
Version 58

This topic only applies to Armor Complete users. 


Overview

You can use the Log & Data Management screen to:

  • View collected logs in the Search section
  • View the status of the logging subagent in the Sources section

By default, Armor collects and retains the following log types for 30 days:

  • CentOS/RHEL
    • /var/log/secure
    • /var/log/messages
    • /var/log/audit.log
    • /var/log/audit/audit.log
    • /var/log/yum.log
  • Ubuntu/Debian
    • /var/log/auth.log
    • /var/log/syslog
  • Windows
    • System Event Log
    • Security Event Log


View log status and details

The Armor Management Portal (AMP) only displays logs from the previous 30 days.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Search.
    • Enter separate search terms within quotation marks.
    • Enter exact search terms, including letter capitalization.

The Search results table contains the following columns:

  • Date - This column displays the date and time when Armor received the corresponding log.
  • Source - This column displays the name of the virtual machine that generated the log.
  • Message - This column displays the specific log message.

To better understand how to perform successful searches, consider the following sample log message: 2019-04-08T18:46:09Z INFO No non-zero metrics in the last 30s

In a log message, a space between words marks the boundary between separate search terms. For instance, there are no spaces in 2019-04-08T18:46:09Z, so 2019-04-08T18:46:09Z is considered one search term. In this example, to search for dates, you must enter the complete and exact date; you cannot perform searches with partial search terms, such as 2019-04.

The following examples show successful and unsuccessful search parameters for this sample message:

  • Successful: "2019-04-08T18:46:09Z"
    Unsuccessful: 2019 and 2019-04-08T18:46:09Z
    If the search term contains special characters, such as a colon, then you must perform the search with quotation marks ( " " ). Also, in this example, the complete search term is 2019-04-08T18:46:09Z. You cannot perform a search on partial search terms, such as 2019.
  • Successful: "INFO"
    Unsuccessful: INF
    You cannot perform a search on partial search terms. In this example, the complete search term is INFO, not INF.
  • Successful: "metrics" "30s"
    Unsuccessful: "metrics" "30"
    You can search for different search terms by separating terms with quotation marks. In this example, the complete search term is 30s, not 30. You cannot perform searches with partial search terms.
  • Successful: *zero *30
    Unsuccessful: *zero 30
    Similar to the use of quotation marks, you can also use an asterisk ( * ) to perform a wildcard search for strings. A wildcard search may take a few more seconds to complete.
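The search rules above, as an added example that is not part of the original page: a small Python model of the documented term matching (whitespace-separated terms, quotation marks required for special characters, exact and case-sensitive matching, and the asterisk wildcard), checked against the page's own sample message. The substring interpretation of the wildcard and the set of characters allowed in an unquoted term are assumptions chosen to reproduce the page's examples, not Armor's actual implementation.

```python
import re

# Constructed sample log line, taken from the page's own example.
SAMPLE_MESSAGE = "2019-04-08T18:46:09Z INFO No non-zero metrics in the last 30s"

# One quoted term, or one bare term containing no whitespace.
_TERM = re.compile(r'"([^"]*)"|(\S+)')
# Assumption: a bare term may only contain letters, digits, '_', '-' and '*';
# anything else (for example the ':' in a timestamp) must be quoted.
_PLAIN = re.compile(r"^[A-Za-z0-9_*-]+$")


def parse_query(query):
    """Split a search string into terms; quoted terms lose their quotes."""
    terms = []
    for quoted, bare in _TERM.findall(query):
        if bare:
            if not _PLAIN.match(bare):
                raise ValueError(f"{bare!r} contains special characters; quote it")
            terms.append(bare)
        elif quoted:
            terms.append(quoted)
    return terms


def term_matches(term, token):
    """Exact, case-sensitive match of one term against one whole token.

    Assumption: a '*' wildcard is modelled as a substring match, the simplest
    rule that reproduces the page's '*zero *30' example. Without the wildcard,
    'INF' does not match 'INFO' and '30' does not match '30s'.
    """
    if "*" in term:
        return term.replace("*", "") in token
    return term == token


def matches(message, query):
    """True when every term in the query matches some token of the message."""
    try:
        terms = parse_query(query)
    except ValueError:
        return False  # an unquoted special-character term is an unsuccessful search
    tokens = message.split()
    return all(any(term_matches(t, tok) for tok in tokens) for t in terms)
```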


Upgrade log retention plan



Export log service status

You can export the logs that are displayed in the Armor Management Portal (AMP) to analyze offline or to provide to an auditor. 

This file export will only contain logs from the previous 30 days.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Log Sources.
  4. (Optional) Use the filter function to customize the data displayed.
  5. Under the table, click CSV.
  6. Choose whether to export all data (All) or only the data that appears on the current screen (Current Set).

The export contains the following data:

  • Vm Name - This data shows the name of the Armor Agent.
  • Last Log Date - This data shows the last date that Armor received logs. A blank entry indicates that Armor has never received logs from this source.
  • Vm Provider - This data shows if you are an Anywhere or Complete user. If Armor cannot determine your specific environment, such as AWS or Azure, then by default, this entry will say Anywhere.
  • Vm Location - This data shows the virtual data center that hosts your data.
  • Retention - This data shows how long the logs are stored in the Armor user interface.
  • Average Size - This data shows the average log size.
  • Agent Status - This data shows the status of your Armor Agent.
    • Online - This status means the Armor Agent is active and has sent logs within the last hour.
    • Warning - This status means the previous 24-hour log volume has exceeded the 7-day moving average by 10% or more.
    • Critical - This status means the Armor Agent has not sent logs within the last hour.
    • Offline - This status means that the Armor Agent, and possibly the virtual machine, is offline.
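As an added example (not Armor's code), the following Python applies the Agent Status thresholds described above to one source and flags the sources in an export that need attention, using a constructed CSV in the shape of the Log Sources export. The column names, the timestamp format and the precedence between statuses when several rules apply are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed CSV in the shape of the Log Sources export. The column names are
# assumed to match the data table above; the rows are not real Armor data.
SAMPLE_CSV = """\
Vm Name,Last Log Date,Vm Provider,Vm Location,Retention,Average Size,Agent Status
web-01,2019-04-08T18:46:09Z,Complete,DFW01,30 days,12 MB,Online
db-01,2019-04-06T02:10:00Z,Complete,DFW01,30 days,40 MB,Critical
legacy-01,,Anywhere,,30 days,,Offline
"""

ONE_HOUR = timedelta(hours=1)


def classify(last_log, now, vol_24h=None, avg_7d=None, vm_reachable=True):
    """Apply the documented Agent Status rules to one source.

    last_log: datetime of the last received log, or None if none was ever received.
    vol_24h / avg_7d: previous 24-hour log volume and 7-day moving average, same unit.
    The page does not say which rule wins when several apply; the order
    Offline, Critical, Warning, Online is an assumption.
    """
    if not vm_reachable:
        return "Offline"
    if last_log is None or now - last_log > ONE_HOUR:
        return "Critical"
    # "10% or more" above the average, compared in integers to avoid float rounding.
    if vol_24h is not None and avg_7d and vol_24h * 10 >= avg_7d * 11:
        return "Warning"
    return "Online"


def parse_log_date(value):
    """Parse the export's timestamp (assumed ISO 8601 UTC); blank means never received."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_sources(csv_text, now):
    """Return the Vm Names whose agent is not Online or whose last log is older than one hour."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = parse_log_date(row["Last Log Date"])
        if row["Agent Status"] != "Online" or last is None or now - last > ONE_HOUR:
            flagged.append(row["Vm Name"])
    return flagged
```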


Troubleshoot Log Source section of the Log Management screen

Search section or Sources section

If you do not see any data in the Search section or the Sources section of the Log & Data Management screen, consider that:

  • The selected date range does not contain any data.
  • The virtual machine may be powered off. 
  • You do not have permission to view log data.
    • You must have the ReadLogManagement permission enabled to view log data. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and Permissions (Armor Complete).

Retention Plan section

If you cannot add or update your plan, you may not have permission to update plans. You must have the following permissions enabled:

  • Read Log Management Plan Selection
  • Write Log Management Plan Selection
  • Read LogManagement
  • Write LogManagement


Have a suggestion for the Armor Knowledge Base? Send a message to kb@armor.com.