Introduction to Log Relay
Â
Topics Discussed
You can use this document to learn about the basic, high-level steps needed to send additional log types to Armor, also known as remote log collection. To send these remote logs, you must obtain Log Relay.
Review the information outlined in this pre-configuration document, to verify that you can perform the required steps. Additional, detailed instructions are available to help you navigate each step.
At a high level, there are two steps to this process:
Step 1: Obtain Log Relay
Step 2: Configure a remote log source
The Log Relay service can only be installed on Linux machines.
Review Requirements
Requirement Type | Product Compatibility | Description |
Supported Devices |
| Only Linux machines can be converted to Log Relays. Machines must be in an OK state to be converted. To learn more about the health status of a virtual machine, see Health Overview Dashboard. Â Log Relay will support receiving logs from devices such as WAFs or next-gen firewalls. The Armor Agent is not needed on devices to pass logs through a relay. |
Pricing Information |
| While log collection is available to all users, there is a cost associated with sending and storing logs. For pricing information, please contact your Account Manager. |
Permissions |
| In order to use Log Relay, you must have the following permissions included in your account:
To learn more about permissions, see Roles and Permissions. |
Log Retention Plan |
|
This plan:
For pricing information, please contact your Account Manager. Â Armor Anywhere agents that are converted to a log relay device will retain the default Log Management Essentials plan subscription. This plan collects and stores your logs for 30 days. |
Firewall Rules |
| Armor Anywhere users must add the following generic firewall rules: Inbound:
 Outbound:
 The above-mentioned ports do not provide security analytics. To receive security analytics for logs from supported remote log devices, you must add additional firewall rules; these additional ports are described in the configuration documents listed in Create and Configure Remote Log Sources.  For non-supported remote log sources, collected logs will not receive any security analytics. To learn more about firewall rules, see Requirements for Armor Anywhere. |
Â
Obtain Log Relay
The Log Relay service runs on a virtual machine with the Armor Agent installed. When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc.
Option 1: Armor Enterprise Cloud
At a high level, to obtain Log Relay for your Armor Enterprise Cloud account, you must:
Create a virtual machine
Run an API call to install the Log Relay service onto your virtual machine.
Â
Option 2: Armor Anywhere
At a high level, to obtain Log Relay for your Armor Anywhere account, you must:
Update your firewall rules, specifically for TCP
Create a virtual machine
Download and install the Armor Agent
Install the Log Relay service onto your virtual machine
A virtual machine with the Armor Agent installed can be converted into a Log Relay through the Armor Management Portal (AMP) as demonstrated in the accompanying screenshot:
Alternatively, a virtual machine with the Armor Agent installed can be converted into a Log Relay using the following commands:
Install Log Relay:
Linux: /opt/armor/armor relay install
Â
Uninstall Log Relay:
Linux: /opt/armor/armor relay uninstall
Â
Log Relay Help:
Linux: /opt/armor/armor relay help
Configure a remote log source (Remote Log Relay)
After you have obtained a Log Relay, you must access your remote log source's environment for additional configuration.
In general, you will need to configure the remote log source to upload logs via syslog (TCP/UDP) to the Log Relay and then the Log Relay will send the logs to the Armor datalake.
Armor currently supports logs collection from the following remote devices:
Log type | Additional information | Detailed instructions |
AWS CloudTrail | For this log type, you must be able to:
| |
AWS GuardDuty | For this log type, you must be able to:
| |
AWS VPC Flow Logs | For this log type, you must be able to:
| |
AWS WAF | For this log type, you must be able to:
| |
Check Point | For this log type you must be able to:
| |
Cisco ASA | For this log type, you must be able to:
| |
Cisco ISR | For this log type, you must be able to:
| |
Juniper | For this log type, you must be able to:
| |
Fortinet FortiGate | For this log type, you must be able to:
| |
Imperva Incapsula | For this log type, you must be able to:
| |
Palo Alto Firewall | For this log type, you must be able to:
| |
SonicWall | For this log type, you must be able to:
| |
Cylance | For this log type:
| |
Storage Only | For this log type, you must be able to:
|
Event Rate Limitations by Server Geometry
Appliance | Threshold | Minimum number of CPU cores | Suggested Memory in GB |
 Armor Log Relay | 2,500 EPS or less | 4 | 8 |
5,000 EPS or less | 8 | 16 | |
10,000 EPS or less | 16 | 32 |
Related Documentation
For a detailed guide on how to obtain Log Relay, see Obtain Log Relay for Remote Log Collection.
Â