
This topic only applies to Armor Anywhere users.

Overview

You can use the Log Collector feature to convert a virtual machine into a log-collecting device that forwards logs to the Armor Management Portal (AMP). Within AMP, Armor will securely store, review, and analyze supported log types.


Add Log Collector

Step 1: Review requirements

Firewall rules

You must add the following firewall rules: 

| Inbound / Outbound | Service / Purpose | Port | Destination |
|---|---|---|---|
| Inbound | Log Collector (Logstash) | 5140/udp, 5141/tcp | The IP address for your virtual machine (log collector) |
| Outbound | Armor's logging service (ELK) | 5443/tcp, 5400-5600/tcp (Reserved) | 1c.log.armor.com |

  • 5400-5600/tcp (Reserved): Armor reserves the right to utilize this port range for future expansion or service changes.
  • 1c.log.armor.com: These endpoints are served by the Amazon Elastic Load Balancers. As a result, the actual endpoints will vary dynamically across Amazon's IP ranges.

To learn more about firewall rules, see Requirements for Armor Anywhere.

Permissions

You must have the Write Virtual Machine permission included in your account in order to use Log Collector. 

To learn more about permissions, see Roles and permissions (Armor Anywhere)

Supported Devices

Log Collector can only be used with Linux operating systems that contain the Armor Anywhere agent. 

Additionally, Log Collector supports devices that do not have the Armor Anywhere agent, such as WAFs or next-generation firewalls. 


Pricing information 

While Log Collector is available to all Armor Anywhere users, there is a cost associated with sending and storing logs. 

For pricing information, please contact your Account Manager.


Step 2: Configure your virtual machine

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines
  3. Locate and hover over the desired virtual machine. 
  4. Click the vertical ellipses. 
  5. Click Convert to Log Collector
  6. Review the product information, and then click Confirm
    • By default, the Armor agent will update the virtual machine within 15 minutes.

Step 3: View collected logs

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.
  2. Click Virtual Machines
  3. Locate and select the desired virtual machine. 
    • You will be taken to the Log Collector screen to view the Log Volume graph and table.  

      Graph: The Log Volume graph displays the amount of logs that Armor is receiving on a daily basis.

      Table:

      | Column | Description |
      |---|---|
      | Source Name | This column displays the name of the virtual machine that is collecting and sending logs. |
      | Number of Events | This column displays the number of logs collected. |
      | Last Log Received | This column displays the date and time that Armor last received a log. |

Remove Log Collector

If you remove the log collector feature from a virtual machine, Armor will still retain the collected logs. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure
  2. Click Virtual Machines
  3. Locate and hover over the desired virtual machine. 
  4. Click the vertical ellipses. 
  5. Click Remove Log Collector

Troubleshoot Log Collector 

If you do not see any data in the Log Collector screen, consider that:

  • Your instance is powered off.
    • To review the status of your instance, in the left-side navigation, click Infrastructure, and then click Virtual Machines
    • For more information, see Virtual Machines (Armor Anywhere)
  • You do not have permission to view and configure this screen.
    • You must have the Write Virtual Machine permission enabled. Contact your account administrator to enable these permissions. To learn how to update your permissions, see Roles and permissions (Armor Anywhere).
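
A host-side check that complements the list above, as an added example (not Armor's tooling): it looks for listeners on the inbound ports from the firewall table that other devices can actually reach, and tests the outbound path to 1c.log.armor.com on 5443/tcp. It assumes iproute2's `ss` is installed on the log collector; the function names and the sample input are constructed for illustration.

```python
import socket
import subprocess

# Ports and endpoint from the firewall rules table on this page.
INBOUND = {("udp", 5140), ("tcp", 5141)}
OUTBOUND = ("1c.log.armor.com", 5443)

# Constructed sample of `ss -H -lntu` output (not captured from a real host).
SAMPLE = """\
udp UNCONN 0 0    0.0.0.0:5140   0.0.0.0:*
tcp LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
tcp LISTEN 0 1024 127.0.0.1:5141 0.0.0.0:*
"""


def missing_listeners(ss_output, required=INBOUND):
    """Return required (proto, port) pairs with no remotely reachable listener."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        # A loopback-only listener cannot receive logs from other devices.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if port.isdigit():
            found.add((proto, int(port)))
    return sorted(set(required) - found)


def can_connect(host, port, timeout=5.0):
    """True if a TCP handshake completes; this tests the network path only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    out = subprocess.run(["ss", "-H", "-lntu"], capture_output=True,
                         text=True, check=True).stdout
    for proto, port in missing_listeners(out):
        print(f"no externally reachable listener on {port}/{proto}")
    if not can_connect(*OUTBOUND):
        print(f"cannot reach {OUTBOUND[0]}:{OUTBOUND[1]}/tcp")
```

A successful connection to 5443/tcp only shows that the firewall permits the path; it does not confirm that logs are being accepted.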







Have a suggestion for the Armor Knowledge Base? Send a message to kb@armor.com.