Configuring The LogSentinel Collector
Installing the collector
Installing the collector is simple. It depends on whether you install it on a Linux or Windows machine, but it usually involves a short script or a one-click installer.
Installing on Linux
- Get the latest Linux package
- Extract it to
- Give the necessary permissions to the .sh files and the logsentinel-collector.jar file via chmod +x *.sh and chmod +x logsentinel-collector.jar
- Run the setup-collector-[distro].sh for your Linux distribution (supported distros are CentOS/RHEL-based ones and Debian-based ones). Use sudo for running the script.
- Make sure the current Java version is Java 11 by typing java -version. If it's not, update it with sudo update-alternatives --config java
Here's a sample script to show the sequence of steps on a Debian-based distribution:
wget https://s3-eu-west-1.amazonaws.com/logsentinel-sandbox-public/logsentinel-collector-linux-installer.zip
sudo apt-get install unzip
sudo unzip logsentinel-collector-linux-installer.zip -d ~/
sudo mv ~/linux-installer /var/logsentinel/
cd /var/logsentinel/
sudo chmod +x *.sh
sudo ./setup-collector-debian.sh
You can then check the logs via
journalctl -u logsentinel-collector.service
The equivalent sequence for CentOS/RHEL-based distributions (the extra Java step applies to Amazon Linux 2):
wget https://s3-eu-west-1.amazonaws.com/logsentinel-sandbox-public/logsentinel-collector-linux-installer.zip
sudo unzip logsentinel-collector-linux-installer.zip -d ~/
sudo mv ~/linux-installer /var/logsentinel/
cd /var/logsentinel/
sudo chmod +x *.sh
# Run this on Amazon Linux 2
sudo amazon-linux-extras install java-openjdk11
sudo ./setup-collector-centos.sh
You can then check the logs via
journalctl -u logsentinel-collector.service
Installing on Windows
- Get the latest Windows installer
- Extract it and run install.bat (you need admin privileges)
- Optionally, customize the logsentinel-collector.yaml file in the installation directory
- Go to Services and start the LogSentinel collector service
If you are going to collect Windows event logs from other machines, you need a series of permissions configurations described in detail here.
Configuring the collector¶
Configuring the collector is done via a UI or a straightforward YAML file.
You can open the UI at http://localhost:8070
The UI makes changes directly to the YAML file and changes in the YAML file are reflected in the UI to avoid any discrepancies.
By default there are no user credentials and access to the UI is unauthenticated. This is not recommended for production setups. Users can be configured via the YAML file.
All properties are described here. Below is a sample setup that listens to a Windows event log as well as an MS SQL audit trail:
organizationId: ba2cdc90-5424-11e8-b88d-6a2c1b6625c8
secret: d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1
includeMacAddress: false
includeLocalIp: false
timestampInitialUseCurrent: true
windowsEventLog:
  - name: Windows logs
    dataSourceId: ba2f0780-5424-11e8-b88d-6a2c1b6625c8
    sendLogsRate: 30000
    sourceTypes:
      - Application
      - Security
mssqlAuditLog:
  - name: MS SQL Audit Log
    dataSourceId: aa2f0780-5424-11e8-b88d-6a2c1b6625c9
    jdbcConnectionString: jdbc:sqlserver://localhost:1434;integratedSecurity=true
    sendLogsRate: 30000
    mssqlLogsPath: c:\logs\mssqltrail\
The collector can be run in a failover mode. A spare collector with identical configuration can be configured to poll the main one and take over in case the main one fails. Use the mainCollectorUrl property to enable that mode (see configuration
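The install and configuration steps above leave a few things worth verifying on a collector host: the Java 11 requirement, the plaintext secret in the YAML, and the unauthenticated UI on port 8070. The script below is an added example, not LogSentinel's own tooling; it assumes the config file lives under /var/logsentinel/ (the directory used in the install steps), the service name shown for journalctl, and Linux tools such as stat -c and ss.

```shell
#!/bin/sh
# Added example, not LogSentinel's own tooling: post-install checks for a collector host.
# Assumptions: config path follows the Linux install steps (/var/logsentinel/), the service
# name is the one used with journalctl above, and the UI listens on port 8070.

# The collector needs Java 11. Pass the banner printed by `java -version 2>&1`.
java_is_11() {
  case "$1" in
    *'version "11.'*|*'version "11"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# `secret` is stored in plaintext in the YAML, so the file should be owner-only.
# Pass the octal mode printed by `stat -c %a FILE`.
config_mode_ok() {
  case "$1" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Both identity keys from the sample config must be present and non-empty.
config_has_required_keys() {
  for key in organizationId secret; do
    grep -Eq "^${key}:[[:space:]]*[^[:space:]]" "$1" || return 1
  done
}

# The UI is unauthenticated by default, so port 8070 should not be reachable from
# other hosts. Pass the output of `ss -ltn`; fails if 8070 is bound to a non-loopback address.
ui_loopback_only() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" && $4 ~ /:8070$/ && $4 !~ /^(127\.|\[::1\]:)/ { bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Run all checks against the live host; prints one WARN line per finding.
run_all() {
  cfg="${LOGSENTINEL_CONFIG:-/var/logsentinel/logsentinel-collector.yaml}"
  java_is_11 "$(java -version 2>&1)"    || echo "WARN: current java is not Java 11"
  config_mode_ok "$(stat -c %a "$cfg")" || echo "WARN: $cfg is readable by other users"
  config_has_required_keys "$cfg"       || echo "WARN: organizationId or secret missing in $cfg"
  ui_loopback_only "$(ss -ltn)"         || echo "WARN: UI port 8070 is bound to a non-loopback address"
  systemctl is-active --quiet logsentinel-collector.service || echo "WARN: collector service not active"
}

if [ "${1:-}" = "--run" ]; then run_all; fi
```

Invoke it as `sh check-collector.sh --run` after the setup script finishes; an empty output means every check passed.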
The logsentinel-collector can be installed on any machine and will forward any of the supported log records to LogSentinel SIEM. It is normally recommended to install it on just one (or a few) dedicated machines, but this is not a hard requirement. This allows for integrating LogSentinel SIEM into any kind of organization, regardless of whether it relies on legacy systems or is building new ones. The collector can also work alongside existing log collection tools, so that you forward the most business-critical events for secure storage and leave the rest of the logs in the existing, less secure solution.
Flexibility and integration-friendliness are key elements of an information security solution and we are happy to offer such a tool, bundled with support for our enterprise customers.