Log Collection Deployment: Access Local Collectors and Remote Collectors

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 10

This topic tells how to access Local Collectors and Remote Collectors so that you can configure them. You can access a Local Collector or Remote Collector by selecting the service that you want in the Administration > Services view. If you do not see a Local Collector or Remote Collector in the Services view, you need to add it.

After completing this procedure, you will have:

  • Added a Local Collector/Remote Collector service.
  • Added a Legacy Windows Remote service.

Procedures

Add a Local Collector/Remote Collector

You add a Local Collector by adding the Log Collector service to a Log Decoder host in Security Analytics. 
You add a Remote Collector by adding the Log Collector service to a host in Security Analytics.

Note: The dialog boxes are identical for Local Collectors, Remote Collectors, and Legacy Windows Collectors.

Access the Services view.

Click the Add icon to open the Add Service dialog and select Log Collector.

Define the connection details of the Log Collector service on a Local Collector.

Click Test Connection. If the connection is valid, you will see Test connection successful. If the connection fails, you will see Fail. If it failed, make sure that the Log Decoder host is running and that you have entered the correct information in the Add Service dialog, and click Save again.

To add a Local Collector or Remote Collector:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select the Add icon in the toolbar.
    The Add Service dialog is displayed.

  3. In the Add Service dialog, provide the following information.

                                            
    Field                  Description
    Service                Select Log Collector as the service type.
    Name                   Type the name you want to assign to the service.
    Host                   Select the log collector host that you added to the Hosts view where the corresponding log collector service resides.
    Port                   Default port is 50001 for clear text and 56001 for SSL encrypted.
    SSL                    Select SSL if you want Security Analytics to communicate with the host using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates.
    (Optional) Username    Type the username of the Local Collector.
    (Optional) Password    Type the password of the Local Collector.
  4. Click Test Connection to determine if Security Analytics connects to the service.
  5. When the result is successful, click Save.
    If the test is unsuccessful, edit the service information and retry. 
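
A pre-flight check for the Port and SSL values before they are entered in the Add Service dialog, as an added example that is not RSA code and does not use any Security Analytics API. The function names are hypothetical; the check covers only TCP reachability and the TLS handshake on the default ports named above, not the service login.

```python
import socket
import ssl

# Default Log Collector ports given on this page.
CLEAR_PORT = 50001
SSL_PORT = 56001

def probe(host, port, timeout=3.0):
    """Classify a listener as 'closed', 'no-tls' or 'tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    # Handshake only: this asks whether TLS is spoken, it does not trust the peer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except (ssl.SSLError, OSError):  # includes a handshake timeout
        return "no-tls"
    finally:
        sock.close()

def check_definition(host, port, use_ssl, timeout=3.0):
    """Compare intended Add Service values with what the port actually speaks."""
    findings = []
    if use_ssl and port == CLEAR_PORT:
        findings.append("SSL selected but port is the clear-text default 50001")
    if not use_ssl and port == SSL_PORT:
        findings.append("SSL not selected but port is the SSL default 56001")
    if not use_ssl:
        findings.append("clear text selected: traffic to the collector is not encrypted")
    state = probe(host, port, timeout)
    if state == "closed":
        findings.append("port not reachable: Test Connection would fail")
    elif use_ssl and state == "no-tls":
        findings.append("listener did not complete a TLS handshake")
    elif not use_ssl and state == "tls":
        findings.append("listener speaks TLS but SSL is not selected")
    return findings

if __name__ == "__main__":
    # Constructed example values; replace with the host from the Hosts view.
    for finding in check_definition("127.0.0.1", SSL_PORT, use_ssl=True):
        print(finding)
```

An empty result means the intended values and the listener agree. A "no-tls" result can also mean the listener offers only protocol versions that the local Python build refuses, so confirm it before treating the port as clear text.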

Add a Legacy Windows Remote Collector

You add a Remote Collector by adding the Log Collector service to a remote host.

Note: Before you add a Legacy Windows Remote Collector, you must install the Security Analytics Legacy Windows Collector on a physical or virtual Windows 2008 SP1 64-bit server using the SALegacyWindowsCollector-version-number.exe. You download the SALegacyWindowsCollector-version-number.exe from Download Central (refer to the SA-v10.6 Legacy Windows Update and Installation Instructions).

Access the Services view.

Click the Add icon to open the Add Service dialog and select Log Collector.

Define the details of the Log Collection service on a Remote Collector.

Click Test Connection. If the connection is valid, you will see Test connection successful. If the connection fails, you will see Fail. If it failed, make sure that the Log Decoder host is running and that you have entered the correct information in the Add Service dialog, and click Save again.

To add a Remote Collector:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select the Add icon in the toolbar.
    The Add Service dialog is displayed.
  3. In the Add Service dialog, provide the following information.

                                           
    Field                  Description
    Service                Select Log Collector as the service type.
    Name                   Type the service name.
    Host                   Select a remote host.
    Port                   Default port is 50001 for clear text and 56001 for SSL encrypted.
    SSL                    Select SSL if you want Security Analytics to communicate with the host using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates.
    (Optional) Username    Type the username of the Remote Collector.
    (Optional) Password    Type the password of the Remote Collector.
  4. Click Test Connection to determine if Security Analytics connects to the service.
  5. When the result is successful, click Save.
    If the test is unsuccessful, edit the service information and retry. 

Provisioning Local Collectors and Remote Collectors

The Security Analytics server checks whether an appliance has a Log Decoder service. If there is a Log Decoder service, the Log Collector becomes a Local Collector. If a Log Decoder service is missing, it becomes a Remote Collector. A Local Collector has an Event Destination, and by default its events go to the local Log Decoder service. A Remote Collector does not have an Event Destination. The Security Analytics server identifies a Legacy Windows Collector as a Remote Collector.

Note: The Remote Collector checkbox has been removed from the Edit Service dialog box. Security Analytics dynamically determines whether the service is a Local or Remote Collector.

To edit a Local Collector or Remote Collector:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services view, select the Add icon in the toolbar.
    The Edit Service dialog is displayed.
  3. In the Edit Service dialog, provide the following information.

                                           
    Field                  Description
    Service                Select Log Collector as the service type.
    Host                   Select a Log Decoder host.
    Name                   Type the name you want to assign to the service.
    Port                   Default port is 50001 for clear text and 56001 for SSL encrypted.
    SSL                    Select SSL if you want Security Analytics to communicate with the host using SSL. The security of data transmission is managed by encrypting information and providing authentication with SSL certificates.
    (Optional) Username    Type the username of the Local Collector.
    (Optional) Password    Type the password of the Local Collector.
  4. Click Test Connection to determine if Security Analytics connects to the service.
  5. When the result is successful, click Save.
    If the test is unsuccessful, edit the service information and retry. 