You can use the Log Depot add-on product to securely store file-based application logs with Armor for up to 13 months. Log Depot can only collect single-line log formats.
Within the Armor Management Portal (AMP), you can view logs from the previous 90 days. You can view these logs and overall storage usage in the Log Search section of the Log Management screen.
At a high level, there are two steps to use Log Depot:
You can use Log Depot to collect CloudTrail logs from AWS.
To learn how to collect CloudTrail logs, see Collect and view CloudTrail logs in AMP.
Log Depot does not provide security analysis, parsing, or awareness of log content.
You can store only up to 10,000 logs, even if you have not reached the 90-day limit.
The Log and Event Management subagent will sync and update this screen every 15 minutes.
Log Depot's prices are based on a subscription (base) charge and an overage (tiered) charge.
The monthly subscription charge includes up to 25GB of storage. Additional storage above 25GB will be charged on a tiered level.
Review the following table to understand the pricing structure:
|LD Base Subscription||$200||£155|
|Storage tier||$ per GB||£ per GB||Tier Discount|
|0GB - 25GB (Included in Base Subscription)||Included (is $8/GB)||Included (is £6.20)||-|
|26GB - 50GB||$7.2||£5.58||10%|
|51GB - 100GB||$6.56||£5.08||18%|
|101GB - 250GB||$6.08||£4.71||24%|
|251GB - 500GB||$5.60||£4.34||30%|
|501GB - 1000GB||$5.28||£4.09||34%|
To use these instructions, you must have PowerShell admin access.
For filelog type, run C:\.armor\opt\armor policy filelog add --path C:\inetpub\logs\web1.log --category web --tags web1,iis
To use these instructions, you must have sudo access.
Review the following example to understand how to send logs to Armor: /opt/armor/armor policy filelog add --path /var/log/dpkg.log --category platform --tags Ubuntu
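Because Log Depot can only collect single-line log formats, it is worth checking a file before you add a filelog policy for it. The following is an added example, not part of the Armor agent: it flags lines that do not begin a new record, assuming each record starts with a timestamp. The function name, the pattern, and the sample lines are constructed for illustration.

```python
import re
import sys

# Assumption: each record starts with a timestamp such as
# "2024-01-15 10:22:01", "2024-01-15T10:22:01" or "Jan 15 10:22:01".
# Adjust RECORD_START to match your application's log format.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"
    r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"
)

# Constructed sample input, not real log data.
SAMPLE_SINGLE_LINE = """\
2024-01-15 10:22:01 startup packages configure
2024-01-15 10:22:02 status installed libc-bin:amd64 2.35-0ubuntu3
"""
SAMPLE_MULTI_LINE = """\
2024-01-15 10:22:05 ERROR request failed
java.lang.IllegalStateException: session closed
    at com.example.Handler.run(Handler.java:42)
2024-01-15 10:22:06 INFO request served
"""


def find_continuation_lines(lines, record_start=RECORD_START):
    """Return (line_number, text) for non-blank lines that do not start a record."""
    flagged = []
    for number, raw in enumerate(lines, start=1):
        text = raw.rstrip("\r\n")
        if text.strip() and not record_start.match(text):
            flagged.append((number, text))  # stack trace, wrapped message, etc.
    return flagged


def main(argv):
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            flagged = find_continuation_lines(handle)
    else:
        flagged = find_continuation_lines(SAMPLE_MULTI_LINE.splitlines())
    for number, text in flagged:
        print(f"line {number}: not a record start: {text!r}")
    return 1 if flagged else 0  # non-zero exit when multi-line records are found


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the file contains lines that would be stored as separate, context-free entries, so reconfigure the application to emit one record per line before sending that file to Log Depot.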
Review the following table to better understand how to interact with the agent via the command line:
|armor -h||Displays the agent's help dialog|
|armor policy -h||Displays the agent's policy help dialog|
|armor policy filelog -h||Displays the agent's policy filelog help dialog|
|armor policy filelog add -h||Displays the agent's policy filelog add help dialog|
|armor policy filelog --add [path]||Adds a filebeat logging policy with the user-defined path, category, and tag(s).|
|armor policy add eventlog [name]||Adds a (Windows) eventlog logging policy with the user-defined path, category, and tag(s).|
|armor policy remove filelog [path]|
|armor policy show||Displays command functionality and syntax available at the command line. "show" can be added to any level of command to help drive user input|
|armor policy sync||Synchronizes the local Armor CORE Agent with API services to pull down the latest policy version|
If you do not see any data in the Log Search section of the Log Management screen, consider that