Introduction to Log Relay

You can use this document to learn about the basic, high-level steps needed to send additional log types to Armor, also known as remote log collection. To send these remote logs, you must obtain Log Relay.

Review the information in this pre-configuration document to verify that you can perform the required steps. Additional, detailed instructions are available to help you through each step.

At a high level, there are two steps to this process:

  • Step 1: Obtain Log Relay

  • Step 2: Configure a remote log source

The Log Relay service can only be installed on Linux machines.

Review Requirements


Each requirement type below lists the products it applies to (product compatibility) and a description.

Supported Devices

Product compatibility: Armor Enterprise Cloud, Armor Anywhere

Only Linux machines can be converted to Log Relays. Machines must be in an OK state to be converted.

To learn more about the health status of a virtual machine, see Health Overview Dashboard.

Log Relay supports receiving logs from devices such as WAFs or next-generation firewalls. The Armor Agent does not need to be installed on those devices for their logs to pass through a relay.

Pricing Information

Product compatibility: Armor Enterprise Cloud, Armor Anywhere

While log collection is available to all users, there is a cost associated with sending and storing logs.

For pricing information, please contact your Account Manager.

Permissions

Product compatibility: Armor Enterprise Cloud, Armor Anywhere

In order to use Log Relay, you must have the following permissions included in your account:

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

To learn more about permissions, see Roles and Permissions.

Log Retention Plan

Product compatibility: Armor Enterprise Cloud, Armor Anywhere

Armor Enterprise Cloud virtual machines that are converted to a log relay device will be automatically enrolled in the Compliance Professional plan. This plan:

  • Collects and stores your logs for 13 months at an additional cost.

  • Provides certain HIPAA and PCI compliance.

For pricing information, please contact your Account Manager.

Armor Anywhere agents that are converted to a log relay device will retain the default Log Management Essentials plan subscription. This plan collects and stores your logs for 30 days.

Firewall Rules

Product compatibility: Armor Anywhere

Armor Anywhere users must add the following generic firewall rules:

Inbound:

  • Service/Purpose: Log Relay (Logstash)

  • Port: 5140/udp, 5141/tcp

  • Destination: The IP address for your virtual machine

Outbound:

  • Service/Purpose: Armor's logging service (ELK)

  • Port: 5443/tcp; 5400-5600/tcp (Reserved)

    • Armor reserves the right to utilize this port range for future expansion or service changes.

  • Destination

The ports listed above carry logs but do not by themselves provide security analytics. To receive security analytics for logs from supported remote log devices, you must add further firewall rules; the additional ports are described in the configuration documents listed under Create and Configure Remote Log Sources.

For non-supported remote log sources, collected logs will not receive any security analytics.

To learn more about firewall rules, see Requirements for Armor Anywhere.

Obtain Log Relay

The Log Relay service runs on a virtual machine with the Armor Agent installed. When you convert a virtual machine into a Log Relay device, the virtual machine (or device) still retains the default Armor Agent components, such as FIM, Malware, Patching, etc.


Option 1: Armor Enterprise Cloud

At a high level, to obtain Log Relay for your Armor Enterprise Cloud account, you must:

  • Create a virtual machine

  • Run an API call to install the Log Relay service onto your virtual machine.

Option 2: Armor Anywhere

At a high level, to obtain Log Relay for your Armor Anywhere account, you must:

  • Update your firewall rules, specifically for TCP

  • Create a virtual machine

  • Download and install the Armor Agent

  • Install the Log Relay service onto your virtual machine

    • A virtual machine with the Armor Agent installed can be converted into a Log Relay through the Armor Management Portal (AMP), as demonstrated in the accompanying screenshot.

    • Alternatively, a virtual machine with the Armor Agent installed can be converted into a Log Relay using the following commands:



Install Log Relay (Linux):

    /opt/armor/armor relay install

Uninstall Log Relay (Linux):

    /opt/armor/armor relay uninstall

Log Relay help (Linux):

    /opt/armor/armor relay help


Configure a remote log source (Remote Log Relay)


After you have obtained a Log Relay, you must access your remote log source's environment for additional configuration.

In general, you configure the remote log source to send its logs via syslog (TCP or UDP) to the Log Relay; the Log Relay then forwards the logs to the Armor datalake.
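The following added example (not Armor's code) checks that syslog path from the remote log source's side: it builds a test syslog message and sends it to the Log Relay's inbound ports listed in the Firewall Rules section, 5140/udp and 5141/tcp, after probing whether the TCP port is reachable. The relay address is a placeholder you must replace.

```python
# Added example (not Armor's code): verify the syslog path from a remote log source
# to the Log Relay's documented inbound ports, 5140/udp and 5141/tcp.
import datetime
import socket

RELAY_UDP_PORT = 5140  # Log Relay (Logstash) inbound ports from the Firewall Rules table
RELAY_TCP_PORT = 5141


def build_syslog_message(hostname, app, text, facility=1, severity=6):
    """Build a minimal RFC 5424 syslog line; PRI = facility * 8 + severity (1/6 = user.info)."""
    pri = facility * 8 + severity
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {text}".encode()


def send_to_relay(relay_ip, payload, proto="tcp", port=None, timeout=3.0):
    """Send one syslog message over TCP (newline-framed, as a Logstash tcp input with its
    default line codec expects) or UDP. Returns the number of payload bytes handed over.
    Note that a UDP send reports success even when nothing is listening."""
    if proto == "tcp":
        with socket.create_connection((relay_ip, port or RELAY_TCP_PORT), timeout=timeout) as s:
            s.sendall(payload + b"\n")
    elif proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (relay_ip, port or RELAY_UDP_PORT))
    else:
        raise ValueError("proto must be 'tcp' or 'udp'")
    return len(payload)


def tcp_port_open(relay_ip, port=RELAY_TCP_PORT, timeout=3.0):
    """True if a TCP connect to the relay's inbound port succeeds; False usually means the
    inbound firewall rule is missing or the relay service is not running."""
    try:
        with socket.create_connection((relay_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    RELAY_IP = "192.0.2.10"  # placeholder address (TEST-NET-1); replace with your relay's IP
    msg = build_syslog_message("fw-test", "relaycheck", "connectivity test from remote source")
    reachable = tcp_port_open(RELAY_IP)
    print("5141/tcp reachable:", reachable)
    if reachable:
        print("sent bytes over tcp:", send_to_relay(RELAY_IP, msg, "tcp"))
    print("sent bytes over udp:", send_to_relay(RELAY_IP, msg, "udp"))
```

Run it from the remote device (or a host on its network segment) so the probe exercises the same firewall path the device's syslog output will use.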

Armor currently supports log collection from the following remote devices:

For each log type, the additional information (what you must be able to do) and the document with detailed instructions are listed below.

AWS CloudTrail

For this log type, you must be able to:

  • Gather your AWS account information

  • Create a new trail and sync your AWS S3 bucket

Detailed instructions: Create a Remote Log Source - AWS CloudTrail

AWS GuardDuty

For this log type, you must be able to:

  • Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation

  • Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key)

  • Configure the AWS GuardDuty CloudFormation StackSet Template

Detailed instructions: Create a Remote Log Source - AWS GuardDuty

AWS VPC Flow Logs

For this log type, you must be able to:

  • Update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation

  • Configure a Web ACL

  • Configure the AWS WAF CloudFormation Stack Template

Detailed instructions: Create Flow Connection - AWS VPC Flow Logs

AWS WAF

For this log type, you must be able to:

  • Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation

  • Configure the AWS VPC Flow Log CloudFormation Stack Template

Detailed instructions: Create a Remote Log Source - AWS WAF

Check Point

For this log type, you must be able to:

  • Log into and pre-configure the Check Point box

  • Configure your Check Point device

Detailed instructions: Create a Remote Log Source - Check Point

Cisco ASA

For this log type, you must be able to:

  • Log into your Cisco ASA device

  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Cisco ASA

Cisco ISR

For this log type, you must be able to:

  • Log into your Cisco ISR device

  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Cisco ISR

Juniper

For this log type, you must be able to:

  • Log into your Juniper SRX device

  • Access the privileged EXEC mode

Detailed instructions: Create a Remote Log Source - Juniper

Fortinet FortiGate

For this log type, you must be able to:

  • Log into your Fortinet Security Gateway

  • Access the CLI Console

Detailed instructions: Create a Remote Log Source - Fortinet Security Gateway

Imperva Incapsula

For this log type, you must be able to:

  • Access the AWS console

  • Configure the IAM Role for an EC2 server or non-EC2 server

  • Log into your log relay server

Detailed instructions: Create a Remote Log Source - Imperva Incapsula

Palo Alto Firewall

For this log type, you must be able to:

  • Access the Palo Alto console

  • Configure your server and server profile

Detailed instructions: Create a Remote Log Source - Palo Alto Firewall

SonicWall

For this log type, you must be able to:

  • Log into the SonicWall console

  • Configure your SonicWall device

Detailed instructions: Create a Remote Log Source - SonicWall

Cylance

For this log type:

  • The user has a Log Relay device online

  • The user is not blocking traffic on TCP and UDP port 14015 between Cylance and the Log Relay

Detailed instructions: Create a Remote Log Source - Cylance

Storage Only

For this log type, you must be able to:

  • Configure your device or application for compliance log storage only

Detailed instructions: Create a Storage Only Log Source



Event Rate Limitations by Server Geometry

Appliance         Threshold            Minimum number of CPU cores   Suggested Memory in GB
Armor Log Relay   2,500 EPS or less    4                             8
Armor Log Relay   5,000 EPS or less    8                             16
Armor Log Relay   10,000 EPS or less   16                            32
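To size a relay against the table above you need a measured event rate, not a guess. The following added example (not Armor's tooling) estimates peak events per second from a syslog sample in either RFC 5424 or BSD/RFC 3164 framing, applies a headroom factor for bursts, and maps the result to the documented tier; the sample lines are constructed, and the tier values are copied from the table.

```python
# Added example (not Armor's tooling): estimate peak events per second (EPS) from a
# syslog sample and map it to the Event Rate Limitations table above.
import re
from collections import Counter

# (EPS threshold, minimum CPU cores, suggested memory in GB), copied from the table
GEOMETRY_TIERS = [(2500, 4, 8), (5000, 8, 16), (10000, 16, 32)]

# Timestamp to one-second precision from RFC 5424 ("<PRI>1 2024-01-01T10:00:00Z ...")
# or BSD/RFC 3164 ("<PRI>Jan  1 10:00:00 ...") framing; other lines are not counted.
_TS = re.compile(
    r"^<\d{1,3}>(?:\d+ (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r"|([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}))"
)


def peak_eps(lines):
    """Bucket parseable events by second and return the busiest second's count."""
    buckets = Counter()
    for line in lines:
        m = _TS.match(line)
        if m:
            buckets[m.group(1) or m.group(2)] += 1
    return max(buckets.values(), default=0)


def recommend_geometry(eps, headroom=1.0):
    """Smallest documented tier covering eps * headroom as (threshold, cores, memory_gb);
    None means the rate exceeds the largest tier, so spread sources over more relays."""
    target = eps * headroom
    for threshold, cores, memory_gb in GEOMETRY_TIERS:
        if target <= threshold:
            return (threshold, cores, memory_gb)
    return None


# Constructed sample (not real device output): three events in one second, one in the
# next, one BSD-style line, and one malformed line that must be ignored.
SAMPLE = [
    "<14>1 2024-01-01T10:00:00Z fw01 fw - - - session opened",
    "<14>1 2024-01-01T10:00:00Z fw01 fw - - - session opened",
    "<14>1 2024-01-01T10:00:00Z fw01 fw - - - session closed",
    "<14>1 2024-01-01T10:00:01Z fw01 fw - - - session closed",
    "<34>Jan  1 10:00:02 fw02 link state changed",
    "not a syslog line",
]

if __name__ == "__main__":
    eps = peak_eps(SAMPLE)
    print("peak EPS:", eps, "-> tier with 50% headroom:", recommend_geometry(eps, headroom=1.5))
```

Feed it a capture that spans the busiest period of the sources you plan to point at the relay; a single quiet minute will understate the rate.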


Related Documentation

For a detailed guide on how to obtain Log Relay, see Obtain Log Relay for Remote Log Collection.
