Exabeam Site Collector Guide

Install Exabeam Site Collector

The Exabeam Site Collector lets you upload log data from your data centers or virtual private clouds (VPCs) to Exabeam. Site collectors are designed to support most data centers with a single site collector, along with on-premises deployments. You may install more site collectors as log volumes grow.

If you install a site collector with Exabeam Advanced Analytics in your deployment, you will not be able to view the health of the site collector, because it will not appear or be monitored in the Advanced Analytics user interface. The host runs in unmanaged mode. Implement a custom monitoring solution to track the health of the node.

Prerequisites

Here are the prerequisites common to all environments before installing a site collector. Additional prerequisites may apply based on your deployment type.

  • If there is a syslog source in your deployment, install a load balancer with two site collectors behind it to mitigate any potential data loss

  • Ensure you have SSH login access to the site collector host

  • If Security Enhanced (SE) Linux is enabled, use permissive mode to perform administrative tasks (such as installing, upgrading, and configuring) and then revert to enforcing mode after completing tasks

    (Run getenforce command to confirm status.)

  • Site collector hostname's A Record must be resolvable using a domain name service (DNS)

    (Run ping [hostname] to confirm.)

  • If UDP is being used, the source IP must still be routable from the site collector

  • Determine which network zones will need to allow site collector traffic and the IP addresses and protocols that can be supported

  • The /tmp partition on the site collector host must be executable for root

  • Ensure there is enough space and resources for site collector installation

  • Services:

    • Network proxies are not supported where an on-premises endpoint is the log destination

    • Proxies with authentication are not supported

    • SSL authentication or interception is not supported

    • NTP client must be active and synchronized

      (Run timedatectl command to confirm.)

    • One site collector must have OpenVPN installed if your ingestion is to support LDAP polling, database logs, eStreamer logs, fetching by Advanced Analytics, or Incident Responder access to on-premises endpoints

  • Data collecting:

    • Use syslog, or secure syslog, over TCP where possible

    • If you must use UDP for data transfer, still ensure the source host IP address is routable from Site Collector

    • If syslog is not possible, determine the appropriate client, such as an Exabeam Log Collector, to support the collection method. See the Exabeam Data Lake Collector Guide for more options

  • Firewall:

    • Allow traffic between source and destination ports that match your deployment

    • Internet access is allowed at the site collector host

    • firewalld service is running on the site collector host

      (Run systemctl status firewalld to confirm active (running) status.)

    • Firewall rules should be built using FQDNs or domain wildcards

      Important

      Do not use IP addresses for access to the Exabeam SaaS Environment. They are dynamic and can change based upon location and scaling of the service.
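A pre-install check for the prerequisites above that can be confirmed from the host itself (SELinux mode, NTP synchronization, firewalld, an executable /tmp, hostname resolution). This is an added example written for this guide, not Exabeam's own tooling; each parser takes the command's captured output as text so it can be exercised offline, and any sample output is constructed.

```shell
#!/bin/sh
# Pre-install checks for an Exabeam Site Collector host, derived from the
# prerequisite list above (added example, not Exabeam's own tooling).
# Each parser takes captured command output as text so it can be checked
# offline; run_preflight feeds it live output on a real host.

# getenforce prints Enforcing, Permissive or Disabled; install in a non-Enforcing mode
selinux_ok() { case "$1" in Permissive|Disabled) return 0 ;; *) return 1 ;; esac; }

# timedatectl must report an active NTP client and a synchronized clock
ntp_ok() {
  printf '%s\n' "$1" | grep -Eq '^ *(System clock synchronized|NTP synchronized): *yes' &&
  printf '%s\n' "$1" | grep -Eq '^ *(NTP service|NTP enabled|Network time on): *(active|yes)'
}

# systemctl status firewalld must show "active (running)"
firewalld_ok() { printf '%s\n' "$1" | grep -q 'Active: active (running)'; }

# /proc/mounts: /tmp must not be noexec, since the installer is unpacked and run there
tmp_exec_ok() {
  printf '%s\n' "$1" | awk '$2=="/tmp" && $4 ~ /(^|,)noexec(,|$)/ { bad=1 } END { exit bad+0 }'
}

# the host's A record must resolve (the guide suggests ping; getent avoids ICMP)
dns_ok() { getent ahostsv4 "$1" >/dev/null 2>&1; }

run_preflight() {
  rc=0
  selinux_ok "$(getenforce 2>/dev/null || echo Disabled)" || { echo "FAIL: SELinux enforcing; switch to permissive for the install"; rc=1; }
  ntp_ok "$(timedatectl 2>/dev/null)"            || { echo "FAIL: NTP client not active/synchronized"; rc=1; }
  firewalld_ok "$(systemctl status firewalld 2>/dev/null)" || { echo "FAIL: firewalld not running"; rc=1; }
  tmp_exec_ok "$(cat /proc/mounts)"              || { echo "FAIL: /tmp is mounted noexec"; rc=1; }
  dns_ok "$(hostname -f)"                        || { echo "FAIL: $(hostname -f) does not resolve"; rc=1; }
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

# live run on the site collector host: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then run_preflight; fi
```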

Install Site Collector Based on Deployment Environment Type

Follow the installation instructions that match your deployment environment:

For on-premises deployments, see Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments.

Install Site Collector for Exabeam SaaS Data Lake

The following instructions are for a fresh Exabeam Site Collector installation so logs are sent to Exabeam's SaaS Data Lake.

Prerequisites

Ensure your environment meets all requirements before running a site collector installation. Please review prerequisites listed in Install Exabeam Site Collector in addition to the following:

  • If you have a proxy,

    • Ensure that the proxy does not require site collector traffic to be authenticated

    • Configure both HTTPS and OpenVPN routes for:

      • On-premises to SaaS for data flow

      • SaaS to on-premises via OpenVPN for data such as LDAP polling

        Note

        OpenVPN must be used for:

        1. Passing LDAP poll data

        2. Using a DBlog collector in your deployment

        3. Using eStreamer in your deployment

        4. Fetching any on-premises SIEM / sources by Advanced Analytics

        5. Connecting to on-premises endpoints by Incident Responder Actions

        Limitation:

        Only one OpenVPN connection can be active at a time. If you install it on more than one site collector (for an active/standby option), manually disable the service on all but one site collector after installation.

        Use commands:

        sudo systemctl stop openvpn@<instanceID>
        sudo systemctl disable openvpn@<instanceID>

  1. In Data Lake, navigate to Settings > Collector Management > Collectors.

  2. Click add collector to open the Collector Artifacts menu to get a list of Site collectors.

    data lake collector artifacts menu
  3. Download the Site Collector Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation package.

  4. Use scp (secure copy) to place the files in the /tmp directory of the site collector host. (For help with this command, run man scp.)

    scp <source_host>:<directory>/<package_file> <site_collector>:<directory>/<package_file>
  5. Start a new terminal session using an account with Administrator rights. Initiate a screen session. This is mandatory and prevents accidental termination of your session.

    screen -LS [yourname]_[todaysdate]
  6. Go to the /tmp directory and unpack the installation package only.

    cd /tmp
    tar -xzf <install_filename>.tar.gz
  7. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  8. Make the files executable.

    chmod +x site-collector-installer.sh
  9. Based on your deployment environment, execute one of the following installation commands:

    1. Installing site collector with OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --openvpn
    2. Installing site collector without OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz
    3. Installing site collector behind the proxy with OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    4. Installing site collector behind the proxy without OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
  10. Once installation is complete, the prompt returns Site collector installer complete.

  11. To verify that the site collector source has been installed, log into the Data Lake and navigate to Settings > Collector Management > Collectors to see the list of configured collectors.

    site collector management UI

    Note

    It is normal for the Site Collector Data Forwarder service to show as Stopped while another service shows as Running. To verify that ingestion is ongoing, check that one of these services shows a non-zero message count in the graph.

    You can also send a test message via syslog and confirm it arrived at the destination via Data Lake after several minutes:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.

Install Site Collector for Exabeam SaaS Advanced Analytics-only Deployment

The following instructions are for a fresh Exabeam Site Collector installation so your logs are sent to Exabeam's SaaS Advanced Analytics and where there is no Exabeam Data Lake deployed. The ingestion status for this configuration can be found on the Status Page in the Exabeam SaaS Cloud.

Prerequisites

Ensure your environment has met all requirements before running a site collector installation. Please review prerequisites listed in Install Exabeam Site Collector in addition to the following:

  • If you have a proxy:

    • Ensure that the proxy does not require site collector traffic to be authenticated

    • Configure both HTTPS and OpenVPN routes for:

      • On-premises to the Exabeam SaaS Cloud for data flow

      • Exabeam SaaS Cloud to on-premises via OpenVPN for data such as LDAP polling

        Note

        OpenVPN must be used for:

        1. Passing LDAP poll data

        2. Using a DBlog collector in your deployment

        3. Using eStreamer in your deployment

        4. Fetching any on-premises SIEM / sources by Advanced Analytics

        5. Connecting to on-premises endpoints by Incident Responder Actions

        Limitation:

        Only one OpenVPN connection can be active at a time. If you install it on more than one site collector (for an active/standby option), manually disable the service on all but one site collector after installation.

        Use commands:

        sudo systemctl stop openvpn@<instanceID>
        sudo systemctl disable openvpn@<instanceID>

  1. Download SaaS Site Collector installation files from the Exabeam Community.

  2. Download your authentication package file using the following URL template based on your <instanceID>.

    https://<instanceID>.aa.exabeam.com/api/setup/saas/authPackage
  3. Place the files in the /tmp directory of the site collector host.

  4. Start a new terminal session using an account with administrator rights. Initiate a screen session. This is mandatory and prevents accidental termination of your session.

    screen -LS [yourname]_[todaysdate]
  5. Go to the /tmp directory and unpack the installation file only.

    cd /tmp
    tar -xzf <filename>.tar.gz
  6. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  7. Make the files executable.

    chmod +x site-collector-installer.sh
  8. Based on your deployment environment, execute one of the following installation commands:

    1. Installing site collector with OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --openvpn
    2. Installing site collector without OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz
    3. Installing site collector behind the proxy with OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    4. Installing site collector behind the proxy without OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
  9. Once installation is complete, the prompt will return Site collector installer complete.

  10. Verification checks must be made via the SaaS Status Page. The Status page is intended to show errors only and should not be used to verify throughput immediately after installation.

    You can send a test message via syslog and confirm it arrived at the log destination after several minutes:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If no logs arrive at the destination after a few minutes or you cannot see a status for the site collector, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
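A post-install check covering the two verification points that both procedures above share: the limitation that only one OpenVPN connection may be active, and the syslog test message. This is an added example written for this guide, not Exabeam's tooling; the unit and host names used for illustration are constructed stand-ins for openvpn@<instanceID> and the real site collector host.

```shell
#!/bin/sh
# Post-install checks for a site collector, covering the two verification
# points in this guide: the one-active-OpenVPN-connection limit and the syslog
# test message. Added example, not Exabeam's own tooling; unit names in the
# comments are constructed and stand in for openvpn@<instanceID>.

# Count active openvpn@<instanceID>.service units in `systemctl list-units`
# output (passed in as text so the parser can be checked offline). A bullet
# may prefix failed units, so the unit name is located by field, not position.
active_openvpn_count() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i <= NF; i++)
        if ($i ~ /^openvpn@.*\.service$/ && $(i+2) == "active") n++ }
    END { print n + 0 }'
}

# The test line the guide suggests: "test message <date_time> from <host>"
test_message() { printf 'test message %s from %s' "$1" "$2"; }

# Send the test line to the local syslog listener over TCP with a 3 s timeout,
# so a missing listener fails fast instead of leaving nc hanging.
send_test_message() {
  msg=$(test_message "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname -f)")
  printf '%s\n' "$msg" | nc -w 3 "${1:-localhost}" "${2:-514}"
}

# live run on the site collector host: sh postcheck.sh --run
if [ "${1:-}" = "--run" ]; then
  n=$(active_openvpn_count "$(systemctl list-units --type=service --all --no-legend 'openvpn@*')")
  echo "active openvpn@ units on this host: $n"
  if [ "$n" -gt 1 ]; then
    echo "WARN: only one OpenVPN connection may be active at a time across all site collectors"
    echo "      stop and disable the extra unit: sudo systemctl stop openvpn@<instanceID>; sudo systemctl disable openvpn@<instanceID>"
  fi
  send_test_message && echo "test message sent; check the destination after a few minutes"
fi
```

Run it on each site collector of an active/standby pair; the counts across the pair should add up to one.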