Armor Agent - Collecting Linux and Windows Standard Logs
Use the following commands to manage the Logging service: Filebeat on Linux and Windows, and Winlogbeat on Windows only.
Install Logging:
Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install
Uninstall Logging:
Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall
Logging Help
Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help
Filebeat Sync Configuration Commands for Linux
Add new paths to filebeat config
/opt/armor/armor logging add-file-paths <paths to file locations>
Remove paths from filebeat config
/opt/armor/armor logging remove-file-paths <paths to file locations>
List added config paths
/opt/armor/armor logging describe-file-paths
Sync filebeat config
/opt/armor/armor logging sync-file-paths
Filebeat Sync Configuration Commands for Windows
Add new paths to filebeat config
C:\.armor\opt\armor.exe logging add-file-paths <paths to file locations>
Remove paths from filebeat config
C:\.armor\opt\armor.exe logging remove-file-paths <paths to file locations>
List added config paths
C:\.armor\opt\armor.exe logging describe-file-paths
Sync filebeat config
C:\.armor\opt\armor.exe logging sync-file-paths
Add winlogbeat event logs
C:\.armor\opt\armor.exe logging add-event-logs <event log names>
Remove winlogbeat event logs
C:\.armor\opt\armor.exe logging remove-event-logs <event log names>
List Event logs
C:\.armor\opt\armor.exe logging describe-event-logs
Sync event logs
C:\.armor\opt\armor.exe logging sync-event-logs
Logging Command Usage
Command Usage:
armor logging command [arguments...]
The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.
| COMMAND | ARGUMENTS | RESULT |
|---|---|---|
| iis-enable, apache-enable, nginx-enable | | Enables the Filebeat IIS/Apache/nginx module. When run, the module yml file changes from the disabled state to the enabled state. |
| iis-disable, apache-disable, nginx-disable | | Disables the Filebeat IIS/Apache/nginx module. When run, the module yml file changes from the enabled state to the disabled state. |
| iis-add-access-paths, apache-add-access-paths, nginx-add-access-paths | path1, path2, path3 | Adds the argument paths to the module yml file under the 'access_paths' section. |
| iis-remove-access-paths, apache-remove-access-paths, nginx-remove-access-paths | path1, path2, path3 | Removes the argument paths from the module yml file under the 'access_paths' section. |
| iis-add-error-paths, apache-add-error-paths, nginx-add-error-paths | path1, path2, path3 | Adds the argument paths to the module yml file under the 'error_paths' section. |
| iis-remove-error-paths, apache-remove-error-paths, nginx-remove-error-paths | path1, path2, path3 | Removes the argument paths from the module yml file under the 'error_paths' section. |
| iis-sync-config, apache-sync-config, nginx-sync-config | | Syncs the module yml file on the VM with the latest required changes. |
| iis-describe-config, apache-describe-config, nginx-describe-config | | Displays the access and error paths currently configured in the module yml file. |
Users can add as many paths in a single command as needed, but the paths must be comma-separated.
Examples: Below is example usage for the apache module; the iis and nginx modules work the same way.
Command Usage:
armor logging apache-enable
armor logging apache-disable
armor logging apache-add-access-paths <comma-separated paths>
armor logging apache-remove-access-paths <comma-separated paths>
armor logging apache-add-error-paths <comma-separated paths>
armor logging apache-remove-error-paths <comma-separated paths>
armor logging apache-sync-config
armor logging apache-describe-config
Default Logging Configuration for the Armor Agent
Windows
The Armor Agent forwards logs from the System and Security event types. The specific event IDs kept are as follows:
Sysmon IDs
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255
Security Event IDs
1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140, 7034, 7045, 33205
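The lists above are what the agent forwards by default, so a detection engineer will want to know which events their rules depend on fall outside that set. The Python script below is an added example and not Armor's own code: it compares a constructed rule set (the rule names, and the IDs 4104 and 4663 that are not on this page, are assumptions) against the page's default forwarding set and reports the gaps per rule.

```python
# Coverage check: which (channel, event ID) pairs that a detection rule set
# depends on are NOT in the Armor Agent's default Windows forwarding set.

# Default forwarded IDs, copied from the configuration listed on this page.
ARMOR_DEFAULT_FORWARDED = {
    "Sysmon": set(range(1, 23)) | {255},
    "Security": {
        1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720,
        4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798,
        4799, 5140, 7034, 7045, 33205,
    },
}

# Constructed example: event IDs a hypothetical detection rule set relies on.
# 4104 (PowerShell/Operational script block logging) and 4663 (object access)
# are real Windows event IDs but are not part of the page's default set.
DETECTION_RULES = {
    "failed_logon_burst":     {("Security", 4625), ("Security", 4740)},
    "new_local_admin":        {("Security", 4720), ("Security", 4732)},
    "audit_log_cleared":      {("Security", 1102)},
    "sysmon_process_create":  {("Sysmon", 1)},
    "powershell_scriptblock": {("PowerShell", 4104)},
    "sensitive_file_access":  {("Security", 4663)},
}


def uncovered_events(rules, forwarded):
    """Return {rule_name: set of (channel, event_id) pairs the forwarding set
    would not deliver}. Rules that are fully covered are omitted."""
    gaps = {}
    for name, needed in rules.items():
        missing = {
            (channel, event_id)
            for channel, event_id in needed
            if event_id not in forwarded.get(channel, set())
        }
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    gaps = uncovered_events(DETECTION_RULES, ARMOR_DEFAULT_FORWARDED)
    for rule, missing in sorted(gaps.items()):
        ids = ", ".join(f"{ch} {eid}" for ch, eid in sorted(missing))
        print(f"{rule}: not forwarded by default -> {ids}")
```

Rules that rely on a channel the agent does not forward at all (here the PowerShell operational log) show up as gaps just like missing IDs in a forwarded channel.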
Linux
The Armor Agent forwards the following log files for Linux servers: