
This topic only applies to Armor Anywhere users.

Overview

You can use the Log Collector feature to convert your virtual machines into log collectors, allowing your instances to forward logs to the Armor Management Portal (AMP). Within AMP, Armor will securely store, review, and analyze supported log types.

While Log Collector is available to all Armor Anywhere users, there is a fee associated with sending and storing logs. For pricing information, please contact your Account Manager.



Add Log Collector

Step 1: Review requirements

Firewall rules

You must add the following firewall rules: 

Inbound / Outbound   Service / Purpose          Port       Destination
Outbound             Log Collector              5443/tcp   The IP address for your instance (log collector)
Outbound             Armor's logging service    5443/tcp

To learn more about firewall rules, see Requirements for Armor Anywhere.
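As an added pre-flight check (this script is not part of Armor's documentation or tooling), the code below tests from the Linux instance whether an outbound TCP connection on 5443/tcp completes, which is what the rules above require. The destination hostname is a placeholder, since this page does not give the logging service's address.

```python
import socket
from dataclasses import dataclass

# Port required by the outbound firewall rules on this page.
LOG_COLLECTOR_PORT = 5443


@dataclass
class CheckResult:
    host: str
    port: int
    reachable: bool
    detail: str


def check_outbound_tcp(host: str, port: int = LOG_COLLECTOR_PORT,
                       timeout: float = 3.0) -> CheckResult:
    """Try a full TCP handshake to host:port from this instance.

    A completed connect means the outbound path is open. A timeout usually
    means a firewall is silently dropping the SYN; a refusal means the path
    is open but nothing is listening on that port at the destination.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return CheckResult(host, port, True, "TCP connect succeeded")
    except socket.timeout:
        return CheckResult(host, port, False,
                           f"timed out after {timeout}s (likely filtered)")
    except OSError as exc:
        # Covers DNS failures, refusals and unreachable networks.
        return CheckResult(host, port, False, f"{type(exc).__name__}: {exc}")


def run_preflight(destinations):
    """Check every (host, port) pair; returns results in the same order."""
    return [check_outbound_tcp(host, port) for host, port in destinations]


if __name__ == "__main__":
    # Placeholder: replace with the address Armor gives for its logging
    # service; this page does not state it.
    destinations = [("logging.placeholder.invalid", LOG_COLLECTOR_PORT)]
    for result in run_preflight(destinations):
        status = "OK  " if result.reachable else "FAIL"
        print(f"{status} {result.host}:{result.port} - {result.detail}")
```

Run it on the instance before converting it; a FAIL with a timeout points at the firewall rules above rather than at the Log Collector configuration.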

Permissions

You must have the Write Virtual Machine permission included in your account in order to use Log Collector. 

To learn more about permissions, see Roles and permissions (Armor Anywhere).

Supported devices

Log Collector can only be used on Linux operating systems that have the Armor Anywhere agent installed. In short, it runs on Linux operating systems only.

In addition to collecting logs from Armor Anywhere's security services, such as FIM and Malware Protection, Log Collector can also collect logs from:

  • AWS CloudTrail
  • Fortinet WAF
  • Imperva WAF

Pricing information 

While Log Collector is available to all Armor Anywhere users, there is a fee associated with sending and storing logs. Log Collector is a usage-based feature; you only pay for what you use.

For pricing information, please contact your Account Manager.


Step 2: Add Log Collector

You can use these instructions to configure (convert) your instance into a log collecting device. 

In order to convert your virtual machine into a log collector, you must have the Write Virtual Machine permission assigned to your account.

To learn more about permissions, see Roles and permissions (Armor Anywhere).

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and hover over the desired virtual machine.
  4. Click the vertical ellipses.
  5. Click Convert to Log Collector.
  6. Review the product information, and then click Confirm.

Step 3: View collected logs

You can use the Log Collector screen to view and confirm that Armor is receiving your logs. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and select the desired virtual machine.
    • You will be taken to the Log Collector screen, where you can view the Log Volume graph.



Remove Log Collector

If you remove the log collector feature from a virtual machine, Armor will still retain the collected logs. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines.
  3. Locate and hover over the desired virtual machine.
  4. Click the vertical ellipses.
  5. Click Remove Log Collector.

Troubleshoot Log Collector 

If you do not see any data in the Log Collector screen, consider that:

  • Your instance is powered off.
    • To review the status of your instance, in the left-side navigation, click Infrastructure, and then click Virtual Machines.
    • For more information, see Virtual Machines (Armor Anywhere).
  • You do not have permission to view and configure this screen.
    • You must have the Write Virtual Machine permission enabled. Contact your account administrator to enable this permission. To learn how to update your permissions, see Roles and permissions (Armor Anywhere).

Frequently Asked Questions

How does the Log Collector feature help me as an Armor customer?

Armor's Log Collector feature was built with ease, simplicity, and security value in mind for our customers. We wanted to give our customers the ability to send us logs from virtual appliances, applications, PaaS solutions, containers, etc. in their environment and have us ingest them into our Spartan platform, and provide Security Analytics, Compliance, and a 24/7-365 SOC. Armor gives customers the ability to convert any VM with an Armor Agent into a Log Collector box. This installs our logging sub-agent on the box and allows you to send Armor logs that do not already come from our own set of security services deployed in the Agent. These could be your new WAF logs or PaaS logs such as AWS CloudTrail or AWS CloudWatch, so Armor can provide you with security analytics and remediation tuned to the breadth of your full environment.


How do I convert a VM into a Log Collector?

First, please make sure you have installed the Armor Agent on one of your virtual machines, using the instructions provided for you within the Armor Management Portal (AMP). After you have done this, visit the Virtual Machines page in the Infrastructure section of AMP. You will see your VM; click into it, and you will see a settings cog. Click that cog, and then select its pop-out option to convert the VM to a log collector. On the following screen you will see more detailed information about how the service works and any port forwarding requirements needed to run the service. After you have set up the Log Collector service, you will see telemetry data for that log collector whenever you click into the VM detail page from the VM infrastructure page.


How many logs can I send Armor? 

Armor will ingest and store as many logs for you as you would like. Armor's Log Collector feature is a usage-based component of AMP. As a customer, you pay us based on how much you use. This allows us to ingest, store, and provide security analytics on your logs, both for security remediation efforts and for storage to meet compliance requirements.


What telemetry data is shown to me in AMP around the Log Collector service? 

AMP shows you data about daily log volume by hour, sources, events per source, and top sources by index size and EPS calculations. We also have implemented robust search and filtering capabilities allowing you to easily search logs for audit purposes.


What Log Collector functionality is available via API? 

Most important functions are covered in our Swagger API. You can find this documentation at https://developer.armor.com. Common examples of Log Collector API use are converting a VM to a log collector, retrieving telemetry data, etc.


What security analysis does Armor and its SOC perform on logs ingested through Log Collector? 

This depends on how you as a customer decide to leverage our Log Collector service. In the first case, Armor simply ingests and stores logs for you for compliance requirements. Here Armor's Spartan platform, SIEM, and SOC will evaluate log data for security Indicators of Compromise (IOC) from any system it has a pre-defined connector for. Any other data will be stored, based on your usage of the service, for compliance requirements only. However, if you choose to engage Armor to build a data parsing engine for your log source, we will build a pipe connecting your log source to our platform and custom tune that pipe using Armor's knowledge of your environment gained through the Armor security services. This allows our SOC to build rules into our correlation and analytics engines to provide you the best view of your current security posture and remediation efforts in the event of a compromise. In this scenario, you would get Armor's full security value out of any log source you onboard with us.


What Log Sources does Armor support with its Log Collector service?

Armor's Log Collector feature natively supports logs coming from Armor's core security services (FIM, Malware Prevention, IDS, etc.), AWS CloudTrail logs, Fortinet WAFs, and Imperva WAFs. Armor customers can engage Armor's development team to build connectors to other log sources in their environment. These types of logs include OS logs, application logs, and authentication and authorization logs.