Versions Compared

Version Old Version 3 New Version Current
Changes made by

Former user

Aaron Gabriel (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Topics Discussed

Table of Contents
maxLevel3
minLevel3

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

You can use this document to send compliance logs to Armor's Data Lake.

Pre-Deployment Considerations

...

To create a remote Log Relay, you must already have:


Configure Your Device or Application

...

Configure the remote log source's logs to be sent to a designated Armor Log Relay device

Note

  • Configure the remote log source to forward syslogs to the IP address of the corresponding Armor Log Relay device.

    • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.

  • Configure the remote log source to forward syslogs to the appropriate protocol/port of the corresponding Armor Log Relay device.

    • For UDP, enter udp/5140

    • For TCP, enter tcp/5141


If required, configure logs to be sent to a designated Armor Log Relay device over SSL/TLS:

Note

SSL/TLS Secured Communications

In most cases, we assume network isolation using subneting and/or firewalls are in place to secure communication between a log source and your Log Relay. There are a few exceptions to this assumption:

In scenarios where it is typical to have data traverse the Internet, or in scenarios where a device only supports TLS-secured transport, the Log Relay config supports TLS ingestion.

For Steps to enable SSL; see expansion below:

Expand
titleSteps To enable SSL

Certificates

When you install the Log Relay software, a self-signed certificate and its corresponding private key are generated and placed in /opt/armor/logrelay.pem and /opt/armor/logrelay.key respectively. If the device sending logs requires strict SSL checks, you have a few options to satisfy this requirement:

Exporting the Self-Signed Certificate

You may export the certificate and add it to the trust store of the log source device (if supported). You copy the PEM certificate from the Log Relay server and then consult the vendor-supplied documentation to install a new trusted certificate.

Using a Certificate from a Valid CA

You can also generate a CSR and request a certificate from a CA the log source device already trusts. Using openssl you can generate a new CSR. We recommend using a configuration file to supply Subject Alternate Names (SANs) for the various DNS hostnames pointed at your Log Relay in addition to its IP address.

logrealy.cnf

Code Block
[ req ]

default_bits       = 2048

distinguished_name = req_distinguished_name

req_extensions     = req_ext



[ req_distinguished_name ]

countryName                = <COUNTRY>

stateOrProvinceName        = <STATE>

localityName               = <CITY>

organizationName           = <COMPANY_NAME>

commonName                 = <LOG_RELAY_IP_ADDRESS>



[ req_ext ]

subjectAltName = @alt_names



[alt_names]

DNS.1   = <DNS_NAME_1>

DNS.2   = <DNS_NAME_2>

DNS.3   = <DNS_NAME_3>

Fill in the values in angle brackets above with applicable values. For <COUNTRY> us the 2-digit ISO country code. For <STATE>. you can use the 2-digit abbreviation or the full name of your state or province.

If the IP address of the Log Relay changes frequently or you already use a DNS hostname as the default means of addressing the Log Relay, use the DNS hostname instead of the IP address in <LOG_RELAY_IP_ADDRESS>.

Add any DNS hostnames that resolve to this Log Relay using the alt_names section of the config. If you're not using any SANs, remove the [alt_names] and [req_ext] sections and remove the
reference under the [req] section.

Then use openssl to request the certificate:

Code Block
openssl req -new rsa:2048 -key /opt/armor/logrelay.key -nodes -out logrelay.csr -config logrelay.cnf

Note that you may need to run this command as root as the key is owned by the Log Relay service account.

After you've generated your CSR and received the certificate from the CA, ensure that it is in PEM format and upload it to your Log Relay machine. Ensure that is accessible to the Log Relay service account.

Once the file is uploaded and has the correct permissions, update the override environment file to point at the path of the new certificate. Create a file at /etc/sysconfig/armor-logstash.override with the following contents:

Code Block
ARMOR_LOGSTASH_SSL_CERT='/path/to/cert.pem'

If you used a key other than the one included with the Log Relay, you can specify it in this file as well:

Code Block
ARMOR_LOGSTASH_SSL_KEY='/path/to/private.key'

Update the Storage Only configuration to leverage the new certificate. Note that this key must not have a password and be in PKCS8 format. You can use file permissions and/or selinux policies to protect the key.

Update Storage Configuration Certificate

Code Block
/opt/armor/logstash-{version}/config/pipeline-storage/pipeline-storage.conf

To include the following lines in the "pipeline_storage_input_tcp" configuration

Code Block
ssl_enable => "true"

ssl_cert => "${ARMOR_LOGSTASH_SSL_CERT}"

ssl_key => "${ARMOR_LOGSTASH_SSL_KEY}"

ssl_verify => "false"

The final version should be: 

Code Block
input {

    tcp {

        id => "pipeline_storage_input_tcp"

        port => 5141

        codec => line

        add_field => {

            "type" => "storage"

            "[logsource][relay_port]" => "5141"

        }

        ssl_enable => "true"

        ssl_cert => "${ARMOR_LOGSTASH_SSL_CERT}"

        ssl_key => "${ARMOR_LOGSTASH_SSL_KEY}"

        ssl_verify => "false"

    }

}

After creating or updating these configuration files, restart the Log Relay service:

Code Block
sudo systemctl restart armor-logstash.service