You can use this document to learn how to create and configure a remote Log Relay device.
Note: To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays

Note: Before you begin, you must first convert a virtual machine into a Log Relay device. To learn more, see Obtain Log Relay for Remote Log Collection. For introductory information on Log Relay, see Introduction to Log Relay.
Create and Configure a Remote Log Source
Based on your specific log type, review the following options to create and configure a remote log source:
Log type | Additional information | Detailed instructions
---|---|---
AWS CloudTrail | You must be able to: gather your AWS account information; create a new trail and sync your AWS S3 bucket | AWS CloudTrail
AWS GuardDuty | You must be able to: update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation; retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key); configure the AWS GuardDuty CloudFormation StackSet Template | AWS GuardDuty
AWS VPC Flow Logs | You must be able to: update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation; configure a Web ACL; configure the AWS WAF CloudFormation Stack Template | Create Flow Connection - AWS VPC Flow Logs
AWS WAF | You must be able to: update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation; configure the AWS VPC Flow Log CloudFormation Stack Template | AWS WAF
Check Point | You must be able to: log into and pre-configure the Check Point box; configure your Check Point device | Create a Remote Log Source - Check Point
Cisco ASA | You must be able to: log into your Cisco ASA device; access the privileged EXEC mode | Create a Remote Log Source - Cisco ASA
Cisco ISR | You must be able to: log into your Cisco ISR device; access the privileged EXEC mode | Create a Remote Log Source - Cisco ISR
Juniper | You must be able to: log into your Juniper SRX device; access the privileged EXEC mode | Create a Remote Log Source - Juniper
Fortinet FortiGate | You must be able to: log into your Fortinet Security Gateway; access the CLI Console | Create a Remote Log Source - Fortinet Security Gateway
Imperva Incapsula | You must be able to: access the AWS console; configure the IAM Role for an EC2 server or non-EC2 server; log into your log relay server | Create a Remote Log Source - Imperva Incapsula
Palo Alto Firewall | You must be able to: access the Palo Alto console; configure your server and server profile | Create a Remote Log Source - Palo Alto Firewall
SonicWall | You must be able to: log into the SonicWall console; configure your SonicWall device | Create a Remote Log Source - SonicWall
Cylance | You must have a Log Relay device online, and TCP and UDP port 14015 must not be blocked between the Cylance device and the Log Relay | Create a Remote Log Source - Cylance
Storage Only | You must be able to: configure your device or application for compliance log storage only | Create a Storage Only Log Source
Warning: Troubleshooting
In general, if you are having issues adding Log Relay to a remote log device, consider that you need to update your permissions in AMP. In AMP, you must have the following permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays

Note: To add the above-mentioned AMP permissions to your account, see Roles and Permissions. Additional troubleshooting information is located in the specific remote log source documentation.