This topic only applies to Armor Anywhere users.
To fully use this screen, you must add the following permissions to your account:
- Delete Log Management
- Read Log Endpoints
- Write Log Endpoints
- Delete Log Endpoints
Overview
You can use this document to add a remote log collector to a remote device (log source).
Step 1: Review compatible log source types
Before you create a remote log collector, review the following compatible log source types:
Step 2: Create an endpoint
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Endpoint.
- Click the plus ( + ) sign.
- If you do not have any endpoints already created, then click Add a New Log Endpoint.
- Complete the missing fields.
- In Public IP, enter the public IP address that Armor will connect to.
- In Private IP, enter the private IP address that Armor will connect to.
- If you are not using a NAT, then enter the public IP address again.
- In Password and Confirm Password, create and enter a password for your device.
- Click Save Log Endpoint.
- After you create an endpoint, there will be a Pending status assigned to the endpoint. After the endpoint has been provisioned, the status will change to Online. You cannot select a Pending endpoint.
Step 3: Create a remote log source
There are three options:
- Create a remote log source for a non-AWS environment
- Create a remote log source for an AWS environment
- Create a remote log source to collect Windows logs
Option 1: Create a remote log source for a non-AWS environment
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Sources.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
- In Endpoint, select the endpoint that you previously created.
- In Log Source Type, select the type of log source.
- In Hostname, enter the system hostname that matches the system for log collection.
- The hostname is case-sensitive and must use exactly the same letter casing as the logs that are sent to this log source.
- In Protocol, based on your selection in Log Source Type, select the available protocol.
- Click Save Log Source.
Option 2: Create a remote log source for an AWS environment
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Sources.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
- In Endpoint, select the endpoint that you previously created.
- In Log Source Type, select Amazon AWS CloudTrail.
- In Hostname, enter the system hostname that matches the system for log collection.
- The hostname is case-sensitive and must use exactly the same letter casing as the logs that are sent to this log source.
- In Protocol, based on your selection in Log Source Type, select the available protocol.
- In Account Number, enter your AWS account number, including any zero (0) prefix.
- In Region, select the region for your virtual machine.
- Click Save Log Source.
- In the Sources screen, refresh the screen until the log source reaches an Online status.
- Access the AWS console.
- In AWS console, under Management & Governance, click CloudTrail.
- In the left-side navigation, click Trails.
- Click Create Trail.
- In Trail name, enter a descriptive name for your trail.
- Under Storage location, for Create a new S3 bucket, mark No.
- In the S3 bucket drop-down menu, select logs.armor.com.
- Click Create.
Option 3: Create a remote log source to collect Windows logs
Armor does not support the managed deployment of the WinCollect platform. As a result, you can use the following instructions as basic guidance.
Armor Support will not deliver any registration keys to use with the WinCollect agents.
Armor officially supports Windows instances through one WinCollect agent per Windows instance.
Although WinCollect supports event collection from multiple sources, the Armor API will still require a log source to be created per Windows system.
- Download and install the agent.
- In this step, two files will be added to your local machine, including the WinCollect Standalone Patch installer. This GUI installer can be used to directly configure the WinCollect instance, as well as to pull logs from other Windows systems. (This process is not supported by Armor.)
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Sources.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
- In Endpoint, select the endpoint that you previously created.
- In Log Source Type, select Microsoft Windows Security Event Log.
- In Hostname, enter the system hostname that matches the system for log collection.
- The hostname is case-sensitive and must use exactly the same letter casing as the logs that are sent to this log source.
- In Protocol, based on your selection in Log Source Type, select the available protocol.
- Click Save Log Source.
- In the Sources screen, refresh the screen until the log source reaches an Online status.
- In your local machine, launch the WinCollect Configuration Utility GUI.
- In the left-side window, next to Destinations, click the ( + ) icon.
- Click Syslog TCP.
- In the top, right menu, click Add New Destination.
- Enter a descriptive name, such as Armor Defense Inc TLS, and then click Ok.
- The properties screen will appear.
- Enter the fully qualified domain name (FQDN) for the event collector.
- Enter the port that was allocated for your Windows Event Log source.
- Configure a throttle limit, such as 500 EPS.
- Click Deploy Changes to save.
- In the left-side window, under Devices, right-click Microsoft Windows Event Log.
- Click Add New Device.
- Enter a descriptive name for your log source, such as the system name of your Windows host.
- In Device Address, enter the local system hostname for the logs to be collected.
- In Security, mark the box.
- (Optional) For a DNS, Active Directory, or File Replication server, mark the corresponding box.
- In Destinations, click Add.
- Select the name of the destination you previously created, and then click Ok.
- In the top, right menu, click Deploy Changes.
To use the command prompt:
- Gather the following information:
- Hostname
- Armor Collector FQDN
- Armor Log Source Port
- Windows Services Hosted by System
- Active Directory Collector
- DNS Server
- File Replication Service
- Download and install the agent.
- Right-click the WinCollect agent installation file, and then select Run as administrator.
- Enter the following information into your command prompt:
- wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files\IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=<hostname>&Component1.LogSourceIdentifier=<Armor_Collector_FQDN>&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=<Armor_Collector_FQDN>&Component1.Dest.Port=<armor_port>&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875"""
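Added example, not part of the Armor documentation or the WinCollect product: a Python helper that assembles the silent-install line above from the information gathered in the previous step, form-encoding the parameter string (which is why the original shows `High+Event+Rate+Server` and `DNS+Server`) and decoding it again so the command can be reviewed before it is run. The version, hostname, collector FQDN and port are constructed placeholders.

```python
from urllib.parse import urlencode, parse_qsl

# Constructed values for the demonstration; replace with the information gathered above.
VERSION = "7.2.9"                             # stands in for <version_number>
HOSTNAME = "WIN-APP01"                        # stands in for <hostname>; casing must match the logs
COLLECTOR_FQDN = "collector.example.invalid"  # stands in for <Armor_Collector_FQDN>
PORT = 6514                                   # stands in for <armor_port>

def build_wincollect_params(hostname, collector_fqdn, port,
                            hosts_ad=False, hosts_dns=False, hosts_frs=False):
    """Build LOG_SOURCE_AUTO_CREATION_PARAMETERS in the order used in the command above.
    urlencode() turns spaces in keys and values into '+', matching the original string."""
    params = [
        ("Component1.AgentDevice", "DeviceWindowsLog"),
        ("Component1.Action", "create"),
        ("Component1.LogSourceName", hostname),
        ("Component1.LogSourceIdentifier", collector_fqdn),
        ("Component1.Dest.Name", "QRadar"),
        ("Component1.Dest.Hostname", collector_fqdn),
        ("Component1.Dest.Port", str(port)),
        ("Component1.Dest.Protocol", "TCP"),
        ("Component1.Log.Security", "true"),
        ("Component1.Log.System", "true"),
        ("Component1.Log.Application", "false"),
        # The three service flags come from "Windows Services Hosted by System".
        ("Component1.Log.DNS Server", str(hosts_dns).lower()),
        ("Component1.Log.File Replication Service", str(hosts_frs).lower()),
        ("Component1.Log.Directory Service", str(hosts_ad).lower()),
        ("Component1.RemoteMachinePollInterval", "3000"),
        ("Component1.EventRateTuningProfile", "High Event Rate Server"),
        ("Component1.MinLogsToProcessPerPass", "1250"),
        ("Component1.MaxLogsToProcessPerPass", "1875"),
    ]
    return urlencode(params)

def build_install_command(version, hostname, collector_fqdn, port, **services):
    """Return the full silent-install line, with the same quoting as the command above."""
    params = build_wincollect_params(hostname, collector_fqdn, port, **services)
    return ('wincollect-{0}.x86.exe /s /v"/qn INSTALLDIR=\\"C:\\Program Files\\IBM\\WinCollect\\" '
            'HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=True '
            'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{1}"""').format(version, params)

def parse_wincollect_params(value):
    """Decode a parameter string back into a dict so the settings can be checked."""
    return dict(parse_qsl(value, keep_blank_values=True))

if __name__ == "__main__":
    print(build_install_command(VERSION, HOSTNAME, COLLECTOR_FQDN, PORT, hosts_dns=True))
```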
View existing remote log sources
You can use these instructions to view existing remote log sources.
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Log & Data Management.
Click Sources.
Column | Description |
---|---|
Hostname | This column displays the hostname that was created in AMP. |
Type | This column displays the log source type, such as Amazon AWS CloudTrail. |
State | This column displays if the log source is in a Pending or Online status. |
Endpoint | This column displays the corresponding endpoint for the log source. |
Protocol/Port | This column displays the protocol, such as TLS Syslog or Syslog. |
Last Event | This column displays the last log message that Armor received. There may be a five-minute delay between when Armor receives this information versus when this information is displayed in AMP. |
View existing endpoints
You can use these instructions to view existing endpoints.
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click Endpoint.
Column | Description |
---|---|
Hostname | This column displays the hostname that was created in AMP. |
State | This column displays the state of the endpoint: Pending until the endpoint has been provisioned, then Online. |
Public IP | This column displays the public IP address that corresponds to the endpoint. |
Private IP | This column displays the private IP address that corresponds to the endpoint. |
Software Version | This column displays the version of the software installed on the endpoint. |
Last Event | This column displays the last log message that Armor received. There may be a five-minute delay between when Armor receives this information versus when this information is displayed in AMP. |
Add a remote collector in a RedHat system
You can use these instructions to specifically add a remote collector in a RedHat system.
This remote log collector only works with RHEL 7.5, with no additional updates.
Armor does not explicitly support adding a remote collector in a RedHat system; however, you can use the following instructions as basic guidance.
Step 1: Review requirements and pre-installation considerations
Resource requirements
Requirement | Description |
---|---|
Supported operating system | RedHat 7.5 |
Bits | 64-bit |
NTP | NIST recommended |
Memory | 16GB |
Minimum Free Space | Primary device: 30 GB; secondary device: 1024 GB |
Disk IOPS | 300 |
Data Transfer Rate (MB/s) | 300 |
Partitioning guide
Mount Path | Size | LVM Supported? |
---|---|---|
/boot | 1 GB | No |
/boot/efi | 200 MB | No |
/var | 5 GB | Yes |
/var/log | 15 GB | Yes |
/var/log/audit | 3 GB | Yes |
/opt | 10 GB | Yes |
/home | 1 GB | Yes |
/storetmp | 15 GB | Yes |
/tmp | 3 GB | Yes |
swap | 12 GB to 24 GB (75% of RAM) | Not applicable |
/ | 15 GB | Yes |
/store | 80% of remaining space | Yes |
/transient | 20% of remaining space | Yes |
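Added example, not from the Armor or QRadar documentation: a Python check that reads saved `df -BM --output=size,target` output from the installed collector and compares each mount point against the partitioning guide above, including the 80/20 split between /store and /transient. The df sample is constructed; swap is not a mount point and is not checked.

```python
# Fixed minimums from the partitioning guide, in MB (1 GB = 1024 MB); swap is not checked.
REQUIRED_MB = {
    "/boot": 1024, "/boot/efi": 200, "/var": 5 * 1024, "/var/log": 15 * 1024,
    "/var/log/audit": 3 * 1024, "/opt": 10 * 1024, "/home": 1024,
    "/storetmp": 15 * 1024, "/tmp": 3 * 1024, "/": 15 * 1024,
}

# Constructed sample of `df -BM --output=size,target` from a host laid out per the guide.
SAMPLE_DF = """\
1M-blocks Mounted on
    1024M /boot
     200M /boot/efi
    5120M /var
   15360M /var/log
    3072M /var/log/audit
   10240M /opt
    1024M /home
   15360M /storetmp
    3072M /tmp
   15360M /
  409600M /store
  102400M /transient
"""

def parse_df(text):
    """Parse `df -BM --output=size,target` output into {mount_point: size_in_MB}."""
    sizes = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        size, target = line.split()
        sizes[target] = int(size.rstrip("M"))
    return sizes

def check_layout(sizes):
    """Return a list of deviations from the guide; an empty list means the layout passes."""
    problems = []
    for mount, need in sorted(REQUIRED_MB.items()):
        have = sizes.get(mount)
        if have is None:
            problems.append("missing mount %s" % mount)
        elif have < need:
            problems.append("%s is %d MB, guide requires %d MB" % (mount, have, need))
    store, transient = sizes.get("/store"), sizes.get("/transient")
    if store is None or transient is None:
        problems.append("missing /store or /transient")
    else:  # guide: /store gets 80% and /transient 20% of the remaining space
        share = store / float(store + transient)
        if abs(share - 0.80) > 0.02:  # small tolerance for filesystem overhead
            problems.append("/store holds %.0f%% of /store+/transient, guide says 80%%" % (share * 100))
    return problems
```

Run `check_layout(parse_df(open("df.txt").read()))` against output captured on the collector after installation; a non-empty list names the partitions to resize.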
RAID configuration
Type | Notes |
---|---|
RAID10 | Recommended |
RAID0 | Not supported |
RAID5 | Not supported |
RAID50 | Not supported |
Step 2: Configure your environment
- Copy the Red Hat Enterprise Linux minimal ISO to a DVD or a bootable USB flash drive.
- Insert the portable storage device into your appliance, and then restart your appliance.
- From the start menu, perform one of the following options:
- Select the USB or DVD drive as the boot option.
- To install on a system that supports Extensible Firmware Interface (EFI), you must start the system in legacy mode.
- When prompted, log into the system as the root user.
- In the installation wizard, follow the on-screen instructions:
- Set the language to English (US).
- Click Date & Time, and then set the time for your deployment.
- Click Installation Destination, and then select I will configure partitioning.
- In the drop-down list, select LVM.
- To add the mount points and capacities for your partitions, click Add, and then click Done.
- Click Network & Host Name.
- Enter the hostname for your appliance.
- The hostname is case-sensitive and must use exactly the same letter casing as the logs that are sent to this log source.
- In the list, select the interface, move the switch to ON, and then click Configure.
- In the General tab, select Automatically connect to this network when it is available.
- In the IPv4 Settings tab, select Manual in the Method list.
- To enter the IP address, Netmask, and Gateway for the appliance in Addresses, click Add.
- Add two DNS servers.
- Click Save, click Done, and then click Begin Installation.
- Set the root password, and then click Finish configuration.
- Armor recommends at least ASCII characters, with upper-case letters, lower-case letters, and special characters.
- Save this password in a secure password vault.
- Edit /etc/ssh/sshd_config to ensure the following configurations:
- PermitRootLogin yes
- PasswordAuthentication yes
- In /root/.ssh/authorized_keys, remove all keys.
- Disable SELinux, and then after the installation process is complete, restart the system.
- Via SSH, validate root login with password.
- ssh -o PreferredAuthentications=password -l root
Step 3: Install the event collector
- Copy the QRadar ISO to the device.
- Create the /media/cdrom directory. To do so, enter the following command: mkdir /media/cdrom
- Mount the QRadar ISO on that directory. To do so, enter the following command (replace <path_to_QRadar_ISO> with the location of the ISO you copied): mount -o loop <path_to_QRadar_ISO> /media/cdrom
- Run the QRadar setup. To do so, enter the following: /media/cdrom/setup
- A new kernel may be installed as part of the installation, which requires a system restart. After the system restart, repeat the commands in Step 3 and Step 4 to continue the installation.
- In Software Installed System, select Software Install, and then select Next.
- In Software Appliance Assignment, select Event Collector, and then select Next.
- In Type of Setup, select Normal Setup (default), and then select Next.
- In Select Continent/Area, select UTC, and then select Next.
- In Internet Protocol Setup, select ipv4 Internet Protocol version 4, and then select Next.
- If required, select the bonded interface setup. (This action is not supported by Armor.)
- Select the management interface.
- In the wizard, in Hostname, enter a fully qualified domain name.
- In IP address, enter a static IP address or use the assigned IP address.
- If you do not have an email server, then in Email server name, enter localhost.
- Do not modify the root password.
- Click Finish.
- In the installation wizard, follow the instructions to complete the installation. The installation process may take a few minutes.
- Reboot.