How to Uninstall Exabeam Site Collector
There may be a need to remove a pre-existing Exabeam Site Collector (SC) deployment entirely. To uninstall the SC, SSH to the host and run one of the following commands:
sudo ./site-collector-installer.sh -v --uninstall
# Or, uninstall in silent mode
sudo ./site-collector-installer.sh -v --uninstall -a
How to Uninstall a Legacy Site Collector
Once your Exabeam Site Collector has been established, you can uninstall legacy site collectors. During the uninstall process, there is a risk of data loss if ingest queues are not empty. Stop sending logs to site collectors being removed. The following steps will mitigate data loss and uninstall your legacy SC:
Verify that the queues do not have data. If the queues are empty, the LAG column will show 0. If there is data, wait a few minutes for the remaining logs to clear the queue. Re-verify that the ingestion queues are empty of data. Do not proceed to the next step until the queues are empty.
sudo -u kafka /opt/kafka/bin/kafka-consumer-groups.sh --bootstrap-server localhost:9092 --describe --group gcs | awk '{s+=$5}END{print s}'
Use the following commands to stop services. Services must be fully stopped before proceeding to the next uninstall steps.
systemctl stop kafka
systemctl stop logstash
systemctl stop zookeeper
Remove Kafka.
yum remove kafka
Remove Logstash.
yum remove logstash
Remove Zookeeper.
yum remove zookeeper
Check remaining folders for Logstash and Kafka (if they still exist).
rm -rf /opt/kafka
rm -rf /opt/logstash
Remove common packages.
yum remove java-1.8.0-openjdk logrotate iperf3
Remove Logstash and Kafka users.
userdel kafka
userdel logstash
Remove Openvpn.
yum remove openvpn
rm -rf /etc/openvpn
Remove the Logstash files in /tmp.
# Check logstash folders in /tmp
cd /tmp
mkdir logstash-files
mv logstash* logstash-files
Remove offline repository definitions.
rm /etc/yum.repos.d/
Remove the /opt/exabeam folder.
rm -rf /opt/exabeam
Remove firewall rules.
Check existing firewall rules.
firewall-cmd --list-all
Remove ports and forwarding rules.
firewall-cmd --zone=public --remove-port=9093/tcp --permanent
firewall-cmd --zone=public --remove-port=514/tcp --permanent
firewall-cmd --zone=public --remove-port=515/tcp --permanent
firewall-cmd --zone=public --remove-port=9300/tcp --permanent
firewall-cmd --remove-forward-port=port=514:proto=udp:toport=5514 --permanent
firewall-cmd --remove-forward-port=port=514:proto=tcp:toport=5514 --permanent
firewall-cmd --remove-forward-port=port=515:proto=tcp:toport=5515 --permanent
firewall-cmd --zone="public" --remove-forward-port=port=443:proto=tcp:toport=443:toaddr=10.0.0.16 --permanent
firewall-cmd --reload
Verify firewall rules have been removed. The list returned from the following command should not show rules removed in the previous step.
firewall-cmd --list-all
Remove the sysctl forwarding configuration from the file /etc/sysctl.conf.
# Remove the line net.ipv4.ip_forward = 1
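As an added example (not Exabeam's own tooling), the following shell helpers wrap the two verification points in the procedure above: the queue-drain check that guards against data loss before services are stopped, and a check of firewall-cmd --list-all output for rules that the removal step should have cleared. The drain check locates the LAG column by its header name instead of by position, because the page's awk sums field 5, which is where LAG sits in older Kafka consumer-groups output, while newer releases print a leading GROUP column that shifts it; a "-" in that column means the group has no committed offset for the partition, so the queue state is unknown rather than empty. The function names, the polling interval and the sample outputs are assumptions constructed for this example; the Kafka path, broker port and consumer group name are the ones the page uses.

```shell
#!/bin/sh
# Added example, not Exabeam's code: verification helpers for the legacy
# Site Collector teardown. Kafka path, port and group name are from the page;
# function names, polling interval and sample data are constructed here.

# Read `kafka-consumer-groups.sh --describe` output on stdin and print
# "<total lag> <partitions whose lag is not a number>". The LAG column is
# found by its header name because its position differs between Kafka
# releases. If no LAG header is seen at all, print "unknown" and fail.
lag_report() {
    awk '
        !col      { for (i = 1; i <= NF; i++) if ($i == "LAG") col = i; next }
        NF >= col { if ($col ~ /^[0-9]+$/) s += $col; else unknown++ }
        END       { if (!col) { print "unknown"; exit 1 }
                    printf "%d %d\n", s + 0, unknown + 0 }'
}

# Succeed only when every partition reports a lag of exactly 0.
queues_empty() {
    set -- $(lag_report)
    [ "${1:-x}" = 0 ] && [ "${2:-x}" = 0 ]
}

# Poll the live consumer group (default "gcs", as on the page) until it
# drains or the timeout in seconds expires. Not exercised offline.
wait_for_empty_queues() {
    group=${1:-gcs}; timeout=${2:-300}; elapsed=0
    while [ "$elapsed" -le "$timeout" ]; do
        if sudo -u kafka /opt/kafka/bin/kafka-consumer-groups.sh \
               --bootstrap-server localhost:9092 --describe --group "$group" \
           | queues_empty; then
            echo "consumer group '$group' drained after ${elapsed}s"
            return 0
        fi
        sleep 10; elapsed=$((elapsed + 10))
    done
    echo "consumer group '$group' still has lag after ${timeout}s; do not stop kafka" >&2
    return 1
}

# Read `firewall-cmd --list-all` output on stdin and print every port or
# forward-port from the page's removal step that is still present.
# Continuation lines of forward-ports may be indented with spaces or a tab.
leftover_firewall_rules() {
    awk '
        /^[ \t]*ports:/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(9093|514|515|9300)\/tcp$/) print "port " $i
            next
        }
        /^[ \t]*forward-ports:/ {
            inf = 1; sub(/^[ \t]*forward-ports:[ \t]*/, "")
            if ($0 ~ /port=(514|515|443):/) print "forward " $0
            next
        }
        inf && /^[ \t]*[a-z -]+:/ { inf = 0 }   # next section heading ends the list
        inf && /port=(514|515|443):/ { sub(/^[ \t]+/, ""); print "forward " $0 }'
}

# Succeed when nothing from the removal step is left in the zone listing.
firewall_clean() {
    [ -z "$(leftover_firewall_rules)" ]
}

# Constructed samples (not captured from a real host) so the checks run offline.
SAMPLE_DESCRIBE_NEW="Consumer group 'gcs' has no active members.

GROUP TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID
gcs lms.kafka.topic 0 1500 1500 0 - - -
gcs lms.kafka.topic 1 1497 1500 3 - - -
gcs lms.kafka.topic 2 - 1500 - - - -"

SAMPLE_DESCRIBE_OLD="TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID
lms.kafka.topic 0 1500 1500 0 consumer-1 /10.0.0.5 consumer-1
lms.kafka.topic 1 1500 1500 0 consumer-1 /10.0.0.5 consumer-1"

SAMPLE_LIST_ALL_BEFORE="public (active)
  target: default
  services: ssh
  ports: 9093/tcp 514/tcp 515/tcp 9300/tcp
  forward-ports: port=514:proto=udp:toport=5514:toaddr=
        port=515:proto=tcp:toport=5515:toaddr=
        port=443:proto=tcp:toport=443:toaddr=10.0.0.16
  source-ports:
  rich rules:"

SAMPLE_LIST_ALL_AFTER="public (active)
  target: default
  services: ssh
  ports: 22/tcp
  forward-ports:
  source-ports:
  rich rules:"

# Offline demo against the constructed samples.
printf '%s\n' "$SAMPLE_DESCRIBE_NEW" | lag_report                  # prints "3 1"
printf '%s\n' "$SAMPLE_LIST_ALL_BEFORE" | leftover_firewall_rules  # lists 7 leftover rules
```

On a live host, run wait_for_empty_queues before the systemctl stop step and pipe firewall-cmd --list-all into firewall_clean after the reload; both return a non-zero status when it is not safe to continue, so they can gate a scripted teardown.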