
Configuring The LogSentinel Collector

Installing the collector

Installing the collector is simple. The exact steps depend on whether you install it on a Linux or a Windows machine, but it usually involves a short script or a one-click installer.

Installing on Linux

  1. Get the latest Linux package
  2. Extract it to /var/logsentinel/
  3. Give the necessary permissions to the .sh files and the logsentinel-collector.jar file via chmod +x *.sh and chmod +x logsentinel-collector.jar
  4. Run the setup-collector-[distro].sh for your Linux distribution (supported distros are CentOS/RHEL-based ones and Debian-based ones). Use sudo for running the script.
  5. Make sure the current Java version is Java 11 by running java -version. If it is not, switch to it with sudo update-alternatives --config java

Here's a sample script to show the sequence of steps:

Debian-based

wget https://s3-eu-west-1.amazonaws.com/logsentinel-sandbox-public/logsentinel-collector-linux-installer.zip
sudo apt-get install unzip
sudo unzip logsentinel-collector-linux-installer.zip -d ~/
sudo mv ~/linux-installer /var/logsentinel/
cd /var/logsentinel/
sudo chmod +x *.sh
sudo ./setup-collector-debian.sh 

You can then check the logs via journalctl -u logsentinel-collector.service

CentOS-based

wget https://s3-eu-west-1.amazonaws.com/logsentinel-sandbox-public/logsentinel-collector-linux-installer.zip
sudo unzip logsentinel-collector-linux-installer.zip -d ~/
sudo mv ~/linux-installer /var/logsentinel/
cd /var/logsentinel/
sudo chmod +x *.sh
# Run this on Amazon Linux 2
sudo amazon-linux-extras install java-openjdk11
sudo ./setup-collector-centos.sh 

You can then check the logs via less /var/log/logsentinel-collector.log
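After running either script, a quick post-install check catches the two mistakes the steps above warn about: files under /var/logsentinel/ that are not executable, and a default Java that is not version 11. The script below is an added example, not part of the LogSentinel installer; it parses the output of java -version (which prints to stderr and uses the legacy "1.8.0_x" numbering for Java 8 and earlier) and inspects the unpacked directory. The directory layout it assumes (the .sh scripts and logsentinel-collector.jar directly under the install directory) is taken from the steps above.

```python
import os
import re
import stat
import subprocess
from typing import List, Optional

# Matches the quoted version string in `java -version` output.
VERSION_RE = re.compile(r'version "([^"]+)"')


def java_major_version(version_output: str) -> Optional[int]:
    """Return the major Java version parsed from `java -version` output.

    Java 8 and earlier report "1.8.0_292" (major = 8); Java 9+ report
    "11.0.11" or just "17" (major = first component). Returns None when
    no version string is present, e.g. because java is not installed.
    """
    match = VERSION_RE.search(version_output)
    if not match:
        return None
    parts = match.group(1).split(".")
    if parts[0] == "1" and len(parts) > 1:
        # legacy scheme: 1.<major>.<minor>_<update>
        return int(parts[1].split("_")[0])
    digits = re.match(r"\d+", parts[0])
    return int(digits.group(0)) if digits else None


def installed_java_version() -> Optional[int]:
    """Run `java -version` and parse it; the JVM prints the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return java_major_version(proc.stderr + proc.stdout)


def check_install_dir(install_dir: str = "/var/logsentinel") -> List[str]:
    """Return a list of problems with the unpacked collector directory."""
    problems: List[str] = []
    if not os.path.isdir(install_dir):
        return [f"{install_dir} not found: extract the installer there first"]
    names = os.listdir(install_dir)
    if "logsentinel-collector.jar" not in names:
        problems.append("logsentinel-collector.jar is missing")
    # Step 3 of the install: the .sh scripts and the jar must be executable.
    for name in [n for n in names
                 if n.endswith(".sh") or n == "logsentinel-collector.jar"]:
        mode = os.stat(os.path.join(install_dir, name)).st_mode
        if not mode & stat.S_IXUSR:
            problems.append(f"{name} is not executable: run chmod +x {name}")
    return problems


def check_install(install_dir: str = "/var/logsentinel",
                  required_java: int = 11) -> List[str]:
    """Combine the directory and Java checks into one list of problems."""
    problems = check_install_dir(install_dir)
    major = installed_java_version()
    if major is None:
        problems.append("java not found on PATH")
    elif major != required_java:
        problems.append(f"java {major} found but the collector needs Java "
                        f"{required_java}: run sudo update-alternatives --config java")
    return problems


if __name__ == "__main__":
    for line in check_install() or ["installation looks good"]:
        print(line)
```

Run it as root (or as the user that will start the service) after the setup script; an empty result means the permissions and Java version match what the steps above require.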

Installing on Windows

  1. Get the latest Windows installer
  2. Extract it and run the install.bat (you need admin privileges)
  3. Optionally, customize the logsentinel-collector.yaml file in the installation directory
  4. Go to Services and start the LogSentinelcollector service

Note

If you are going to collect Windows event logs from other machines, you need a series of permission configurations, described in detail here.

Configuring the collector

Configuring the collector is done via a UI or a straightforward YAML file.

You can open the UI at http://localhost:8070

The UI makes changes directly to the YAML file and changes in the YAML file are reflected in the UI to avoid any discrepancies.

By default there are no user credentials and access to the UI is unauthenticated. Because the UI reads and writes the YAML file, which holds the collector secret, this is not recommended for production setups. Users can be configured via the YAML file.

All properties are described here. Below is a sample setup that listens to a Windows event log as well as an MS SQL audit trail:

    organizationId: ba2cdc90-5424-11e8-b88d-6a2c1b6625c8
    secret: d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1

    includeMacAddress: false
    includeLocalIp: false
    timestampInitialUseCurrent: true

    windowsEventLog:
        - name: Windows logs
          dataSourceId: ba2f0780-5424-11e8-b88d-6a2c1b6625c8
          sendLogsRate: 30000
          sourceTypes: 
            - Application
            - Security

    mssqlAuditLog:
        - name: MS SQL Audit Log
          dataSourceId: aa2f0780-5424-11e8-b88d-6a2c1b6625c9
          jdbcConnectionString: jdbc:sqlserver://localhost:1434;integratedSecurity=true
          sendLogsRate: 30000
          mssqlLogsPath: c:\logs\mssqltrail\
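Because the UI and the YAML file are kept in sync, a malformed or insecure file is picked up silently. The validator below is an added example, not part of the collector, that checks the sample above once it has been loaded into a dict (for instance with yaml.safe_load; the loading step is left out so the example has no dependencies): organizationId and every dataSourceId must be UUIDs, the secret must be 64 hex characters, dataSourceIds must not repeat across sources, sendLogsRate must be a positive integer, and each mssqlAuditLog entry needs a jdbc:sqlserver connection string and an mssqlLogsPath. It also flags the unauthenticated-UI case from the previous section; the top-level key it looks for, users, is an assumption, since the page does not name the key.

```python
import re
from typing import Any, Dict, List

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX64_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
SOURCE_KEYS = ("windowsEventLog", "mssqlAuditLog")
USERS_KEY = "users"  # assumed name of the user-credentials section

# The page's sample YAML, as it looks after yaml.safe_load (constructed here).
SAMPLE_CONFIG: Dict[str, Any] = {
    "organizationId": "ba2cdc90-5424-11e8-b88d-6a2c1b6625c8",
    "secret": "d8b63c3d82a6ded56b015a3b8617bf376b6aa6c181021abd0d37e5c5ac9941a1",
    "includeMacAddress": False,
    "includeLocalIp": False,
    "timestampInitialUseCurrent": True,
    "windowsEventLog": [{
        "name": "Windows logs",
        "dataSourceId": "ba2f0780-5424-11e8-b88d-6a2c1b6625c8",
        "sendLogsRate": 30000,
        "sourceTypes": ["Application", "Security"],
    }],
    "mssqlAuditLog": [{
        "name": "MS SQL Audit Log",
        "dataSourceId": "aa2f0780-5424-11e8-b88d-6a2c1b6625c9",
        "jdbcConnectionString": "jdbc:sqlserver://localhost:1434;integratedSecurity=true",
        "sendLogsRate": 30000,
        "mssqlLogsPath": "c:\\logs\\mssqltrail\\",
    }],
}


def validate_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable problems; an empty list means OK."""
    problems: List[str] = []
    if not UUID_RE.match(str(cfg.get("organizationId", ""))):
        problems.append("organizationId is not a UUID")
    if not HEX64_RE.match(str(cfg.get("secret", ""))):
        problems.append("secret must be 64 hex characters")
    if not cfg.get(USERS_KEY):
        problems.append("no users configured: UI on http://localhost:8070 is unauthenticated")

    seen_ids = set()
    source_count = 0
    for key in SOURCE_KEYS:
        for index, src in enumerate(cfg.get(key) or []):
            source_count += 1
            where = f"{key}[{index}]"
            ds_id = str(src.get("dataSourceId", ""))
            if not UUID_RE.match(ds_id):
                problems.append(f"{where}: dataSourceId is not a UUID")
            elif ds_id in seen_ids:
                # Two sources sharing an id would be indistinguishable in the SIEM.
                problems.append(f"{where}: duplicate dataSourceId {ds_id}")
            seen_ids.add(ds_id)
            rate = src.get("sendLogsRate")
            if not isinstance(rate, int) or isinstance(rate, bool) or rate <= 0:
                problems.append(f"{where}: sendLogsRate must be a positive integer")
            if key == "mssqlAuditLog":
                if not str(src.get("jdbcConnectionString", "")).startswith("jdbc:sqlserver://"):
                    problems.append(f"{where}: jdbcConnectionString must start with jdbc:sqlserver://")
                if not src.get("mssqlLogsPath"):
                    problems.append(f"{where}: mssqlLogsPath is required")
    if source_count == 0:
        problems.append("no log sources configured")
    return problems


if __name__ == "__main__":
    for line in validate_config(SAMPLE_CONFIG) or ["configuration looks good"]:
        print(line)
```

Run against the page's sample, the only finding is the missing user section, which is exactly the production caveat from the previous section; adding a credentials section clears it, while a truncated secret or a copy-pasted dataSourceId produces a specific message naming the offending source.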

Working behind a proxy

If a proxy server is needed for successful outbound connections, it can be configured in /var/logsentinel/logsentinel-collector.conf by appending the following to JAVA_OPTS:

-Dhttp.proxyHost=your.proxy.host -Dhttp.proxyPort=8080

Failover

The collector can be run in a failover mode. A spare collector with identical configuration can be configured to poll the main one and take over in case the main one fails. Use the mainCollectorUrl property to enable that mode (see configuration).

Conclusion

The logsentinel-collector can be installed on any machine and will forward any of the supported log records to LogSentinel SIEM. It is normally recommended to install it on just one (or a few) dedicated machines, but this is not a hard requirement. This allows for integrating LogSentinel SIEM into any kind of organization, regardless of whether it relies on legacy systems or is building new ones. The collector can also work alongside existing log collection tools, so that you forward the most business-critical events for secure storage and leave the rest of the logs in the existing, less secure solution.

Flexibility and integration-friendliness are key elements of an information security solution and we are happy to offer such a tool, bundled with support for our enterprise customers.