
This topic only applies to Armor Anywhere users.

To fully use this screen, you must add the following permissions to your account:

  • Delete Log Management
  • Read Log Endpoints
  • Write Log Endpoints
  • Delete Log Endpoints

Overview

You can use this document to add a remote log collector to a remote device (log source). 


Step 1: Review compatible log source types

Before you create a remote log collector, review the following compatible log source types:  


Although the following log types are available in AMP, not every log type will be subjected to Armor's full security process.

Syslog collection is a separate service; as a result, it is a shared responsibility between you and Armor and may be subject to additional costs.

Log Source Type | Protocol
3Com 8800 Series Switch | Syslog, TLS Syslog
APC UPS | Syslog, TLS Syslog
Amazon AWS CloudTrail | Amazon AWS S3 REST API
Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) | Syslog, TLS Syslog
Apache HTTP Server | Syslog, TLS Syslog
Application Security DbProtect | Syslog, TLS Syslog
Arbor Networks Peakflow SP | Syslog, TLS Syslog
Arpeggio SIFT-IT | Syslog, TLS Syslog
Array Networks SSL VPN Access Gateways | Syslog, TLS Syslog
Aruba ClearPass Policy Manager | Syslog, TLS Syslog
Aruba Introspect | Syslog, TLS Syslog
Aruba Mobility Controller | Syslog, TLS Syslog
Avaya VPN Gateway | Syslog, TLS Syslog
Barracuda Spam & Virus Firewall | Syslog, TLS Syslog
Barracuda Web Application Firewall | Syslog, TLS Syslog
Barracuda Web Filter | Syslog, TLS Syslog
BeyondTrust PowerBroker | Syslog, TLS Syslog
Bit9 Security Platform | Syslog, TLS Syslog
Blue Coat SG Appliance | Syslog, TLS Syslog
BlueCat Networks Adonis | Syslog, TLS Syslog
Bridgewater Systems AAA Service Controller | Syslog, TLS Syslog
Brocade FabricOS | Syslog, TLS Syslog
CA ACF2 | Syslog, TLS Syslog
CA SiteMinder | Syslog, TLS Syslog
CA Top Secret | Syslog, TLS Syslog
CRYPTOCard CRYPTOShield | Syslog, TLS Syslog
Carbon Black | Syslog, TLS Syslog
Carbon Black Protection | Syslog, TLS Syslog
Centrify Infrastructure Services | Syslog, TLS Syslog
Check Point | Syslog, TLS Syslog
Cilasoft QJRN/400 | Syslog, TLS Syslog
Cisco 12000 Series Routers | Syslog, TLS Syslog
Cisco 6500 Series Switches | Syslog, TLS Syslog
Cisco 7600 Series Routers | Syslog, TLS Syslog
Cisco ACE Firewall | Syslog, TLS Syslog
Cisco ACS | Syslog, TLS Syslog
Cisco Adaptive Security Appliance (ASA) | Syslog, TLS Syslog
Cisco Aironet | Syslog, TLS Syslog
Cisco CSA | Syslog, TLS Syslog
Cisco Call Manager | Syslog, TLS Syslog
Cisco Carrier Routing System | Syslog, TLS Syslog
Cisco CatOS for Catalyst Switches | Syslog, TLS Syslog
Cisco Cloud Web Security | Amazon AWS S3 REST API
Cisco Firewall Services Module (FWSM) | Syslog, TLS Syslog
Cisco IOS | Syslog, TLS Syslog
Cisco Integrated Services Router | Syslog, TLS Syslog
Cisco IronPort | Syslog, TLS Syslog
Cisco Meraki | Syslog, TLS Syslog
Cisco NAC Appliance | Syslog, TLS Syslog
Cisco Nexus | Syslog, TLS Syslog
Cisco PIX Firewall | Syslog, TLS Syslog
Cisco Stealthwatch | Syslog, TLS Syslog
Cisco VPN 3000 Series Concentrator | Syslog, TLS Syslog
Cisco Wireless LAN Controllers | Syslog, TLS Syslog
Cisco Wireless Services Module (WiSM) | Syslog, TLS Syslog
Citrix Access Gateway | Syslog, TLS Syslog
Citrix NetScaler | Syslog, TLS Syslog
CloudLock Cloud Security Fabric | Syslog, TLS Syslog
CloudPassage Halo | Syslog, TLS Syslog
Cloudera Navigator | Syslog, TLS Syslog
Configurable Authentication message filter | Syslog, TLS Syslog
Configurable Firewall Filter | Syslog, TLS Syslog
CorreLog Agent for IBM zOS | Syslog, TLS Syslog
CrowdStrike Falcon Host | Syslog, TLS Syslog
Cyber-Ark Vault | Syslog, TLS Syslog
CyberArk Privileged Threat Analytics | Syslog, TLS Syslog
CyberGuard TSP Firewall/VPN | Syslog, TLS Syslog
DCN DCS/DCRS Series | Syslog, TLS Syslog
DG Technology MEAS | Syslog, TLS Syslog
Damballa Failsafe | Syslog, TLS Syslog
EMC VMWare | Syslog, TLS Syslog
ESET Remote Administrator | Syslog, TLS Syslog
Enterprise-IT-Security.com SF-Sherlock | Syslog, TLS Syslog
Epic SIEM | Syslog, TLS Syslog
Exabeam | Syslog, TLS Syslog
Extreme 800-Series Switch | Syslog, TLS Syslog
Extreme A2-Series | Syslog, TLS Syslog
Extreme A4-Series | Syslog, TLS Syslog
Extreme B2-Series | Syslog, TLS Syslog
Extreme B3-Series | Syslog, TLS Syslog
Extreme B5-Series | Syslog, TLS Syslog
Extreme C2-Series | Syslog, TLS Syslog
Extreme C3-Series | Syslog, TLS Syslog
Extreme C5-Series | Syslog, TLS Syslog
Extreme D2-Series | Syslog, TLS Syslog
Extreme Dragon Network IPS | Syslog, TLS Syslog
Extreme G3-Series | Syslog, TLS Syslog
Extreme HiGuard | Syslog, TLS Syslog
Extreme HiPath | Syslog, TLS Syslog
Extreme I3-Series | Syslog, TLS Syslog
Extreme Matrix E1 Switch | Syslog, TLS Syslog
Extreme Matrix K/N/S Series Switch | Syslog, TLS Syslog
Extreme NAC | Syslog, TLS Syslog
Extreme NetsightASM | Syslog, TLS Syslog
Extreme Networks ExtremeWare Operating System (OS) | Syslog, TLS Syslog
Extreme Stackable and Standalone Switches | Syslog, TLS Syslog
Extreme XSR Security Routers | Syslog, TLS Syslog
F5 Networks BIG-IP AFM | Syslog, TLS Syslog
F5 Networks BIG-IP APM | Syslog, TLS Syslog
F5 Networks BIG-IP ASM | Syslog, TLS Syslog
F5 Networks BIG-IP LTM | Syslog, TLS Syslog
F5 Networks FirePass | Syslog, TLS Syslog
Fair Warning | Syslog, TLS Syslog
Fidelis XPS | Syslog, TLS Syslog
FireEye | Syslog, TLS Syslog
Forcepoint Sidewinder | Syslog, TLS Syslog
Forcepoint V Series | Syslog, TLS Syslog
ForeScout CounterACT | Syslog, TLS Syslog
Fortinet FortiGate Security Gateway | Syslog, TLS Syslog
Foundry Fastiron | Syslog, TLS Syslog
FreeRADIUS | Syslog, TLS Syslog
Great Bay Beacon | Syslog, TLS Syslog
H3C Comware Platform | Syslog, TLS Syslog
H3C IP Security Devices | Syslog, TLS Syslog
H3C Routers | Syslog, TLS Syslog
H3C Switches | Syslog, TLS Syslog
H3C Wireless LAN Devices | Syslog, TLS Syslog
HBGary Active Defense | Syslog, TLS Syslog
HP Network Automation | Syslog, TLS Syslog
HP ProCurve | Syslog, TLS Syslog
Hewlett Packard UniX | Syslog, TLS Syslog
Honeycomb Lexicon File Integrity Monitor | Syslog, TLS Syslog
Huawei AR Series Router | Syslog, TLS Syslog
Huawei S Series Switch | Syslog, TLS Syslog
HyTrust CloudControl | Syslog, TLS Syslog
IBM AIX Audit | Syslog, TLS Syslog
IBM AIX Server | Syslog, TLS Syslog
IBM Bluemix Platform | Syslog, TLS Syslog
IBM CICS | Syslog, TLS Syslog
IBM DB2 | Syslog, TLS Syslog
IBM DataPower | Syslog, TLS Syslog
IBM Federated Directory Server | Syslog, TLS Syslog
IBM Guardium | Syslog, TLS Syslog
IBM IMS | Syslog, TLS Syslog
IBM QRadar Network Security XGS | Syslog, TLS Syslog
IBM QRadar Packet Capture | Syslog, TLS Syslog
IBM Resource Access Control Facility (RACF) | Syslog, TLS Syslog
IBM SAN Volume Controller | Syslog, TLS Syslog
IBM Security Access Manager for Enterprise Single Sign-On | Syslog, TLS Syslog
IBM Security Access Manager for Mobile | Syslog, TLS Syslog
IBM Security Directory Server | Syslog, TLS Syslog
IBM Security Network IPS (GX) | Syslog, TLS Syslog
IBM Security Trusteer Apex Advanced Malware Protection | Syslog, TLS Syslog
IBM Tivoli Access Manager for e-business | Syslog, TLS Syslog
IBM WebSphere Application Server | Syslog, TLS Syslog
IBM i | Syslog, TLS Syslog
IBM z/OS | Syslog, TLS Syslog
IBM zSecure Alert | Syslog, TLS Syslog
ISC BIND | Syslog, TLS Syslog
Illumio Adaptive Security Platform | Syslog, TLS Syslog
Imperva Incapsula | Syslog, TLS Syslog
Imperva SecureSphere | Syslog, TLS Syslog
Infoblox NIOS | Syslog, TLS Syslog
Itron Smart Meter | Syslog, TLS Syslog
Juniper DX Application Acceleration Platform | Syslog, TLS Syslog
Juniper EX-Series Ethernet Switch | Syslog, TLS Syslog
Juniper Junos OS Platform | Syslog, TLS Syslog
Juniper Junos WebApp Secure | Syslog, TLS Syslog
Juniper M Series Multiservice Edge Routing | Syslog, TLS Syslog
Juniper MX Series Ethernet Services Router | Syslog, TLS Syslog
Juniper Networks Firewall and VPN | Syslog, TLS Syslog
Juniper Networks Infranet Controller | Syslog, TLS Syslog
Juniper Networks Intrusion Detection and Prevention (IDP) | Syslog, TLS Syslog
Juniper Networks Network and Security Manager | Syslog, TLS Syslog
Juniper SRX Series Services Gateway | Syslog, TLS Syslog
Juniper Steel-Belted Radius | Syslog, TLS Syslog
Juniper T Series Core Platform | Syslog, TLS Syslog
Juniper WirelessLAN | Syslog, TLS Syslog
Juniper vGW | Syslog, TLS Syslog
Kaspersky Security Center | Syslog, TLS Syslog
Kaspersky Threat Feed Service | Syslog, TLS Syslog
Lastline Enterprise | Syslog, TLS Syslog
Lieberman Random Password Manager | Syslog, TLS Syslog
LightCyber Magna | Syslog, TLS Syslog
Linux DHCP Server | Syslog, TLS Syslog
Linux OS | Syslog, TLS Syslog
Linux iptables Firewall | Syslog, TLS Syslog
Mac OS X | Syslog, TLS Syslog
McAfee Network Security Platform | Syslog, TLS Syslog
McAfee Web Gateway | Syslog, TLS Syslog
Metainfo MetaIP | Syslog, TLS Syslog
Microsoft Azure | Syslog, TLS Syslog
Microsoft DHCP Server | Syslog, TLS Syslog
Microsoft DNS Debug | Syslog, TLS Syslog
Microsoft Exchange Server | Syslog, TLS Syslog
Microsoft Hyper-V | Syslog, TLS Syslog
Microsoft IAS Server | Syslog, TLS Syslog
Microsoft IIS | Syslog, TLS Syslog
Microsoft ISA | Syslog, TLS Syslog
Microsoft SQL Server | Syslog, TLS Syslog
Microsoft SharePoint | Syslog, TLS Syslog
Microsoft Windows Security Event Log | Syslog, TLS Syslog
Motorola SymbolAP | Syslog, TLS Syslog
NCC Group DDos Secure | Syslog, TLS Syslog
Name Value Pair | Syslog, TLS Syslog
NetApp Data ONTAP | Syslog, TLS Syslog
Niksun 2005 v3.5 | Syslog, TLS Syslog
Nominum Vantio | Syslog, TLS Syslog
Nortel Application Switch | Syslog, TLS Syslog
Nortel Contivity VPN Switch | Syslog, TLS Syslog
Nortel Ethernet Routing Switch 2500/4500/5500 | Syslog, TLS Syslog
Nortel Ethernet Routing Switch 8300/8600 | Syslog, TLS Syslog
Nortel Multiprotocol Router | Syslog, TLS Syslog
Nortel Secure Network Access Switch (SNAS) | Syslog, TLS Syslog
Nortel Secure Router | Syslog, TLS Syslog
Nortel Switched Firewall 5100 | Syslog, TLS Syslog
Nortel Switched Firewall 6000 | Syslog, TLS Syslog
Nortel Threat Protection System (TPS) Intrusion Sensor | Syslog, TLS Syslog
Nortel VPN Gateway | Syslog, TLS Syslog
Novell eDirectory | Syslog, TLS Syslog
OSSEC | Syslog, TLS Syslog
Onapsis Inc Onapsis Security Platform | Syslog, TLS Syslog
OpenBSD OS | Syslog, TLS Syslog
Oracle Acme Packet SBC | Syslog, TLS Syslog
Oracle Database Listener | Syslog, TLS Syslog
Oracle RDBMS Audit Record | Syslog, TLS Syslog
Oracle RDBMS OS Audit Record | Syslog, TLS Syslog
Palo Alto Endpoint Security Manager | Syslog, TLS Syslog
Palo Alto PA Series | Syslog, TLS Syslog
PostFix MailTransferAgent | Syslog, TLS Syslog
ProFTPD Server | Syslog, TLS Syslog
Proofpoint Enterprise Protection/Enterprise Privacy | Syslog, TLS Syslog
Pulse Secure Pulse Connect Secure | Syslog, TLS Syslog
RSA Authentication Manager | Syslog, TLS Syslog
Radware AppWall | Syslog, TLS Syslog
Radware DefensePro | Syslog, TLS Syslog
Redback ASE | Syslog, TLS Syslog
SSH CryptoAuditor | Syslog, TLS Syslog
STEALTHbits StealthINTERCEPT | Syslog, TLS Syslog
STEALTHbits StealthINTERCEPT Alerts | Syslog, TLS Syslog
STEALTHbits StealthINTERCEPT Analytics | Syslog, TLS Syslog
SafeNet DataSecure/KeySecure | Syslog, TLS Syslog
Samhain HIDS | Syslog, TLS Syslog
Sentrigo Hedgehog | Syslog, TLS Syslog
Skyhigh Networks Cloud Security Platform | Syslog, TLS Syslog
Snort Open Source IDS | Syslog, TLS Syslog
Solaris BSM | Syslog, TLS Syslog
Solaris Operating System Authentication Messages | Syslog, TLS Syslog
Solaris Operating System DHCP Logs | Syslog, TLS Syslog
Solaris Operating System Sendmail Logs | Syslog, TLS Syslog
SonicWALL SonicOS | Syslog, TLS Syslog
Sophos Astaro Security Gateway | Syslog, TLS Syslog
Sophos Web Security Appliance | Syslog, TLS Syslog
Squid Web Proxy | Syslog, TLS Syslog
Starent Networks Home Agent (HA) | Syslog, TLS Syslog
Stonesoft Management Center | Syslog, TLS Syslog
Symantec DLP | Syslog, TLS Syslog
Symantec Encryption Management Server | Syslog, TLS Syslog
Symantec Endpoint Protection | Syslog, TLS Syslog
Symantec Gateway Security (SGS) Appliance | Syslog, TLS Syslog
ThreatGRID Malware Threat Intelligence Platform | Syslog, TLS Syslog
TippingPoint Intrusion Prevention System (IPS) | Syslog, TLS Syslog
TippingPoint X Series Appliances | Syslog, TLS Syslog
Top Layer IPS | Syslog, TLS Syslog
Trend InterScan VirusWall | Syslog, TLS Syslog
Trend Micro Deep Discovery Analyzer | Syslog, TLS Syslog
Trend Micro Deep Discovery Email Inspector | Syslog, TLS Syslog
Trend Micro Deep Discovery Inspector | Syslog, TLS Syslog
Trend Micro Deep Security | Syslog, TLS Syslog
Tripwire Enterprise | Syslog, TLS Syslog
Tropos Control | Syslog, TLS Syslog
Universal CEF | Syslog, TLS Syslog
Universal LEEF | Syslog, TLS Syslog
VMware vCenter | Syslog, TLS Syslog
VMware vShield | Syslog, TLS Syslog
Vectra Networks Vectra | Syslog, TLS Syslog
Venustech Venusense Firewall | Syslog, TLS Syslog
Venustech Venusense Network Intrusion Prevention System | Syslog, TLS Syslog
Venustech Venusense Security Platform | Syslog, TLS Syslog
Venustech Venusense Unified Threat Management | Syslog, TLS Syslog
Verdasys Digital Guardian | Syslog, TLS Syslog
Vericept Content 360 | Syslog, TLS Syslog
Vormetric Data Security | Syslog, TLS Syslog
WatchGuard Fireware OS | Syslog, TLS Syslog
Zscaler Nss | Syslog, TLS Syslog
genua genugate | Syslog, TLS Syslog
iT-CUBE agileSI | Syslog, TLS Syslog


Step 2: Create an endpoint

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Endpoint.
  4. Click the plus ( + ) sign. 
    • If you do not have any endpoints already created, then click Add a New Log Endpoint
  5. Complete the missing fields. 
    • In Public IP, enter the public IP address that Armor will connect to.
    • In Private IP, enter the private IP address that Armor will connect to.
      • If you are not using a NAT, then enter the public IP address again. 
    • In Password and Confirm Password, create and enter a password for your device. 
  6. Click Save Log Endpoint
    • After you create an endpoint, there will be a Pending status assigned to the endpoint. After the endpoint has been provisioned, the status will change to Online. You cannot select a Pending endpoint. 


Step 3: Create a remote log source

There are three options: 

  • Create a remote log source for a non-AWS environment
  • Create a remote log source for an AWS environment
  • Create a remote log source to collect Windows logs

Option 1: Create a remote log source for a non-AWS environment 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created. 
    2. In Log Source Type, select the type of log source. 
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must match, letter for letter and in the same casing, the hostname carried in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
  6. Click Save Log Source.
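The hostname entered for a log source has to match the HOSTNAME field of the incoming messages exactly, casing included, or the events are not associated with the source. The following script is an added example (not Armor code) that checks a batch of captured syslog lines against the hostname configured in AMP before the device is pointed at the collector; it handles RFC 5424 and legacy BSD (RFC 3164) framing, and the sample lines and the hostname web01.example.com are constructed.

```python
"""Verify that syslog messages carry the exact (case-sensitive) hostname that
was entered for the AMP log source.

Added example; this is not Armor code. It parses the HOSTNAME field from
RFC 5424 and legacy BSD (RFC 3164) syslog lines. The sample lines and the
hostname "web01.example.com" are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
)
# RFC 3164 / BSD: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ...  (day may be space-padded)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def extract_hostname(line: str) -> Optional[str]:
    """Return the HOSTNAME field of a syslog line, or None if it does not parse."""
    match = _RFC5424.match(line) or _RFC3164.match(line)
    return match.group("host") if match else None


def check_hostname(line: str, expected: str) -> Tuple[str, Optional[str]]:
    """Classify one line against the hostname configured for the log source.

    Returns (status, observed_hostname) where status is one of "match",
    "case-mismatch" (same letters, different casing, which the log source
    would not accept as its own), "mismatch" or "unparsed".
    """
    host = extract_hostname(line)
    if host is None:
        return ("unparsed", None)
    if host == expected:
        return ("match", host)
    if host.lower() == expected.lower():
        return ("case-mismatch", host)
    return ("mismatch", host)


def audit(lines: List[str], expected: str) -> Dict[str, int]:
    """Count lines per status so a wrong hostname is caught before events are lost."""
    counts = {"match": 0, "case-mismatch": 0, "mismatch": 0, "unparsed": 0}
    for line in lines:
        status, _ = check_hostname(line, expected)
        counts[status] += 1
    return counts


# Constructed sample messages, as a collector might receive them.
SAMPLE_LINES = [
    "<134>1 2024-03-01T10:00:00Z web01.example.com sshd 1234 - - Accepted publickey for ops",
    "<34>Mar  1 10:00:01 WEB01.example.com sshd[1234]: Failed password for root",
    "<13>Mar 1 10:00:02 db02 CRON[99]: session opened for user root",
    "not a syslog line at all",
]

if __name__ == "__main__":
    expected = "web01.example.com"
    for line in SAMPLE_LINES:
        print(check_hostname(line, expected), line[:50])
    print(audit(SAMPLE_LINES, expected))
```

Run it against a capture of what the device actually emits (for example, a few lines taken from a local syslog file); a non-zero "case-mismatch" count means the AMP hostname or the device's configured hostname needs to be corrected before the source will show events.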


Option 2: Create a remote log source for an AWS environment

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created. 
    2. In Log Source Type, select Amazon AWS CloudTrail.
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must match, letter for letter and in the same casing, the hostname carried in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
    5. In Account Number, enter your AWS account number, including any zero (0) prefix. 
    6. In Region, select the region for your virtual machine.  
  6. Click Save Log Source.
  7. In the Sources screen, refresh the screen until the log source reaches an Online status. 
  8. Access the AWS console.
  9. In AWS console, under Management & Governance, click CloudTrail
  10. In the left-side navigation, click Trails
  11. Click Create Trail
  12. In Trail name, enter a descriptive name for your trail. 
  13. Under Storage location, for Create a new S3 bucket, mark No
  14. In the S3 bucket drop-down menu, select logs.armor.com.
  15. Click Create


Option 3: Create a remote log source to collect Windows logs

Armor does not support the managed deployment of the WinCollect platform. As a result, you can use the following instructions as basic guidance.

Armor Support will not deliver any registration keys to use with the WinCollect agents.

Armor officially supports Windows instances through one WinCollect agent per instance of Windows.

Although WinCollect supports event collection from multiple sources, the Armor API will still require a log source to be created per Windows system. 

  1. Download and install the agent.
    • In this step, two files will be added to your local machine, including the WinCollect Standalone Patch installer. This GUI installer can be used to configure the WinCollect instance directly, as well as to pull logs from other Windows systems. (This process is not supported by Armor.)
  2. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  3. Click Log & Data Management.
  4. Click Sources.
  5. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  6. Complete the missing fields:
    1. In Endpoint, select the endpoint that you previously created. 
    2. In Log Source Type, select Microsoft Windows Security Event Log
    3. In Hostname, enter the system hostname that matches the system for log collection.
      1. The hostname is case-sensitive and must match, letter for letter and in the same casing, the hostname carried in the logs that are sent to this log source.
    4. In Protocol, based on your selection in Log Source Type, select the available protocol.
  7. Click Save Log Source.
  8. In the Sources screen, refresh the screen until the log source reaches an Online status. 
  9. In your local machine, launch the WinCollect Configuration Utility GUI. 
  10. In the left-side window, next to Destinations, click the ( + ) icon. 
  11. Click Syslog TCP
  12. In the top, right menu, click Add New Destination
  13. Enter a descriptive name, such as Armor Defense Inc TLS, and then click Ok
    • The properties screen will appear. 
  14. Enter the fully qualified domain name (FQDN) for the event collector. 
  15. Enter the port that was allocated for your Windows Event Log source. 
  16. Configure a throttle limit, such as 500 EPS.
  17. Click Deploy Changes to save. 
  18. In the left-side window, under Devices, right-click Microsoft Windows Event Log
  19. Click Add New Device
  20. Enter a descriptive name for your log source, such as the system name of your Windows host. 
  21. In Device Address, enter the local system hostname for the logs to be collected. 
  22. In Security, mark the box. 
  23. (Optional) For a DNS, Active Directory, or File Replication server, mark the corresponding box.
  24. In Destinations, click Add
  25. Select the name of destination you previously created, and then click Ok
  26. In the top, right menu, click Deploy Changes

To use the command prompt:

  1. Gather the following information:
    • Hostname
    • Armor Collector FQDN
    • Armor Log Source Port
    • Windows Services Hosted by System
      • Active Directory Collector
      • DNS Server
      • File Replication Service
  2. Download and install the agent.
  3. Right-click the WinCollect agent installation file, and then select Run as administrator.
  4. Enter the following information into your command prompt:
    • wincollect-<version_number>.x86.exe /s /v"/qn INSTALLDIR=\"C:\Program Files\IBM\WinCollect\" HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=<hostname>&Component1.LogSourceIdentifier=<Armor_Collector_FQDN>&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=<Armor_Collector_FQDN>&Component1.Dest.Port=<armor_port>&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=3000&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1875"""
    • Replace <version_number>, <hostname>, <Armor_Collector_FQDN>, and <armor_port> with the values gathered in step 1, and set the DNS+Server, File+Replication+Service, and Directory+Service flags to true only for the roles the system hosts. The command must be entered on a single line with no spaces inside the parameter string.
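Because the parameter string above has to be typed without any whitespace, with spaces inside values written as "+" and pairs joined with "&", it is easy to break by hand. The following script is an added example (not IBM's or Armor's tooling) that generates the command from the information gathered in step 1 and decodes it again for review. The installer switches, parameter names, and fixed values (HEARTBEAT_INTERVAL=6000, the poll interval, tuning profile, and logs-per-pass limits) are the ones in the command above; the sample hostname, collector FQDN, port, and version number are constructed.

```python
"""Generate the WinCollect silent-install command line from the values
gathered in step 1, encoding LOG_SOURCE_AUTO_CREATION_PARAMETERS the way the
installer expects (key=value pairs joined with "&", spaces written as "+").

Added example; not IBM's or Armor's tooling. Installer switches, parameter
names and fixed values are taken from the command in the documentation; the
sample hostname, collector FQDN, port and version are constructed.
"""
from urllib.parse import parse_qs, urlencode


def auto_creation_params(hostname, collector_fqdn, port, dns_server=False,
                         file_replication=False, directory_service=False):
    """Build the Component1.* parameter string for one Windows log source."""
    if not hostname or any(c.isspace() for c in hostname):
        raise ValueError("hostname must be non-empty and contain no whitespace")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be in 1..65535")
    flag = lambda enabled: "true" if enabled else "false"
    pairs = [
        ("Component1.AgentDevice", "DeviceWindowsLog"),
        ("Component1.Action", "create"),
        ("Component1.LogSourceName", hostname),
        ("Component1.LogSourceIdentifier", collector_fqdn),
        ("Component1.Dest.Name", "QRadar"),
        ("Component1.Dest.Hostname", collector_fqdn),
        ("Component1.Dest.Port", str(port)),
        ("Component1.Dest.Protocol", "TCP"),
        ("Component1.Log.Security", "true"),
        ("Component1.Log.System", "true"),
        ("Component1.Log.Application", "false"),
        # Enable the role-specific channels only for roles the host actually serves.
        ("Component1.Log.DNS Server", flag(dns_server)),
        ("Component1.Log.File Replication Service", flag(file_replication)),
        ("Component1.Log.Directory Service", flag(directory_service)),
        ("Component1.RemoteMachinePollInterval", "3000"),
        ("Component1.EventRateTuningProfile", "High Event Rate Server"),
        ("Component1.MinLogsToProcessPerPass", "1250"),
        ("Component1.MaxLogsToProcessPerPass", "1875"),
    ]
    # urlencode joins pairs with "&" and quote_plus-encodes them, so spaces become "+".
    return urlencode(pairs)


def parse_auto_creation_params(params):
    """Decode a parameter string back into a dict so it can be reviewed before install."""
    return {k: v[0] for k, v in parse_qs(params, keep_blank_values=True).items()}


def build_install_command(version, hostname, collector_fqdn, port, **roles):
    """Assemble the full silent-install command line (one line, no line breaks)."""
    params = auto_creation_params(hostname, collector_fqdn, port, **roles)
    return (
        f'wincollect-{version}.x86.exe /s /v"/qn '
        f'INSTALLDIR=\\"C:\\Program Files\\IBM\\WinCollect\\" '
        f'HEARTBEAT_INTERVAL=6000 LOG_SOURCE_AUTO_CREATION_ENABLED=True '
        f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{params}"""'
    )


if __name__ == "__main__":
    # Constructed values; replace them with the information gathered in step 1.
    cmd = build_install_command("7.3.1", "WIN-APP01", "collector.example.net", 6514,
                                dns_server=True)
    print(cmd)
    for key, value in parse_auto_creation_params(cmd.split('""')[1]).items():
        print(f"{key} = {value}")
```

The decode step is worth keeping in the workflow: comparing the parsed dictionary against the values from step 1 catches a mistyped port or a role flag left enabled on a host that does not serve that role, before the agent registers a log source with the wrong settings.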





View existing remote log sources

You can use these instructions to view existing remote log sources. 

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management.

  3. Click Sources.

Column | Description
Hostname | This column displays the hostname that was created in AMP.
Type | This column displays the log source type, such as Amazon AWS CloudTrail.
State | This column displays whether the log source is in a Pending or Online status.
Endpoint | This column displays the corresponding endpoint for the log source.
Protocol/Port | This column displays the protocol, such as TLS Syslog or Syslog.
Last Event | This column displays the last log message that Armor received. There may be a five-minute delay between when Armor receives this information and when it is displayed in AMP.


View existing endpoints


You can use these instructions to view existing endpoints.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click Endpoint.
Column | Description
Hostname | This column displays the hostname that was created in AMP.
State | This column displays the state of the endpoint, which can be Pending, Online, Error, or Deleted.
Public IP | This column displays the public IP address that corresponds to the endpoint.
Private IP | This column displays the private IP address that corresponds to the endpoint.
Software Version | This column displays the version of the software installed on the endpoint.
Last Event | This column displays the last log message that Armor received. There may be a five-minute delay between when Armor receives this information and when it is displayed in AMP.


Add a remote collector in a RedHat system

You can use these instructions to specifically add a remote collector in a RedHat system. 

This remote log collector only works with RHEL 7.5, with no additional updates.

Armor does not explicitly support adding a remote collector in a RedHat system; however, you can use the following instructions as basic guidance.



Step 1: Review requirements and pre-installation considerations

Resource requirements

Requirement | Description
Supported operating system | RedHat 7.5
Bits | 64-bit
NTP | NIST recommended
Memory | 16 GB
Minimum free space | Primary device: 30 GB; secondary device: 1024 GB
Disk IOPS | 300
Data transfer rate (MB/s) | 300

Partitioning guide

Mount Path | Size | LVM Supported?
/boot | 1 GB | No
/boot/efi | 200 MB | No
/var | 5 GB | Yes
/var/log | 15 GB | Yes
/var/log/audit | 3 GB | Yes
/opt | 10 GB | Yes
/home | 1 GB | Yes
/storetmp | 15 GB | Yes
/tmp | 3 GB | Yes
swap | 12 GB to 24 GB (75% of RAM) | Not applicable
/ | 15 GB | Yes
/store | 80% of remaining space | Yes
/transient | 20% of remaining space | Yes

RAID configuration

Type | Notes
RAID 10 | Recommended
RAID 0 | Not supported
RAID 5 | Not supported
RAID 50 | Not supported
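The requirement and partitioning tables above are easy to miss one item of when a system was built by hand. The following script is an added example (not Armor's or IBM's tooling) that checks captured output from the appliance against them: it takes the contents of /etc/redhat-release and /proc/meminfo, the output of `uname -m`, and `findmnt -rn -o TARGET,SOURCE` as strings, so it can be run offline on copies of those files. The sample captures are constructed, and reading "12 GB to 24 GB (75% of RAM)" as "75% of RAM, clamped to the 12 to 24 GB range" is an assumption of this example.

```python
"""Pre-installation check against the resource-requirement and partitioning
tables for the RedHat remote collector.

Added example; not Armor's or IBM's tooling. Inputs are the text of
/etc/redhat-release, /proc/meminfo, `uname -m` and
`findmnt -rn -o TARGET,SOURCE`, passed in as strings. Samples are constructed.
"""
import re
from typing import Dict, List

REQUIRED_RELEASE = "7.5"        # RHEL 7.5 with no additional updates
MIN_MEMORY_GB = 16
REQUIRED_MOUNTS = ["/boot", "/boot/efi", "/var", "/var/log", "/var/log/audit",
                   "/opt", "/home", "/storetmp", "/tmp", "/", "/store", "/transient"]
NO_LVM_MOUNTS = {"/boot", "/boot/efi"}   # "LVM Supported?" is No for these


def check_release(release_text: str) -> bool:
    """True only for the exact release the collector supports."""
    m = re.search(r"release (\d+\.\d+)", release_text)
    return m is not None and m.group(1) == REQUIRED_RELEASE


def memory_gb(meminfo_text: str) -> float:
    m = re.search(r"^MemTotal:\s+(\d+) kB", meminfo_text, re.MULTILINE)
    return int(m.group(1)) / (1024 * 1024) if m else 0.0


def swap_size_gb(ram_gb: float) -> float:
    """75% of RAM, clamped to the 12 GB..24 GB range (assumed reading of the table)."""
    return max(12.0, min(24.0, 0.75 * ram_gb))


def parse_mounts(findmnt_text: str) -> Dict[str, str]:
    """Map mount target -> backing device from `findmnt -rn -o TARGET,SOURCE` output."""
    mounts = {}
    for line in findmnt_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mounts[parts[0]] = parts[1]
    return mounts


def check_mounts(mounts: Dict[str, str]) -> List[str]:
    problems = []
    for target in REQUIRED_MOUNTS:
        source = mounts.get(target)
        if source is None:
            problems.append(f"missing mount point {target}")
        elif target in NO_LVM_MOUNTS and source.startswith("/dev/mapper/"):
            problems.append(f"{target} is on LVM but must not be")
    return problems


def preflight(release_text: str, meminfo_text: str, arch: str, findmnt_text: str) -> List[str]:
    """Return a list of requirement violations; an empty list means the host passes."""
    problems = []
    if not check_release(release_text):
        problems.append(f"operating system is not RedHat {REQUIRED_RELEASE}")
    if arch.strip() != "x86_64":
        problems.append("operating system is not 64-bit")
    gb = memory_gb(meminfo_text)
    if gb < MIN_MEMORY_GB - 0.5:   # the kernel reports slightly less than the installed RAM
        problems.append(f"memory {gb:.1f} GB is below {MIN_MEMORY_GB} GB")
    problems += check_mounts(parse_mounts(findmnt_text))
    return problems


# Constructed sample captures: one compliant host and one that is not.
GOOD_RELEASE = "Red Hat Enterprise Linux Server release 7.5 (Maipo)\n"
GOOD_MEMINFO = "MemTotal:       16265404 kB\nMemFree:         9876543 kB\n"
GOOD_FINDMNT = """/ /dev/mapper/rhel-root
/boot /dev/sda1
/boot/efi /dev/sda2
/var /dev/mapper/rhel-var
/var/log /dev/mapper/rhel-varlog
/var/log/audit /dev/mapper/rhel-audit
/opt /dev/mapper/rhel-opt
/home /dev/mapper/rhel-home
/storetmp /dev/mapper/rhel-storetmp
/tmp /dev/mapper/rhel-tmp
/store /dev/mapper/rhel-store
/transient /dev/mapper/rhel-transient
"""
BAD_RELEASE = "Red Hat Enterprise Linux Server release 7.6 (Maipo)\n"
BAD_MEMINFO = "MemTotal:        8174504 kB\n"
BAD_FINDMNT = "/ /dev/mapper/rhel-root\n/boot /dev/mapper/rhel-boot\n"

if __name__ == "__main__":
    print("good host:", preflight(GOOD_RELEASE, GOOD_MEMINFO, "x86_64", GOOD_FINDMNT))
    print("bad host:", preflight(BAD_RELEASE, BAD_MEMINFO, "x86_64", BAD_FINDMNT))
```

The check is deliberately strict on the release string, since the note above says the collector works only with RHEL 7.5 and no additional updates; the partition sizes themselves are not verified here because they depend on the disk layout chosen in Step 2.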



Step 2: Configure your environment

  1. Copy the Red Hat Enterprise Linux minimal ISO to a DVD or a bootable USB flash drive.
  2. Insert the portable storage device into your appliance, and then restart your appliance.
  3. From the start menu, perform one of the following options:  
    • Select the USB or DVD drive as the boot option. 
    • To install on a system that supports Extensible Firmware Interface (EFI), you must start the system in legacy mode. 
  4. When prompted, log into the system as the root user.
  5. In the installation wizard, follow the on-screen instructions:
    1. Set the language to English (US).
    2. Click Date & Time, and then set the time for your deployment.
    3. Click Installation Destination, and then select I will configure partitioning.
    4. In the drop-down list, select LVM.
    5. To add the mount points and capacities for your partitions, click Add, and then click Done
    6. Click Network & Host Name.
    7. Enter the hostname for your appliance.
      1. The hostname is case-sensitive and must match, letter for letter and in the same casing, the hostname carried in the logs that are sent to this log source.
    8. In the list, select the interface, move the switch to ON, and then click Configure.
    9. In the General tab, select Automatically connect to this network when it is available.
    10. In the IPv4 Settings tab, select Manual in the Method list.
    11. To enter the IP address, Netmask, and Gateway for the appliance in Addresses, click Add.  
    12. Add two DNS servers.
    13. Click Save, click Done, and then click Begin Installation
  6. Set the root password, and then click Finish configuration
    • Armor recommends at least ASCII characters, with upper-case letters, lower-case letters, and special characters. 
    • Save this password in a secure password vault. 
  7. Edit /etc/ssh/sshd_config to ensure the following configurations:
    • PermitRootLogin yes
    • PasswordAuthentication yes
  8. In /root/.ssh/authorized_keys, remove all keys.
  9. Disable SELinux, and then after the installation process is complete, restart the system. 
  10. Via SSH, validate root login with password.
    • ssh -o PreferredAuthentications=password -l root 

Step 3: Install the event collector

  1. Copy the QRadar ISO to the device.
  2. Create the /media/cdrom directory. To do so, enter the following command: mkdir /media/cdrom
  3. Mount the QRadar ISO on that directory. To do so, enter the following command, replacing <path_to_QRadar_ISO> with the location of the file you copied: mount -o loop <path_to_QRadar_ISO> /media/cdrom
  4. Run the QRadar setup. To do so, enter the following: /media/cdrom/setup 
    • A new kernel may be installed as part of the installation, which requires a system restart. After the system restart, repeat the commands in Step 3 and Step 4 to continue the installation.
  5. In Software Installed System, select Software Install, and then select Next.  
  6. In Software Appliance Assignment, select Event Collector, and then select Next.
  7. In Type of Setup, select Normal Setup (default), and then select Next
  8. In Select Continent/Area, select UTC, and then select Next
  9. In Internet Protocol Setup, select ipv4 Internet Protocol version 4, and then select Next
  10. If required, select the bonded interface setup. (This action is not supported by Armor.)
  11. Select the management interface
  12. In the wizard, in Hostname, enter a fully qualified domain name.
  13. In IP address, enter a static IP address or use the assigned IP address.
  14. If you do not have an email server, then in Email server name, enter localhost.
  15. Do not modify the root password. 
  16. Click Finish.
  17. In the installation wizard, follow the instructions to complete the installation. The installation process may take a few minutes.
  18. Reboot. 






Have a suggestion for the Armor Knowledge Base? Send a message to kb@armor.com.