in the Search section or the Sources section of the Log & Data Management screen, consider that: - The selected date range does not contain any data.
- The virtual machine may be powered off.
- You do not have permission to view log data.
- You must have the ReadLogManagement permission enabled to view log data. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions.
If you cannot add or update your plan, consider that you do not have permission to update your plans. You must have the following permissions enabled: - Read Log Management Plan Selection
- Write Log Management Plan Selection
- Read LogManagement
- Write LogManagement
|
To learn how to collect and send additional log types to AMP, see Introduction to Log Relay.
Was this helpful?
|
