Exabeam Site Collector Guide

Upgrade Exabeam Site Collector

Keep your site collectors up to date to take advantage of new features.

Follow the upgrade instructions that match your deployment environment:

Prerequisites

Before upgrading your site collector, ensure prerequisites are met. Additional prerequisites may apply based on your deployment type.

  • If you are adding a syslog source to your deployment, put two site collectors behind a load balancer to mitigate potential data loss while one collector is unavailable

  • If Security-Enhanced Linux (SELinux) is enabled, switch it to permissive mode for administrative tasks (installing, upgrading, and configuring) and revert it to enforcing mode once those tasks are complete

  • The /tmp partition on the site collector host must allow root to execute files (it must not be mounted noexec), because the installer is unpacked and run from /tmp

  • Ensure the host has enough free disk space for the site collector upgrade
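The following POSIX sh script is an added example (not part of Exabeam's installer) that checks the three host-side prerequisites above before you start: SELinux mode, whether /tmp is mounted noexec, and free space under /tmp. The MIN_FREE_MB threshold is an assumed value, not a figure from this guide; set it to whatever your package and extraction actually need.

```shell
#!/bin/sh
# Pre-flight checks for an Exabeam Site Collector upgrade.
# Added example, not Exabeam's code. MIN_FREE_MB is an assumed threshold.

MIN_FREE_MB="${MIN_FREE_MB:-10240}"

# Return 0 if a mount-option string such as "rw,nosuid,noexec,relatime"
# contains noexec, which would stop root from running the installer from /tmp.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if the mode reported by getenforce lets the install proceed
# (Permissive or Disabled); Enforcing must be switched to permissive first.
selinux_ok() {
    case "$1" in
        Permissive|Disabled) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Return 0 if free space ($1, MB) is at least the required amount ($2, MB).
enough_space() {
    [ "${1:-0}" -ge "${2:-0}" ]
}

run_checks() {
    rc=0

    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
        if selinux_ok "$mode"; then
            echo "OK   SELinux mode is $mode"
        else
            echo "FAIL SELinux is $mode: run 'sudo setenforce 0' before the upgrade and 'sudo setenforce 1' after it"
            rc=1
        fi
    else
        echo "OK   SELinux tooling not installed"
    fi

    # findmnt reports the options of the filesystem that holds /tmp.
    opts=$(findmnt -n -o OPTIONS --target /tmp 2>/dev/null || true)
    if has_noexec "$opts"; then
        echo "FAIL /tmp is mounted noexec ($opts): 'sudo mount -o remount,exec /tmp' for the upgrade"
        rc=1
    else
        echo "OK   /tmp mount options: ${opts:-not reported}"
    fi

    # POSIX df -Pk reports 1K blocks; the fourth field is available space.
    free_kb=$(df -Pk /tmp 2>/dev/null | awk 'NR==2 {print $4}')
    free_mb=$(( ${free_kb:-0} / 1024 ))
    if enough_space "$free_mb" "$MIN_FREE_MB"; then
        echo "OK   /tmp has ${free_mb} MB free"
    else
        echo "FAIL /tmp has ${free_mb} MB free, below the assumed ${MIN_FREE_MB} MB"
        rc=1
    fi

    return $rc
}

run_checks || echo "Fix the FAIL items above before running site-collector-installer.sh"
```

Run it as root (or with sudo) on the site collector host before downloading packages; each FAIL line names the command that clears it, and the SELinux one reminds you to revert to enforcing mode afterwards.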

Upgrade Site Collector Based on Deployment Environment Type

For on-premises and legacy deployments, see Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments.

Upgrade Exabeam Site Collector for SaaS with Exabeam Data Lake

The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SaaS Data Lake.

  1. Ensure your environment has met all requirements before running a site collector upgrade.

  2. In Data Lake, navigate to Settings > Collector Management > Collectors.

  3. Click Add Collector to open the Collector Artifacts menu, which lists the available site collector packages.

    (Screenshot: Data Lake Collector Artifacts menu)
  4. Download the Site Collector Auth Package and the Site Collector Installation Package. The auth package contains the configuration and authentication data needed to reach your SaaS tenant; the installation package contains the installer.

  5. Place the files in the /tmp directory of the site collector host.

  6. Start a terminal session to the site collector and initiate a screen session.

    screen -LS [yourname]_[todaysdate]
  7. Go to the /tmp directory and unpack the downloaded files.

    cd /tmp
    tar -xzf <filename>.tar.gz
  8. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  9. Make the files executable.

    chmod +x site-collector-installer.sh
  10. Based on your deployment environment, run one of the following upgrade commands:

    1. Upgrade site collector behind the proxy with OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    2. Upgrade site collector behind the proxy without OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    3. Upgrade site collector without proxy but with OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
    4. Upgrade site collector without proxy and without OpenVPN

      sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
  11. To verify that the site collector has been upgraded, in Data Lake, navigate to Settings > Collector Management > Collectors to see the list of configured site collectors. The version shown should match the version you installed.

    (Screenshot: site collector management UI)

    Note

    It is normal for the Site Collector Data Forwarder service to be shown as Stopped while another service is shown as Running. To confirm that ingestion is ongoing, check that at least one of these services shows a non-zero message count in the graph.

    You can also send a test message via syslog and confirm, after several minutes, that it arrived in Data Lake. nc connects over TCP unless you pass -u; add -u if the collector's syslog source listens on UDP:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If your site collector does not appear in the list or the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector; many of them can be resolved immediately.

Upgrade Site Collector for Exabeam SaaS Advanced Analytics-only Deployments

The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SaaS Advanced Analytics and where there is no Exabeam Data Lake deployed.

  1. Ensure your environment has met all requirements before running a site collector upgrade.

  2. Download SaaS Site Collector installation files from the Exabeam Community.

  3. Download your authentication package using the following URL template, substituting your own <instanceID>.

    https://<instanceID>.aa.exabeam.com/api/setup/saas/authPackage
  4. Place the files in the /tmp directory of the site collector host.

  5. Start a terminal session to the site collector and initiate a screen session.

    screen -LS [yourname]_[todaysdate]
  6. Go to the /tmp directory and unpack the downloaded files.

    cd /tmp
    tar -xzf <filename>.tar.gz
  7. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  8. Make the files executable.

    chmod +x site-collector-installer.sh
  9. Based on your deployment environment, run one of the following upgrade commands:

    1. Upgrade site collector behind the proxy with OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    2. Upgrade site collector behind the proxy without OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
    3. Upgrade site collector without proxy with OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
    4. Upgrade site collector without proxy and without OpenVPN

      sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
  10. The Advanced Analytics console does not show the status or health of the site collector. Its Status page is intended to show errors only and should not be used to verify throughput immediately after an upgrade.

    Site collector operational checks must be run on the site collector host. You can send a test message via syslog and confirm that it arrived at the destination (nc connects over TCP unless you pass -u; add -u if the collector's syslog source listens on UDP):

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector; many of them can be resolved immediately.
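The two procedures above (Data Lake and Advanced Analytics-only) differ only in the --dl-saas / --aa-saas flag and in whether a proxy or OpenVPN is in the path. The following POSIX sh wrapper is an added example, not Exabeam's own tooling: it assembles the documented installer flags for either target from a few deployment choices, refuses a proxy host given without a port, keeps the arguments as a proper argv (no eval), and sends the documented syslog test message with a timestamp and hostname filled in. The DRY_RUN variable, the function names, and the example values (proxy.example.net, port 3128) are assumptions of this example.

```shell
#!/bin/sh
# Upgrade wrapper for Exabeam Site Collector SaaS deployments.
# Added example; the installer flags are the documented ones, the wrapper is
# not Exabeam's code. Run from /tmp/Exabeam_Site_Collector after unpacking
# and chmod +x, as in the procedure above.

# upgrade TARGET AUTH OPENVPN PROXY PORT
#   TARGET  : dl-saas (Data Lake) or aa-saas (Advanced Analytics only)
#   AUTH    : path to /tmp/<instanceID>-auth-package.tgz
#   OPENVPN : yes or no
#   PROXY   : proxy host or IP, or empty when there is no proxy
#   PORT    : proxy port, required whenever PROXY is set
# With DRY_RUN=1 (assumed variable) the command line is printed, not run.
upgrade() {
    target=$1 auth=$2 openvpn=$3 proxy=$4 port=$5
    case "$target" in
        dl-saas|aa-saas) ;;
        *) echo "unknown target: $target (use dl-saas or aa-saas)" >&2; return 1 ;;
    esac
    if [ -n "$proxy" ] && [ -z "$port" ]; then
        echo "proxy host given without a proxy port" >&2
        return 1
    fi
    # Build argv with set -- so hostnames and paths need no shell quoting.
    set -- -v "--$target" --upgrade "--config=$auth"
    [ "$openvpn" = yes ] && set -- "$@" --openvpn
    [ -n "$proxy" ] && set -- "$@" "--proxy=$proxy" "--proxy-port=$port"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s' "sudo ./site-collector-installer.sh"
        printf ' %s' "$@"
        printf '\n'
        return 0
    fi
    [ -f "$auth" ] || { echo "auth package not found: $auth" >&2; return 1; }
    sudo ./site-collector-installer.sh "$@"
}

# Compose the documented test line; the stamp and host let you find this
# exact run when it appears in the destination several minutes later.
test_message() {
    printf 'test message %s from %s\n' "$1" "$2"
}

# Send the test line to the local syslog listener. nc uses TCP unless -u is
# given; pass "udp" as $1 if the collector's syslog source listens on UDP.
send_test_message() {
    msg=$(test_message "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)")
    if [ "$1" = udp ]; then
        printf '%s\n' "$msg" | nc -u -w 1 localhost 514
    else
        printf '%s\n' "$msg" | nc -w 1 localhost 514
    fi
    echo "sent: $msg"
}

# Example session (illustrative values; uncomment to run):
# DRY_RUN=1 upgrade dl-saas /tmp/<instanceID>-auth-package.tgz yes proxy.example.net 3128
# upgrade aa-saas /tmp/<instanceID>-auth-package.tgz no "" ""
# send_test_message tcp
```

Run it once with DRY_RUN=1 to confirm the command line matches the variant you expect from the list above, then run it for real inside your screen session. Keep the sent test line (the script echoes it) so you can search for that exact timestamp and hostname at the destination.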