- Site Collector Overview
- Get Started with Site Collectors
- Install Site Collector
- Set Up Collectors
- Manage Site Collectors
- Site Collector Monitoring
- Troubleshoot the Site Collector
- Pre-checks failed during Site Collector installation and upgrade
- Site Collector UI shows the status INSTALLATION_ERROR
- Download Support Packages for Troubleshooting
- How to reboot the Virtual Machine (VM) successfully to apply security updates?
- What information must be added while creating a support ticket to resolve an issue?
- Site Collector UI is not displaying the heartbeats
- How to regenerate certificates for Site Collector Core
- Splunk Collector can't be set up
- Splunk Collector is set up however, logs are not reaching DL/AA
- Only a few of the installed Splunk Collectors are processing logs or EPS has dropped by 50% as compared to last hour
- The Windows Active Directory Collector (formerly known as LDAP Collector) is set up, however, the context data is not reaching DL/AA
- The Windows Active Directory Collector (formerly known as LDAP Collector) is stuck in the ‘Update’ mode after deployment
- Installation is initiated; however, the collector shows the status as ‘Setting Up’ for some time
- Data Lake and Advanced Analytics Does Not Show Context Data
- Context Data from Windows Active Directory Collector is Segmented
- Minifi Permission Denied - Logback.xml File Missing and Config File Update - Failed Error Occurred while Installing the Windows Event Log Collector
- Where should I upload proxy certificates if I am running proxy with TLS interception?
- How to upgrade Linux collector instance?
Set Up SSL Interception
SSL interception enables you to inspect encrypted traffic for enhancing network security. SSL interception helps in threat detection and prevention, data loss prevention, managing applications and ensuring compliances. Setting up an SSL interception includes configuring your network and VM to decrypt and inspect SSL/TLS traffic.
Before installing a Site Collector instance, to appropriately configure SSL Interception, provide certificates to be used for:
Site Collector installation through proxy
Site Collector upgrade
Site Collector data flows
Site Collector management flows
To set up an SSL interception:
Use the folder located on the VM at
/opt/exabeam_prep/ssl/
for importing Certificate Authorities (CAs) files in PEM format with extensions *.crt or *.pem to the Site Collector Core for the Core to trust LDAP or Proxy server certificates and validate them completely.When you restart Site Collector Core these CA files are imported to the local truststore based on the OS version, therefore the Site Collector Core services trust more servers with self-signed certificates.
Note
You must add a CA file to the folder only if you want to use Proxy with TLS inspections. For simple proxy, CA file is not required. If you want to use Proxy TLS, ensure that CA certificate is applied to the VM first so that you can request for the Site Collector Core installer package and begin installation.
If you are preparing your VM for the first time for Site Collector installation, create the folder
/opt/exabeam_prep/ssl/
and save the CA files in this folder. Then deploy the Site Collector Core.If you have Site Collector Core version 1.4 or earlier, create the folder
/opt/exabeam_prep/ssl/
, and save the CA files in this folder. Upgrade the NGSC Core using the Site Collector user interface.If you have Site Collector Core version 1.5 and above, the folder
/opt/exabeam_prep/ssl/
is available on the Site Collector Core VM already. Save the CA .crt and .pem files in this folder and restart the Site Collector Core using the Site Collector user interface or using the following command:sudo /opt/exabeam/nifi/nifi_scripts/ngsc_restart.sh
To verify that the CA files are imported to the Site Collector Core check exabeam-ngsc service journal or logs using the following command:
journalctl -eu exabeam-ngsc
The log contains the list of the files that are imported as follows.
Jan 13 21:21:00 ngsc-ihor-test add_ca_cert.sh[10886]: Certum_Trusted_Root_CA.crt
The log also displays the exact number of certs that are imported.
Jan 13 21:21:01 ngsc-ihor-test add_ca_cert.sh[10886]: 1 added, 0 removed; done.
By importing the CA files, you have completed the SSL interception configuration.