Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 32 Next »


Knowledge Base


Feedback

Have a suggestion for the Armor Knowledge Base?

Send a message to
kb@armor.com.









Overview

You can use the Log Depot add-on product to securely store file-based application logs with Armor for up to 13 months.

Within the Armor Management Portal (AMP), you can view logs from the previous 90 days. You can view these logs and overall storage usage in the Log Search section of the Log Management screen.  

Log Depot can help you meet compliance requirements.

For Log Depot, Armor does not provide security analysis, parsing, or awareness of log content.

Log Depot can only collect single-line log formats.

The Log and Event Management subagent will sync and update this screen every 15 minutes. 

Pricing information

Log Depot's prices are based on a subscription (base) charge and an overage (tiered) charge. 

The monthly subscription charge includes up to 25GB of storage. Additional storage above 25GB will be charged on a tiered level. 

Review the following table to understand the pricing structure:

SKU$/Month£/Month
LD Base Subscription$200£155

$ per GB£ per GBTier Discount
0GB - 25GB (Included in Base Subscription)Included (is $8/GB)Included (is £6.20)-
26GB - 50GB$7.2£5.5810%
51GB - 100GB$6.56£5.0818%
101GB - 250GB$6.08£4.7124%
251GB - 500GB$5.60£4.3430%
501GB - 1000GB$5.28£4.0934%
1001GB+$5.12£3.9736%

Order Log Depot

  1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
  2. Click Log Management
  3. Click Log Source
  4. Under the table, click Activate Log Depot
  5. Review the product information, and then click Purchase
  6. After you begin the purchase process, you can start sending logs to Armor. 

Send logs to Armor


Windows users

To use these instructions, you must have powershell admin access.

  1. Log into a server instance that contains the Armor Anywhere - Security Agent. 
  2. Stop the agent with the following command: 
    • spsv armor-agent
  3. Run the agent policy command to add log policies. You can use the following commands as an example: 
    • For filelog type, run C:\.armor\opt\armor policy filelog add --path C:\inetpub\logs\web1.log --category web --tags web1,iis

    • For eventlog type, run C:\.armor\opt\armor policy eventlog add --name Application --category app --tags app
    • Category is required. You must label your logs based on one of the following categories: app, db, machine-data, platform, user, or web. 
    • Tags are optional. 
  4. Sync the agent's policy to the API with the following command:
    • C:\.armor\opt\armor policy filelog sync
  5. Restart the agent with the following command: 
    • sasv armor-agent
  6. (Optional) To review any Log Depot files in AMP:
    1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
    2. Click Log Management
    3. Click Log Search

Linux users

To use these instructions, you must have sudo access. 

Review the following example to understand how to send logs to Armor: /opt/armor/armor policy filelog add --path /var/log/dpkg.log --category platform --tags Ubuntu

TextDescription
/opt/armor/armor policy filelog addBase script
--path /var/log/dpkg.logThe location of the files.
--category platform

The type (category) of logs.

You must label your logs based on one of the following categories: app, db, machine-data, platform, user, or web. 

--tags Ubuntu

In the Log Search screen, you can search by tags.

Tags are optional.


  1. Log into a server instance that contains the Armor Anywhere - Security Agent. 
  2. Stop the agent with the following command: 
    • service armor-agent stop
  3. Run the agent policy command to add log policies. You can use the following command as example: 
    • /opt/armor/armor policy filelog add --path /var/log/app.log --category app --tags app,app1
      • Category is required. You must label your logs based on one of the following categories: app, db, machine-data, platform, user, or web. 
      • Tags are optional.
  4. Sync the agent's policy to the API with the following command: 
    • /opt/armor/armor policy filelog sync
  5. Restart the agent with the following command: 
    • service armor-agent start
  6. (Optional) To review any Log Depot files in AMP:
    1. In the Armor Management Portal (AMP), on the left-side navigation, click Security
    2. Click Log Management
    3. Click Log Search

Review additional agent-related commands

Review the following table to better understand how to interact with the agent via the command line: 

CommandDescription
armor -hDisplays the agent's help dialog
armor policy -hDisplays the agent's policy help dialog
armor policy filelog -hDisplays the agent's policy filelog help dialog
armor policy filelog add -hDisplays the agent's policy filelog add help dialog
armor policy filelog --add [path]Adds a filebeat logging policy with the user-defined path, category, and tag(s).
armor policy add eventlog [name]Adds a (Windows) eventlog logging policy with the user-defined path, category, and tag(s).
armor policy remove filelog [path]
armor policy showDisplays command functionality and syntax available at the command line. "show" can be added to any level of command to help drive user input
armor policy syncSynchronizes the local Armor CORE Agent with API services to pull down the latest policy version



Troubleshoot Log Search section of the Log Management screen

If you do not see any data in the Log Search section of the Log Management screen, consider that

  • You did not order the Log Depot add-on product. 
  • You did not properly sync Log Depot to collect your log files. 
  • The selected date range does not contain any data.
  • You do not have permission to view log data.
    • You must have the Read LogSearch permission enabled to view log data. Contact your account administrator to enable this permission. To learn how to update you permissions, see Roles and Permissions