Log Collection Through The Armor Agent

 

Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:

  • Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.

  • Greater context to aid in more effective detection, alerting and response.

  • Ability to meet compliance mandates through the storing of log data for up to 13 months.

ARMOR AGENT FOR SERVERS can be configured to collect logs from the following sources:

Microsoft IIS

 

 

 

Armor Agent - Collecting Linux and Windows Standard Logs


Use the following commands to manage the Logging service - Filebeat and Winlogbeat (for Windows only).

 

Install Logging:

Windows: C:\.armor\opt\armor.exe logging install Linux: /opt/armor/armor logging install

 

Uninstall Logging:

Windows: C:\.armor\opt\armor.exe logging uninstall Linux: /opt/armor/armor logging uninstall

 

Logging Help

Windows: C:\.armor\opt\armor.exe logging help Linux: /opt/armor/armor logging help

 

Add new paths to filebeat config

Remove paths from filebeat config

List added config paths

Sync filebeat config

Add new paths to filebeat config

 

Remove paths from filebeat config

 

List added config paths

 

Sync filebeat config

 

Add winlogbeat event logs

 

Remove winlogbeat event logs

 

List Event logs

 

Sync event logs

 

Command Usage:

The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.

COMMAND

ARGUMENTS 

RESULT

COMMAND

ARGUMENTS 

RESULT

  • iis-enable

  • apache-enable

  • nginx-enable

 

Enables filebeat IIS/apache/nginx.  When run, module yml file will change from disabled state to enable state.

  • iis-disable

  • apache- disable

  • nginx- disable

 

Disables Filebeat IIS/apache/nginx.  When run the module yml file will change from enable state to disable mode.

  • iis-add-access-paths

  • apache-add-access-paths

  • nginx-add-access-paths

path1, path2, path3

Includes the argument paths in module yml file under the 'access_paths' section.

  • iis-remove-access-paths 

  • apache-remove-access-paths

  • nginx-remove-access-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'access_paths' section.

  • iis-add-error-paths

  • apache-add-error-paths

  • nginx-add-error-paths

path1, path2, path3

Includes the argument paths in module yml file under the 'error_paths' section.

  • iis-remove-error-paths

  • apache-remove-error-paths

  • nginx-remove-error-paths

path1, path2, path3

Removes the argument paths in module yml file under the 'error_paths' section. Removes the argument paths in module yml file under the 'error_paths' section.

  • iis-sync-config

  • apache-sync-config

  • nginx-sync-config

 

The command sync the module yml file on vm with latest changes which are required.

  • iis-describe-config

  • apache-describe-config

  • nginx-describe-config

 

The command displays current access & error paths which are configured in module yml file.

 

Users can add as many paths in a single command as needed by must be comma-separated.

  • Linux example (multiple/one path):

  • Windows example (multiple/one path):

 

Examples: Below is example usage for logging apache and similarly for iis and ngix module.

Command Usage:



Default Logging Configuration for the Armor Agent


Windows

The Armor Agent forwards logs from the System and Security event types. The specific event id's kept are as follows:

Sysmon Id's

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255

Security Event Id's

1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140, 7034, 7045, 33205



Linux

The Armor Agent forwards the following log files for Linux servers:

CentOS/RHEL

Ubuntu/Debian

CentOS/RHEL

Ubuntu/Debian

  • /var/log/secure

  • /var/log/messages

  • /var/log/yum.log

  • /var/log/auth.log

  • /var/log/syslog

 

 

 

Log and Data Management Home