
Configuring The LogSentinel Collector

Installing the collector

Installing the collector is simple. It depends on whether you install it on a Linux or Windows machine, but it usually involves a short script or a one-click installer.

Installing on Linux

  1. Get the latest Linux package
  2. Extract it to /var/logsentinel/
  3. Give the necessary permissions to the .sh files and the logsentinel-collector.jar file via chmod +x *.sh and chmod +x logsentinel-collector.jar
  4. Run the setup-collector-[distro].sh for your Linux distribution (supported distros are CentOS/RHEL-based ones and Debian-based ones). Use sudo for running the script.
  5. Make sure the current Java version is Java 11 by running java -version. If it's not, switch the default with sudo update-alternatives --config java
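As an added example, not LogSentinel's own installer, the following POSIX shell script automates steps 2 to 5 above on a Linux host. It assumes the downloaded package is a .tar.gz, that the setup scripts are named setup-collector-debian.sh and setup-collector-centos.sh (filling in the [distro] placeholder), and that /etc/os-release is present.

```shell
#!/bin/sh
# Added example (not the LogSentinel installer): automates Linux install steps 2-5.
# Assumptions: $1 is a local .tar.gz package; the distro setup scripts are named
# setup-collector-debian.sh / setup-collector-centos.sh.
set -eu

INSTALL_DIR=/var/logsentinel

# Map the text of /etc/os-release (passed as $1) to the distro family the
# setup scripts support. Prints "debian", "centos" or "unsupported".
distro_family() {
  id=$(printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"')
  like=$(printf '%s\n' "$1" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
  case " $id $like " in
    *" debian "*|*" ubuntu "*)            echo debian ;;
    *" centos "*|*" rhel "*|*" fedora "*) echo centos ;;
    *)                                    echo unsupported ;;
  esac
}

# Succeeds only when the first line of `java -version` output reports Java 11
# (the collector's required runtime per step 5).
is_java11() {
  printf '%s\n' "$1" | head -n1 | grep -q 'version "11[."]'
}

install_collector() {
  pkg=$1
  sudo mkdir -p "$INSTALL_DIR"
  sudo tar -xzf "$pkg" -C "$INSTALL_DIR"          # step 2: extract to /var/logsentinel/
  cd "$INSTALL_DIR"
  chmod +x ./*.sh logsentinel-collector.jar        # step 3: make scripts and jar executable
  family=$(distro_family "$(cat /etc/os-release)")
  if [ "$family" = unsupported ]; then
    echo "unsupported distro: only Debian- and CentOS/RHEL-based systems" >&2
    return 1
  fi
  sudo ./setup-collector-"$family".sh              # step 4: distro-specific setup, with sudo
  if ! is_java11 "$(java -version 2>&1)"; then     # step 5: verify Java 11
    echo "Java 11 required; run: sudo update-alternatives --config java" >&2
    return 1
  fi
}
```

Run it as `install_collector /path/to/logsentinel-collector.tar.gz`; the helper functions can be sourced and tested on their own.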

Installing on Windows

  1. Get the latest Windows installer
  2. Extract it and run the install.bat (you need admin privileges)
  3. Optionally, customize the logsentinel-collector.yaml file in the installation directory
  4. Go to Services and start the LogSentinelcollector service


If you are going to collect Windows event logs from other machines, you need a series of permission configurations, described in detail here.

Configuring the collector

Configuring the collector is done via a UI or a straightforward YAML file.

You can open the UI at http://localhost:8070

The UI makes changes directly to the YAML file and changes in the YAML file are reflected in the UI to avoid any discrepancies.

By default there are no user credentials and access to the UI is unauthenticated. This is not recommended for production setups. Users can be configured via the YAML file.

All properties are described here. Below is a sample setup that listens to a Windows event log as well as an MS SQL audit trail:

    dataSourceId: ba2f0780-5424-11e8-b88d-6a2c1b6625c8
    organizationId: ba2cdc90-5424-11e8-b88d-6a2c1b6625c8
    secret: d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1

    includeMacAddress: false
    includeLocalIp: false
    timestampInitialUseCurrent: true

        - sendLogsRate: 30000
            - Application
            - Security

        - dbcConnectionString: jdbc:sqlserver://localhost:1434;integratedSecurity=true
          sendLogsRate: 30000
          mssqlLogsPath: c:\logs\mssqltrail\


The logsentinel-collector can be installed on any machine and will forward any of the supported log records to LogSentinel SIEM. It is normally recommended to install it on just one (or a few) dedicated machines, but this is not a hard requirement. This allows for integrating LogSentinel SIEM into any kind of organization, regardless of whether it relies on legacy systems or is building new ones. The collector can also work alongside existing log collection tools, so that you forward the most business-critical events for secure storage and leave the rest of the logs in the existing, less secure solution.

Flexibility and integration-friendliness are key elements of an information security solution and we are happy to offer such a tool, bundled with support for our enterprise customers.