You can use this document to learn how to create and configure a remote Log Relay device.

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

Before you begin, you must first convert a virtual machine into a Log Relay device. To learn more, see Obtain Log Relay for Remote Log Collection.

For introductory information on Log Relay, see Introduction to Log Relay.


Create and Configure a Remote Log Source


Based on your specific log type, review the following options to create and configure a remote log source:

Log type: AWS CloudTrail
Additional information: For this log type, you must be able to:
  • Gather your AWS account information
  • Create a new trail and sync your AWS S3 bucket
Detailed instructions: AWS CloudTrail

Log type: AWS GuardDuty
Additional information: For this log type, you must be able to:
  • Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation
  • Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key)
  • Configure the AWS GuardDuty CloudFormation StackSet Template
Detailed instructions: AWS GuardDuty

Log type: AWS VPC Flow Logs
Additional information: For this log type, you must be able to:
  • Update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation
  • Configure a Web ACL
  • Configure the AWS WAF CloudFormation Stack Template
Detailed instructions: Create Flow Connection - AWS VPC Flow Logs

Log type: AWS WAF
Additional information: For this log type, you must be able to:
  • Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation
  • Configure the AWS VPC Flow Log CloudFormation Stack Template
Detailed instructions: AWS WAF

Log type: Check Point
Additional information: For this log type, you must be able to:
  • Log into and pre-configure the Check Point device
  • Configure your Check Point device
Detailed instructions: Create a Remote Log Source - Check Point

Log type: Cisco ASA
Additional information: For this log type, you must be able to:
  • Log into your Cisco ASA device
  • Access the privileged EXEC mode
Detailed instructions: Create a Remote Log Source - Cisco ASA

Log type: Cisco ISR
Additional information: For this log type, you must be able to:
  • Log into your Cisco ISR device
  • Access the privileged EXEC mode
Detailed instructions: Create a Remote Log Source - Cisco ISR

Log type: Juniper
Additional information: For this log type, you must be able to:
  • Log into your Juniper SRX device
  • Access the privileged EXEC mode
Detailed instructions: Create a Remote Log Source - Juniper

Log type: Fortinet FortiGate
Additional information: For this log type, you must be able to:
  • Log into your Fortinet Security Gateway
  • Access the CLI Console
Detailed instructions: Create a Remote Log Source - Fortinet Security Gateway

Log type: Imperva Incapsula
Additional information: For this log type, you must be able to:
  • Access the AWS console
  • Configure the IAM Role for an EC2 server or non-EC2 server
  • Log into your log relay server
Detailed instructions: Create a Remote Log Source - Imperva Incapsula

Log type: Palo Alto Firewall
Additional information: For this log type, you must be able to:
  • Access the Palo Alto console
  • Configure your server and server profile
Detailed instructions: Create a Remote Log Source - Palo Alto Firewall

Log type: SonicWall
Additional information: For this log type, you must be able to:
  • Log into the SonicWall console
  • Configure your SonicWall device
Detailed instructions: Create a Remote Log Source - SonicWall

Log type: Cylance
Additional information: For this log type, you must have:
  • A Log Relay device online
  • TCP and UDP port 14015 open (not blocked) between Cylance and the Log Relay
Detailed instructions: Create a Remote Log Source - Cylance

Log type: Storage Only
Additional information: For this log type, you must be able to:
  • Configure your device or application for compliance log storage only
Detailed instructions: Create a Storage Only Log Source

Troubleshooting

In general, if you are having issues adding Log Relay to a remote log device, check the following:

  • You may need to update your permissions in AMP. Your AMP account must have the following permissions:
    • Write Virtual Machine
    • Delete Log Management
    • Read Log Endpoints
    • Read Log Relays
    • Write Log Relays
    • Delete Log Relays

To add the above-mentioned AMP permissions to your account, see Roles and Permissions.

Additional troubleshooting information is located in the specific remote log source documentation.