
You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM). 

Note

Armor does not support AWS Enriched VPC Flow Logs.

...

Before you begin, review the following requirements. 

Prerequisites

  • Armor Account ID

    Note

    To learn how to obtain your Account ID, see Get Accounts API.

  • Ubuntu shell for build and deployment

AMP Permissions

Your Armor Management Portal (AMP) account must have the following permissions: 

...

Note

To learn more about permissions in AMP, see Roles and Permissions.

Log Relay

For remote log collection, you must have Log Relay added to your account.  

Flow Source

A flow source is required to ingest flow data into the Armor SIEM. The flow source is dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM.

Complete the following steps to create a flow source:

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source.
  5. In Endpoint, select the available Armor Endpoint.
  6. In Log Source Type, select Amazon AWS VPC Flow Logs.
  7. In the pop-up window, click Yes, Create Flow Source.

    1. A message appears at the bottom of the screen, indicating that the flow source has been created.

AWS account permissions (policies)

Your AWS service account must have full access to AWS CloudWatch.

Your individual AWS user account must have full access to the following AWS features: 

  • AWS VPC
  • AWS Lambda
  • AWS CloudWatch
  • AWS CloudFormation

AWS Components

The AWS components that will be used are: 

  • S3
  • IAM
  • Lambda
  • VPC Flow Logs

Warning

Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US).

...

You can use these instructions to collect and send logs from a single VPC Flow Log.

  1. Log in to the AWS console.
  2. Go to the CloudFormation service.
  3. Click Create stack.

...

Instructions
Note

AWS is in the process of updating the screens in their AWS console. As a result, there are two versions of the AWS CloudFormation screen.

Review the following table to understand your particular view, and then review the appropriate option. 

...

...

...

In the AWS console, in the top menu, on the right side, select the desired region.

Note

The CloudFormation template must be executed in the same region as the flow log.


...

  • This name must begin with a letter, and can only contain letters, numbers, and hyphens.

...

  • By default, the logs will be stored in S3 with AES256 encryption.

...

  • Example: https://<LOG_RELAY_IP>:5443

...

  1. By default, Armor has configured 3 days; set to 0 to keep logs until manually removed.

...

In StrictSsl, indicate whether or not strict SSL checks should be enforced on the destination log URL (True or False).

  • For TLS Syslog and HTTPS sources, Armor recommends that StrictSsl be set to True. 

  • For all other sources, StrictSsl can be set to False.

    Note

    If StrictSsl is set to True (TLS Syslog and HTTPS), you must complete the steps to enable SSL to utilize the CloudFormation template. If these steps are not performed, when you attempt to launch the newly created CloudFormation template, the process will fail. 

    Steps to enable SSL

    SSL/TLS Secured Communications

    In most cases, we assume network isolation using subnetting and/or firewalls is in place to secure communication between a log source and your Log Relay. There are a few exceptions to this assumption:

    In scenarios where it is typical to have data traverse the Internet, or in scenarios where a device only supports TLS-secured transport, the Log Relay config supports TLS ingestion.

    Certificates

    When you install the Log Relay software, a self-signed certificate and its corresponding private key are generated and placed in /opt/armor/logrelay.pem and /opt/armor/logrelay.key respectively. If the device sending logs requires strict SSL checks, you have a few options to satisfy this requirement:

    Exporting the Self-Signed Certificate

    You may export the certificate and add it to the trust store of the log source device (if supported). You copy the PEM certificate from the Log Relay server and then consult the vendor-supplied documentation to install a new trusted certificate.

    Using a Certificate from a Valid CA

    You can also generate a CSR and request a certificate from a CA the log source device already trusts. Using openssl you can generate a new CSR. We recommend using a configuration file to supply Subject Alternative Names (SANs) for the various DNS hostnames pointed at your Log Relay in addition to its IP address.

    logrelay.cnf

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    
    [ req_distinguished_name ]
    countryName                = <COUNTRY>
    stateOrProvinceName        = <STATE>
    localityName               = <CITY>
    organizationName           = <COMPANY_NAME>
    commonName                 = <LOG_RELAY_IP_ADDRESS>
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1   = <DNS_NAME_1>
    DNS.2   = <DNS_NAME_2>
    DNS.3   = <DNS_NAME_3>

    Fill in the values in angle brackets above with applicable values. For <COUNTRY>, use the 2-letter ISO country code. For <STATE>, you can use the 2-letter abbreviation or the full name of your state or province.

    If the IP address of the Log Relay changes frequently or you already use a DNS hostname as the default means of addressing the Log Relay, use the DNS hostname instead of the IP address in <LOG_RELAY_IP_ADDRESS>.

    Add any DNS hostnames that resolve to this Log Relay using the alt_names section of the config. If you're not using any SANs, remove the [alt_names] and [req_ext] sections and remove the req_extensions reference under the [req] section.

    Then use openssl to request the certificate:

    openssl req -new -key /opt/armor/logrelay.key -out logrelay.csr -config logrelay.cnf

    Note that you may need to run this command as root, because the key is owned by the Log Relay service account.

    After you've generated your CSR and received the certificate from the CA, ensure that it is in PEM format and upload it to your Log Relay machine. Ensure that it is readable by the Log Relay service account.

    Once the file is uploaded and has the correct permissions, update the override environment file to point at the path of the new certificate. Create a file at /etc/sysconfig/armor-logstash.override with the following contents:

    ARMOR_LOGSTASH_SSL_CERT='/path/to/cert.pem'

    If you used a key other than the one included with the Log Relay, you can specify it in this file as well:

    ARMOR_LOGSTASH_SSL_KEY='/path/to/private.key'

    Note that this key must not be password-protected and must be in PKCS#8 format. You can use file permissions and/or SELinux policies to protect the key.

    After creating or updating these configuration files, restart the Log Relay service:

    sudo systemctl restart armor-logstash.service

...

  1. This can be found in the Account Overview section of your AMP account.

...

  1. ALL - Capture all traffic (default); recommended
  2. Accept - Capture the VPC accepted traffic
  3. Reject - Capture the VPC rejected traffic  

...

In 

  • Select all VPC IDs for this account (within the account's region) that you would like to ingest. 

...

Click Next

...

At the bottom of the screen, mark the box to accept the terms, and then click Create.

(Optional) Click the Refresh button to see the status of the stack creation.

...

...

Option 2: New View 

...

In the AWS console, in the top menu, on the right side, select the desired region for log collection. 

...

  • This name must begin with a letter, and can only contain letters, numbers, and hyphens.

...

  • By default, the logs will be stored in S3 with AES256 encryption.

...

  • Example: https://<LOG_RELAY_IP>:5443

...

  1. By default, Armor has configured 3 days; set to 0 to keep logs until manually removed.

In StrictSsl, indicate whether or not strict SSL checks should be enforced on the destination log URL (True or False).

...

For TLS Syslog and HTTPS sources, Armor recommends that StrictSsl be set to True. 

For all other sources, StrictSsl can be set to False.

...

If StrictSsl is set to True (TLS Syslog and HTTPS), you must complete the steps to enable SSL to utilize the CloudFormation template. If these steps are not performed, when you attempt to launch the newly created CloudFormation template, the process will fail. 

...

Steps to enable SSL

SSL/TLS Secured Communications

In most cases, we assume network isolation using subnetting and/or firewalls is in place to secure communication between a log source and your Log Relay. There are a few exceptions to this assumption:

In scenarios where it is typical to have data traverse the Internet, or in scenarios where a device only supports TLS-secured transport, the Log Relay config supports TLS ingestion.

Certificates

When you install the Log Relay software, a self-signed certificate and its corresponding private key are generated and placed in /opt/armor/logrelay.pem and /opt/armor/logrelay.key respectively. If the device sending logs requires strict SSL checks, you have a few options to satisfy this requirement:

Exporting the Self-Signed Certificate

You may export the certificate and add it to the trust store of the log source device (if supported). You copy the PEM certificate from the Log Relay server and then consult the vendor-supplied documentation to install a new trusted certificate.

Using a Certificate from a Valid CA

You can also generate a CSR and request a certificate from a CA the log source device already trusts. Using openssl you can generate a new CSR. We recommend using a configuration file to supply Subject Alternative Names (SANs) for the various DNS hostnames pointed at your Log Relay in addition to its IP address.

logrelay.cnf

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                = <COUNTRY>
stateOrProvinceName        = <STATE>
localityName               = <CITY>
organizationName           = <COMPANY_NAME>
commonName                 = <LOG_RELAY_IP_ADDRESS>

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = <DNS_NAME_1>
DNS.2   = <DNS_NAME_2>
DNS.3   = <DNS_NAME_3>

Fill in the values in angle brackets above with applicable values. For <COUNTRY>, use the 2-letter ISO country code. For <STATE>, you can use the 2-letter abbreviation or the full name of your state or province.

If the IP address of the Log Relay changes frequently or you already use a DNS hostname as the default means of addressing the Log Relay, use the DNS hostname instead of the IP address in <LOG_RELAY_IP_ADDRESS>.

Add any DNS hostnames that resolve to this Log Relay using the alt_names section of the config. If you're not using any SANs, remove the [alt_names] and [req_ext] sections and remove the req_extensions reference under the [req] section.

Then use openssl to request the certificate:

openssl req -new -key /opt/armor/logrelay.key -out logrelay.csr -config logrelay.cnf

Note that you may need to run this command as root, because the key is owned by the Log Relay service account.
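The following is an added example, not Armor's own tooling: a POSIX shell function that writes a request config in the shape of logrelay.cnf above from its parameters and, when no DNS names are passed, omits the [req_ext] and [alt_names] sections together with the req_extensions reference, which is the no-SAN case described above. make_logrelay_csr is a hypothetical wrapper around the openssl command above, defaulting to the /opt/armor/logrelay.key path from this page.

```sh
# Added example, not Armor's own tooling. Writes an OpenSSL request config like the
# logrelay.cnf above; the SAN sections and the req_extensions line are emitted only
# when DNS names are given, so a config without SANs stays valid for openssl.
# Usage: gen_logrelay_cnf OUTFILE COUNTRY STATE CITY ORG COMMON_NAME [DNS_NAME ...]
gen_logrelay_cnf() {
  out=$1 country=$2 state=$3 city=$4 org=$5 cn=$6
  shift 6
  {
    printf '[ req ]\n'
    printf 'default_bits       = 2048\n'
    printf 'distinguished_name = req_distinguished_name\n'
    if [ "$#" -gt 0 ]; then
      # Only reference [req_ext] when that section is actually written below.
      printf 'req_extensions     = req_ext\n'
    fi
    printf '\n[ req_distinguished_name ]\n'
    printf 'countryName                = %s\n' "$country"
    printf 'stateOrProvinceName        = %s\n' "$state"
    printf 'localityName               = %s\n' "$city"
    printf 'organizationName           = %s\n' "$org"
    printf 'commonName                 = %s\n' "$cn"
    if [ "$#" -gt 0 ]; then
      printf '\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
      i=1
      for name in "$@"; do
        printf 'DNS.%d   = %s\n' "$i" "$name"
        i=$((i + 1))
      done
    fi
  } > "$out"
}

# Number of DNS SAN entries in a generated config (prints 0 when the sections were omitted).
san_count() {
  grep -c '^DNS\.[0-9][0-9]* *=' "$1" || true
}

# Hypothetical wrapper (not from the page) around the CSR command above: the request is
# signed with the Log Relay's existing key rather than generating a new one.
make_logrelay_csr() {
  cnf=$1 key=${2:-/opt/armor/logrelay.key} csr=${3:-logrelay.csr}
  openssl req -new -key "$key" -out "$csr" -config "$cnf"
}
```

Before sending the CSR to the CA, openssl req -in logrelay.csr -noout -text shows whether the SANs were actually picked up from the config.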

After you've generated your CSR and received the certificate from the CA, ensure that it is in PEM format and upload it to your Log Relay machine. Ensure that it is readable by the Log Relay service account.

Once the file is uploaded and has the correct permissions, update the override environment file to point at the path of the new certificate. Create a file at /etc/sysconfig/armor-logstash.override with the following contents:

ARMOR_LOGSTASH_SSL_CERT='/path/to/cert.pem'

If you used a key other than the one included with the Log Relay, you can specify it in this file as well:

ARMOR_LOGSTASH_SSL_KEY='/path/to/private.key'

Note that this key must not be password-protected and must be in PKCS#8 format. You can use file permissions and/or SELinux policies to protect the key.

After creating or updating these configuration files, restart the Log Relay service:

...


...


To configure your account for remote log collection, you must have the following AMP permissions added to your account:

  • Delete Log Management

  • Read Log Endpoints

  • Write Log Endpoints

You can use this document to collect and send AWS VPC Flow Logs to Armor's Security Information & Event Management (SIEM).

Note

For details about support for AWS Enriched VPC Flow Logs, contact Armor Support


Pre-Deployment Considerations

...

Before you begin, review the following requirements.

Prerequisites

  • Armor Account ID


AMP Permissions

Your Armor Management Portal (AMP) account must have the following permissions:

  • Delete Log Management

  • Read Log Endpoints

  • Write Log Endpoints

Note

To learn more about permissions in AMP, see Roles and Permissions.


Flow Source

A flow source is required to ingest flow data into the Armor SIEM. The flow source is dedicated to your flow data. You will not be charged until data begins to flow into the Armor SIEM.

Complete the following steps here to enable flow collection for your account.

Webhook Tagging

To learn more about Webhook Tagging for Flow logs, see the article here.

AWS account permissions (policies)

Your AWS service account must have full access to AWS CloudWatch.

Your individual AWS user account must have full access to the following AWS features:

  • AWS VPC

  • AWS Lambda

  • AWS CloudWatch

  • AWS CloudFormation


AWS Components

The AWS components that will be used are:

  • S3

  • IAM

  • Lambda

  • VPC Flow Logs

Warning

Armor does not provide support for using AWS CloudFormation to set up AWS VPC Flow Log resources in AWS GovCloud (US).


Configure the AWS VPC Flow Log CloudFormation Stack Template

...

You can use these instructions to collect and send logs from a single VPC Flow Log.

  1. Log in to the AWS console.

  2. Go to the CloudFormation service.

  3. Click Create stack.

    Info

    The CloudFormation template used to implement the integration deploys a lambda function outside of a VPC. If the template is modified to deploy the armor-vpc-flow-lambda-... lambda function in a VPC, the https://1d.log.armor.com:5443 endpoint will need to be made accessible.

  4. In the AWS console, in the top menu, on the right side, select the desired region for log collection.

  5. In Specify an Amazon S3 template URL, input the following link: https://s3-us-west-2.amazonaws.com/logs.armor.com/log-relay-aws-vpc-flows/log-relay-aws-vpc-flows.yaml.

  6. Click Next.

  7. In Stackname, enter a descriptive name.

    1. This name must begin with a letter, and can only contain letters, numbers, and hyphens.

  8. (Optional) In KmsKeyStack, enter the customer KMS key stack (if applicable).

    1. By default, the logs will be stored in S3 with AES256 encryption.

  9. In RetentionInDays, enter the number of days to retain the log files in the S3 bucket.

    1. By default, Armor has configured 3 days; set to 0 to keep logs until manually removed.

  10. In TenantId, enter your Armor account number.

    1. This can be found in the

...

    1. AccountOverview section of your AMP account.

  1. In TrafficType,

...

  1. select the type of traffic to log:

    1. ALL - Capture all traffic (default); recommended

    2. Accept - Capture the VPC accepted traffic

    3. Reject - Capture the VPC rejected

...

    1. traffic

...

  1. In VpcId, select the ID of the VPC for which the flow log will be relayed.

...

    1. Select all VPC IDs for this account (within the account's region) that you would like to ingest.


  1. Click Next.

...

  1. Click Next.

...

  1. At the bottom of the screen, mark the box to accept the terms, and then click Create.

  2. (Optional) Click the Refresh button to see the status of the stack creation.

...


...

  2. You can verify that the stack was created successfully on the Resources

...

Following successful deployment of the CloudFormation stack, the collected AWS VPC Flow Logs are typically visible in Log Search within 15 minutes, and within 30 minutes at most.

Verify Connection in AMP

...

  1. In the Armor Management Portal (AMP), in the left-side navigation,

...

  1. click Security.

...

...

  1. Click Log & Data Management, and then select

...

  1. Search.

  2. In the

...

  1. Source

...

  1. column, review the source name to locate the newly created AWS VPC Flow Log remote log source.

    1. In the search field, you can also enter the AWS account ID

...

    1. to locate

...

    1. AWS VPC Flow Log messages.


Edit a

...

Stack

...

Note

This section only applies to single stacks, not stack sets. 

Currently, Armor's AWS CloudFormation template does not support updates. If you want to update your stack, then you must delete the remote log source, and then create a new one with your desired updates.

Info

Migrate from Log Relay

The Armor Log Relay is no longer required to collect and monitor AWS VPC Flow Logs. Deploying a stack using the most recent CloudFormation template will provision a new integration that sends logs directly to Armor.