LogSentinel Collector Configuration

Configuration via UI

The LogSentinel Collector exposes a web-based UI on port 8080 that allows you to configure multiple sources quickly. The UI is synchronized with the YAML configuration, so you don't have to choose one over the other.

Configuration file

Below is a full reference of the configuration options for the LogSentinel Collector. It can read

# ApplicationId, OrganizationId and secret obtained from the API credentials page in the dashboard. 
# The applicationId can be overridden per targetType

applicationId: ba2f0680-5424-11e8-b88d-6f2c1b6625e8
organizationId: ba2cbc90-5424-11e8-b88d-6f2c1b6625e8
secret: d8b63c3d82a6deb56b005a3b8617bf376b6aa6c181021abd0d37e5c5ac9911a1

# Supported collector types:
#   file - watches one or more files and sends each new line as a separate event
#   database - watches one or more tables using custom queries and sends events based on a comparison column (usually a timestamp or sequential ID)
#   databaseLog - watches a database query log and sends each query as a separate event
#   directory - watches a given directory for changes (files created, deleted or modified)
#   accessLogFile - watches an access log file and parses the standard access log format
#   mssqlAuditLog - watches the MS SQL Server audit log (needs to be properly configured prior to starting the collector)
#   mssqlChangeTracking - watches MS SQL Server change tracking details and sends each change
#   linuxAuditLog - watches and parses the default Linux audit log file
#   windowsEventLog - watches the Windows event log and sends each entry
#   exchangeAdminLog - watches the admin log of Microsoft Exchange
#   axonDb - used to interact with AxonDB modifications to turn them into audit trail entries
#   syslog - used to activate a syslog server that forwards syslog events to LogSentinel
#   sap - monitors a directory for SAP Security Audit Log files and handles their format, in which all entries sit on one line separated by a special separator
#   oracle - configures auditing and FGA on Oracle DB and watches the DBA_AUDIT_TRAIL and FGA_LOGS tables (extending the database collector)

# The base URL to connect to. Change only for on-premise deployments
logsentinelBaseUrl: https://api.logsentinel.com

# Keystore configurations. Use only if you need each request to be digitally signed.  
keystorePath: /path/to/keystore.jks
keystorePassword: password
keystoreAlias: alias

# Configure whether the MAC address of the machine is sent as a parameter attached to each event
includeMacAddress: false

# Configure whether the local IP address of the machine is sent as a parameter attached to each event
includeLocalIp: false

# Configure whether collectors that rely on timestamp to send events should start from events that 
# happen after the collector is installed, or historical events should be consumed and sent as well 
# (not applicable if historical data is not available) 
timestampInitialUseCurrent: true

# Allows trusting self-signed certificates provided by the LogSentinel service. 
# Use only for on-premise installations
trustSelfSignedCertificates: false

file:
  watchIntervalMillis: 30000 # period for checking the files for updates 
  watchFilePaths: # list of files to watch
    - /var/logs/system.log
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  separator: # if the file has columns, specify the column separator (e.g. ; , or \t)
  csv: # true or false, whether CSV syntax should be observed, e.g. escaping quotes
  actionIdx: # 0-based index of the action column
  actorIdx: # 0-based index of the actor column
  entityTypeIdx: # 0-based index of the entityType column
  entityIdIdx: # 0-based index of the entityId column
  compressionType: # GLIB or ZLIP - used for reading compressed audit log files

databaseLog:
  watchIntervalMillis: 30000 # period for checking the files for updates 
  watchFilePaths: # list of files to watch
    - /var/logs/system.log
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

linuxAuditLog:
  watchIntervalMillis: 30000 # period for checking the files for updates 
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

accessLogFile:
  # the access log format in Common Log Format - https://en.wikipedia.org/wiki/Common_Log_Format
  accessLogFormat: format 
  accessLogIgnoredPaths: # option to ignore requests to a list of URIs 
    - path1
    - path2
  watchIntervalMillis: 30000 # period for checking the files for updates 
  watchFilePaths: # list of files to watch
    - /var/logs/system.log
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

directory:
  watchDirPath: /var/logs # directory to watch for changes
  sendLogsRate: 30000
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  useDocumentApi: false # whether to use the document API (more convenient for tracking documents)
  sendHash: false # whether to send just the hash of the file rather than the whole body
  maxFileSize: 0 # the max allowed file size to send to the server; larger files are sent as a hash; 0 means no limit (note that the server has its own limit)
  skipActorId: false # whether to skip extracting the actorId for each event (auditing functionality must be turned on)
  sendInBatches: true # whether to send the data in batches or in real time as events come

database:
  jdbcConnectionString: jdbc:mysql://192.168.1.101/db # database connection string
  jdbcUsername: root # database username
  jdbcPassword: pass # database password
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  watchSqlQueries: # list of queries to be executed against the database
    - sql: select * from logs # SQL query
      # which column is used for comparing entries. Only entries with value 
      # of this column above the value of the last sent event will be processed
      criteriaColumn: timestamp
      actorDisplayNameColumn: actorDisplayName # column to get the actorDisplayName
      actorIdColumns: actorId # comma separated columns that comprise the actorId
      actionColumn: action # column to be used for the action
      entityIdColumn: entityId # column to be used for entityId
      entityTypeColumn: entityType # column to be used for entityType
      entityTypeValue: entityType # a hardcoded value for entityType (alternative to specifying a column)
      actionValue: action # a hardcoded value for the action (alternative to specifying a column)
    - sql: select * from events
      criteriaColumn: timestamp2
      actorDisplayNameColumn: actorDisplayName2
      actorIdColumns: actorId2 #comma separated
      actionColumn: action2
      entityIdColumn: entityId2
      entityTypeColumn: entityType2
      entityTypeValue: entityType2
      actionValue: action2

oracle:
  jdbcConnectionString: jdbc:oracle:thin:@192.168.1.110:1521:orcl # database connection string
  jdbcUsername: SYS AS SYSDBA # database username
  jdbcPassword: pass # database password
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  fgaPolicies: # Fine Grained Auditing policies
    - objectSchema: TESTUSER # schema
      objectName: PERSONS # table name
      policyName: testPolicy # policy name, required
      auditCondition: Age != 0 # audit only rows matching this condition
      auditColumn: City # audited column
      enabled: true
      statementTypes: SELECT, INSERT, UPDATE, DELETE
  auditPolicies: # Standard audit policies
    # for the available audit options see SELECT * FROM SYS.STMT_AUDIT_OPTION_MAP
    - userName: testUser # user to which the policy applies; leave empty to apply to all users
      auditOption: UPDATE TABLE # action that will be audited
    - auditOption: SELECT TABLE


windowsEventLog:
  sourceTypes: # list of Windows event log types (Application, Security, System)
    - Application
    - Security
  sources: # an optional whitelist of event log sources to be processed
    - Source1
    - Source2
  excludedSources: # a blacklist of event sources not to be processed; alternative to specifying "sources"
    - ExcludedSource1
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  mode: NATIVE # whether to use the NATIVE Win32 API (default) or PowerShell commands (value POWERSHELL)
  remote: # connect to a remote event log; leave user, domain and password blank to use the current user
    user:
    domain:
    password:
    server: # IP address or domain name
    authMethod: # auth constant, starting from 0, see https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used


exchangeAdminLog:
  exchangeUrl: # URL of the Exchange server
  username: # username to connect with
  password: # password to connect with (if username and password are not specified, the current account is used)
  dateFormat: # override the default date format if needed in order to parse the dates
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

mssqlAuditLog:
  jdbcConnectionString: jdbc:mysql://192.168.1.101/ # database connection string
  jdbcUsername: sa # database username
  jdbcPassword: pass # database password
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  # path where the MS SQL Server audit log file is stored
  # (see https://github.com/LogSentinel/logsentinel-agent/blob/master/MS_SQL_README.md)
  mssqlLogsPath: c:\auditlog\

mssqlChangeTracking:
  jdbcConnectionString: jdbc:mysql://192.168.1.101/ # database connection string
  jdbcUsername: sa # database username
  jdbcPassword: pass # database password
  sendLogsRate: 30000 # how often is data sent to the LogSentinel service
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used
  databases: # list of databases for which changes have to be tracked
    - db1
    - db2
  # tables for which changes should be ignored (use the full table name, including database and schema)
  ignoredTables: 
    - db1.dbo.table1
    - db2.dbo.table3
  # tables for which changes should be monitored. If not specified, all tables are monitored. 
  includedTables: 
    - db1.dbo.table1
    - db2.dbo.table3

axonDB:
  trackingToken: 0 # AxonDB tracking token
  action: LOG_AXON # Hardcoded action value
  batchEnabled: false # Use batch queries
  batchInterval: 10000 # Batch interval in case batch queries are enabled
  applicationId: ... # override the default applicationId to send events to a custom one
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

email:
    # IMAP URL - replace <username> and <password> with real ones; replace imap.gmail.com with your provider's IMAP host
    # Make sure the IMAP server accepts requests from outside (Gmail does not by default)
    imapInboxUrl: imap://<username>:<password>@imap.gmail.com/INBOX
    actionRegex: .*  # regex extracting action from subject or body
    actionRegexSubject: true # search action in subject or body
    entityIdRegex: .* # regex extracting entityId from subject or body
    entityIdRegexSubject: false # search entityId in subject or body
    entityTypeRegex: .* # regex extracting entityType from subject or body
    entityTypeRegexSubject: false # search entityType in subject or body
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

syslog:
    ipToApplicationId: # a map of source IPs to applicationIds

sapSecurityAuditLog:
    watchIntervalMillis: 30000 # period for checking the files for updates 
    watchFilePaths: # list of files to watch
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    separator: # specify the special log separator
    compressionType: #GLIB or ZLIP - used for reading compressed audit log files

sapReadAccessLog:
    jdbcConnectionString: jdbc:mssql://192.168.1.101/db # database connection string
    jdbcUsername: root # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    applicationId: ... # override the default applicationId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

cdc:
  # Full documentation for supported databases can be found here:
  # https://debezium.io/docs/connectors/mysql/
  # https://debezium.io/docs/connectors/postgresql/
  # https://debezium.io/docs/connectors/oracle/
  # https://debezium.io/docs/connectors/sqlserver/

  # regexes to extract actor, action, entityId and entityType from stringified data provided by debezium
  actorRegex: .*
  actionRegex: .*
  entityIdRegex: .*
  entityTypeRegex: .*
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

  # supported databases are MYSQL, ORACLE, POSTGRES, MSSQL
  database: MYSQL
  offsetFilename: offset.txt #path to file that stores current processed state
  databaseHost: localhost
  databasePort: 3306
  databaseDbname: test # database name
  databaseUser: user
  databasePassword: password
  databaseServerName: serverName # logical name, used to distinguish different debezium instances (if any)
  databaseHistoryFilename: history.txt # file where the connector will write and recover DDL statements
  tableWhiteList: table1 # tables that will be monitored (only for some databases)

  # Additional properties supported by debezium can be placed here. Unsupported keys are ignored.
  # These can override the hardcoded values of the properties offset.flush.interval.ms and server.id
  additionalProperties:
    key1: value1
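As an added example (not LogSentinel's own code), a small sanity check that runs over a collector config after it has been loaded with a YAML parser such as PyYAML's `yaml.safe_load`. The rules are derived from the comments in the reference above (placeholder credentials, self-signed trust outside on-premise deployments, an incomplete keystore triple, query fields that need exactly one of a column or a hardcoded value, and the mutually exclusive Windows source lists); the sample config and its mistakes are constructed for illustration.

```python
# Added example, not LogSentinel's own code: sanity checks for a collector config
# after it has been loaded with a YAML parser (e.g. PyYAML's yaml.safe_load).
DEFAULT_BASE_URL = "https://api.logsentinel.com"

def _unset(value):
    # Missing keys, empty values and the reference's "..." placeholder count as unset
    return value in (None, "", "...")

def validate_collector_config(cfg):
    """Return the list of problems found in a parsed collector config (empty = OK)."""
    problems = []
    for key in ("applicationId", "organizationId", "secret"):
        if _unset(cfg.get(key)):
            problems.append(f"{key} is missing or still a placeholder")
    # Trusting self-signed certificates is documented for on-premise deployments only
    base_url = cfg.get("logsentinelBaseUrl") or DEFAULT_BASE_URL
    if cfg.get("trustSelfSignedCertificates") and base_url == DEFAULT_BASE_URL:
        problems.append("trustSelfSignedCertificates is enabled against the default cloud URL")
    # Request signing needs the whole keystore triple, not part of it
    keystore = [cfg.get(k) for k in ("keystorePath", "keystorePassword", "keystoreAlias")]
    if any(_unset(v) for v in keystore) and not all(_unset(v) for v in keystore):
        problems.append("keystorePath, keystorePassword and keystoreAlias must all be set")
    # Each query needs a comparison column; action/entityType come from a column or a value
    for i, q in enumerate((cfg.get("database") or {}).get("watchSqlQueries") or []):
        if _unset(q.get("sql")) or _unset(q.get("criteriaColumn")):
            problems.append(f"watchSqlQueries[{i}] needs both sql and criteriaColumn")
        for field in ("action", "entityType"):
            if _unset(q.get(f"{field}Column")) == _unset(q.get(f"{field}Value")):
                problems.append(f"watchSqlQueries[{i}]: set exactly one of {field}Column / {field}Value")
    # Windows event log: the whitelist and blacklist are alternatives; types are a fixed set
    win = cfg.get("windowsEventLog") or {}
    if win.get("sources") and win.get("excludedSources"):
        problems.append("windowsEventLog: use either sources or excludedSources, not both")
    unknown = set(win.get("sourceTypes") or []) - {"Application", "Security", "System"}
    if unknown:
        problems.append(f"windowsEventLog: unknown sourceTypes {sorted(unknown)}")
    return problems

# Constructed sample mirroring the reference above, with deliberate mistakes to catch
SAMPLE_CONFIG = {
    "applicationId": "ba2f0680-5424-11e8-b88d-6f2c1b6625e8",  # id from the reference
    "organizationId": "...",  # placeholder left in
    "secret": "d8b63c3d82a6deb56b005a3b8617bf376b6aa6c181021abd0d37e5c5ac9911a1",
    "trustSelfSignedCertificates": True,  # but logsentinelBaseUrl left at the default
    "keystorePath": "/path/to/keystore.jks",  # password and alias missing
    "database": {"watchSqlQueries": [{"sql": "select * from logs", "criteriaColumn": "timestamp",
                 "actionColumn": "action", "actionValue": "action", "entityTypeValue": "entityType"}]},
    "windowsEventLog": {"sourceTypes": ["Application", "Setup"],
                        "sources": ["Source1"], "excludedSources": ["ExcludedSource1"]},
}
```

Running `validate_collector_config(SAMPLE_CONFIG)` reports six problems, one per deliberate mistake; a clean config returns an empty list.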