To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
Write Virtual Machine
Delete Log Management
Read Log Endpoints
Read Log Relays
Write Log Relays
Delete Log Relays
You can use this document to send compliance logs to Armor's Data Lake.
Pre-Deployment Considerations
To create a remote Log Relay, you must already have:
A Log Relay server on your account
To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection
Configured the system clock
Configure Your Device or Application
Configure the remote log source's logs to be sent to a designated Armor Log Relay device
If required, configure logs to be sent to a designated Armor Log Relay device over SSL/TLS:
Note: SSL/TLS Secured Communications. In most cases, we assume network isolation using subnetting and/or firewalls is in place to secure communication between a log source and your Log Relay. There are a few exceptions to this assumption: in scenarios where it is typical to have data traverse the Internet, or where a device only supports TLS-secured transport, the Log Relay configuration supports TLS ingestion. For the steps to enable SSL, see below.
Certificates

When you install the Log Relay software, a self-signed certificate and its corresponding private key are generated and placed in /opt/armor/logrelay.pem and /opt/armor/logrelay.key respectively. If the device sending logs requires strict SSL checks, you have a few options to satisfy this requirement:

Exporting the Self-Signed Certificate

You may export the certificate and add it to the trust store of the log source device (if supported). Copy the PEM certificate from the Log Relay server and then consult the vendor-supplied documentation to install a new trusted certificate.

Using a Certificate from a Valid CA

You can also generate a CSR and request a certificate from a CA the log source device already trusts. Using openssl you can generate a new CSR. We recommend using a configuration file to supply Subject Alternate Names (SANs) for the various DNS hostnames pointed at your Log Relay in addition to its IP address.

logrelay.cnf:

```ini
[ req ]
# take the DN values below literally instead of prompting for each field
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = <COUNTRY>
stateOrProvinceName = <STATE>
localityName = <CITY>
organizationName = <COMPANY_NAME>
commonName = <LOG_RELAY_IP_ADDRESS>
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <DNS_NAME_1>
DNS.2 = <DNS_NAME_2>
DNS.3 = <DNS_NAME_3>
```
Fill in the values in angle brackets above with applicable values. For <COUNTRY>, use the two-letter ISO country code. For <STATE>, you can use the two-letter abbreviation or the full name of your state or province.

If the IP address of the Log Relay changes frequently, or you already use a DNS hostname as the default means of addressing the Log Relay, use the DNS hostname instead of the IP address in <LOG_RELAY_IP_ADDRESS>. Add any DNS hostnames that resolve to this Log Relay using the alt_names section of the config.

If you're not using any SANs, remove the [alt_names] and [req_ext] sections and remove the req_extensions reference under the [req] section.

Then use openssl to request the certificate:
```sh
openssl req -new -key /opt/armor/logrelay.key -nodes -out logrelay.csr -config logrelay.cnf
```
Note that you may need to run this command as root, as the key is owned by the Log Relay service account.
After you've generated your CSR and received the certificate from the CA, ensure that it is in PEM format and upload it to your Log Relay machine. Ensure that it is accessible to the Log Relay service account.

Once the file is uploaded and has the correct permissions, update the override environment file to point at the path of the new certificate. Create a file at /etc/sysconfig/armor-logstash.override with the following contents:
```sh
ARMOR_LOGSTASH_SSL_CERT='/path/to/cert.pem'
```
If you used a key other than the one included with the Log Relay, you can specify it in this file as well:

```sh
ARMOR_LOGSTASH_SSL_KEY='/path/to/key.pem'
```
Update the Storage Only configuration to use the new certificate. Note that this key must not be password-protected and must be in PKCS#8 format. You can use file permissions and/or SELinux policies to protect the key.
Update Storage Configuration Certificate

Include the following lines in the "pipeline_storage_input_tcp" configuration:

```
ssl_enable => "true"
ssl_cert => "${ARMOR_LOGSTASH_SSL_CERT}"
ssl_key => "${ARMOR_LOGSTASH_SSL_KEY}"
ssl_verify => "false"
```
The final version should be:

```
input {
  tcp {
    id => "pipeline_storage_input_tcp"
    port => 5141
    codec => line
    add_field => {
      "type" => "storage"
      "[logsource][relay_port]" => "5141"
    }
    ssl_enable => "true"
    ssl_cert => "${ARMOR_LOGSTASH_SSL_CERT}"
    ssl_key => "${ARMOR_LOGSTASH_SSL_KEY}"
    ssl_verify => "false"
  }
}
```
After creating or updating these configuration files, restart the Log Relay service:

```sh
sudo systemctl restart armor-logstash.service
```
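The steps above (the SAN config file, the CSR request, the unencrypted PKCS#8 key requirement, the override environment file and the post-restart check) can be scripted and verified before anything is handed to the CA or copied onto the relay. The shell script below is an added example, not Armor's code or part of the Log Relay package. It assumes only that openssl is on the PATH; the relay IP 10.0.0.5, the example.internal hostnames and the DN values (US, Texas, Dallas, Example Org) are constructed placeholders. It goes slightly beyond the page's config by adding `prompt = no` (so the DN values are taken literally instead of being used as interactive prompts) and an `IP.1` SAN for the relay address alongside the DNS SANs. The self-signing step in the demo stands in for the CA only so the certificate/key match check can be exercised offline; `probe_relay_tls` is what a log source would run against the real relay after the restart and is not invoked by the demo.

```shell
#!/bin/sh
# Added example (not Armor's code): helpers for the CSR, key, certificate and
# override-file steps of the Log Relay TLS procedure, plus an offline demo.
# Assumes: openssl on PATH. Hostnames, IPs and DN values are constructed.
set -eu

# Write a logrelay.cnf with the relay IP as CN and IP SAN, plus any DNS SANs.
# "prompt = no" makes openssl take the DN values literally (non-interactive).
write_logrelay_cnf() {
  out=$1; relay_ip=$2; shift 2
  {
    printf '[ req ]\nprompt = no\ndefault_bits = 2048\n'
    printf 'distinguished_name = req_distinguished_name\nreq_extensions = req_ext\n'
    printf '[ req_distinguished_name ]\ncountryName = US\nstateOrProvinceName = Texas\n'
    printf 'localityName = Dallas\norganizationName = Example Org\ncommonName = %s\n' "$relay_ip"
    printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\nIP.1 = %s\n' "$relay_ip"
    n=1
    for name in "$@"; do
      printf 'DNS.%d = %s\n' "$n" "$name"
      n=$((n + 1))
    done
  } > "$out"
}

# The pipeline needs an unencrypted PKCS#8 key: the PEM header must be
# "BEGIN PRIVATE KEY", not "ENCRYPTED PRIVATE KEY" and not the legacy
# PKCS#1 "RSA PRIVATE KEY" form.
key_is_pkcs8_unencrypted() {
  grep -q '^-----BEGIN PRIVATE KEY-----$' "$1"
}

# Request a CSR with the existing relay key (same shape as the page's command).
generate_csr() {
  openssl req -new -key "$1" -config "$2" -out "$3" 2>/dev/null
}

# Print the DNS SANs carried by a CSR, one per line, so they can be confirmed
# before the request goes to the CA.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Confirm the certificate returned by the CA was issued for this key by
# comparing the SubjectPublicKeyInfo embedded in each.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Write the override environment file read by the armor-logstash service
# (args: file, certificate path, key path).
write_override_env() {
  printf "ARMOR_LOGSTASH_SSL_CERT='%s'\nARMOR_LOGSTASH_SSL_KEY='%s'\n" "$2" "$3" > "$1"
}

# After the restart, run this from a log source: succeeds only if the relay's
# TLS listener presents a certificate that chains to the given CA bundle.
probe_relay_tls() {
  printf '' | openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error 2>&1 \
    | grep -q 'Verify return code: 0'
}

# Demo in a temp dir. The self-signing step stands in for the CA so the
# cert/key match check can be exercised offline.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/logrelay.key" 2>/dev/null
  key_is_pkcs8_unencrypted "$work/logrelay.key" && echo "key: unencrypted PKCS#8, ok"
  write_logrelay_cnf "$work/logrelay.cnf" 10.0.0.5 logrelay.example.internal
  generate_csr "$work/logrelay.key" "$work/logrelay.cnf" "$work/logrelay.csr"
  echo "CSR SANs:"; csr_sans "$work/logrelay.csr"
  openssl x509 -req -in "$work/logrelay.csr" -signkey "$work/logrelay.key" -days 1 \
    -extfile "$work/logrelay.cnf" -extensions req_ext -out "$work/logrelay.crt" 2>/dev/null
  cert_matches_key "$work/logrelay.crt" "$work/logrelay.key" && echo "certificate matches key"
  write_override_env "$work/armor-logstash.override" "$work/logrelay.crt" "$work/logrelay.key"
  cat "$work/armor-logstash.override"
  rm -rf "$work"
fi
```

On the relay itself you would point `generate_csr` at /opt/armor/logrelay.key (as root, since the key belongs to the service account), write the override file to /etc/sysconfig/armor-logstash.override, and only then restart armor-logstash.service. `key_is_pkcs8_unencrypted` is the check to run on any replacement key before it is referenced from ARMOR_LOGSTASH_SSL_KEY, and `cert_matches_key` catches the common mistake of uploading a certificate that was issued against a different CSR.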