Skip to main content
Skip table of contents

Obtain Log Relay for Remote Log Collection

Topics Discussed

You can use this document to learn about the specific, high-level steps needed to obtain Log Relay, and send additional log types to Armor's Security Information & Event Management (SIEM).

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

Before you begin:

For Armor Enterprise Cloud users, you must already have a virtual machine in your account

For Armor Anywhere users, you must already have downloaded and installed the Armor Agent.

For introductory information on Log Relay, see Introduction to Log Relay.

Review Requirements


Requirement Type

Product Compatibility

Description

Supported Devices

  • Armor Enterprise Cloud

  • Armor Anywhere

Only Linux machines can be converted to Log Relays. Machines must be in an OK state to be converted.

To learn more about the health status of a virtual machine, see Health Overview Dashboard.

Log Relay will support receiving logs from devices such as WAFs or next-gen firewalls. The Armor Agent is not needed on devices to pass logs through a relay.

Pricing Information

  • Armor Enterprise Cloud

  • Armor Anywhere

While log collection is available to all users, there is a cost associated with sending and storing logs.

For pricing information, please contact your Account Manager.

Permissions

  • Armor Enterprise Cloud

  • Armor Anywhere

In order to use Log Relay, you must have the following permissions included in your account:

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

To learn more about permissions, see Roles and Permissions.

Log Retention Plan

  • Armor Enterprise Cloud

  • Armor Anywhere

  • Armor Enterprise Cloud virtual machines that are converted to a log relay device will be automatically enrolled in the Compliance Professional plan.

This plan:

  • Collects and stores your logs for 13 months at an additional cost.

  • Provides certain HIPAA and PCI compliance.

For pricing information, please contact your Account Manager.

Armor Anywhere agents that are converted to a log relay device will retain the default Log Management Essentials plan subscription. This plan collects and stores your logs for 30 days.

Firewall Rules

  • Armor Anywhere

Armor Anywhere users must add the following generic firewall rules:

Inbound:

  • Service/Purpose

    • Log Relay (Logstash)

  • Port

    • 5140/udp

    • 5141/tcp

  • Destination

    • The IP address for your virtual machine

Outbound:

  • Service/Purpose

    • Armor's logging service (ELK)

  • Port

    • 5443/tcp

    • 5400-5600/tcp (Reserved)

      • Armor reserves the right to utilize this port range for future expansion or service changes.

  • Destination

The above-mentioned ports do not provide security analytics. To receive security analytics for logs from supported remote log devices, you must add additional firewall rules; these additional ports are described in the configuration documents listed in Create and Configure Remote Log Sources.

For non-supported remote log sources, collected logs will not receive any security analytics.

To learn more about firewall rules, see Requirements for Armor Anywhere.


Obtain Log Relay


When you convert a virtual machine into a Log Relay device, your virtual machine / device will still contain the default Armor Agent components, such as FIM, Malware, Patching, etc.

Option 1: For Armor Anywhere Users
  1. In the Armor Management Portal (AMP), in the left-side navigation, click Infrastructure.

  2. Click Virtual Machines.

  3. Locate and hover over the desired virtual machine.

  4. Click the vertical ellipses.

  5. Click Convert to Log Relay.



  6. Review pricing information, and then click Convert VM to Log Relay.

    • You will be redirected to the Virtual Machines screen.

  7. Under Type, the virtual machine will be labeled as Log Relay. (By default, the Armor agent will update the virtual machine within 15 minutes.)

Option 2: For Armor Complete Users
  1. Use the PUT Assign Log Collector API call to add Log Relay to your account.

    In some cases, the terms Log Depot, Host Log Collector, or Log Relay may be used interchangeably.

METHOD / TYPE

PUT

API CALL / URL

/vms/core/{coreInstanceId}/profile 

PARAMETERS

You must enter your virtual machine's coreInstanceId.

To locate this ID, in AMP, access the Virtual Machine screen, click the desired virtual machine to expand, and then copy the Agent ID. The Agent ID is a combination of numbers and letters. 

FULL API CALL / URL

CODE
PUT https://api.armor.com//vms/core/1gfh39d-hdd78-dhd73-434/profil
  1. Contact Armor Support to add a custom file path via a host log collector.


After you have converted your virtual machine into a Log Relay device, see Create and Configure Remote Log Sources to learn how to create and configure a remote log source.

Troubleshooting

In general, if you are having issues adding Log Relay to a remote log device, consider that:

You need to update your permissions in AMP.

  • In AMP, you must have the following permissions added to your account:

    • Write Virtual Machine

    • Delete Log Management

    • Read Log Endpoints

    • Read Log Relays

    • Write Log Relays

    • Delete Log Relays

To add the above-mentioned AMP permissions to your account, see Roles and Permissions.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.