Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:
- Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
- Greater context to aid in more effective detection, alerting and response.
- Ability to meet compliance mandates through the storing of log data for up to 13 months.
ARMOR ANYWHERE can be configured to collect logs from the following sources:
- Apache Server
- Armor Anywhere
- Microsoft IIS
- MSSQL
- NGINX
- Sysmon
Armor Agent - Collecting Linux and Windows Standard Logs
Use the following commands to manage the Logging service. The service runs Filebeat on both Linux and Windows; on Windows it also runs Winlogbeat for event log collection. After adding or removing file paths or event logs, run the matching sync command so the change is applied to the Beats configuration.
Install Logging:
Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install
Uninstall Logging:
Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall
Logging Help:
Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help
Filebeat Sync Configuration Commands for Linux
Add new paths to the Filebeat config:
/opt/armor/armor logging add-file-paths <paths to file locations>
Remove paths from the Filebeat config:
/opt/armor/armor logging remove-file-paths <paths to file locations>
List added config paths:
/opt/armor/armor logging describe-file-paths
Sync the Filebeat config:
/opt/armor/armor logging sync-file-paths
Filebeat Sync Configuration Commands for Windows
Add new paths to the Filebeat config:
C:\.armor\opt\armor.exe logging add-file-paths <paths to file locations>
Remove paths from the Filebeat config:
C:\.armor\opt\armor.exe logging remove-file-paths <paths to file locations>
List added config paths:
C:\.armor\opt\armor.exe logging describe-file-paths
Sync the Filebeat config:
C:\.armor\opt\armor.exe logging sync-file-paths
Add Winlogbeat event logs:
C:\.armor\opt\armor.exe logging add-event-logs <event logs to add>
Remove Winlogbeat event logs:
C:\.armor\opt\armor.exe logging remove-event-logs <event logs to remove>
List event logs:
C:\.armor\opt\armor.exe logging describe-event-logs
Sync event logs:
C:\.armor\opt\armor.exe logging sync-event-logs
Filebeat Module Commands
Command usage: armor logging <command> [arguments...]
The following commands are the parameters of the Logging CLI feature that let customers manage Filebeat modules on virtual machines.
Command | Arguments | Result |
---|---|---|
iis-enable, apache-enable, nginx-enable | (none) | Enables the Filebeat IIS/Apache/NGINX module. When run, the module yml file changes from the disabled state to the enabled state. |
iis-disable, apache-disable, nginx-disable | (none) | Disables the Filebeat IIS/Apache/NGINX module. When run, the module yml file changes from the enabled state to the disabled state. |
iis-add-access-paths, apache-add-access-paths, nginx-add-access-paths | path1,path2,path3 | Adds the argument paths to the 'access_paths' section of the module yml file. |
iis-remove-access-paths, apache-remove-access-paths, nginx-remove-access-paths | path1,path2,path3 | Removes the argument paths from the 'access_paths' section of the module yml file. |
iis-add-error-paths, apache-add-error-paths, nginx-add-error-paths | path1,path2,path3 | Adds the argument paths to the 'error_paths' section of the module yml file. |
iis-remove-error-paths, apache-remove-error-paths, nginx-remove-error-paths | path1,path2,path3 | Removes the argument paths from the 'error_paths' section of the module yml file. |
iis-sync-config, apache-sync-config, nginx-sync-config | (none) | Syncs the module yml file on the VM with the latest required changes. |
iis-describe-config, apache-describe-config, nginx-describe-config | (none) | Displays the access and error paths currently configured in the module yml file. |
Any number of paths can be added in a single command, but they must be comma-separated.
Example usage for the Apache module (the IIS and NGINX modules take the same form):
armor logging apache-enable
armor logging apache-disable
armor logging apache-add-access-paths <paths to add>
armor logging apache-remove-access-paths <paths to remove>
armor logging apache-add-error-paths <paths to add>
armor logging apache-remove-error-paths <paths to remove>
armor logging apache-sync-config
armor logging apache-describe-config
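The commands above take a single comma-separated path argument, which means a typo, a relative path or a path that itself contains a comma goes straight into the agent configuration. The following is an added example, not Armor's code: it builds the add-file-paths / remove-file-paths command line for either platform after normalizing and validating the paths. The only facts taken from the page are the binary locations and the comma-separated argument form; the function names and the example paths are assumptions of this example.

```python
"""Build an `armor logging ... -file-paths` invocation from a list of log paths.

Added example, not Armor's code. The binary locations and the comma-separated
argument form come from the page; the function names are this example's own.
"""
import ntpath
import posixpath

# Binary locations as documented on the page.
ARMOR_BIN = {
    "linux": "/opt/armor/armor",
    "windows": r"C:\.armor\opt\armor.exe",
}

PATH_ACTIONS = ("add-file-paths", "remove-file-paths")


def normalize_paths(platform, paths):
    """Return a de-duplicated list of absolute, normalized paths.

    Raises ValueError for:
      - a path containing a comma (the CLI uses comma as the delimiter, so such
        a path cannot be expressed at all),
      - a relative path (the agent, not the caller's shell, would resolve it),
      - an empty list after blanks are dropped.
    Path syntax (posix vs. NT) follows the target platform, not the host.
    """
    mod = posixpath if platform == "linux" else ntpath
    seen = []
    for raw in paths:
        p = raw.strip()
        if not p:
            continue
        if "," in p:
            raise ValueError(f"path contains the list delimiter ',': {p!r}")
        if not mod.isabs(p):
            raise ValueError(f"relative path rejected: {p!r}")
        p = mod.normpath(p)  # collapse '..' and repeated separators
        if p not in seen:
            seen.append(p)
    if not seen:
        raise ValueError("no paths given")
    return seen


def build_command(platform, action, paths):
    """Return the argv list for the add/remove file-paths command."""
    if platform not in ARMOR_BIN:
        raise ValueError(f"unknown platform: {platform!r}")
    if action not in PATH_ACTIONS:
        raise ValueError(f"not a file-paths action: {action!r}")
    joined = ",".join(normalize_paths(platform, paths))
    return [ARMOR_BIN[platform], "logging", action, joined]


if __name__ == "__main__":
    # Constructed example paths; adjust to the application being onboarded.
    print(build_command("linux", "add-file-paths",
                        ["/var/log/app/access.log", "/var/log/app/error.log"]))
    print(build_command("windows", "add-file-paths",
                        [r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex.log"]))
```

The returned list is meant to be passed to a subprocess call without a shell, so no quoting of the joined argument is needed; if you do paste it into a shell, quote the last element.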
Default Logging Configuration for the Armor Agent
Windows
The Armor Agent forwards events from the System and Security event logs together with Sysmon events. Only the following event IDs are kept:
Sysmon event IDs
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255
Security event IDs
1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4794, 4798, 4799, 5140, 7034, 7045, 33205
Note that this list is not purely Security-log events: 7034 and 7045 are Service Control Manager events (service crashed, service installed) written to the System log, and 33205 is the SQL Server audit event ID. Any event ID not listed above, for example 4672 (special privileges assigned to a new logon), is not forwarded by default.
Linux
The Armor Agent forwards the following log files for Linux servers:
CentOS/RHEL | Ubuntu/Debian |
---|---|
/var/log/secure | /var/log/auth.log |
/var/log/messages | /var/log/syslog |
/var/log/yum.log | |
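Before relying on the default forwarding set, it is worth checking which inputs a detection actually needs against the event IDs and files listed above. The following is an added example, not Armor's code: it encodes the defaults from this page, filters a batch of constructed Windows events the way the ID filter would, and reports which required inputs are missing so they can be raised with the add-event-logs / add-file-paths commands (or a module's add-*-paths command). The sample events are constructed, loosely in Winlogbeat's field shape; the function names and the Sysmon channel name are assumptions of this example, and the page does not say whether the default event-ID filter itself can be widened, so treat a missing ID as something to confirm with Armor.

```python
"""Coverage check against the Armor Agent's default Windows/Linux forwarding set.

Added example, not Armor's code. The allowlists are the event IDs and log
files listed on the page; the sample events are constructed and the function
names are this example's own.
"""

SYSMON_IDS = set(range(1, 23)) | {255}
SECURITY_IDS = {
    1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722,
    4723, 4724, 4725, 4726, 4732, 4733, 4738, 4794, 4798, 4799, 5140, 7034,
    7045, 33205,
}
LINUX_FILES = {
    "rhel": {"/var/log/secure", "/var/log/messages", "/var/log/yum.log"},
    "debian": {"/var/log/auth.log", "/var/log/syslog"},
}
# Channel Sysmon writes to; assumed here, not stated on the page.
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


def windows_forwarded(event):
    """True if a Windows event survives the default event-ID filter.

    Sysmon IDs are only meaningful on the Sysmon channel (Security ID 1 does
    not exist, so it must not match Sysmon's process-create ID); every other
    channel is checked against the Security-centric allowlist.
    """
    if event["channel"] == SYSMON_CHANNEL:
        return event["event_id"] in SYSMON_IDS
    return event["event_id"] in SECURITY_IDS


def filter_windows(events):
    """Return only the events the default configuration forwards."""
    return [e for e in events if windows_forwarded(e)]


def missing_inputs(platform, required):
    """Report which required inputs the defaults do not forward.

    platform: "windows", "rhel" or "debian".
    required: for Windows, (channel, event_id) tuples; for Linux, file paths.
    Returns the missing items in the order given.
    """
    if platform == "windows":
        return [r for r in required
                if not windows_forwarded({"channel": r[0], "event_id": r[1]})]
    return [p for p in required if p not in LINUX_FILES[platform]]


# Constructed sample: the burst a responder looks for around a new service.
SAMPLE_EVENTS = [
    {"channel": SYSMON_CHANNEL, "event_id": 1, "image": r"C:\Windows\svc.exe"},
    {"channel": "Security", "event_id": 4672, "user": "Administrator"},
    {"channel": "Security", "event_id": 4688, "new_process": "svc.exe"},
    {"channel": "System", "event_id": 7045, "service": "svc"},
    {"channel": "Security", "event_id": 4776, "user": "Administrator"},
    {"channel": SYSMON_CHANNEL, "event_id": 255},
]

if __name__ == "__main__":
    kept = filter_windows(SAMPLE_EVENTS)
    print("forwarded:", [(e["channel"], e["event_id"]) for e in kept])
    gaps = missing_inputs("windows", [("Security", 4672), ("Security", 4776),
                                      ("System", 7045), (SYSMON_CHANNEL, 3)])
    print("not forwarded by default:", gaps)
    print("rhel files to add:", missing_inputs(
        "rhel", ["/var/log/secure", "/var/log/audit/audit.log"]))
```

In the sample, the Sysmon process-create event, 4688, 7045 and the Sysmon 255 error event pass the filter, while 4672 and 4776 are dropped; a detection that keys on privileged logons therefore cannot assume those IDs reach the portal under the defaults.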