Install Exabeam Site Collector
The Exabeam Site Collector enables you to upload log data from your data centers or virtual private clouds (VPCs) to Exabeam. Site collectors are designed to support most data centers with a single site collector, along with on-premises deployments. Site collectors also scale such that you can install more site collectors as your log volume grows.
If you are installing a site collector with Exabeam Advanced Analytics in your deployment, you will not be able to view the health of the site collector, because it does not appear in, and is not monitored by, the Advanced Analytics user interface. The host will be running in unmanaged mode. Implement a custom monitoring solution to track the health of the node.
Prerequisites
Here are the prerequisites common to all environments before installing a site collector. Additional prerequisites may apply based on your deployment type.
- If there is a syslog source in your deployment, install a load balancer with two site collectors behind it to mitigate any potential data loss.
- Ensure you have SSH login access to the site collector host.
- If Security Enhanced (SE) Linux is enabled, use permissive mode to perform administrative tasks (such as installing, upgrading, and configuring) and then revert to enforcing mode after completing the tasks. (Run the getenforce command to confirm the status.)
- The site collector hostname A Record must be resolvable using a domain name service (DNS). (Run ping [hostname] to confirm.)
- If UDP is being used, the source IP must still be routable from the site collector.
- Determine which network zones will need to allow site collector traffic and the IP addresses and protocols that can be supported.
- The /tmp partition on the site collector host is executable for root.
- Ensure there is enough space and resources for the site collector installation.
Services:
- Network proxies are not supported where an on-premises endpoint is the log destination.
- Proxies with authentication are not supported.
- SSL authentication or interception is not supported.
- The NTP client must be active and synchronized. (To confirm the NTP status, run the timedatectl command.)
- One site collector must have OpenVPN if your ingestion is to support LDAP polling, database logs, eStreamer logs, and fetching by Advanced Analytics or Incident Responder accessing local endpoints.
Data collecting:
- Use syslog, or secure syslog, over TCP where possible.
- If you must use UDP for data transfer, still ensure the source host IP address is routable from the site collector.
- If syslog is not possible, determine the appropriate client, such as an Exabeam Log Collector, to support the collection method. See the Exabeam Data Lake Collector Guide for more options.
Firewall:
- Allow traffic between source and destination ports that match your deployment.
- Allow Internet access at the site collector host.
- Ensure the firewalld service is running on the site collector host. (To confirm active (running) status, run the systemctl status firewalld command.)
- Build firewall rules using FQDNs or domain wildcards.
Important
Do not use IP addresses for access to the Exabeam SaaS Environment. They are dynamic and can change based upon location and scaling of the service.
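The host-level prerequisites above (SELinux mode, hostname resolution, an executable /tmp, NTP synchronization, firewalld running) can be checked in one pass before the installer is run. The script below is an added example, not Exabeam's installer code or anything shipped with the site collector. It assumes a POSIX shell host with getenforce, getent, findmnt, timedatectl and systemctl available, and that a noexec mount option is what would make /tmp non-executable. Each check_* function takes the command output as a string, so the logic can be exercised with constructed input; run_all feeds the live output when invoked with --run.

```shell
#!/bin/sh
# Added example (not Exabeam code): pre-flight checks for the site collector
# prerequisites. check_* functions take command output as a string so they
# can be tested offline; run_all gathers live output on the host.

# SELinux must be permissive (or disabled) during install/upgrade/configure.
# An empty string (getenforce absent) is treated as "SELinux not enabled".
check_selinux() {            # $1 = output of `getenforce`
  case "$1" in
    Permissive|Disabled|"") return 0 ;;
    *) return 1 ;;
  esac
}

# The host's A record must resolve: getent prints nothing when it does not.
check_dns() {                # $1 = output of `getent hosts <hostname>`
  [ -n "$1" ]
}

# /tmp must be executable for root: fail when it is mounted noexec.
check_tmp_exec() {           # $1 = output of `findmnt -no OPTIONS /tmp`
  case ",$1," in
    *,noexec,*) return 1 ;;
    *) return 0 ;;
  esac
}

# NTP must be active and synchronized; accepts the newer "System clock
# synchronized" and the older "NTP synchronized" wording of timedatectl.
check_ntp() {                # $1 = full output of `timedatectl`
  printf '%s\n' "$1" | grep -Eq '^ *(System clock|NTP) synchronized: yes$'
}

# firewalld must be running on the site collector host.
check_firewalld() {          # $1 = output of `systemctl is-active firewalld`
  [ "$1" = "active" ]
}

# Print PASS/FAIL for one check and propagate its status.
report() {                   # $1 = label, $2 = check function, $3 = input
  if "$2" "$3"; then
    echo "PASS  $1"
  else
    echo "FAIL  $1"
    return 1
  fi
}

# Run every check against live command output. Returns non-zero if any
# prerequisite is not met, so it can gate the installer in automation.
run_all() {
  rc=0
  report "SELinux permissive or disabled" check_selinux   "$(getenforce 2>/dev/null)" || rc=1
  report "hostname A record resolves"    check_dns       "$(getent hosts "$(hostname)" 2>/dev/null)" || rc=1
  report "/tmp not mounted noexec"        check_tmp_exec  "$(findmnt -no OPTIONS /tmp 2>/dev/null)" || rc=1
  report "NTP synchronized"               check_ntp       "$(timedatectl 2>/dev/null)" || rc=1
  report "firewalld active"               check_firewalld "$(systemctl is-active firewalld 2>/dev/null)" || rc=1
  return $rc
}

# Usage on the site collector host: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  run_all
fi
```

A failed SELinux check is expected on a host still in enforcing mode; switch to permissive for the installation and revert afterwards, as the prerequisites describe. The NTP check inspects the full timedatectl output rather than a single field so it works across the wording changes between systemd releases.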
Install Site Collector Based on Deployment Environment Type
Follow the installation instructions that match your deployment environment:
- Install a SaaS site collector with Data Lake in the environment
- Install a SaaS site collector for Advanced Analytics-only deployments (site collector in an unmanaged node)
For on-premises deployments, see Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments.
Install Site Collector for Exabeam Data Lake SOC Platform
The following instructions are for a fresh Exabeam Site Collector installation so logs are sent to Data Lake on the Exabeam Security Operations Platform.
Complete the prerequisites to install Site Collector for Exabeam Data Lake SOC platform.
In Data Lake, navigate to Settings > SAAS Management > SaaS Site Collectors.
Download the SaaS Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation package.
Use scp (secure copy) to place the files in the /tmp directory of the site collector host. (For help with this command, run man scp.)
scp <source_host>:<directory>/<package_file> <site_collector>:<directory>/<package_file>
Start a new terminal session using an account with Administrator rights. Initiate a screen session. This is mandatory and will prevent accidental termination of your session.
screen -LS [yourname]_[todaysdate]
Go to the /tmp directory and unpack the installation package only.
cd /tmp
tar -xzf <install_filename>.tar.gz
Go to the Exabeam_Site_Collector directory.
cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, execute one of the following installation commands:
Install Site Collector with OpenVPN (default)
sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --openvpn
Install Site Collector without OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz
Install Site Collector with OpenVPN (when deployed behind a proxy)
sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --openvpn --openvpn-port=<port> --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Important
The port value must be either 1194 or 443.
Install Site Collector without OpenVPN (when deployed behind a proxy)
sudo ./site-collector-installer.sh -v --dl-saas --config=/tmp/saas-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Once installation is complete, the prompt returns Site collector installer complete.
To verify that the site collector source has been installed, log into Data Lake and navigate to Settings > Collector Management > Collectors to see the list of configured collectors.
Note
It is normal to find the Site Collector Data Forwarder service shown as Stopped while another service is shown as Running. To verify whether there is ongoing ingestion, one of these services will show non-zero messages in the graph.
You can also send a test message via syslog and confirm it arrived at the destination via Data Lake after several minutes:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
Prerequisites to Install Site Collector for Exabeam Data Lake SOC Platform
Ensure that your environment meets the needs listed in Install Exabeam Site Collector . In addition, if you use a proxy between the site collector and the Data Lake, you must also observe the following prerequisites:
Ensure that the proxy does not require site collector traffic to be authenticated
Configure both HTTPS and OpenVPN routes for:
On-premises to Cloud for data flow
Cloud to on-premises via OpenVPN for data such as LDAP polling
Note
Use OpenVPN for:
Passing LDAP poll data
Using eStreamer in your deployment
Fetching any on-premises SIEM / sources by Advanced Analytics
Connecting to on-premises endpoints by Incident Responder Actions
Limitation:
Only one OpenVPN connection can be active at a time. Install OpenVPN on more than one site collector for active/standby option. Disable the active OpenVPN service after installation.
Use commands:
sudo systemctl stop openvpn@<instanceID>
sudo systemctl disable openvpn@<instanceID>
Install Site Collector for Exabeam SaaS Advanced Analytics-only Deployment
The following instructions are for a fresh Exabeam Site Collector installation so your logs are sent to Exabeam's SaaS Advanced Analytics and where there is no Exabeam Data Lake deployed. The ingestion status for this configuration can be found on the Status Page in the Exabeam SaaS Cloud.
Prerequisites
Ensure your environment has met all requirements before running a site collector installation. Please review prerequisites listed in Install Exabeam Site Collector in addition to the following:
If you have a proxy:
Ensure that the proxy does not require site collector traffic to be authenticated
Configure both HTTPS and OpenVPN routes for:
On-premises to the Exabeam SaaS Cloud for data flow
Exabeam SaaS Cloud to on-premises via OpenVPN for data such as LDAP polling
Note
OpenVPN must be used for:
1. Passing LDAP poll data
2. Using a DBlog collector in your deployment
3. Using eStreamer in your deployment
4. Fetching any on-premises SIEM / sources by Advanced Analytics
5. Connecting to on-premises endpoints by Incident Responder Actions
Limitation:
Only one OpenVPN connection can be active at a time. Install OpenVPN on more than one site collector for an active/standby option, and manually disable the active service after installation.
Use commands:
sudo systemctl stop openvpn@<instanceID>
sudo systemctl disable openvpn@<instanceID>
Download SaaS Site Collector installation files from the Exabeam Community.
Download your authentication package file using the following URL template based on your <instanceID>.
https://<instanceID>.aa.exabeam.com/api/setup/saas/authPackage
Place the files in the /tmp directory of the site collector host.
Start a new terminal session using an account with administrator rights. Initiate a screen session. This is mandatory and prevents accidental termination of your session.
screen -LS [yourname]_[todaysdate]
Go to the /tmp directory and unpack the installation file only.
cd /tmp
tar -xzf <filename>.tar.gz
Go to the Exabeam_Site_Collector directory.
cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, execute one of the following installation commands:
Installing site collector with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --openvpn
Installing site collector without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz
Installing site collector behind the proxy with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Installing site collector behind the proxy without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --config=/tmp/saas-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Once installation is complete, the prompt will return Site collector installer complete.
Verification checks must be made via the SaaS Status Page. The Status Page is intended to show errors only and should not be used to verify throughput immediately after installation.
You can send a test message via syslog and confirm it arrived at the log destination after several minutes:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If no logs arrive at the destination after a few minutes or you cannot see a status for the site collector, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.