Log Collection Through The Armor Agent
Armor can ingest logs from most sources. The logs are stored and can be correlated and analyzed against threat intelligence feeds from Armor and other third parties. Armor provides advanced log search and data visualization capabilities through the Armor Management Portal. The benefits of Armor's log and data management add-on include:
Enhanced security posture through the analysis and correlation of log information with other Armor telemetry sources.
Greater context to aid in more effective detection, alerting and response.
Ability to meet compliance mandates through the storing of log data for up to 13 months.
The Armor Agent for Servers can be configured to collect logs from the following sources:
Armor Agent - Collecting Linux and Windows Standard Logs
Use the following commands to manage the Logging service, which runs Filebeat and, on Windows only, Winlogbeat.
Install Logging:
Windows: C:\.armor\opt\armor.exe logging install
Linux: /opt/armor/armor logging install
Uninstall Logging:
Windows: C:\.armor\opt\armor.exe logging uninstall
Linux: /opt/armor/armor logging uninstall
Logging Help:
Windows: C:\.armor\opt\armor.exe logging help
Linux: /opt/armor/armor logging help
Default Logging Configuration for the Armor Agent
Windows
The Armor Agent forwards logs from the System and Security event types. The specific event IDs kept are as follows:
Sysmon Event IDs
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 255
Security Event IDs
1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722, 4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140, 7034, 7045, 33205
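To make the default allow-list above concrete, here is an added Python example (not Armor's code or configuration) that applies the retained Sysmon and Security ID sets to Winlogbeat-style JSON events and reports which IDs from a team's own watchlist the default configuration would not forward. It assumes Winlogbeat's `winlog.channel` / `winlog.event_id` field names, and that the "Security" list is applied to both channels the agent forwards (Security and System); the sample events are constructed, not real telemetry.

```python
import json
# Event IDs the page lists as retained by the Armor Agent's default Windows logging configuration.
SYSMON_IDS = {*range(1, 23), 255}
SECURITY_IDS = {1102, 4624, 4625, 4648, 4649, 4657, 4688, 4697, 4698, 4719, 4720, 4722,
                4723, 4724, 4725, 4726, 4732, 4733, 4738, 4740, 4794, 4798, 4799, 5140,
                7034, 7045, 33205}
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Assumption: the page's "Security" list is applied to both channels the agent forwards (Security and System).
STANDARD_CHANNELS = {"Security", "System"}

def is_retained(event: dict) -> bool:
    """True if a Winlogbeat-style event (winlog.channel / winlog.event_id) survives the default allow-list."""
    winlog = event.get("winlog", {})
    try:
        event_id = int(winlog.get("event_id", -1))  # Winlogbeat may emit the ID as a string
    except (TypeError, ValueError):
        return False
    channel = winlog.get("channel", "")
    if channel == SYSMON_CHANNEL:
        return event_id in SYSMON_IDS
    return channel in STANDARD_CHANNELS and event_id in SECURITY_IDS

def split_events(jsonl: str):
    """Split a JSON-lines export into (retained, dropped) lists of (channel, event_id) tuples."""
    retained, dropped = [], []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        key = (ev["winlog"]["channel"], int(ev["winlog"]["event_id"]))
        (retained if is_retained(ev) else dropped).append(key)
    return retained, dropped

def coverage_gaps(watchlist, channel="Security"):
    """IDs a team wants to see that the default configuration would not forward for that channel."""
    ids = SYSMON_IDS if channel == SYSMON_CHANNEL else SECURITY_IDS
    return sorted(i for i in watchlist if i not in ids)

# Constructed sample events (not real telemetry) in a Winlogbeat-like shape.
SAMPLE = "\n".join(json.dumps(e) for e in [
    {"winlog": {"channel": "Security", "event_id": "4688"}},   # process creation: kept
    {"winlog": {"channel": "Security", "event_id": "4663"}},   # object access: not in the default list
    {"winlog": {"channel": "System", "event_id": 7045}},       # service installed: kept
    {"winlog": {"channel": SYSMON_CHANNEL, "event_id": 1}},    # Sysmon process create: kept
    {"winlog": {"channel": SYSMON_CHANNEL, "event_id": 23}},   # Sysmon ID outside the default list
    {"winlog": {"channel": "Application", "event_id": 1000}},  # channel not forwarded at all
])

if __name__ == "__main__":
    kept, lost = split_events(SAMPLE)
    print("retained:", kept, "dropped:", lost, "gaps:", coverage_gaps({4624, 4663, 4672, 4688, 4697}))
```

Running the gap check before enabling forwarding tells you which of your watched IDs would need an extended configuration rather than the default one.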
Linux
The Armor Agent forwards the following log files for Linux servers:
| CentOS/RHEL | Ubuntu/Debian |
|---|---|
| | |
| | |