Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:
Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
Greater context to aid in more effective detection, alerting and response.
Ability to meet compliance mandates through the storing of log data for up to 13 months.
ARMOR ANYWHERE can be configured to collect logs from the following sources:
Anchor | ||||
---|---|---|---|---|
|
Armor Agent - Collecting Linux and Windows Standard Logs
Use the following commands to manage the Logging service - Filebeat and Winlogbeat (for Windows only).
Install Logging:
Code Block |
---|
Windows: C:\.armor\opt\armor.exe logging install Linux: /opt/armor/armor logging install |
Uninstall Logging:
Code Block |
---|
Windows: C:\.armor\opt\armor.exe logging uninstall Linux: /opt/armor/armor logging uninstall |
Logging Help
Code Block |
---|
Windows: C:\.armor\opt\armor.exe logging help Linux: /opt/armor/armor logging help |
Expand | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
|
Expand | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||
Add new paths to filebeat config
Remove paths from filebeat config
List added config paths
Sync filebeat config
Add winlogbeat event logs
Remove winlogbeat event logs
List Event logs
Sync event logs
|
Expand | |||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||
Command Usage:
The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.
Users can add as many paths in a single command as needed by must be comma-separated.
Examples: Below is example usage for logging apache and similarly for iis and ngix module. Command Usage:
|
Default Logging Configuration for the Armor Agent
Windows
The Armor Agent forwards logs from the System and Security event types. The specific event id's kept are as follows:
Sysmon Id's
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255
Security Event Id's
1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140, 7034, 7045, 33205
Linux
The Armor Agent forwards the following log files for Linux servers:
CentOS/RHEL | Ubuntu/Debian |
---|---|
|
|