Exabeam Site Collector
Exabeam SaaS Cloud uses site collectors to enable you to upload log data from your data centers or VPCs to Exabeam. Site collectors in the Exabeam SaaS Cloud were designed to support most data centers with a single Site Collector.
You can configure more than one site collector for your deployment, for example when you need to collect logs from multiple data centers or VPCs and upload them to Exabeam.
When cloud collector agents are in use, data does not flow through a site collector.
Exabeam's non-SaaS site collectors will no longer be supported as of September 1, 2020. Please migrate your site collectors to the Exabeam SaaS Site Collector before the deadline.
Site Collector Architecture
At a high level, Exabeam's site collector involves three main processes: data collection, data persistence and upload, and cloud connectivity.
First, Exabeam collects messages from external servers, systems, data centers, and other machines via syslog and/or Exabeam collectors (including Windows, File, and GZip).
For more information on configuring agent-based or server-side collectors, please refer to the Exabeam Collector Guide.
Then, the site collector queues the messages on disk before uploading them to Exabeam SaaS Cloud. The site collector continuously uploads messages from the queue to Exabeam SaaS Cloud. Data is encrypted in transit to the cloud and at rest in the cloud. Data is compressed to 300-500% of the original source before uploading to Exabeam SaaS Cloud.
Finally, the cloud connectivity feature maintains a healthy connection to Exabeam SaaS Cloud so that Exabeam can connect to customer assets such as AD for context and authentication, access APIs for log repositories, and perform any other Incident Responder actions.
The site collector includes the following:
Kafka for message bus
Logstash for message processing
OpenVPN for client connectivity
Zookeeper for Kafka management
Site Collector Specifications
The Exabeam SaaS Site Collector can be deployed in two capacities, Essential and Enterprise. Please review the specifications in the table below that applies to
Minimum CPU and Memory
4 CPU, 8 GB RAM
8 CPU, 16 GB RAM
16 CPU, 32 GB RAM
Additionally, please ensure the following storage requirements and permissions are met:
CentOS 7.x+/RedHat 7.x+
/tmp must be a writable location and allow for execution
/data is storage for Kafka data (sizing is based on the Site Collector Specifications above) with 300 GB or higher per EPS
Default local retention is 24 hours or available disk space in
(Up to 5k EPS)
The following table is a guide for the Essential type SaaS Collector. It is based on calculations for:
1500 bytes average message size
1.5 times the rated EPS per day to be stored locally
EPS rated for Essential Tiny, Small, Medium, and Large are 1k, 2k, 3.5k, 5k EPS respectively
Capacity specifications for Exabeam Enterprise site collectors are not shown and are calculated based on required retention and EPS rates.
OS partition cannot be smaller than 100 GB.
Here are some deployment examples based on log ingestion rates (CPU, Memory, and Storage):
Essential Medium, 2.5k EPS: 4 CPU, 8 GB RAM, 900 GB
Enterprise, 18k EPS: 8 CPU, 16 GB RAM, 3800 GB
Enterprise, 108k EPS: 4 site collectors with 16 CPU, 32 GB RAM, 6200 GB each
Enterprise, 108k EPS: 6 site collectors with 8 CPU, 16 GB RAM, 4200 GB each
firewalld is installed and present on the system.
The firewalld service is installed automatically if it is not already present on the system.
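The host requirements above (OS version, minimum CPU and memory, /tmp executable, /data present, 100 GB OS partition, firewalld) are easy to get wrong on a hardened image, so here is a pre-flight script that checks them, added as an example and not Exabeam's own tooling. It assumes coreutils, util-linux findmnt and rpm on the host, and takes the 4 CPU / 8 GB row of the specifications table as the floor.

```shell
#!/usr/bin/env bash
# Added pre-flight check for a Site Collector host (example code, not Exabeam's own
# tooling), built from the requirements on this page: CentOS/RHEL 7.x+, at least 4 CPU
# and 8 GB RAM, /tmp writable and executable, /data present for Kafka data, OS partition
# of at least 100 GB, firewalld present. Checks take input as arguments so they can be
# exercised on constructed data; run_checks feeds them from the live host.

# 0 when the os-release text names CentOS or RHEL with major version 7 or newer.
os_supported() {  # $1 = contents of /etc/os-release
  local id ver
  id=$(printf '%s\n' "$1" | sed -n 's/^ID="\{0,1\}\([A-Za-z]*\)"\{0,1\}$/\1/p')
  ver=$(printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*$/\1/p')
  case "$id" in centos|rhel) [ -n "$ver" ] && [ "$ver" -ge 7 ] ;; *) return 1 ;; esac
}

# 0 when the host has at least 4 CPUs and 8 GB RAM ($1 = CPU count, $2 = MemTotal in kB).
resources_ok() { [ "$1" -ge 4 ] && [ "$2" -ge $((8 * 1024 * 1024)) ]; }

# 0 when a comma-separated mount option list (from `findmnt -n -o OPTIONS --target DIR`)
# is read-write and not noexec. Hardened hosts often mount /tmp noexec, which breaks
# installers that unpack and run from there.
opts_rw_exec() {  # $1 = mount options
  case ",$1," in *,ro,*|*,noexec,*) return 1 ;; *,rw,*) return 0 ;; *) return 1 ;; esac
}

# 0 when a partition of $1 1K-blocks (as printed by `df -Pk`) holds at least $2 GB.
partition_at_least_gb() { [ $(( $1 / 1048576 )) -ge "$2" ]; }

# 0 when `rpm -q firewalld` output ($1) names the package rather than
# "package firewalld is not installed" (the page says the installer adds it if absent).
firewalld_present() { case "$1" in firewalld-*) return 0 ;; *) return 1 ;; esac; }

# Run every check against the live host, printing one PASS/FAIL line per requirement.
run_checks() {
  local rc=0
  report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
  report os_supported "$(cat /etc/os-release)"
  report resources_ok "$(nproc)" "$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)"
  report opts_rw_exec "$(findmnt -n -o OPTIONS --target /tmp)"
  [ -d /data ] && [ -w /data ] && echo "PASS: /data" || { echo "FAIL: /data"; rc=1; }
  report partition_at_least_gb "$(df -Pk / | awk 'NR == 2 { print $2 }')" 100
  report firewalld_present "$(rpm -q firewalld 2>&1)"
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `bash preflight.sh --run` on the candidate host; a non-zero exit means at least one requirement failed.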