Exabeam Site Collector Guide

Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments

Configure and gather information as outlined in this section before attempting to install or upgrade your site collector.

Prerequisites

Ensure your environment has met all requirements before running a site collector installation. Review the prerequisites listed in Install Exabeam Site Collector in addition to the following:

  • Have the following information for all log sources that will send data to the site collector:

    • Product and vendor

    • Hostname and IP address

    • Network zone of the log source

    • Ingest method and access port

    • Log throughput capacity in events per second (EPS)

    • Log storage capacity in GB

    • Associated site collector

  • Routes through firewalls and proxies are not supported in on-premises deployments

On-premises Instructions by Deployment

Select the instructions that best match your deployment environment:

Install Site Collector for Exabeam Data Lake On-premises Deployments

Installing Site Collector for Exabeam Advanced Analytics On-premises Deployments

Upgrade Site Collector for Exabeam Data Lake On-premises Deployments

Upgrade Site Collector for Exabeam Advanced Analytics On-premises Deployments

Legacy Deployments

For site collectors in versions 1.0.0/1.0.3 and those before version 202004.1, use the following instructions to migrate services.

Warning

For CentOS deployments -- As CentOS 8.x will be reaching its end-of-life (December 31, 2021), we strongly recommend deploying site collectors on CentOS 7.x.

Install Site Collector for Exabeam Data Lake On-premises Deployments

For Data Lake in Appliance or Virtual Deployments Only

Follow these instructions for a fresh Exabeam Site Collector installation if your logs are to be sent to an Exabeam Data Lake destination deployed on an appliance or virtual platform (excluding Exabeam SaaS Cloud).

  1. Ensure your environment has met all requirements before running a site collector installation.

  2. In Data Lake, navigate to Settings > Collector Management > Collectors.

  3. Click add collector to open the Collector Artifacts menu to get a list of Site collectors.

    [Screenshot: Data Lake Collector Artifacts menu]
  4. Download the Site Collector Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation package.

  5. Use scp (secure copy) to place the files in the /tmp directory of the site collector host. (For help with this command, run man scp.)

    scp <source_host>:<directory>/<package_file> <site_collector>:<directory>/<package_file>
  6. Start a new terminal session using an account with administrator rights. Initiate a screen session. This is mandatory and will prevent accidental termination of your session.

    screen -LS [yourname]_[todaysdate]
  7. Go to the /tmp directory and unpack the installation package only.

    cd /tmp
    tar -xzf <install_filename>.tar.gz
  8. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  9. Make the files executable.

    chmod +x site-collector-installer.sh
  10. Run the following installation command:

    sudo ./site-collector-installer.sh -v --dl-on-prem --config=/tmp/sc-auth-package.tgz
  11. Once installation is complete, the prompt will return Site collector installer complete.

  12. To verify that the site collector source has been installed, log into Data Lake and navigate to Settings > Collector Management > Collectors to see the list of configured collectors.

    [Screenshot: site collector management UI]

    Note

    It is normal for the Site Collector Data Forwarder service to be shown as Stopped while another service is shown as Running. To confirm that ingestion is ongoing, check that one of these services shows a non-zero message count in the graph.

    You can also send a test message via syslog and confirm it arrived at the destination via Data Lake after several minutes:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.

Installing Site Collector for Exabeam Advanced Analytics On-premises Deployments

Follow these instructions for a fresh Exabeam Site Collector installation if your logs are to be sent to an Exabeam Advanced Analytics destination deployed on an appliance or virtual platform (excluding Exabeam SaaS). In this configuration, you will not be able to view the status or health of the site collector in the Advanced Analytics console.

  1. Ensure your environment has met all requirements before running a site collector installation.

  2. Download SaaS Site Collector installation files from the Exabeam Community.

  3. Place the files in the /tmp directory of the site collector host.

  4. Start a new terminal session using an account with administrator rights. Initiate a screen session. This is mandatory and will prevent accidental termination of your session.

    screen -LS [yourname]_[todaysdate]
  5. Go to the /tmp directory and unpack the downloaded file.

    cd /tmp
    tar -xzf <filename>.tar.gz
  6. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  7. Make the files executable.

    chmod +x site-collector-installer.sh
  8. Based on your expected load, execute one of the following installation commands:

    1. Installing site collector without EPS limit

      sudo ./site-collector-installer.sh -v --aa-on-prem --aa-listener=<listener_ip>:514
    2. Installing site collector with EPS limit

      sudo ./site-collector-installer.sh -v --aa-on-prem --aa-listener=<listener_ip>:514 --eps-limit=2048
  9. Once installation is complete, the prompt will return Site collector installer complete.

  10. Site collector operational checks must be run at the site collector host. You can send a test message via syslog and confirm it arrived at the destination, using:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If no logs arrive at the destination after a few minutes, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.

Upgrade Site Collector for Exabeam Data Lake On-premises Deployments

For Data Lake in Appliance or Virtual Deployments Only

The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam Data Lake deployed on Exabeam hardware or a virtual platform (excluding Exabeam SaaS).

  1. Ensure your environment has met all requirements before running a site collector upgrade.

  2. In Data Lake, navigate to Settings > Collector Management > Collectors.

  3. Click add collector to open the Collector Artifacts menu to get a list of Site collectors.

    [Screenshot: Data Lake Collector Artifacts menu]
  4. Download the Site Collector Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation package.

  5. Place the files in the /tmp directory of the site collector host.

  6. Start a terminal session to the site collector and initiate a screen session.

    screen -LS [yourname]_[todaysdate]
  7. Go to the /tmp directory and unpack the downloaded files.

    cd /tmp
    tar -xzf <filename>.tar.gz
  8. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  9. Make the files executable.

    chmod +x site-collector-installer.sh
  10. Run the following upgrade command:

    sudo ./site-collector-installer.sh -v --dl-on-prem --upgrade --config=/tmp/sc-auth-package.tgz
  11. To verify that the site collector source has been upgraded, log into Data Lake and navigate to Settings > Collector Management > Collectors to see the list of configured collectors.

    [Screenshot: site collector management UI]

    Note

    It is normal for the Site Collector Data Forwarder service to be shown as Stopped while another service is shown as Running. If ingestion is ongoing, one of these services shows a non-zero message count in the graph; that count is the indicator to verify against.

    You can also send a test message via syslog and confirm it arrived at the destination via Data Lake after several minutes:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.

Upgrade Site Collector for Exabeam Advanced Analytics On-premises Deployments

For Advanced Analytics in Appliance or Virtual Deployments, in Unmanaged Mode Only

The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam Advanced Analytics deployed on Exabeam hardware or a virtual platform (excluding Exabeam SaaS Cloud).

  1. Ensure your environment has met all requirements before running a site collector upgrade.

  2. Download SaaS Site Collector installation files from the Exabeam Community.

  3. Place the files in the /tmp directory of the site collector host.

  4. Start a terminal session to the site collector and initiate a screen session.

    screen -LS [yourname]_[todaysdate]
  5. Go to the /tmp directory and unpack the downloaded files.

    cd /tmp
    tar -xzf <filename>.tar.gz
  6. Go to the Exabeam_Site_Collector directory.

    cd Exabeam_Site_Collector
  7. Make the files executable.

    chmod +x site-collector-installer.sh
  8. Based on your expected load, execute one of the following upgrade commands:

    1. Upgrade site collector without EPS limit

      sudo ./site-collector-installer.sh -v --aa-on-prem --upgrade --aa-listener=<listener_ip>:514
    2. Upgrade site collector with EPS limit

      sudo ./site-collector-installer.sh -v --aa-on-prem --upgrade --aa-listener=<listener_ip>:514 --eps-limit=2048
  9. Site collector operational checks must be run at the site collector host. You can send a test message via syslog and confirm it arrived at the destination, using:

    echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514

    If the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
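The four procedures above share the same preparation (screen session, package in /tmp, installer script present, syslog ports 514/515 free, legacy 5514/5515 forwards removed) and the same syslog test message. The script below is an added example, not Exabeam's tooling; it assumes the package unpacks to Exabeam_Site_Collector/site-collector-installer.sh as the steps show, and skips the port and NAT checks when ss or iptables is unavailable.

```shell
#!/bin/sh
# Pre-flight checks for a site collector install or upgrade, plus the syslog
# test message from the verification step. Added example, not Exabeam tooling.
# Assumed: the package unpacks to Exabeam_Site_Collector/site-collector-installer.sh.

# The guide makes a screen session mandatory; screen exports STY inside one.
in_screen_session() {
    [ -n "${STY:-}" ]
}

# The package is readable and actually contains the installer script.
package_ok() {
    tar -tzf "$1" 2>/dev/null | grep -qx 'Exabeam_Site_Collector/site-collector-installer.sh'
}

# Nothing else is already listening on a port the collector needs (514/515).
# Skipped (passes) when ss is not installed.
port_free() {
    command -v ss >/dev/null 2>&1 || return 0
    ! ss -lntu 2>/dev/null | awk '{print $5}' | grep -q ":$1\$"
}

# Legacy port-forwarding rules for 5514/5515 must be gone before syslog traffic
# is switched over. Needs root to read the nat table; skipped otherwise.
legacy_forward_absent() {
    command -v iptables >/dev/null 2>&1 || return 0
    [ "$(id -u)" -eq 0 ] || return 0
    ! iptables -t nat -S 2>/dev/null | grep -Eq -- '--dport (5514|5515)( |$)'
}

# Run every check; report the first failure and return non-zero.
preflight() {
    pkg=$1
    in_screen_session     || { echo "not inside a screen session (run: screen -LS ...)"; return 1; }
    package_ok "$pkg"     || { echo "$pkg is unreadable or lacks site-collector-installer.sh"; return 1; }
    for p in 514 515; do
        port_free "$p"    || { echo "port $p is already in use on this host"; return 1; }
    done
    legacy_forward_absent || { echo "NAT rules for 5514/5515 are still present"; return 1; }
    echo "preflight OK"
}

# The guide's test message with the timestamp and host name filled in.
build_test_message() {
    printf 'test message %s from %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)"
}

# Send it to the local syslog listener, as the verification step does.
send_test_message() {
    build_test_message | nc -w 2 "${1:-localhost}" "${2:-514}"
}
```

Run `preflight /tmp/<filename>.tar.gz` before step 10/8, and `send_test_message` afterwards; the message still has to be looked up in Data Lake or at the Advanced Analytics listener after a few minutes, which nothing local can confirm.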

Migrate Legacy Site Collector to New Exabeam SaaS Site Collector

For site collectors in versions 1.0.0/1.0.3 and those before version 202004.1, the following instructions will guide you through redirecting feeds and agents in a step-wise manner to mitigate data loss. Have an operating site collector host before attempting a migration.

Warning

Exabeam recommends upgrading your site collector on a different host than the legacy site collector. This ensures there is no data loss in the transition. Otherwise, expect loss of data during the time between the shutdown of the legacy site collector and when the new site collector starts receiving data.

Exabeam recommends installing the new site collector on a host that is not running the existing site collector, using the following procedure:

  1. Deploy a new site collector onto the dedicated host (see Install the Exabeam Site Collector).

  2. If there is a syslog source, we highly recommend that you install a load balancer to work with the new site collector to ensure high availability.

  3. Switch syslog traffic to the new site collector or load balancer. Verify that messages pending in Kafka were successfully sent. Please ensure you have removed port forwarding rules for ports 5514 and 5515. Use ports 514 and 515 for Syslog ingestion.

  4. Turn off Logstash services on the old site.

  5. Direct feeds from agent collectors, if any, to the new site collector and restart them. Verify that messages pending in Kafka were successfully sent.

  6. Let the old site collector continue to run so all remaining messages process to completion. Verify that messages pending in Kafka were successfully sent. The lag queue in Kafka must be 0.

  7. Turn off the old site collector.

If you do not have an available host to install that is not currently running the existing site collector, you must first uninstall the legacy site collector and then install the new site collector.