Documentation - Exabeam Site Collector
- Exabeam Site Collector Network Ports
- Exabeam Site Collector Specifications
- Install Exabeam Site Collector
- Upgrade Exabeam Site Collector
- Advanced Exabeam Site Collector Customizations
- Configure Transport Layer Security (TLS) Syslog Ingestion
- Direct Kafka Input to Exabeam Site Collector
- Filter Incoming Syslog Events in Exabeam Site Collector
- Filtering Outbound Logs in Exabeam Site Collector
- Metadata Tags in Exabeam Site Collector Fields and Logs
- Add OpenVPN After Exabeam Site Collector Installation
- Supported Exabeam Site Collector Changes
- Troubleshoot for Exabeam Site Collector
- Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments
- Prerequisites
- Install Site Collector for Exabeam Data Lake On-premises Deployments
- Installing Site Collector for Exabeam Advanced Analytics On-premises Deployments
- Upgrade Site Collector for Exabeam Data Lake On-premises Deployments
- Upgrade Site Collector for Exabeam Advanced Analytics On-premises Deployments
- Migrate Legacy Site Collector to New Exabeam SaaS Site Collector
- Uninstall Exabeam Site Collector
- Supported Exabeam Site Collector Changes
- A. Glossary of Terms
Upgrade Exabeam Site Collector
Keep your site collectors up to date to take advantage of new features.
Follow the upgrade instructions that matches your deployment environment:
Prerequisites
Before upgrading your site collector, ensure prerequisites are met. Additional prerequisites may apply based on your deployment type.
If you are adding a syslog source in your deployment, install a load balancer with two site collectors behind it to mitigate any potential data loss
If Security Enhanced (SE) Linux is enabled, use
permissivemode to perform administrative tasks (such as installing, upgrading, and configuring) and then revert the mode after completing tasksThe
/tmppartition on the site collector host is executable for rootEnsure there is enough space for a site collector upgrade
Upgrade Site Collector Based on Deployment Environment Type
For on-premises and legacy deployments, see Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments.
Upgrade Exabeam Site Collector for SaaS with Exabeam Data Lake
The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SaaS Data Lake.
Ensure your environment has met all requirements before running a site collector upgrade.
In Data Lake, navigator to Settings > Collector Management > Collectors.
Click
to open the Collector Artifacts menu to get a list of Site collectors.
Download the Site Collector Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation packagge.
Place the files in the
/tmpdirectory of the site collector host.Start a terminal session to the site collector and initiate a screen session.
screen -LS [yourname]_[todaysdate]
Go to the
/tmpdirectory and unpack the downloaded files.cd /tmp tar -xzf <filename>.tar.gz
Go to the
Exabeam_Site_Collectordirectory.cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, please execute one of the following upgrade commands:
Upgrade site collector behind the proxy with OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector behind the proxy without OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector without proxy but with OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
Upgrade site collector without proxy and without OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
To verify that the site collector source has been upgraded, in Data Lake, navigate to Settings > Collector Management > Collectors to see the list of configured site collectors. The version should match the upgrade version.
Note
It is normal to find the Site Collector Data Forwarder service is shown as
Stoppedwhile another service is shown asRunning. To verify if there is on-going ingestion, one of these services will show non-zero messages in the graph.You can also send a test message via syslog and confirm it arrived at the destination via Data Lake after several minutes:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
Upgrade Site Collector for Exabeam SaaS Advanced Analytics-only Deployments
The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SaaS Advanced Analytics and where there is no Exabeam Data Lake deployed.
Ensure your environment has met all requirements before running a site collector upgrade.
Download SaaS Site Collector installation files from the Exabeam Community.
Download your authentication file package using the following URL template based on your
<instanceID>.https://<instanceID>.aa.exabeam.com/api/setup/saas/authPackage
Place the files in the
/tmpdirectory of the site collector host.Start a terminal session to the site collector and initiate a screen session.
screen -LS [yourname]_[todaysdate]
Go to the
/tmpdirectory and unpack the downloaded files .cd /tmp tar -xzf <filename>.tar.gz
Go to the
Exabeam_Site_Collectordirectory.cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, please execute one of the following upgrade commands:
Upgrade site collector behind the proxy with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector behind the proxy without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector without proxy with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
Upgrade site collector without proxy and without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
You will not be able to view the status or health of the site collector in the Advanced Analytics console. The Status page is intended to show errors only and should not be used to verify throughput immediately after upgrading.
Site collector operational checks must be run at the site collector host. You can send a test message via syslog and confirm it arrived at the destination, using:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.