You can add a remote log collector to the following remote devices (log sources):

Create a remote log source (Apache HTTP Server for Ubuntu 14)


To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source). 


Pre-deployment considerations

For remote log collection, you must have Log Relay added to your account.  


Create A Remote Log Source

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click External Sources.
  3. Click Log Relay Source.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    1. In Endpoint, select the available Armor Endpoint.
    2. In Log Source Type, select Apache HTTP Server
    3. In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.

      1. The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
    4. In Protocol, select TLS Syslog
  6. Click Save Log Source.


Implement Server

Before you begin, ensure that the following packages are installed:

  • rsyslog-gnutls
    • apt-get install -y rsyslog-gnutls
  1. Create a directory to hold the Armor PEM file: 
    • mkdir -pv /etc/rsyslog.d/keys/ca.d
  2. Change to the newly created directory: 
    • cd /etc/rsyslog.d/keys/ca.d
  3. Download Armor PEM files: 
  4. Create a file called /etc/rsyslog.d/54-nginx.conf with the template below. 
    • Replace access-log with the FULL path of the access log.
    • Repeat the block for each access log needed.
    • If more than one access log file is defined, then ensure that the InputFileStateFile name is unique per log file.

      #########################
      $ModLoad imfile
      
      
      # access log
      $InputFileName access-log
      $InputFileTag httpd:
      $InputFileStateFile stat-nginx-access
      $InputFileSeverity info
      $InputFilePollInterval 1
      $InputRunFileMonitor
      #########################
  5. Create a file called /etc/rsyslog.d/55-armor.conf with the template below. 
    • Replace target-name:port with the name of the configured endpoint and port.

      #########################
      #RsyslogGnuTLS
      
      global(
        # certificate files
        defaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.d/logs.armor.com.pem"
      )
      
      template(
        name="RFC3164Template"
        type="string"
        string="<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
      )
      
      # make gtls driver the default
      $DefaultNetstreamDriver gtls
      
      # do not validate peer
      # if set to anon then $ActionSendStreamDriverPermittedPeer must not be set
      #$ActionSendStreamDriverAuthMode anon
      
      # run driver in TLS-only mode
      $ActionSendStreamDriverMode 1
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer *.logs.armor.com
      
      ### Send auth or authpriv messages to Armor
      # https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/t_DSM_guide_Linux_OS_syslog.html
      ## if ( $syslogfacility-text == "auth" or $syslogfacility-text == "authpriv" ) then {
      ##   & stop
      ## }
      ###
      
      ### Send httpd messages to Armor
      if ( $programname startswith "httpd" ) then {
        $ActionQueueType LinkedList
      
        # unique name prefix for spool files
        $ActionQueueFileName q_sendHttpdToArmor
      
        # infinite retries if host is down
        $ActionResumeRetryCount -1
      
        # 1gb disk queue
        $ActionQueueMaxDiskSpace 1g
      
        # save messages to disk on shutdown
        $ActionQueueSaveOnShutdown on
      
        # queue.workerThreads may not be raised above 1
        # Specifies the maximum number of worker threads that can be run parallel.
        $ActionQueueWorkerThreads 1
      
        # queue.dequeueSlowDown limited to 100 messages per second
        # Regulates how long dequeueing should be delayed. This value must be specified in microseconds (1000000us is 1sec). It can be used to slow down rsyslog so it won't send
        # things to fast. For example if this parameter is set to 10000 on a UDP send action, the action won't be able to put out more than 100 messages per second.
        $ActionQueueDequeueSlowDown 10000
      
        # queue.discardSeverity default 8
        # As soon as the threshold of the parameter queue.discardMark is reached, incoming as well as queued messages with a priority equal to or lower than the one specified will be erased.
        # With the default, no messages will be erased. You have to specify a numeric severity value for this parameter.
        $ActionQueueDiscardSeverity 6
      
      
        # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
        *.* @@target-name:port;RFC3164Template
      
        # ### end of the forwarding rule ###
        & stop
      }
      #########################
  6. Ensure that rsyslog configuration has no syntax errors:

    • rsyslogd -N1

  7. Restart rsyslog: 

    • service rsyslog restart

  8. Verify.


Create a remote log source (Apache HTTP Server For CentOS 6)


To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source). 


Pre-deployment considerations

For remote log collection, you must have Log Relay added to your account.  


Create a remote log source

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    1. In Endpoint, select the available Armor Endpoint.
    2. In Log Source Type, select Apache HTTP Server
    3. In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.

      1. The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
    4. In Protocol, select TLS Syslog
  6. Click Save Log Source.


Implement Server

Before you begin, ensure that the following packages are installed:

  • rsyslog-gnutls
    • yum install -y rsyslog-gnutls
  1. Create a directory to hold the Armor PEM file: 
    • mkdir -pv /etc/rsyslog.d/keys/ca.d
  2. Change to the newly created directory: 
    • cd /etc/rsyslog.d/keys/ca.d
  3. Download Armor PEM files: 
  4. Place the following two lines in the main httpd.conf or in the vhost config (they are needed for each vhost): 
    • LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" ArmorCustom
    • CustomLog "|/usr/bin/logger -t httpd -p local6.info" ArmorCustom
  5. Create a file called /etc/rsyslog.d/55-armor.conf with the following template:
    • Replace target-name:port with the name of the configured endpoint and port.

      # make gtls driver the default
      $DefaultNetstreamDriver gtls
      # $ActionSendStreamDriverAuthMode anon
      $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer *.logs.armor.com
      
      # certificate files
      $DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs.armor.com.pem
      
      
      # ### begin forwarding rule ###
      # The statements between begin ... end define a SINGLE forwarding
      # rule. They belong together, do NOT split them. If you create multiple
      # forwarding rules, duplicate the whole block!
      # Remote Logging (we use TCP for reliable delivery)
      #
      # An on-disk queue is created for this action. If the remote host is
      # down, messages are spooled to disk and sent when it is up again.
      # $ActionQueue* and $ActionResumeRetryCount apply to the NEXT action
      # line, so they must come before the forwarding line, and the queue
      # needs a file name or nothing is ever spooled to disk.
      $ActionQueueType LinkedList   # run asynchronously
      $ActionQueueFileName fwdRule1 # unique name prefix for spool files
      $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
      $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
      $ActionQueueWorkerThreads 1
      $ActionQueueDequeueSlowDown 10000
      $ActionQueueDiscardSeverity 6
      $ActionResumeRetryCount -1    # infinite retries if host is down
      
      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
      local6.*  @@<target-name:port>
      # ### end of the forwarding rule ###
  6. Ensure that rsyslog configuration has no syntax errors:

    • rsyslogd -N1

  7. Ensure that httpd configuration has no syntax errors:

    • httpd -t

  8. Reload httpd:

    • service httpd reload

  9. Restart rsyslog: 

    • service rsyslog restart

  10. Verify.
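To confirm what the Log Relay will actually receive from the rules above (local6 facility and info severity from the logger invocation, a hostname that must match the portal's Hostname field case-sensitively, and the ArmorCustom body), here is an added Python example that is not part of the Armor page or its tooling. It decodes an RFC 3164 line of the shape produced by the RFC3164Template in the Ubuntu section, splits PRI into facility and severity, and parses the body written by the LogFormat line in step 4. The sample line is constructed, with addresses from documentation ranges, and the field names in the returned dictionaries are this example's own.

```python
import re

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 envelope as produced by RFC3164Template: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<hostname>\S+) '
    r'(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?'
    r'(?P<msg>.*)$')

# body written by Apache's  LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" ArmorCustom
ARMOR_CUSTOM_RE = re.compile(
    r'^(?P<remote_host>\S+) (?P<local_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<server_port>\d+) (?P<bytes>\S+)$')


def parse_syslog_line(line):
    """Split an RFC 3164 line into its fields; PRI is decoded as facility * 8 + severity."""
    m = RFC3164_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
        "severity": SEVERITY_NAMES[severity],
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def parse_armor_custom(msg):
    """Parse the ArmorCustom access-log body; '-' ident/user become None, numbers become int."""
    m = ARMOR_CUSTOM_RE.match(msg)
    if not m:
        raise ValueError("not an ArmorCustom access-log line: %r" % msg)
    d = m.groupdict()
    for k in ("ident", "user"):
        if d[k] == "-":
            d[k] = None
    d["status"] = int(d["status"])
    d["server_port"] = int(d["server_port"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])   # %b prints '-' for zero
    return d


def matches_log_source(parsed, source_hostname, expect_facility="local6"):
    """Would this line land in the AMP log source? The hostname comparison is
    deliberately case-sensitive, exactly as the portal's Hostname field is; the
    default facility is the one the CustomLog logger line selects (local6)."""
    return (parsed["hostname"] == source_hostname
            and parsed["tag"] == "httpd"
            and parsed["facility"] == expect_facility)


# constructed sample: logger -t httpd -p local6.info output wrapped by the RFC3164Template
SAMPLE_LINE = ('<182>Mar 10 08:52:55 node-77 httpd: 203.0.113.7 198.51.100.10 - - '
               '[10/Mar/2019:08:52:55 +0000] "GET /index.html HTTP/1.1" 200 443 5120')

if __name__ == "__main__":
    env = parse_syslog_line(SAMPLE_LINE)
    print(env["facility"], env["severity"], env["hostname"], env["tag"])
    print(parse_armor_custom(env["msg"]))
    print(matches_log_source(env, "node-77"), matches_log_source(env, "Node-77"))
```

PRI 182 decodes to local6/info, which is what the CustomLog line emits; a line from the Ubuntu imfile path arrives with imfile's default facility (local0, PRI 134 for info), so pass expect_facility="local0" when checking that variant. The case mismatch in the last print is the most common reason a source shows no events.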

Troubleshooting 

If SELinux is enforcing on RHEL/CentOS, it will block rsyslog from connecting to the remote port. To troubleshoot:

  1. Install the SELinux troubleshooting tool:

    • yum install -y setroubleshoot-server

  2. Check whether rsyslog is being blocked from using the remote port:

    • sealert -a /var/log/audit/audit.log

  3. Follow the recommendations from sealert to allow the access. Example:

    • grep 72733A6D61696E20513A526567 /var/log/audit/audit.log | audit2allow -M mypol
    • semodule -i mypol.pp
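A module generated by audit2allow grants whatever the matched denials asked for, so it helps to see first exactly which connect was refused. The Python below is an added example, not Armor's or the setroubleshoot project's code: it pulls rsyslogd TCP connect denials out of audit.log records and proposes the narrower fix of labeling just that port. The audit lines in it are constructed; syslogd_port_t as the target type is an assumption about the policy on the host, and if the port already carries a different type the label has to be changed with semanage port -m rather than added with -a.

```python
import re

# kernel AVC record layout; only the fields this check needs are captured
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: dest=(?P<dest>\d+))?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def rsyslog_connect_denials(audit_lines):
    """Return (port, port type) for every AVC that denied rsyslogd a TCP name_connect."""
    denials = []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if not m or m.group("comm") != "rsyslogd" or m.group("tclass") != "tcp_socket":
            continue
        if "name_connect" not in m.group("perms").split() or m.group("dest") is None:
            continue
        # tcontext looks like system_u:object_r:unreserved_port_t:s0; the type is field 3
        port_type = m.group("tcontext").split(":")[2]
        denials.append((int(m.group("dest")), port_type))
    return denials


def suggest_port_label(denials, port_type="syslogd_port_t"):
    """Commands that label only the denied port(s) instead of installing a custom module."""
    return ["semanage port -a -t %s -p tcp %d" % (port_type, port)
            for port, _ in sorted(set(denials))]


# constructed audit.log excerpt: one rsyslogd connect denial, its SYSCALL record, and an
# unrelated httpd file denial that must be ignored
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1552234375.123:456): avc:  denied  { name_connect } for  pid=1234 '
    'comm="rsyslogd" dest=6514 scontext=system_u:system_r:syslogd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1552234375.123:456): arch=c000003e syscall=42 success=no exit=-13 '
    'comm="rsyslogd" exe="/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)',
    'type=AVC msg=audit(1552234380.001:457): avc:  denied  { write } for  pid=2222 comm="httpd" '
    'name="access_log" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

if __name__ == "__main__":
    found = rsyslog_connect_denials(SAMPLE_AUDIT)
    print(found)
    for cmd in suggest_port_label(found):
        print(cmd)
```

On a real host, replace SAMPLE_AUDIT with open("/var/log/audit/audit.log") and compare the proposed command with what sealert recommends; if the two agree on the port, the port label is the smaller change to approve.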



Create a remote log source (Wincollect)


To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to add a remote log collector to a Wincollect remote device (log source). 


Pre-deployment considerations

For remote log collection, you must have Log Relay added to your account.  


Create A Remote Log Source

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    • In Endpoint, select the available Armor Endpoint.
    • In Log Source Type, select Microsoft Windows Security Event Log
    • In Hostname, enter the system hostname that matches the system for log collection.
      • The hostname is case-sensitive and must match the exact same letter casing as the logs that are sent into this log source.
    • In Protocol, based on your selection in Log Source Type, select the available protocol.
  6. Click Save Log Source.
  7. In the Sources screen, refresh the screen until the log source reaches an Online status. 


Update Access Control List

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  2. Click Log & Data Management
  3. Click External Sources
  4. Hover over the gear icon, and then click the blue icon for Edit Access Control List
  5. In the field, enter a public IP address or a range of addresses that will send data to Armor. Enter the address in CIDR notation. 
  6. Click Add CIDR.
  7. Click Save ACL.


Install and Configure Wincollect to Forward Windows Security Logs

  1. Download and install two Wincollect installers. 
  2. Log into your server. 
  3. Right-click the Wincollect Standard Installer, and then select Run as administrator.
    • Click Next until you reach the Setup Type screen.
    • In the Setup Type screen, select Stand Alone.
    • Click Next until you see the option to install. Click Install
    • After the installation is complete, click Finish to close the window. 
  4. Right-click the Wincollect Standalone Patch Installer, and then select Run as administrator.
    • Click Next until you reach the Custom Setup screen.
    • Verify that Configuration Console is set to install on the local hard drive.
    • Click Next until you see the option to install. Click Install.
    • Click Finish to close the window.
  5. Install .Net 3.5. 
    • If you already have .NET 3.5 installed, then you can skip this step. 
    • For Windows Server 2012 and higher, you can use Server Manager to perform the installation. (In the top menu, click Manage, click Add Roles and Features, click Features, mark .NET Framework 3.5 Features, mark .NET Framework 3.5, and then click Next.)  


Download A TLS Certificate

This step only applies to users who currently have TLS certificates. If you have not previously configured your account for TLS certificates, then you can skip to Step 5: Configure your Wincollect Configuration Console

  1. Download your unique TLS certificate from Armor.
  2. Copy the following code into a local server file, and then name the file Get-RemoteSSLCertificate.ps1

    # Downloads the certificate presented by a TLS endpoint and prints it in PEM form.
    # The validation callback accepts any certificate on purpose: this script fetches
    # the certificate, it does not trust it, so inspect the output before using it.
    [CmdletBinding()]
    param (
      [Parameter(Mandatory = $true)]
      [string]
      $ComputerName,
    
      [int]
      $Port = 443
    )
    
    $Certificate = $null
    $TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
    
      Write-Verbose ("Attempting to download certificate from {0}:{1}" -f $ComputerName, $Port)
      $TcpClient.Connect($ComputerName, $Port)
      $TcpStream = $TcpClient.GetStream()
    
      # accept the remote certificate regardless of chain or name errors so it can be captured
      $Callback = { param($sender, $cert, $chain, $errors) return $true }
    
      $SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback)
      try {
        # pass the endpoint name as the target host so the server receives SNI and presents the right certificate
        $SslStream.AuthenticateAsClient($ComputerName, $null, "Tls12", $false)
        $Certificate = $SslStream.RemoteCertificate
      }
      finally {
        $SslStream.Dispose()
      }
    
    }
    catch {
      Write-Error ("Unable to download certificate from {0} on port {1}.`nPlease validate that these are correctly configured in `$env:logEndpoint and `$env:logPort to match the information provided from https://portal.armor.com/" -f $ComputerName, $Port)
    }
    finally {
      $TcpClient.Dispose()
    }
    
    if ($Certificate) {
      Write-Verbose ("Certificate downloaded from {0}:{1}" -f $ComputerName, $Port)
      # RemoteCertificate is an X509Certificate; wrap it as X509Certificate2 and always emit PEM.
      # (Converting only when the object was not already an X509Certificate2 printed a raw
      # object instead of PEM on PowerShell versions where RemoteCertificate is already that type.)
      $Cert2 = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
      $Base64 = [Convert]::ToBase64String($Cert2.RawData, "InsertLineBreaks")
      $Pem = "{0}`n{1}`n{2}" -f "-----BEGIN CERTIFICATE-----", $Base64, "-----END CERTIFICATE-----"
      Write-Verbose ("Subject {0}, thumbprint {1}" -f $Cert2.Subject, $Cert2.Thumbprint)
      Write-Output $Pem
    }
    else {
      Write-Error ("Empty certificate downloaded from {0} on port {1}.`nPlease validate that these are correctly configured in `$env:logEndpoint and `$env:logPort to match the information provided from https://portal.armor.com/" -f $ComputerName, $Port)
    }
  3. In a PowerShell window, navigate to the folder that contains your newly created .ps1 file.

  4. Run the following script: 

    .\Get-RemoteSSLCertificate.ps1 -ComputerName <Armor Provided Endpoint FQDN> -Port <Armor Provided Port Number>
  5. Copy the certificate into a new file to save for later use. 


Configure Your Wincollect Configuration Console

  1. On your machine, open the Wincollect Configuration Console.
  2. Expand Destinations.
  3. Click SysLog TCP, and then in the right menu, click Add New Destination.
  4. Enter a destination name, such as Armor TLS.
  5. Expand SysLog TCP, and then click the newly created destination name to open the destination configuration menu.
    • In Hostname, enter the Armor-provided endpoint FQDN for your source.
    • In Port, enter the Armor-provided port number for your source.
    • In Certificate, enter the newly created certificate.
      • This step only applies to users who currently have TLS certificates. If you have not previously configured your account for TLS certificates, then you can skip this step. 
    • Click Deploy Changes to save your configuration. 
  6. Expand Devices.
  7. Click Microsoft Windows Event Log, and then in the right menu, click Add New Device.
    • Enter a device name. (Armor recommends that you use the case-sensitive server name.)
  8. Expand Microsoft Windows Event Log, and then click the newly created device to open the device configuration menu.
    • In Name and Device Address, enter the case-sensitive local system host name. 
    • In Security, verify that the box is checked.
    • In Destinations, click Add, and then add the newly created destination. 
    • Click Deploy Changes to save your configuration. 


Verify Configurations

  1. Log out of the server, and then log back in. 
    • This action will generate a log which you can use to verify that the configuration to Armor was successful. 
  2. In the Armor Management Portal (AMP), in the left-side navigation, click Security
  3. Click Log & Data Management
  4. Click Search
  5. In the search field, enter the name of your server to locate the newly generated log. 
    • You may need to refresh the screen to see new logs. 



