Log Collection GS: The Basics

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic tells you how Log Collection works and how you deploy it; lists the supported collection protocols; describes the basic implementation; and illustrates how you configure and deploy Log Collection.

How Log Collection Works

The Log Collector service collects logs from event sources throughout an organization's IT environment and forwards them to other Security Analytics components. The logs and their descriptive content are stored as metadata for use in investigations and reports.

Event sources are the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls. In most cases, your Information Technology (IT) team configures event sources to send their logs to the Log Collector service, and the Security Analytics administrator configures the Log Collector service to poll event sources and retrieve their logs. As a result, the Log Collector receives all logs in their original form.

What Collection Protocols Are Supported

The Log Collector service supports the following collection protocols:

Collection Protocol and Description:

  • AWS: Collects events from Amazon Web Services (AWS) CloudTrail. Specifically, CloudTrail records AWS API calls for an account.
  • Check Point: Collects events from Check Point event sources using OPSEC LEA. OPSEC LEA is the Check Point Operations Security Log Export API that facilitates the extraction of logs.
  • File: Collects events from log files. Event sources generate log files that are transferred using a secure file transfer method to the Log Collector service.
  • Netflow: Accepts events from Netflow v5 and Netflow v9.
  • ODBC: Collects events from event sources that store audit data in a database using the Open Database Connectivity (ODBC) software interface.
  • SDEE: Collects Intrusion Detection System (IDS) and Intrusion Prevention Service (IPS) messages.
  • SNMP Trap: Accepts SNMP traps.
  • Syslog: Accepts messages from event sources that issue syslog messages.
  • VMware: Collects events from a VMware virtual infrastructure.
  • Windows: Collects events from Windows machines that support the Microsoft Windows 6.0 model. Windows 6.0 is an event logging and tracing framework included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008.
  • Legacy Windows: Collects events from:
      • Older Windows versions such as Windows 2000 and Windows 2003, and from Windows event sources that are already configured for enVision collection, without having to reconfigure them.
      • NetApp ONTAP appliance event sources, so that you can collect and parse NetApp evt files.

Note: You install the Security Analytics Legacy Windows Collector on a physical or virtual Windows 2008 R2 SP1 64-Bit server using the SALegacyWindowsCollector-version-number.exe. Please refer to the Microsoft Windows Legacy Windows Eventing Configuration Guide for detailed instructions on how to deploy the Legacy Windows Collector.

This topic describes basic, required tasks you need to complete to start collecting events using Security Analytics Log Collector service. Please refer to the Log Collection Deployment Guide for instructions on how to set up more elaborate deployments.

Basic Implementation

To implement Log Collection, you must:

  1. Set up a Log Collector locally on a Log Decoder (that is, a Local Collector). You can also set up Log Collectors in as many remote locations (that is, Remote Collectors) as you need for your enterprise.
  2. Configure:
  • the Security Analytics Log Collection service to collect events from event sources.
  • event sources to send events to the Security Analytics Log Collection service.

Roles of Local and Remote Collectors

A Local Collector (LC) is a Log Collector service running on a Log Decoder host, alongside the Log Decoder service. Log collection over the various protocols (Windows, ODBC, and so on) is performed by the Log Collector service, and the Local Collector forwards all collected event data to the Log Decoder service.

You must have at least one Local Collector to collect non-Syslog events.

A Remote Collector (RC), also referred to as a Virtual Log Collector (VLC), is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional and they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations. Remote Collectors compress and encrypt the logs before sending them to a Local Collector.

Deploying and Configuring Log Collection

The following figure illustrates the basic tasks you must complete to deploy and configure Log Collection. To deploy Log Collection, you need to set up a Local Collector; you can also deploy one or more Remote Collectors. After you deploy Log Collection, you need to configure the event sources both in Security Analytics and on the event sources themselves. The diagram shows a Local Collector with one Remote Collector that pushes events to it.

  1. Set up Local and Remote Collectors.

    The Local Collector is the Log Collector service running on the Log Decoder host.

    A Remote Collector is the Log Collector service running on a virtual machine or Windows server in a remote location.

  2. Configure event sources:
  • Configure collection protocols in Security Analytics.
  • Configure each event source to communicate with the Security Analytics Log Collector.

Adding Local Collector and Remote Collector to Security Analytics

The following procedure explains how to add a Local Collector and Remote Collector to Security Analytics.

  1. In the Security Analytics menu, select Administration > Services.
  2. Open the Add Service dialog by clicking > Log Collector.
  3. Define the details of the Log Collection service on a Local Collector or Remote Collector.

    Note: For a Remote Collector, you must select the Remote checkbox.

Configuring Log Collection

In the Services view, you choose the Log Collector (that is, a Local Collector (LC) or a Remote Collector (RC)) for which you want to define parameters. The following procedure explains how to navigate to the Services view, select a Log Collector service, and display the configuration parameter interface for that service.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Collection service.
  3. Click under Actions and select View > Config to display the Log Collection configuration parameter tabs.
  4. Define global Log Collection parameters in the General tab.
  5. For a:
    • Local Collector, Security Analytics displays the Remote Collectors tab. In this tab, select the Remote Collectors from which the Local Collector pulls events.
    • Remote Collector, Security Analytics displays the Local Collectors tab. In this tab, select the Local Collectors to which the Remote Collector pushes events.
  6. Edit configuration files as text files in the Files tab.
  7. Define collection protocol parameters in the Event Sources tab.
  8. Define the lockbox, encryption keys, and certificates in the Settings tab.
  9. Define Appliance Service parameters in the Appliance Service Configuration tab.

Data Flow Diagram

You use the log data collected by the Log Collector service to monitor the health of your enterprise and to conduct investigations. The following figure shows you how data flows through Security Analytics Log Collection to Investigation.

