Introduction to Log Relay

Topics Discussed

You can use this document to learn about the basic, high-level steps needed to send additional log types to Armor, also known as remote log collection. To send these remote logs, you must obtain Log Relay.

Review the information outlined in this pre-configuration document, to verify that you can perform the required steps. Additional, detailed instructions are available to help you navigate each step.

At a high level, there are two steps to this process:

Step 1: Obtain Log Relay
Step 2: Configure a remote log source

The Log Relay service can only be installed on Linux machines.

Review Requirements

Requirement Type	Product Compatibility	Description
Supported Devices	Armor Enterprise Cloud Armor Anywhere	Only Linux machines can be converted to Log Relays. Machines must be in an OK state to be converted. To learn more about the health status of a virtual machine, see Health Overview Dashboard. Log Relay will support receiving logs from devices such as WAFs or next-gen firewalls. The Armor Agent is not needed on devices to pass logs through a relay.
Pricing Information	Armor Enterprise Cloud Armor Anywhere	While log collection is available to all users, there is a cost associated with sending and storing logs. For pricing information, please contact your Account Manager.
Permissions	Armor Enterprise Cloud Armor Anywhere	In order to use Log Relay, you must have the following permissions included in your account: Write Virtual Machine Delete Log Management Read Log Endpoints Read Log Relays Write Log Relays Delete Log Relays To learn more about permissions, see Roles and Permissions.
Log Retention Plan	Armor Enterprise Cloud Armor Anywhere	Armor Enterprise Cloud virtual machines that are converted to a log relay device will be automatically enrolled in the Compliance Professional plan. This plan: Collects and stores your logs for 13 months at an additional cost. Provides certain HIPAA and PCI compliance. For pricing information, please contact your Account Manager. Armor Anywhere agents that are converted to a log relay device will retain the default Log Management Essentials plan subscription. This plan collects and stores your logs for 30 days.
Firewall Rules	Armor Anywhere	Armor Anywhere users must add the following generic firewall rules: Inbound: Service/Purpose Log Relay (Logstash) Port 5140/udp 5141/tcp Destination The IP address for your virtual machine Outbound: Service/Purpose Armor's logging service (ELK) Port 5443/tcp 5400-5600/tcp (Reserved) Armor reserves the right to utilize this port range for future expansion or service changes. Destination 52.38.171.243 52.26.92.237 35.155.168.100 (1d.log.armor.com) The above-mentioned ports do not provide security analytics. To receive security analytics for logs from supported remote log devices, you must add additional firewall rules; these additional ports are described in the configuration documents listed in Create and Configure Remote Log Sources. For non-supported remote log sources, collected logs will not receive any security analytics. To learn more about firewall rules, see Requirements for Armor Anywhere.

Obtain Log Relay

The Log Relay service runs on a virtual machine with the Armor Agent installed. When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc.

Option 1: Armor Enterprise Cloud

At a high level, to obtain Log Relay for your Armor Enterprise Cloud account, you must:

Create a virtual machine
Run an API call to install the Log Relay service onto your virtual machine.

Option 2: Armor Anywhere

At a high level, to obtain Log Relay for your Armor Anywhere account, you must:

Update your firewall rules, specifically for TCP
Create a virtual machine
Download and install the Armor Agent
Install the Log Relay service onto your virtual machine
- A virtual machine with the Armor Agent installed can be converted into a Log Relay through the Armor Management Portal (AMP) as demonstrated in the accompanying screenshot:
Alternatively, a virtual machine with the Armor Agent installed can be converted into a Log Relay using the following commands:

Install Log Relay:

CODE

Linux: /opt/armor/armor relay install

Uninstall Log Relay:

CODE

Linux: /opt/armor/armor relay uninstall

Log Relay Help:

CODE

Linux: /opt/armor/armor relay help

Configure a remote log source (Remote Log Relay)

After you have obtained a Log Relay, you must access your remote log source's environment for additional configuration.

In general, you will need to configure the remote log source to upload logs via syslog (TCP/UDP) to the Log Relay and then the Log Relay will send the logs to the Armor datalake.

Armor currently supports logs collection from the following remote devices:

Log type	Additional information	Detailed instructions
AWS CloudTrail	For this log type, you must be able to: Gather your AWS account information Create a new trail and sync your AWS S3 bucket	Create a Remote Log Source - AWS CloudTrail
AWS GuardDuty	For this log type, you must be able to: Update your AWS permissions for GuardDuty, Lambda, CloudWatch, and CloudFormation Retrieve your AWS credentials (AWS account number / account ID, AWS Access Key, AWS Secret Key) Configure the AWS GuardDuty CloudFormation StackSet Template	Create a Remote Log Source - AWS GuardDuty
AWS VPC Flow Logs	For this log type, you must be able to: Update your AWS permissions for VPC, Lambda, CloudWatch, and CloudFormation Configure a Web ACL Configure the AWS WAF CloudFormation Stack Template	Create Flow Connection - AWS VPC Flow Logs
AWS WAF	For this log type, you must be able to: Update your AWS permissions for WAF, Lambda, CloudWatch, and CloudFormation Configure the AWS VPC Flow Log CloudFormation Stack Template	Create a Remote Log Source - AWS WAF
Check Point	For this log type you must be able to: Log into and pre-configure the Check Point box Configure your Check Point device	Create a Remote Log Source - Check Point
Cisco ASA	For this log type, you must be able to: Log into your Cisco ASA device Access the privileged EXEC mode	Create a Remote Log Source - Cisco ASA
Cisco ISR	For this log type, you must be able to: Log into your Cisco ISR device Access the privileged EXEC mode	Create a Remote Log Source - Cisco ISR
Juniper	For this log type, you must be able to: Log into your Juniper SRX device Access the privileged EXEC mode	Create a Remote Log Source - Juniper
Fortinet FortiGate	For this log type, you must be able to: Log into your Fortinet Security Gateway Access the CLI Console	Create a Remote Log Source - Fortinet Security Gateway
Imperva Incapsula	For this log type, you must be able to: Access the AWS console Configure the IAM Role for an EC2 server or non-EC2 server Log into your log relay server	Create a Remote Log Source - Imperva Incapsula
Palo Alto Firewall	For this log type, you must be able to: Access the Palo Alto console Configure your server and server profile	Create a Remote Log Source - Palo Alto Firewall
SonicWall	For this log type, you must be able to: Log into the SonicWall console Configure your SonicWall device	Create a Remote Log Source - SonicWall
Cylance	For this log type: The user has a Log Relay device online The user is not blocking traffic on port TCP and UDP port 14015 between the Cylance and the Log Relay	Create a Remote Log Source - Cylance
Storage Only	For this log type, you must be able to: Configure your device or application for compliance log storage only	Create a Storage Only Log Source

Event Rate Limitations by Server Geometry

Appliance	Threshold	Minimum number of CPU cores	Suggested Memory in GB
Armor Log Relay	2,500 EPS or less	4	8
	5,000 EPS or less	8	16
	10,000 EPS or less	16	32

Related Documentation

For a detailed guide on how to obtain Log Relay, see Obtain Log Relay for Remote Log Collection.