Convert a virtual machine into a log collecting device through Log Relay (Armor Anywhere)

Overview

You can use the Log Relay feature to convert a virtual machine into a log collecting device that forwards logs to the Armor Management Portal (AMP). Within AMP, Armor securely stores, reviews, and analyzes supported log types.

Note

In some cases, the term Log Collection or Log Collector may be used instead of Log Relay.


...

Add Log Relay

Step 1: Review requirements

Firewall rules

You must add the following firewall rules: 

...

Note
To learn more about firewall rules, see Requirements for Armor Anywhere.

...

Permissions

You must have the Write Virtual Machine permission included in your account in order to use Log Relay. 

Note
To learn more about permissions, see Roles and permissions (Armor Anywhere).

...

Supported Devices

The virtual machine that you convert into a Log Relay must run a Linux operating system with the Armor Anywhere agent installed.

Once converted, the Log Relay can collect logs from devices that do not have the Armor Anywhere agent, such as WAFs or next-generation firewalls.

...

Pricing information 

While Log Relay is available to all Armor Anywhere users, there is a cost associated with sending and storing logs. 

For pricing information, please contact your Account Manager.

...

Step 2: Configure your virtual machine

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and hover over the desired virtual machine.
  4. Click the vertical ellipses.
  5. Click Convert to Log Relay.
  6. Review the product information, and then click Convert VM to Log Relay.
    • By default, the Armor agent will update the virtual machine within 15 minutes.

...

Step 3: View collected logs

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and select the desired virtual machine.
    • You will be taken to the Log Collection screen to view the Log Volume graph and table.

      Graph: The Log Volume graph displays the amount of logs that Armor is receiving on a daily basis.

      Table:
        Column             Description
        Source Name        The name of the virtual machine that is collecting and sending logs.
        Number of Events   The number of logs collected.
        Last Log Received  The date and time that Armor last received a log.

...

Remove Log Relay

If you remove the log relay feature from a virtual machine, Armor will still retain the collected logs. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and hover over the desired virtual machine. 
  4. Click the vertical ellipses. 
  5. Click Remove Log Relay.
  6. Click Remove Log Relay Services.  

...

Troubleshoot Log Relay

If you do not see any data in the Log Collection screen for Log Relay, consider that:

  • Your instance is powered off.
    • To review the status of your instance, in the left-side navigation, click Infrastructure, and then click Virtual Machines.
    • For more information, see Virtual Machines (Armor Anywhere).
  • You do not have permission to view and configure this screen.
    • You must have the Write Virtual Machine permission enabled. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and permissions (Armor Anywhere).

...


Frequently Asked Questions

How does the Log Management feature help me as an Armor customer?

Armor’s Log Management feature was built with ease, simplicity, and security value in mind for our customers. Using our logging sub-agent, customers can now convert any VM with an Armor Agent to a log management box, enabling you to send anything from the logs of your new WAF to PaaS logs such as AWS CloudTrail. This allows Armor to provide you with security analytics and remediation tuned to the breadth of your full environment.


How do I convert a VM into a Log Management device?

First, please make sure you have installed the Armor Agent on one of your virtual machines using the instructions provided for you within the Armor Management Portal (AMP). After you have done this, visit the Virtual Machines page in the Infrastructure section of AMP. You will see your VM. Click into it, and you will see a settings cog. Click that cog, and a pop-out option to convert to log collector will appear. On the following screen you will see more detailed information about how the service works and any port forwarding requirements needed to run the service. After you have set up the Log Management service, you will see telemetry data for that log collector whenever you click into the VM detail page from the VM infrastructure page.


How many logs can I send Armor?

Armor will ingest and store as many logs for you as you would like. Armor's Log Management feature is a usage-based component of AMP. As a customer, you pay us based on how much you use.


What telemetry data is shown to me in AMP around the Log Management service?

AMP shows you data about daily log volume by hour, sources, events per source, and top sources by index size and EPS calculations. We also have implemented robust search and filtering capabilities allowing you to easily search logs for audit purposes.


What Log Management functionality is available via API?

Most crucial functions are covered in our Swagger API. You can find this documentation at https://developer.armor.com. Common examples of Log Management API use are converting a VM to a log collector and retrieving telemetry data.


What security analysis do Armor and its SOC perform on logs ingested through Log Management?

This depends on how you decide to leverage our Log Management service. Armor will ingest and store logs for you for compliance requirements. For example, customers focused on compliance requirements can count on Armor's Spartan platform, SIEM and SOC to evaluate log data from any system it has a pre-defined connector for to identify Indicators of Compromise (IOC). Any other data will be stored based on your usage of the service for compliance requirements only.

In another scenario, if you choose to engage Armor to build a data parsing engine for your log source, we will build a pipe connecting your log source to our platform and custom tune that pipe using Armor's knowledge of your environment through the Armor security services. This allows our SOC to build rules into our correlation and analytics engines to provide you the best view of your current security posture and remediation efforts in the event of a compromise. In this case, you would get Armor's full security value out of any log source you onboard with us.


What Log Sources does Armor support with its Log Management service?

Armor's Log Management feature natively supports logs coming from Armor's core security services (FIM, Malware Prevention, IDS, etc.), AWS CloudTrail logs, Fortinet WAFs, and Imperva WAFs. Armor customers can engage Armor's development team to build connectors to other log sources in their environment, such as OS, application and authentication logs. 



...