Collecting Remote Files¶
Collecting files from multiple servers (and endpoints in general) has allways been a challenge. Overall, there are several approaches:
- Push over syslog or other standard protocol
- Agent installed on each server to send logs to a collector/manager
- Collector to reach out over standard protocols and fetch files
- Shared folders between the server and the collector
- Regularly copying files to a machine, where a collector has access
For Windows, remote event log collection is supported and that makes thing easier, but not all applications write to the event log. Text files are still a thing and so other options must be considered. For Linux syslog is a more standard approach, but it requries additional configuration and possibly installing additional software.
LogSentinel Collector supports all of the above options. We support the third option (collector reaching out to fetch files) in the following ways:
tail -fover SSH for Linux
Get-Content -Tailwith PowerShell remoting over SSH
- FTP tailing (continously downloading the log file over FTP)
This allows us to provide uninvasive and easy to configure log collection without the need to install 3rd party softawre or do forwarding configurations. It has its challenges (disconnects and imeouts), which we address in our collector.
In order to a remote log faile tailing to work, authentication credentials need to be configured. We recommend creating a dedicated read-only account with access only to the specified log files.