This topic applies to Armor Complete and Armor Anywhere users.
To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source).
Before you begin
For remote log collection, you must have Log Relay added to your account.
- To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.
Step 1: Create a remote log source
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click External Sources.
- Click Log Relay Source.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
- In Endpoint, select the available Armor Endpoint.
- In Log Source Type, select Apache HTTP Server.
- In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.
- The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
- In Protocol, select TLS Syslog.
- Click Save Log Source.
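A pre-flight check for the Hostname field described above, as an added example that is not part of Armor's documentation or tooling: it reads the hostname from traditional syslog lines and flags any that differ from the value entered in AMP, including case-only differences. The function names and the sample lines after the first are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Armor tooling. Assumes traditional syslog lines
# ("Mon DD HH:MM:SS host tag: msg"), so the hostname is field 4.

# check_hostname EXPECTED FILE
# Prints "<verdict> <hostname>" for each distinct hostname in FILE and
# returns 0 only when every parsed line carries EXPECTED exactly.
check_hostname() {
    awk -v want="$1" '
        $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            host = $4
            # Append "" to force string (not numeric) comparison.
            if ((host "") == (want ""))              verdict = "match"
            else if (tolower(host) == tolower(want)) verdict = "case-mismatch"
            else                                     verdict = "other"
            seen[host] = verdict
            if (verdict != "match") bad = 1
        }
        END {
            for (h in seen) printf "%s %s\n", seen[h], h
            exit bad + 0
        }
    ' "$2"
}

# Constructed sample: line 1 is the page's example, lines 2-3 are made up.
write_sample() {
    cat > "$1" <<'EOF'
Mar 10 08:52:55 node-77 systemd: < redacted >
Mar 10 08:52:56 node-77 apache2: 203.0.113.5 - - "GET / HTTP/1.1" 200 512
Mar 10 08:53:01 Node-77 apache2: 203.0.113.9 - - "GET /login HTTP/1.1" 302 0
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_hostname node-77 "$sample" ||
    echo "Some lines would not match a log source whose Hostname is node-77"
rm -f "$sample"
```

Run `check_hostname` against a real syslog file on the log source before saving the entry; a `case-mismatch` verdict means the Hostname field must be changed to the casing the logs actually use.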
Step 2: Implement server
Before you begin, ensure that the following packages are installed:
- apt-get install -y rsyslog-gnutls
- Create a directory to hold the Armor PEM file:
- mkdir -pv /etc/rsyslog.d/keys/ca.d
- Change to the newly created directory:
- cd /etc/rsyslog.d/keys/ca.d
- Download Armor PEM files:
- Create a file called /etc/rsyslog.d/54-nginx.conf with the template below.
- Replace access-log with the full path of the access log.
- Repeat for each access log needed.
- If more than one access log file is defined, ensure that the InputFileStateFile name is unique per log file.
- Create a file called /etc/rsyslog.d/55-armor.conf with the template below.
- Replace target-name:port with the name of the configured endpoint and port.
Ensure that the rsyslog configuration has no syntax errors:
service rsyslog restart