Log Collection: The Basics

Document created by RSA Information Design and Development Employee on Jul 23, 2016. Last modified by RSA Information Design and Development Employee on Sep 14, 2016.
Version 4

This topic tells you how Log Collection works and how you deploy it; lists the supported collection protocols; describes the basic implementation; and illustrates how you configure and deploy Log Collection.

How Log Collection Works

The Log Collector service collects logs from event sources throughout the IT environment in an organization and forwards the logs to other Security Analytics components. The logs and the descriptive content are stored as meta data for use in investigations and reports.

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service and the Security Analytics administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.

What Collection Protocols Are Supported

The Log Collector service supports the following collection protocols:

Collection Protocol / Description

AWS (CloudTrail)

Collects events from Amazon Web Services (AWS) CloudTrail. Specifically, CloudTrail records AWS API calls for an account.
For more information, see The Basics in the AWS (CloudTrail) Collection Configuration Guide.

Check Point

Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.
For more information, see The Basics in the Check Point Collection Configuration Guide.

File

Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.
For more information, see The Basics in the File Protocol Collection Configuration Guide.

Netflow

Accepts events from Netflow v5 and Netflow v9.
For more information, see The Basics in the Netflow Collection Configuration Guide.

ODBC

Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface.
For more information, see The Basics in the ODBC Collection Configuration Guide.

SDEE

Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages.
For more information, see The Basics in the SDEE Collection Configuration Guide.

SNMP Trap

Accepts SNMP traps.
For more information, see The Basics in the SNMP Collection Configuration Guide.

Syslog

Accepts messages from event sources that issue syslog messages.

VMware

Collects events from a VMware virtual infrastructure.
For more information, see The Basics in the VMware Collection Configuration Guide.

Windows

Collects events from Windows machines that support the Microsoft Windows Eventing model. Windows Eventing 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008.
For more information, see The Basics in the Windows Collection Configuration Guide.

Windows Legacy

Collects events from:

  • Older Windows versions, such as Windows 2000 and Windows 2003, and Windows event sources that are already configured for enVision collection, without having to reconfigure them.
  • NetApp ONTAP appliance event source so that you can now collect and parse NetApp evt files.

For more information, see The Basics in the Windows Legacy and NetApp Collection Configuration Guide.

Note: You install the Security Analytics Windows Legacy Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using the SALegacyWindowsCollector-version-number.exe. Please refer to the Windows Collection Configuration Guide for detailed instructions on how to deploy the Windows Legacy Collector.

This topic describes the basic, required tasks you need to complete to start collecting events using the Security Analytics Log Collector service. Please refer to the Log Collection Deployment Guide for instructions on how to set up more elaborate deployments.

Basic Implementation

To implement Log Collection, you must:

  1. Set up a Log Collector locally on a Log Decoder (that is, a Local Collector). You can also set up Log Collectors in as many remote locations (that is, Remote Collectors) as you need for your enterprise.
  2. Configure:

    • Security Analytics Log Collection to collect events from event sources.
    • Event sources to send events to the Security Analytics Log Collection service.

Roles of Local and Remote Collectors

A Local Collector (LC) is a Log Collector service running on a Log Decoder host.  In a local deployment scenario, the Log Collector service is deployed on a Log Decoder host, with the Log Decoder service. Log collection from various protocols like Windows, ODBC, and so on, is performed through the Log Collector service, and events are forwarded to the Log Decoder service. The Local Collector sends all collected event data to the Log Decoder service.

You must have at least one Local Collector to collect non-Syslog events.

A Remote Collector (RC), also referred to as a Virtual Log Collector (VLC), is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional and they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations. Remote Collectors compress and encrypt the logs before sending them to a Local Collector.

Deploying and Configuring Log Collection

The following figure illustrates the basic tasks you must complete to deploy and configure Log Collection. To deploy Log Collection, you need to set up a Local Collector. You can also deploy one or more Remote Collectors. After you deploy Log Collection, you need to configure the event sources in Security Analytics and on the event sources themselves. The following diagram shows the Local Collector with one Remote Collector that pushes events to the Local Collector.

Set up Local and Remote Collectors.

The Local Collector is the Log Collector service running on the Log Decoder host.

A Remote Collector is the Log Collector service running on a virtual machine or Windows server in a remote location.


Configure event sources:

  • Configure collection protocols in Security Analytics.
  • Configure each event source to communicate with the Security Analytics Log Collector.  

Adding Local Collector and Remote Collector to Security Analytics

The following figure shows how to add a Local Collector and Remote Collector to Security Analytics.


Access the Services view.


Open the Add Service dialog.



Define the details of the Log Collection service.

Select Test Connection to ensure that your Local or Remote Collector is added.

Configuring Log Collection

You choose the Log Collector, that is a Local Collector (LC) or Remote Collector (RC), for which you want to define parameters in the Services view. The following figure shows how to navigate to the Services view, select a log collector service, and display the configuration parameter interface for that service.


  1. Access the Services view.
  2. Select a Log Collection service.
  3. Click the icon under Actions and select View > Config to display the Log Collection configuration parameter tabs.
  4. Define global Log Collection parameters in the General tab.
  5. For a:

    • Local Collector, Security Analytics displays the Remote Collectors tab. Select the Remote Collectors from which the Local Collector pulls events in this tab.
    • Remote Collector, Security Analytics displays the Local Collectors tab. Select the Local Collectors to which the Remote Collector pushes events in this tab.

  6. Edit configuration files as text files in the Files tab.
  7. Define collection protocol parameters in the Event Sources tab.
  8. Define the lockbox, encryption keys, and certificates in the Settings tab.
  9. Define Appliance Service parameters in the Appliance Service Configuration tab.

Data Flow Diagram

You use the log data collected by the Log Collector service to monitor the health of your enterprise and to conduct investigations. The following figure shows you how data flows through Security Analytics Log Collection to Investigation.

