
Configuring The LogSentinel Agent

Installing the collector

Installing the collector is straightforward. The exact steps depend on whether you install it on a Linux or Windows machine, but it usually involves either a short script or a one-click installer.

Installing on Linux

  1. Get the latest release of logsentinel-collector.jar and copy it to /var/logsentinel/logsentinel-collector.jar
  2. Get the logsentinel-collector.conf file and copy it to /var/logsentinel/logsentinel-collector.conf
  3. Add a logsentinel-collector.yaml in the same directory. The file should contain the configuration of the collector (see the next section)
  4. Get the setup-collector.sh script and run it (works on CentOS/RHEL; we’ll soon add a similar script for Debian-based distros)

This should start the collector and configure it to run automatically on startup. You can start and stop it with service logsentinel-collector start and service logsentinel-collector stop.
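The Linux steps above leave three files in /var/logsentinel, one of which (the YAML) carries the organization secret. The following pre-flight check is an added example and not part of LogSentinel's own setup script: it verifies that the jar, conf and yaml are all in place and that the yaml is not readable by other local users. That the collector runs as root and that a 0600 mode on the yaml is appropriate are assumptions made here, not statements from this page.

```python
"""Pre-flight check for a logsentinel-collector install directory.

Added example, not LogSentinel's own tooling. Assumption (not stated on the page):
the collector runs as root, so the YAML file holding the secret can be restricted
to its owner (mode 0600) without breaking the service.
"""
import os
import stat
import tempfile
from pathlib import Path

# File names from the Linux installation steps on this page.
REQUIRED_FILES = (
    "logsentinel-collector.jar",
    "logsentinel-collector.conf",
    "logsentinel-collector.yaml",
)
SECRET_FILE = "logsentinel-collector.yaml"  # contains applicationId/organizationId/secret


def check_collector_layout(install_dir="/var/logsentinel"):
    """Return a list of problems found; an empty list means the layout is ready."""
    problems = []
    base = Path(install_dir)
    if not base.is_dir():
        return [f"{install_dir} does not exist"]
    for name in REQUIRED_FILES:
        path = base / name
        if not path.is_file():
            problems.append(f"missing {path}")
    yaml_path = base / SECRET_FILE
    if yaml_path.is_file():
        mode = stat.S_IMODE(yaml_path.stat().st_mode)
        # Any group/other bit set means another local user could read the secret.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(
                f"{yaml_path} is readable by group/others (mode {mode:04o}); it holds the secret"
            )
    return problems


def harden_secret_file(install_dir="/var/logsentinel"):
    """Restrict the YAML file (which contains the secret) to its owner; return the new mode."""
    yaml_path = Path(install_dir) / SECRET_FILE
    os.chmod(yaml_path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(yaml_path.stat().st_mode)


def demo():
    """Build a constructed install directory in a temp folder and show both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in REQUIRED_FILES:
            (Path(tmp) / name).write_text("placeholder\n")  # constructed stand-in content
        os.chmod(Path(tmp) / SECRET_FILE, 0o644)  # deliberately too open
        before = check_collector_layout(tmp)
        harden_secret_file(tmp)
        after = check_collector_layout(tmp)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", before)
    print("after hardening:", after or "OK")
```

Run it as root after step 3 and before step 4; a non-empty result means either a file was copied to the wrong place or the secret-bearing YAML is exposed to other accounts on the host.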

Installing on Windows

  1. Get the latest Windows installer
  2. Extract it and run the install.bat (you need admin privileges)
  3. Customize the logsentinel-collector.yaml file in the installation directory
  4. Go to Services and start the LogSentinelcollector service

Note

If you are going to collect Windows event logs from other machines, you need a series of permission configurations, described in detail here.

Configuring the collector

Configuring the collector is done via a straightforward YAML file. All properties are described here. Below is a sample setup that listens to a Windows event log as well as an MS SQL audit trail:


    applicationId: ba2f0780-5424-11e8-b88d-6a2c1b6625c8
    organizationId: ba2cdc90-5424-11e8-b88d-6a2c1b6625c8
    secret: d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1

    includeMacAddress: false
    includeLocalIp: false
    timestampInitialUseCurrent: true

    windowsEventLog:
        - sendLogsRate: 30000
          sourceTypes:
            - Application
            - Security

    mssqlAuditLog:
        - dbcConnectionString: jdbc:sqlserver://localhost:1434;integratedSecurity=true
          sendLogsRate: 30000
          mssqlLogsPath: c:\logs\mssqltrail\
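A misplaced indent or a quoted number in this file is easy to miss until the service refuses to start. The validator below is an added example, not LogSentinel's own code: it takes the configuration as the dictionary a YAML loader would produce and checks the shape implied by the sample above (UUID identifiers, a non-empty secret, boolean flags, and per-source entries with a positive sendLogsRate). Which fields are mandatory beyond what the sample shows, the secret's exact format, and the requirement of at least one log source are assumptions made here.

```python
"""Structural validation of a logsentinel-collector.yaml configuration.

Added example; not LogSentinel's own code. The rules are derived from the sample
configuration on this page. Assumptions: at least one log source section must be
present, and the secret has no documented format beyond being non-empty.
"""
import uuid

KNOWN_SECTIONS = ("windowsEventLog", "mssqlAuditLog")


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def _check_rate(entry, where, problems):
    rate = entry.get("sendLogsRate")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not isinstance(rate, int) or isinstance(rate, bool) or rate <= 0:
        problems.append(f"{where}: sendLogsRate must be a positive integer, got {rate!r}")


def validate_collector_config(cfg):
    """Return a list of problems; an empty list means the config looks consistent."""
    problems = []
    for key in ("applicationId", "organizationId"):
        if not _is_uuid(cfg.get(key, "")):
            problems.append(f"{key} is missing or not a UUID")
    secret = cfg.get("secret")
    if not isinstance(secret, str) or not secret.strip():
        problems.append("secret is missing or empty")
    for flag in ("includeMacAddress", "includeLocalIp", "timestampInitialUseCurrent"):
        if flag in cfg and not isinstance(cfg[flag], bool):
            problems.append(f"{flag} must be true/false, got {cfg[flag]!r}")
    if not any(cfg.get(s) for s in KNOWN_SECTIONS):
        problems.append("no log source configured (expected windowsEventLog and/or mssqlAuditLog)")
    for i, entry in enumerate(cfg.get("windowsEventLog") or []):
        where = f"windowsEventLog[{i}]"
        _check_rate(entry, where, problems)
        types = entry.get("sourceTypes")
        if not isinstance(types, list) or not types or not all(isinstance(t, str) for t in types):
            problems.append(f"{where}: sourceTypes must be a non-empty list of channel names")
    for i, entry in enumerate(cfg.get("mssqlAuditLog") or []):
        where = f"mssqlAuditLog[{i}]"
        _check_rate(entry, where, problems)
        conn = entry.get("dbcConnectionString", "")
        if not isinstance(conn, str) or not conn.startswith("jdbc:sqlserver://"):
            problems.append(f"{where}: dbcConnectionString must be a jdbc:sqlserver:// URL")
        if not entry.get("mssqlLogsPath"):
            problems.append(f"{where}: mssqlLogsPath is required")
    return problems


# The page's sample configuration, as the dict a YAML loader would produce.
SAMPLE_CONFIG = {
    "applicationId": "ba2f0780-5424-11e8-b88d-6a2c1b6625c8",
    "organizationId": "ba2cdc90-5424-11e8-b88d-6a2c1b6625c8",
    "secret": "d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1",
    "includeMacAddress": False,
    "includeLocalIp": False,
    "timestampInitialUseCurrent": True,
    "windowsEventLog": [{"sendLogsRate": 30000, "sourceTypes": ["Application", "Security"]}],
    "mssqlAuditLog": [{
        "dbcConnectionString": "jdbc:sqlserver://localhost:1434;integratedSecurity=true",
        "sendLogsRate": 30000,
        "mssqlLogsPath": "c:\\logs\\mssqltrail\\",
    }],
}

# A constructed broken variant: quoted rate, empty channel list, secret left blank.
BROKEN_CONFIG = {
    **SAMPLE_CONFIG,
    "secret": "",
    "windowsEventLog": [{"sendLogsRate": "30000", "sourceTypes": []}],
}

if __name__ == "__main__":
    print("sample:", validate_collector_config(SAMPLE_CONFIG) or "OK")
    for problem in validate_collector_config(BROKEN_CONFIG):
        print("broken:", problem)
```

Feed it the output of any YAML loader (for example PyYAML's safe_load over the file) before starting the service; the broken variant reports the blank secret, the quoted sendLogsRate and the empty sourceTypes list, which are exactly the mistakes a hand-edited file tends to contain.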

Conclusion

The logsentinel-collector can be installed on any machine and will forward any of the supported log records to LogSentinel SIEM. It is normally recommended to install it on just one (or a few) dedicated machines, but this is not a hard requirement. This allows for integrating LogSentinel SIEM into any kind of organization, regardless of whether it relies on legacy systems or is building new ones. The collector can also work alongside existing log collection tools, so that you forward the most business-critical events for secure storage and leave the rest of the logs in the existing, less secure solution.

Flexibility and integration-friendliness are key elements of an information security solution and we are happy to offer such a tool, bundled with support for our enterprise customers.