Configuring The LogSentinel Agent¶
Installing the collector¶
Installing the collector is simple. The steps depend on whether the target is a Linux or a Windows machine, but in both cases they amount to a short script or a one-click installer.
Installing on Linux¶
- Get the latest release of logsentinel-collector.jar and copy it to
- Get the logsentinel-collector.conf file and copy it to
- Add a logsentinel-collector.yaml in the same directory. The file should contain the configuration of the collector (see the next section)
- Get the setup-collector.sh script and run it (works on CentOS/RHEL; a similar script for Debian-based distros will follow)
This starts the collector and configures it to run automatically at boot. You can start and stop it with
service logsentinel-collector start
service logsentinel-collector stop
Installing on Windows¶
- Get the latest Windows installer
- Extract it and run install.bat (requires admin privileges)
- Customize the logsentinel-collector.yaml file in the installation directory
- Go to Services and start the LogSentinel collector service
If you are going to collect Windows event logs from other machines, you also need the series of permission configurations described in detail here.
Configuring the collector¶
Configuring the collector is done via a straightforward YAML file. All properties are described here. Because the file contains the collector's secret, restrict its read permissions to the account the collector service runs as. Below is a sample setup that listens to a Windows event log as well as an MS SQL audit trail:
```yaml
applicationId: ba2f0780-5424-11e8-b88d-6a2c1b6625c8
organizationId: ba2cdc90-5424-11e8-b88d-6a2c1b6625c8
secret: d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1
includeMacAddress: false
includeLocalIp: false
timestampInitialUseCurrent: true
windowsEventLog:
  - sendLogsRate: 30000
    sourceTypes:
      - Application
      - Security
mssqlAuditLog:
  - dbcConnectionString: jdbc:sqlserver://localhost:1434;integratedSecurity=true
    sendLogsRate: 30000
    mssqlLogsPath: c:\logs\mssqltrail\
```
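When the collector is rolled out to more than one machine, the YAML is usually generated rather than hand-edited. The script below is an added example, not LogSentinel's own tooling: it renders a configuration with the key names from the sample above, checks it before writing, and creates the file owner-read/write only so the secret is never briefly world-readable. The validation rules (UUID-shaped applicationId and organizationId, a 64-hex-character secret, a positive sendLogsRate) are assumptions drawn from the format of the sample values, not documented requirements of the product.

```python
"""Render, validate and write a logsentinel-collector.yaml (added example).

Key names follow the sample configuration in the docs; the validation
rules below are assumptions inferred from the sample values' format.
"""
import os
import re
import stat
import tempfile

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
SECRET_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed from the sample in the docs above.
SAMPLE = {
    "applicationId": "ba2f0780-5424-11e8-b88d-6a2c1b6625c8",
    "organizationId": "ba2cdc90-5424-11e8-b88d-6a2c1b6625c8",
    "secret": "d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1",
    "includeMacAddress": False,
    "includeLocalIp": False,
    "timestampInitialUseCurrent": True,
    "windowsEventLog": [
        {"sendLogsRate": 30000, "sourceTypes": ["Application", "Security"]},
    ],
    "mssqlAuditLog": [
        {"dbcConnectionString": "jdbc:sqlserver://localhost:1434;integratedSecurity=true",
         "sendLogsRate": 30000,
         "mssqlLogsPath": "c:\\logs\\mssqltrail\\"},
    ],
}


def validate(cfg):
    """Return a list of problems; an empty list means the config passed."""
    problems = []
    for key in ("applicationId", "organizationId", "secret"):
        if key not in cfg:
            problems.append(f"missing required key: {key}")
    for key in ("applicationId", "organizationId"):
        if key in cfg and not UUID_RE.match(str(cfg[key])):
            problems.append(f"{key} is not a UUID: {cfg[key]!r}")
    if "secret" in cfg and not SECRET_RE.match(str(cfg["secret"])):
        problems.append("secret is not 64 hex characters")
    # Each source block is a list of mappings, every one with a sendLogsRate.
    for source in ("windowsEventLog", "mssqlAuditLog"):
        for i, entry in enumerate(cfg.get(source, [])):
            rate = entry.get("sendLogsRate")
            if isinstance(rate, bool) or not isinstance(rate, int) or rate <= 0:
                problems.append(f"{source}[{i}].sendLogsRate must be a positive int, got {rate!r}")
    return problems


def _scalar(value):
    """Emit a YAML scalar; single-quote strings a YAML parser could misread."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    s = str(value)
    plain = (re.fullmatch(r"[A-Za-z0-9_./-]+", s) and not s.isdigit()
             and s.lower() not in ("true", "false", "null", "yes", "no", "on", "off"))
    return s if plain else "'" + s.replace("'", "''") + "'"


def render(cfg):
    """Serialise the dict in the collector's layout: top-level scalars,
    then each log source as a list of mappings (lists of scalars inside)."""
    lines = []
    for key, value in cfg.items():
        if not isinstance(value, list):
            lines.append(f"{key}: {_scalar(value)}")
            continue
        lines.append(f"{key}:")
        for entry in value:
            prefix = "  - "
            for k, v in entry.items():
                if isinstance(v, list):
                    lines.append(f"{prefix}{k}:")
                    lines.extend(f"      - {_scalar(item)}" for item in v)
                else:
                    lines.append(f"{prefix}{k}: {_scalar(v)}")
                prefix = "    "
    return "\n".join(lines) + "\n"


def write_config(cfg, path):
    """Validate, then create the file 0600 atomically (O_EXCL, no chmod race)."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render(cfg))
    return path


def is_locked_down(path):
    """True if no group/other bits are set. None on non-POSIX systems,
    where st_mode does not reflect the ACL and must be checked separately."""
    if os.name != "posix":
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo_roundtrip(cfg=SAMPLE):
    """Write cfg into a fresh temp dir; return (file text, locked-down flag)."""
    path = os.path.join(tempfile.mkdtemp(), "logsentinel-collector.yaml")
    write_config(cfg, path)
    with open(path) as f:
        return f.read(), is_locked_down(path)


if __name__ == "__main__":
    text, locked = demo_roundtrip()
    print(text)
    print("permissions restricted:", locked)
```

The rendered file matches the sample above except that the JDBC string and the Windows path are single-quoted, which is harmless to a YAML parser and protects against colons or backslashes being misread. On Linux, pair this with the file ownership the service account needs; on Windows, set the NTFS ACL on the installation directory instead, since st_mode says nothing about it there.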
The logsentinel-collector can be installed on any machine and forwards any of the supported log records to LogSentinel SIEM. It is normally recommended to install it on just one (or a few) dedicated machines, but this is not a hard requirement. This allows LogSentinel SIEM to be integrated into any kind of organization, regardless of whether it relies on legacy systems or is building new ones. The collector can also work alongside existing log collection tools, so that you forward the most business-critical events for secure storage and leave the rest of the logs in the existing, less secure solution.
Flexibility and integration-friendliness are key elements of an information security solution, and we are happy to offer such a tool, bundled with support for our enterprise customers.