Log Collection Through The Armor Agent

Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:

Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
Greater context to aid in more effective detection, alerting and response.
Ability to meet compliance mandates through the storing of log data for up to 13 months.

ARMOR AGENT FOR SERVERS can be configured to collect logs from the following sources:

Apache Server

Microsoft IIS

NGINX

Armor Anywhere

MSSQL

Sysmon

Armor Agent - Collecting Linux and Windows Standard Logs

Use the following commands to manage the Logging service - Filebeat and Winlogbeat (for Windows only).

Install Logging:

Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install

Uninstall Logging:

Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall

Logging Help

Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help

Add new paths to filebeat config

/opt/armor/armor logging add-file-paths <paths to file locations>

Remove paths from filebeat config

/opt/armor/armor logging remove-file-paths <paths to file locations>

List added config paths

/opt/armor/armor logging describe-file-paths

Sync filebeat config

/opt/armor/armor logging sync-file-paths

Add new paths to filebeat config

C:\.armor\opt\armor.exe logging add-file-paths <paths to file locations>

Remove paths from filebeat config

C:\.armor\opt\armor.exe logging remove-file-paths <paths to file locations>

List added config paths

C:\.armor\opt\armor.exe logging describe-file-paths

Sync filebeat config

C:\.armor\opt\armor.exe logging sync-file-paths

Add winlogbeat event logs

C:\.armor\opt\armor.exe logging add-event-logs <name> <comma separated event ids>
Please note <comma separated event ids> is optional

Remove winlogbeat event logs

 C:\.armor\opt\armor.exe logging remove-event-logs <name> <comma separated event ids>
Please note <comma separated event ids> is optional

List Event logs

C:\.armor\opt\armor.exe logging describe-event-logs

Sync event logs

C:\.armor\opt\armor.exe logging sync-event-logs

Command Usage:

armor logging command [arguments...]

The following arguments are possible parameters for the Logging CLI feature. This allows customers to manage filebeat modules on Virtual Machines.

COMMAND	ARGUMENTS	RESULT

COMMAND	ARGUMENTS	RESULT
iis-enable apache-enable nginx-enable		Enables filebeat IIS/apache/nginx. When run, module yml file will change from disabled state to enable state.
iis-disable apache- disable nginx- disable		Disables Filebeat IIS/apache/nginx. When run the module yml file will change from enable state to disable mode.
iis-add-access-paths apache-add-access-paths nginx-add-access-paths	path1, path2, path3	Includes the argument paths in module yml file under the 'access_paths' section.
iis-remove-access-paths apache-remove-access-paths nginx-remove-access-paths	path1, path2, path3	Removes the argument paths in module yml file under the 'access_paths' section.
iis-add-error-paths apache-add-error-paths nginx-add-error-paths	path1, path2, path3	Includes the argument paths in module yml file under the 'error_paths' section.
iis-remove-error-paths apache-remove-error-paths nginx-remove-error-paths	path1, path2, path3	Removes the argument paths in module yml file under the 'error_paths' section. Removes the argument paths in module yml file under the 'error_paths' section.
iis-sync-config apache-sync-config nginx-sync-config		The command sync the module yml file on vm with latest changes which are required.
iis-describe-config apache-describe-config nginx-describe-config		The command displays current access & error paths which are configured in module yml file.

Users can add as many paths in a single command as needed by must be comma-separated.

Linux example (multiple/one path):
- /opt/armor/armor logging add-file-paths "/var/log/thing,/var/log/stuff/log,/path/to/log"
- /opt/armor/armor logging add-file-paths /var/log/thing
Windows example (multiple/one path):
- C:\.armor\opt\armor.exe logging add-file-paths "C:\var\log\thing,D:\path\to\log"
- C:\.armor\opt\armor.exe logging add-file-paths C:\var\log\thing

Examples: Below is example usage for logging apache and similarly for iis and ngix module.

Command Usage:

armor logging apache-enable

armor logging apache-disable

armor logging apache-add-access paths <required paths needs to add here>

armor logging apache-remove-access paths <required paths needs to add here>

armor logging apache-add-error paths <required paths needs to add here>

armor logging apache-remove-error paths <required paths needs to add here>

armor logging apache-sync-config

armor logging apache-describe-config

Default Logging Configuration for the Armor Agent

Windows

The Armor Agent forwards logs from the System and Security event types. The specific event id's kept are as follows:

Sysmon Id's

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255

Security Event Id's

1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140, 7034, 7045, 33205

Linux

The Armor Agent forwards the following log files for Linux servers:

CentOS/RHEL	Ubuntu/Debian

CentOS/RHEL	Ubuntu/Debian
/var/log/secure /var/log/messages /var/log/yum.log	/var/log/auth.log /var/log/syslog

Log and Data Management Home

Knowledge Base

Log Collection Through The Armor Agent

Armor Agent - Collecting Linux and Windows Standard Logs

Default Logging Configuration for the Armor Agent

Sysmon Id's

Security Event Id's

Related content