This topic tells you how Log Collection works and how you deploy it; lists the supported collection protocols; describes the basic implementation; and illustrates how you configure and deploy Log Collection.
How Log Collection Works
The Log Collector service collects logs from event sources throughout the IT environment in an organization and forwards the logs to other Security Analytics components. The logs and the descriptive content are stored as meta data for use in investigations and reports.
Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service and the Security Analytics administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.
What Collection Protocols Are Supported
The Log Collector service supports the following collection protocols:
Collects events from Amazon Web Services (AWS) CloudTrail. Specifically CloudTrail records AWS API calls for an account.
For information on configuring and deploying a remote log collector in an AWS environment, see Step 1 - Log in to AWS and Create an Instance in the Configure and Deploy Remote Log Collector in AWS Guide.
|Check Point|| |
Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.
Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.
Accepts events from Netflow v5 and Netflow v9.
|ODBC||Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface.|
For more information, see The Basics in the ODBC Collection Configuration Guide.
Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages.
|SNMP Trap||Accepts SNMP traps.|
For more information, see The Basics in the SNMP Collection Configuration Guide.
Accepts messages from event sources that issue syslog messages.
|VMware||Collects events from a VMware virtual infrastructure.|
For more information, see The Basics in the VMware Collection Configuration Guide.
Collects events from Windows machines that support the Microsoft Windows model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008.
For more information, see The Basics in the Windows Collection Configuration Guide.
|Windows Legacy|| |
Collects events from:
Note: You install the Security Analytics Windows Legacy Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using the SALegacyWindowsCollector-version-number.exe. Please refer to the Windows Collection Configuration Guide for detailed instructions on how to deploy the Windows Legacy Collector.
This topic describes basic, required tasks you need to complete to start collecting events using Security Analytics Log Collector service. Please refer to the Log Collection Deployment Guide for instructions on how to set up more elaborate deployments.
To implement Log Collection, you must:
- Set up a Log Collector locally on a Log Decoder (that is a Local Collector). You can also set up log collectors in as many remote locations (that is Remote Collectors) as you need for your enterprise.
- Security Analytics Log Collection to to collect events from event sources
- Events sources to send events to Security Analytics Log Collection service.
Roles of Local and Remote Collectors
A Local Collector (LC) is a Log Collector service running on a Log Decoder host. In a local deployment scenario, the Log Collector service is deployed on a Log Decoder host, with the Log Decoder service. Log collection from various protocols like Windows, ODBC, and so on, is performed through the Log Collector service, and events are forwarded to the Log Decoder service. The Local Collector sends all collected event data to the Log Decoder service.
You must have at least one Local Collector to collect non-Syslog events.
A Remote Collector (RC), also referred to as a Virtual Log Collector (VLC), is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional and they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations. Remote Collectors compress and encrypt the logs before sending them to a Local Collector.
Deploying and Configuring Log Collection
The following figure illustrates the basic tasks you must complete to deploy and configure Log Collection. To deploy Log Collection, you need to set up a Local Collector. You can also deploy one or more Remote Collectors. After you deploy Log Collection, you need to configure the events sources in Security Analytics and on the events sources themselves. The following diagram shows the Local Collector with one remote collector that pushes events to the Local Collector.
The Local collector is the Log Collector service running on the Log Decoder host.
A Remote Collector is the Log Collector service running on a virtual machine or Windows server in a remote location.
- Configure collection protocols in Security Analytics.
- Configure each event source to communicate with the Security Analytics Log Collector.
Adding Local Collector and Remote Collector to Security Analytics
The following figure shows how to add a Local Collector and Remote Collector to Security Analytics.
Configuring Log Collection
You choose the Log Collector, that is a Local Collector (LC) or Remote Collector (RC), for which you want to define parameters in the Services view. The following figure shows how to navigate to the Services view, select a log collector service, and display the configuration parameter interface for that service.
1 Access the Services view
2 Select a Log Collection service.
4 Define global Log Collection parameters in the
5 For a:
- Local Collector, Security Analytics displays the Remote Collectors tab. Select the Remote Collectors from which the Local Collector pulls events in this tab.
- Remote Collector, Security Analytics displays the Local Collectors. Select the Local Collectors to which the Remote Collector pushes events in this tab.
6 Edit configuration files as text files in the Files tab
7 Define collection protocol parameters in the Event Sources tab.
8 Define the lockbox, encryption keys, and certificates in the Settings tab.
9 Define Appliance Service parameters in the Appliance Service Configuration tab.
Data Flow Diagram
You use the log data collected by the Log Collector service to monitor the health of your enterprise and to conduct investigations. The following figure shows you how data flows through Security Analytics Log Collection to Investigation.