Versions Compared

Old Version 88

changes.mady.by.user Development Operations (Deactivated)

Saved on

compared with

New Version 89

changes.mady.by.user Luke Fritz (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Section
id818302032
Section
width100%
id818302033
Section
id818302034

Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:

  • Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
  • Greater context to aid in more effective detection, alerting and response.
  • Ability to meet compliance mandates through the storing of log data for up to 13 months.

ARMOR ANYWHERE can be configured to collect logs from the following sources:

Section
margin8px
id816674186
Section
width33.333332%
id816674197
Section
margin0 8px
id816674207
alternate-styletrue

Image Added

Apache Server

Section
margin8px 8px
id816688110
alternate-styletrue

Image Added

Armor Anywhere

Section
width33.333332%
id816693111
Section
margin0 8px
id816693112
alternate-styletrue

Image AddedMicrosoft IIS

Section
margin8px 8px
id816697410
alternate-styletrue

Image Added

MSSQL

Section
width33.333332%
id816701154
Section
margin0 8px
id816701164
alternate-styletrue

Image Added

NGINX

Section
margin8px 8px
id816704889
alternate-styletrue

Image Added

Sysmon

Section
id816596170
Section
width100.00002%
id816596181
Section
id816596180

Anchor
Armor Agent - Collecting Linux and Windows Standard Logs
Armor Agent - Collecting Linux and Windows Standard Logs

Armor Agent - Collecting Linux and Windows Standard Logs

Use the following commands to manage the Logging service - Filebeat and Winlogbeat (for Windows only).


Install Logging:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install


Uninstall Logging:

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall


Logging Help

Code Block
themeMidnight
firstline1
linenumberstrue
Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help
Expand
titleFilebeat Sync Configuration Commands for Linux

Add new paths to filebeat config

Code Block
themeMidnight
firstline1
/opt/armor/armor logging add-file-paths <paths to file locations>

Remove paths from filebeat config

Code Block
themeMidnight
firstline1
 /opt/armor/armor logging remove-file-paths <paths to file locations>

List added config paths

Code Block
themeMidnight
firstline1
/opt/armor/armor logging describe-file-paths

Sync filebeat config

Code Block
themeMidnight
firstline1
/opt/armor/armor logging sync-file-paths
Expand
titleFilebeat Sync Configuration Commands for Windows

Add new paths to filebeat config

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging add-file-paths <paths to file locations>


Remove paths from filebeat config

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging remove-file-paths <paths to file locations>


List added config paths

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging describe-file-paths


Sync filebeat config

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging sync-file-paths


Add winlogbeat event logs

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging add-event-logs <add events>


Remove winlogbeat event logs

Code Block
themeMidnight
firstline1
 C:\.armor\opt\armor.exe logging remove-event-logs <add events>


List Event logs

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging describe-event-logs


Sync event logs

Code Block
themeMidnight
firstline1
C:\.armor\opt\armor.exe logging sync-event-logs
Expand
titleLogging Command Usage

Command Usage:

armor logging command [arguments...]

The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.

CommandArguments Result
  • iis-enable
  • apache-enable
  • nginx-enable

Enables filebeat IIS/apache/nginx. When run, module yml file will change from disabled state to enable state.

  • iis-disable
  • apache- disable
  • nginx- disable

Disables Filebeat IIS/apache/nginx. When run the module yml file will change from enable state to disable mode.

  • iis-add-access-paths
  • apache-add-access-paths
  • nginx-add-access-paths
path1, path2, path3Includes the argument paths in module yml file under the 'access_paths' section.
  • iis-remove-access-paths
  • apache-remove-access-paths
  • nginx-remove-access-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'access_paths' section.

  • iis-add-error-paths
  • apache-add-error-paths
  • nginx-add-error-paths

path1, path2, path3

Includes the argument paths in module yml file under the 'error_paths' section.

  • iis-remove-error-paths
  • apache-remove-error-paths
  • nginx-remove-error-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'error_paths' section. Removes the argument paths in module yml file under the 'error_paths' section.

  • iis-sync-config
  • apache-sync-config
  • nginx-sync-config

The command sync the module yml file on vm with latest changes which are required.
  • iis-describe-config
  • apache-describe-config
  • nginx-describe-config

The command displays current access & error paths which are configured in module yml file.









Users can add as many paths in a single command as needed by must be comma-separated.

  • Linux example (multiple/one path):

    • /opt/armor/armor logging add-file-paths "/var/log/thing,/var/log/stuff/log,/path/to/log"
    • /opt/armor/armor logging add-file-paths /var/log/thing

  • Windows example (multiple/one path):

    • C:\.armor\opt\armor.exe logging add-file-paths "C:\var\log\thing,D:\path\to\log"
    • C:\.armor\opt\armor.exe logging add-file-paths C:\var\log\thing


Examples: Below is example usage for logging apache and similarly for iis and ngix module.

Command Usage:

armor logging apache-enable

armor logging apache-disable

armor logging apache-add-access paths <required paths needs to add here>

armor logging apache-remove-access paths <required paths needs to add here>

armor logging apache-add-error paths <required paths needs to add here>

armor logging apache-remove-error paths <required paths needs to add here>

armor logging apache-sync-config

armor logging apache-describe-config


Default Logging Configuration for the Armor Agent

Windows

The Armor Agent forwards logs from the System and Security event types. The specific event id's kept are as follows:

Sysmon Id's

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255

Security Event Id's

1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4794, 4798, 4799, 5140, 7034, 7045, 33205


Linux

The Armor Agent forwards the following log files for Linux servers:

CentOS/RHELUbuntu/Debian
  • /var/log/secure
  • /var/log/messages
  • /var/log/yum.log
  • /var/log/auth.log
  • /var/log/syslog


Log and Data Management Home

Was this helpful?