Migrate to the New Scale Site Collectors Service
Site Collectors on the Exabeam Security Operations Platform offer several advantages over the legacy Site Collectors for the Exabeam Security Management Platform. These advantages include:
Simplified onboarding to quickly set up multiple collectors
UI-based management of Site Collectors to aid in monitoring and troubleshooting
Enhanced handling of log formats (plain text or XML), as required for WELC
Extended log collection support such as for on-premises Oracle database servers and Windows Event Collector (WEC)
Multi-site deployment support for site-specific time zones and site names
Standardized metadata fields to allow easy identification of log sources
Operating system version support for RedHat 7, 8, and 9, and for Ubuntu 18.04, 20.04, 22.04, and 23.04 (CentOS 7 and CentOS 8 are now end-of-life)
To take advantage of these features and integration with the Exabeam Security Operations Platform, it is recommended that you migrate any legacy Site Collectors.
To complete the migration, follow these steps:
Set up a New VM for the New Scale Site Collector Core
Set up a dedicated VM for the new Site Collector. Do not run the legacy Site Collector and the new one on the same VM.
Review the VM prerequisites and then Set up a Virtual Machine on your Cloud Platform.
The easiest method of deployment is to use the OVA. However, if you need custom installation options, you can use the OS-specific workflows.
Set up the desired collectors, including any of the following types:
Verify that the collectors are operational. The Overview page will display the ingestion status.
Proceed to Decommission the Legacy Site Collector.
Decommission the Legacy Site Collector
After verifying any new collectors are receiving logs, decommission the legacy Site Collector.
Stop the service from sending logs to Site Collector.
Stop ingestion for each agent collector (for example Winlogbeat, Filebeat, GZBeat) using one of the following workflows. In most cases, you can stop the collector from the Collector Management page in Data Lake. If you don't have access to that page, you can instead stop ingestion on the machine that hosts the collector.
From the DL Collector Management page:
Select the checkbox for the agent collector for which you want to stop the ingestion.
Click on the Action button in the upper right corner.
Select the Stop option.
Verify the collector status.
If a collector fails to stop for any reason, you can retry stopping it.
Wait until the collectors stop successfully.
Linux-based collectors:
If you don't have access to the Collector Management page, use the CLI to halt ingestion. To use the CLI, you must have access to the machines where Site Collector agents are installed.
Log in to the machine hosting the agent collector.
Stop the agent collector using the systemctl command. Then stop the collector using the sc-stop script (located at /opt/exabeam/tools/sc-services-stop.sh).
Windows-based collectors:
Stop the running Exabeam collectors from the UI.
Uninstall the agent collector:
To complete the uninstall process, you must have access to the machine that hosts the collector.
Linux-based collectors:
Log in to the machine hosting the collector.
Search for the Exabeam_Collector_Manager folder. Inside Exabeam_Collector_Manager, use the uninstall-exabeam-collector.sh script to uninstall the collectors. From the Collector Management page, verify that the collector is no longer shown. Alternatively, verify with the systemctl command.
Windows-based collectors:
Log in to the machine hosting the collector.
Uninstall the running Exabeam collectors from the Windows apps.
Remove all Exabeam registry entries.
From the Collector Management page, verify that the collector is no longer shown.
For each collector, verify that the log messages in the queue finish processing.
As an example, if you use Google Cloud Storage (default), use the following commands to view the number of events pending upload to Google Cloud Storage:
For additional operating system examples, see Inspect Logs in Other Scenarios.
When there are no pending events, Uninstall Exabeam Site Collector and remove it from the Collector Management page.
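The Linux-based stop and uninstall steps above, scripted as an added example. This is not Exabeam's own tooling: the paths it uses (/opt/exabeam/tools/sc-services-stop.sh, the Exabeam_Collector_Manager folder and the uninstall-exabeam-collector.sh script inside it) are the ones named on this page, while the systemd unit names of the agent collectors and the directory under which to search for the Exabeam_Collector_Manager folder are assumptions the caller supplies. Each step is checked before the next one runs, so a unit that did not actually stop or a script that is missing halts the decommission instead of leaving a half-removed collector behind.

```shell
#!/bin/sh
# Added example (not Exabeam's own tooling): stop and uninstall the legacy
# Linux Site Collector agents on one host, checking each step before moving on.
# Paths from the page: /opt/exabeam/tools/sc-services-stop.sh, the
# Exabeam_Collector_Manager folder and uninstall-exabeam-collector.sh inside it.
# Assumptions: the systemd unit names of the agents (passed in by the caller;
# "exabeam-agent-example" below is a placeholder) and the search root for the
# Exabeam_Collector_Manager folder.
set -eu

# Return 0 if the file exists and is executable; explain on stderr otherwise.
require_script() {
    if [ ! -x "$1" ]; then
        echo "missing or not executable: $1" >&2
        return 1
    fi
}

# Return 0 when the unit is not active (systemctl is-active exits non-zero
# for inactive or unknown units).
unit_is_stopped() {
    ! systemctl is-active --quiet "$1"
}

# Stop one unit and refuse to continue if it is still running afterwards.
stop_unit() {
    systemctl stop "$1"
    if ! unit_is_stopped "$1"; then
        echo "unit still active after stop: $1" >&2
        return 1
    fi
    echo "stopped: $1"
}

# Run the Site Collector stop script from the tools directory
# (default /opt/exabeam/tools, as on the page).
run_stop_script() {
    script="${1:-/opt/exabeam/tools}/sc-services-stop.sh"
    require_script "$script" || return 1
    "$script"
}

# Locate the Exabeam_Collector_Manager folder under a search root; print the first match.
find_manager_dir() {
    find "${1:-/}" -type d -name Exabeam_Collector_Manager 2>/dev/null | head -n 1
}

# Full host decommission: stop agents, stop collector services, uninstall, re-verify.
# $1 space-separated unit names, $2 tools directory, $3 search root.
decommission_host() {
    units="$1"; tools_dir="$2"; search_root="$3"
    for unit in $units; do
        stop_unit "$unit"
    done
    run_stop_script "$tools_dir"
    manager_dir="$(find_manager_dir "$search_root")"
    if [ -z "$manager_dir" ]; then
        echo "Exabeam_Collector_Manager folder not found under $search_root" >&2
        return 1
    fi
    uninstall="$manager_dir/uninstall-exabeam-collector.sh"
    require_script "$uninstall" || return 1
    "$uninstall"
    # Final check: every unit must now be stopped or gone.
    for unit in $units; do
        unit_is_stopped "$unit" || return 1
    done
    echo "decommissioned: $manager_dir"
}

# Real run (requires root and the real unit names); only executes when
# RUN_DECOMMISSION=1 so the functions can be sourced and dry-checked first.
if [ "${RUN_DECOMMISSION:-0}" = "1" ]; then
    decommission_host "${COLLECTOR_UNITS:-exabeam-agent-example}" /opt/exabeam/tools /
fi
```

Run it as root with RUN_DECOMMISSION=1 and COLLECTOR_UNITS set to the actual unit names of the agents on that host; without those variables the file only defines the functions, which is what lets you source it and test each step (for example find_manager_dir against a narrower root than /) before removing anything.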