Upgrade Exabeam Site Collector
Keep your site collectors up to date to take advantage of new features.
Follow the upgrade instructions that match your deployment environment:
Prerequisites
Before upgrading your site collector, ensure the prerequisites are met. Additional prerequisites may apply based on your deployment type.
If you are adding a syslog source in your deployment, install a load balancer with two site collectors behind it to mitigate any potential data loss.
If Security-Enhanced Linux (SELinux) is enabled, use permissive mode to perform administrative tasks (such as installing, upgrading, and configuring), and then revert the mode after completing the tasks.
The /tmp partition on the site collector host must be executable for root.
Ensure there is enough space for a site collector upgrade.
Check the Supported Upgrade Paths to ensure your upgrade path is supported.
Upgrade Site Collector from the Data Lake UI
The Data Lake application offers a convenient user interface for upgrading site collectors, starting with versions 2.3 and above.
Navigate to Settings > Collector Management > Collectors.
The Collector Management page opens.
Select the checkbox for the collector that you want to upgrade, and then click Upgrade.
Verify that the appropriate version is selected in the Upgrade Version drop-down list, and then click Initiate Upgrade.
To confirm your understanding that the selected site collectors need to be restarted and proceed with the upgrade, click Continue.
Important
Do not close the Upgrade Progress window until a green check mark displays in the Status field to indicate that the upgrade is complete.
After the upgrade is complete, click Done.
Note
Upgrading Site Collector may affect custom filters. Ensure that you back up the configuration files (opt/logstash/config or opt/logstash/conf.d/syslog2kafka.conf) before upgrading and reapply the configuration settings after the upgrade.
Upgrade Site Collector from the Command Line Based on Deployment Environment Type
For on-premises and legacy deployments, see Install and Upgrade Exabeam Site Collector for On-premises and Legacy Deployments.
Upgrade Site Collector for Exabeam Data Lake SOC Platform from the Command Line
The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SOC Platform Data Lake.
Ensure your environment has met all requirements before running a site collector upgrade.
In Data Lake, navigate to Settings > Collector Management > Collectors.
Click to open the Collector Artifacts menu to get a list of Site Collectors.
Download the Site Collector Auth Package and Site Collector Installation Package. These packages contain all required configurations and authentication data needed to access your SaaS tenant and installation package.
Place the files in the /tmp directory of the site collector host.
Start a terminal session to the site collector and initiate a screen session.
screen -LS [yourname]_[todaysdate]
Go to the /tmp directory and unpack the downloaded files.
cd /tmp
tar -xzf <filename>.tar.gz
Go to the Exabeam_Site_Collector directory.
cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, please execute one of the following upgrade commands:
Upgrade site collector behind the proxy with OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector behind the proxy without OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector without proxy but with OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
Upgrade site collector without proxy and without OpenVPN
sudo ./site-collector-installer.sh -v --dl-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
To verify that the site collector source has been upgraded, in Data Lake, navigate to Settings > Collector Management > Collectors to see the list of configured site collectors. The version should match the upgrade version.
Note
It is normal for the Site Collector Data Forwarder service to be shown as Stopped while another service is shown as Running. To verify that ingestion is ongoing, check that one of these services shows non-zero messages in the graph.
You can also send a test message via syslog and confirm that it arrived at the destination via Data Lake after several minutes:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If your site collector does not appear in the list and the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
Upgrade Site Collector for Exabeam SaaS Advanced Analytics-only Deployments
The following instructions are for an Exabeam Site Collector upgrade if your logs are sent to Exabeam's SaaS Advanced Analytics and where there is no Exabeam Data Lake deployed.
Ensure your environment has met all requirements before running a site collector upgrade.
Download SaaS Site Collector installation files from the Exabeam Community.
Download your authentication file package using the following URL template, based on your <instanceID>:
https://<instanceID>.aa.exabeam.com/api/setup/saas/authPackage
Place the files in the /tmp directory of the site collector host.
Start a terminal session to the site collector and initiate a screen session.
screen -LS [yourname]_[todaysdate]
Go to the /tmp directory and unpack the downloaded files.
cd /tmp
tar -xzf <filename>.tar.gz
Go to the Exabeam_Site_Collector directory.
cd Exabeam_Site_Collector
Make the files executable.
chmod +x site-collector-installer.sh
Based on your deployment environment, please execute one of the following upgrade commands:
Upgrade site collector behind the proxy with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector behind the proxy without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --proxy=<proxy_host_ip|proxy_hostname> --proxy-port=<proxy_port>
Upgrade site collector without proxy with OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz --openvpn
Upgrade site collector without proxy and without OpenVPN
sudo ./site-collector-installer.sh -v --aa-saas --upgrade --config=/tmp/<instanceID>-auth-package.tgz
You will not be able to view the status or health of the site collector in the Advanced Analytics console. The Status page is intended to show errors only and should not be used to verify throughput immediately after upgrading.
Site collector operational checks must be run at the site collector host. You can send a test message via syslog and confirm it arrived at the destination, using:
echo "test message [date_time] from [hostname|host_ip]" | nc localhost 514
If the test message did not reach its destination, review the known common scenarios in Troubleshoot for Exabeam Site Collector that can be resolved immediately.
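The two command-line upgrade procedures above (Data Lake and Advanced Analytics-only) share the same prerequisites and differ only in the installer flags. The following POSIX shell script is an added example, not Exabeam's own tooling: it checks the prerequisites the page lists (SELinux mode, executable /tmp, free space) and prints the matching site-collector-installer.sh command for review. The SC_* environment variables and the 2000000 KB free-space default are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Exabeam's own tooling: run the preflight checks the prerequisites call
# for, then print the site-collector-installer.sh upgrade command for the deployment shape.
# Assumed env vars for the driver: SC_MODE, SC_AUTH_PKG, SC_OPENVPN, SC_PROXY, SC_PROXY_PORT.

# True when the given mounts table (normally /proc/mounts) lists /tmp with the noexec option.
tmp_noexec() {
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
         END { exit !found }' "$1"
}

# Preflight: SELinux must not be Enforcing, /tmp must be executable and must have at least
# $1 KB free. Reports every failing check and returns non-zero if any check failed.
preflight_checks() {
    min_free_kb="$1"; rc=0
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        echo "SELinux is Enforcing; switch to permissive mode for the upgrade" >&2; rc=1
    fi
    if tmp_noexec /proc/mounts; then
        echo "/tmp is mounted noexec; the installer cannot run from there" >&2; rc=1
    fi
    free_kb=$(df -Pk /tmp | awk 'NR == 2 { print $4 }')
    if [ "${free_kb:-0}" -lt "$min_free_kb" ]; then
        echo "/tmp has ${free_kb:-0} KB free, need at least $min_free_kb KB" >&2; rc=1
    fi
    return "$rc"
}

# Print the upgrade command for mode dl-saas (Data Lake) or aa-saas (Advanced Analytics),
# adding --openvpn and --proxy/--proxy-port only when the deployment needs them.
build_upgrade_cmd() {
    mode="$1"; auth_pkg="$2"; openvpn="$3"; proxy="$4"; proxy_port="$5"
    case "$mode" in
        dl-saas|aa-saas) ;;
        *) echo "unsupported mode: $mode (use dl-saas or aa-saas)" >&2; return 1 ;;
    esac
    cmd="sudo ./site-collector-installer.sh -v --$mode --upgrade --config=$auth_pkg"
    if [ "$openvpn" = "yes" ]; then cmd="$cmd --openvpn"; fi
    if [ -n "$proxy" ]; then
        if [ -z "$proxy_port" ]; then echo "proxy set but no proxy port given" >&2; return 1; fi
        cmd="$cmd --proxy=$proxy --proxy-port=$proxy_port"
    fi
    echo "$cmd"
}
# Driver: only runs when SC_RUN=yes, so the file can be sourced to test the functions first.
if [ "${SC_RUN:-no}" = "yes" ]; then
    preflight_checks "${SC_MIN_FREE_KB:-2000000}" || exit 1
    build_upgrade_cmd "$SC_MODE" "$SC_AUTH_PKG" "${SC_OPENVPN:-no}" "${SC_PROXY:-}" "${SC_PROXY_PORT:-}"
fi
```

Run it from the Exabeam_Site_Collector directory as SC_RUN=yes SC_MODE=dl-saas SC_AUTH_PKG=/tmp/<instanceID>-auth-package.tgz sh upgrade-check.sh (with SC_PROXY, SC_PROXY_PORT and SC_OPENVPN=yes as needed) and review the printed command before executing it.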