
Step 1: Review compatible log source types

Step 2: Create an endpoint

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Endpoint.
  4. Click the plus ( + ) sign.
    • If you do not have any endpoints already created, then click Add a New Log Endpoint.
  5. Complete the missing fields:
    • In Public IP, enter the public IP address that Armor will connect to.
    • In Private IP, enter the private IP address that Armor will connect to.
    • In Password and Confirm Password, create and enter a password for your device.
  6. Click Save Log Endpoint.
    • After you create an endpoint, it is assigned a Pending status. After the endpoint has been provisioned, the status changes to Online. You cannot select a Pending endpoint.

Before you create a remote log collector, review the following:



Note

Although the following log types are available in AMP, not every log type will be subjected to Armor's full security process.

Note

Syslog collection is a separate service. As a result, Syslog collection is a shared responsibility between you and Armor. Syslog collection may be subject to additional costs.


Syslog

TLS Syslog


Step 3: Create a remote log source

There are three options:

  • Create a remote log source for a non-AWS environment
  • Create a remote log source for an AWS environment
  • Create a remote log source to collect Windows logs

Option 1: Create a remote log source for a non-AWS environment

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Sources.
  4. Click the plus ( + ) sign.
    • If you do not have any log sources already created, then click Add a New Log Source.
  5. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created.
    2. In Log Source Type, select the type of log source.
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must exactly match the letter casing of the hostname in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
  6. Click Save Log Source.
  7. In the Sources screen, refresh the screen until the log source reaches an Online status.
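The hostname requirement above (the AMP Hostname must match, case-sensitively, the hostname in the messages the device actually sends) is the usual reason a log source never reaches Online. The following Python check is added here and is not part of the Armor documentation or product: it parses the HOSTNAME field of RFC 5424 and RFC 3164 syslog lines and reports exact matches, case-only mismatches and other hostnames against the configured value; the sample lines and hostnames are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what a device might send to a Syslog / TLS Syslog
# log source whose Hostname field in AMP was set to "web01.example.com".
SAMPLE_LINES: List[str] = [
    "<34>1 2024-03-01T10:15:00Z web01.example.com sshd 1234 - - Accepted publickey for ops",
    "<34>Mar  1 10:15:01 WEB01.example.com sshd[1234]: Failed password for invalid user",
    "<13>Mar  1 10:15:02 db02.example.com cron[77]: job finished",
    "not a syslog line at all",
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"^<\d{1,3}>\d (?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (the day may be space-padded)
RFC3164 = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def syslog_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field of an RFC 5424 or RFC 3164 line, or None."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


def check_log_source(configured_hostname: str, lines: List[str]) -> Dict[str, object]:
    """Compare the Hostname configured on the AMP log source with the hostnames
    the device really sends. The comparison is case-sensitive, as the AMP
    instructions require; a case-only mismatch is reported separately because
    it is the first thing to check when a source never reaches Online."""
    exact, unparsed = 0, 0
    case_only, other = set(), set()
    for line in lines:
        host = syslog_hostname(line)
        if host is None:
            unparsed += 1
        elif host == configured_hostname:
            exact += 1
        elif host.lower() == configured_hostname.lower():
            case_only.add(host)
        else:
            other.add(host)
    return {
        "exact": exact,
        "case_only": sorted(case_only),
        "other": sorted(other),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = check_log_source("web01.example.com", SAMPLE_LINES)
    print(result)
    if result["case_only"]:
        print("Fix the AMP Hostname field or the device hostname:", result["case_only"])
```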


Option 2: Create a remote log source for an AWS environment

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Sources.
  4. Click the plus ( + ) sign.
    • If you do not have any log sources already created, then click Add a New Log Source.
  5. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created.
    2. In Log Source Type, select Amazon AWS CloudTrail.
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must exactly match the letter casing of the hostname in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
    5. In Account Number, enter your AWS account number, including any zero (0) prefix.
    6. In Region, select the region for your virtual machine.
  6. Click Save Log Source.
  7. In the Sources screen, refresh the screen until the log source reaches an Online status.
  8. Access the AWS console.
  9. In the AWS console, under Management & Governance, click CloudTrail.
  10. In the left-side navigation, click Trails.
  11. Click Create Trail.
  12. In Trail name, enter a descriptive name for your trail.
  13. Under Storage location, for Create a new S3 bucket, mark No.
  14. In the S3 bucket drop-down menu, select logs.armor.com.
  15. Click Create.


Option 3: Create a remote log source to collect Windows logs

Note

Armor does not support the managed deployment of the WinCollect platform. As a result, you can use the following instructions as basic guidance.

Armor Support will not deliver any registration keys to use with the WinCollect agents.

Armor officially supports Windows instances through one WinCollect agent per instance of Windows.

Although WinCollect supports event collection from multiple sources, the Armor API will still require a log source to be created per Windows system.

  1. Download and install the agent.
    • In this step, two files will be added to your local machine, including the WinCollect Standalone Patch installer. This GUI installer can be used to directly configure the WinCollect instance, as well as to pull logs from other Windows systems. (This process is not supported by Armor.)
  2. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  3. Click Log & Data Management.
  4. Click Sources.
  5. Click the plus ( + ) sign.
    • If you do not have any log sources already created, then click Add a New Log Source.
  6. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created.
    2. In Log Source Type, select Microsoft Windows Security Event Log.
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must exactly match the letter casing of the hostname in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
  7. Click Save Log Source.
  8. In the Sources screen, refresh the screen until the log source reaches an Online status.
  9. On your local machine, launch the WinCollect Configuration Utility GUI.
  10. In the left-side window, next to Destinations, click the ( + ) icon.
  11. Click Syslog TCP.
  12. In the top-right menu, click Add New Destination.
  13. Enter a descriptive name, such as Armor Defense Inc TLS, and then click Ok.
    • The properties screen will appear.
  14. Enter the fully qualified domain name (FQDN) for the event collector.
  15. Enter the port that was allocated for your Windows Event Log source.
  16. Configure a throttle limit, such as 500 EPS.
  17. Click Deploy Changes to save.
  18. In the left-side window, under Devices, right-click Microsoft Windows Event Log.
  19. Click Add New Device.
  20. Enter a descriptive name for your log source, such as the system name of your Windows host.
  21. In Device Address, enter the local system hostname for the logs to be collected.
  22. In Security, mark the box.
  23. (Optional) For a DNS, Active Directory, or File Replication server, mark the corresponding box.
  24. In Destinations, click Add.
  25. Select the name of the destination that you previously created, and then click Ok.
  26. In the top-right menu, click Deploy Changes.

Note

To use the command prompt:

  1. Gather the following information:
    • Hostname
    • Armor Collector FQDN
    • Armor Log Source Port
    • Windows Services Hosted by System
      • Active Directory Collector
      • DNS Server
      • File Replication Service
  2. Download and install the agent.
  3. Right-click the WinCollect agent installation file, and then select Run as administrator.
  4. Enter the following command into your command prompt, replacing <hostname>, <Armor_Collector_FQDN>, and <armor_port> with the values gathered in step 1, and setting the Log.DNS+Server, Log.File+Replication+Service, and Log.Directory+Service flags to true for the services that the system hosts:

    wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files\IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=<hostname>&Component1.LogSourceIdentifier=<Armor_Collector_FQDN>&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=<Armor_Collector_FQDN>&Component1.Dest.Port=<armor_port>&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875"""
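The silent-install command above is one long string that is easy to break by hand (a stray space or a missing quote silently changes which logs are collected). As an added example that is not part of the Armor documentation or of IBM's WinCollect tooling, the following Python assembles the command from the items gathered in step 1; the hosted_services keys (ad, dns, frs), the collector name collector.example.invalid and the port 12514 are assumptions for the demonstration, and the installer name keeps the page's placeholder.

```python
from typing import Dict, List, Tuple
from urllib.parse import quote_plus


def auto_creation_parameters(hostname: str, collector_fqdn: str, port: int,
                             hosted_services: Dict[str, bool]) -> str:
    """Build the LOG_SOURCE_AUTO_CREATION_PARAMETERS value from the items
    gathered in step 1. Keys and values are joined with '&' and spaces are
    encoded as '+', which is why the page shows Log.DNS+Server and
    High+Event+Rate+Server. hosted_services keys (assumed): "ad", "dns", "frs"."""
    if not hostname or not collector_fqdn:
        raise ValueError("hostname and collector FQDN are required")
    if not 1 <= port <= 65535:
        raise ValueError("port must be a valid TCP port")

    def flag(service: str) -> str:
        return "true" if hosted_services.get(service, False) else "false"

    params: List[Tuple[str, str]] = [
        ("AgentDevice", "DeviceWindowsLog"),
        ("Action", "create"),
        ("LogSourceName", hostname),
        ("LogSourceIdentifier", collector_fqdn),  # mirrors the page's command
        ("Dest.Name", "QRadar"),
        ("Dest.Hostname", collector_fqdn),
        ("Dest.Port", str(port)),
        ("Dest.Protocol", "TCP"),
        ("Log.Security", "true"),
        ("Log.System", "true"),
        ("Log.Application", "false"),
        ("Log.DNS Server", flag("dns")),
        ("Log.File Replication Service", flag("frs")),
        ("Log.Directory Service", flag("ad")),
        ("RemoteMachinePollInterval", "3000"),
        ("EventRateTuningProfile", "High Event Rate Server"),
        ("MinLogsToProcessPerPass", "1250"),
        ("MaxLogsToProcessPerPass", "1875"),
    ]
    return "&".join(f"Component1.{quote_plus(k)}={quote_plus(v)}" for k, v in params)


def silent_install_command(installer: str, hostname: str, collector_fqdn: str,
                           port: int, hosted_services: Dict[str, bool]) -> str:
    """Assemble the full command line in the page's form: the MSI properties
    sit inside /v"..." and the parameter list inside doubled quotes, so the
    command ends with three quote characters."""
    params = auto_creation_parameters(hostname, collector_fqdn, port, hosted_services)
    msi_props = (
        r'INSTALLDIR=\"C:\Program Files\IBM\WinCollect\" '
        "HEARTBEAT_INTERVAL=6000 "
        "LOG_SOURCE_AUTO_CREATION_ENABLED=True "
        f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{params}""'
    )
    return f'{installer} /s /v"/qn {msi_props}"'


if __name__ == "__main__":
    # Constructed values: a domain controller that also runs DNS.
    print(silent_install_command("wincollect-<version_number>.x86.exe", "DC01",
                                 "collector.example.invalid", 12514,
                                 {"ad": True, "dns": True, "frs": False}))
```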

View existing remote log sources

You can use these instructions to view existing remote log sources. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Sources.

...

This column displays the last log message that Armor received. There may be a five-minute delay between when Armor receives this information and when it is displayed in AMP.

View existing endpoints

You can use these instructions to view existing endpoints.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Endpoint.

...

This column displays the possible states of an endpoint, which can be:

  • Pending
  • Online
  • Error
  • Deleted

...

This column displays the version of the software installed on the endpoint.

...


Add a remote collector in a Red Hat system

You can use these instructions to specifically add a remote collector in a Red Hat system.

Note

This remote log collector only works with RHEL 7.5, with no additional updates.

Warning

Armor does not explicitly support adding a remote collector in a Red Hat system; however, you can use the following instructions as basic guidance.

Step 1: Review requirements and pre-installation considerations

Resource requirements

...

Partitioning guide

...

RAID configuration

...

Step 2: Configure your environment

  1. Copy the Red Hat Enterprise Linux minimal ISO to a DVD or a bootable USB flash drive.
  2. Insert the portable storage device into your appliance, and then restart your appliance.
  3. From the boot menu, perform one of the following options:
    • Select the USB or DVD drive as the boot option.
    • To install on a system that supports Extensible Firmware Interface (EFI), you must start the system in legacy mode.
  4. When prompted, log into the system as the root user.
  5. In the installation wizard, follow the on-screen instructions:
    1. Set the language to English (US).
    2. Click Date & Time, and then set the time for your deployment.
    3. Click Installation Destination, and then select I will configure partitioning.
    4. In the drop-down list, select LVM.
    5. To add the mount points and capacities for your partitions, click Add, and then click Done.
    6. Click Network & Host Name.
    7. Enter the hostname for your appliance.
      1. The hostname is case-sensitive and must exactly match the letter casing of the hostname in the logs that are sent to this log source.
    8. In the list, select the interface, move the switch to ON, and then click Configure.
    9. In the General tab, select Automatically connect to this network when it is available.
    10. In the IPv4 Settings tab, select Manual in the Method list.
    11. To enter the IP address, Netmask, and Gateway for the appliance in Addresses, click Add.
    12. Add two DNS servers.
    13. Click Save, click Done, and then click Begin Installation.
  6. Set the root password, and then click Finish configuration.
    • Armor recommends at least ASCII characters, with upper-case letters, lower-case letters, and special characters.
    • Save this password in a secure password vault.
  7. Edit /etc/ssh/sshd_config to ensure the following configurations:
    • PermitRootLogin yes
    • PasswordAuthentication yes
  8. In /root/.ssh/authorized_keys, remove all keys.
  9. Disable SELinux, and then after the installation process is complete, restart the system.
  10. Via SSH, validate root login with a password:
    • ssh -o PreferredAuthentications=password -l root 

Step 3: Install the event collector

  1. Copy the QRadar ISO to the device.
  2. Create the /media/cdrom directory. To do so, enter the following command: mkdir /media/cdrom
  3. Mount the QRadar ISO. To do so, enter the following command, replacing <path_to_QRadar_ISO> with the location of the ISO file that you copied: mount -o loop <path_to_QRadar_ISO> /media/cdrom
  4. Run the QRadar setup. To do so, enter the following: /media/cdrom/setup
    • A new kernel may be installed as part of the installation, which requires a system restart. After the system restart, repeat the commands in Step 3 and Step 4 to continue the installation.
  5. In Software Installed System, select Software Install, and then select Next.
  6. In Software Appliance Assignment, select Event Collector, and then select Next.
  7. In Type of Setup, select Normal Setup (default), and then select Next.
  8. In Select Continent/Area, select UTC, and then select Next.
  9. In Internet Protocol Setup, select ipv4 Internet Protocol version 4, and then select Next.
  10. If required, select the bonded interface setup. (This action is not supported by Armor.)
  11. Select the management interface.
  12. In the wizard, in Hostname, enter a fully qualified domain name.
  13. In IP address, enter a static IP address or use the assigned IP address.
  14. If you do not have an email server, then in Email server name, enter localhost.
  15. Do not modify the root password.
  16. Click Finish.
  17. In the installation wizard, follow the instructions to complete the installation. The installation process may take a few minutes.
  18. Reboot.
