Migrate to the New-Scale Site Collectors Service
Site Collectors on the Exabeam Security Operations Platform offer several advantages over the legacy Site Collectors for the Exabeam Security Management Platform. These advantages include:
Simplified onboarding to quickly set up multiple collectors
UI-based management of Site Collectors to aid in monitoring and troubleshooting
Enhanced handling of log formats (plain text or XML), such as that required for WELC
Extended log collection support such as for on-premises Oracle database servers and Windows Event Collector (WEC)
Multi-site deployment support for site-specific time zones and site names
Standardized metadata fields to allow easy identification of log sources
Operating system version support for RedHat 7, 8, and 9 and for Ubuntu 18.04, 20.04, 22.04, and 23.04 (CentOS 7 and CentOS 8 are now end-of-life)
To take advantage of these features and integration with the Exabeam Security Operations Platform, it is recommended that you migrate any legacy Site Collectors.
To complete the migration, follow these steps:
Engage with Exabeam Support
Before you begin your migration, it is recommended to engage with our Support team.
Open a new support case with Exabeam support expressing your intent to migrate to the New-Scale Site Collectors.
Generate a support package. Support will use this to determine any ingress/egress filters and custom configurations.
On the server hosting your Site Collector, run the command for your version.
The script will generate a zip file containing diagnostics related to your Site Collector.
Attach the package to your support case.
Proceed to Set up a New VM for the New-Scale Site Collectors.
Set up a New VM for the New-Scale Site Collectors
With this workflow, Exabeam handles the majority of the migration steps on your behalf, including setting up the Site Collector core and migrating the following collector agents:
Syslog Collector
Windows Active Directory Collector
Windows Event Log Collector
Windows File Collector
To get started with the New-Scale Site Collectors:
Determine the number of New-Scale Site Collectors to deploy from the total EPS they must process. Both sizing figures assume a 2.5 KB average message size; if your messages are larger on average, plan for lower EPS per collector:
Common spec (4 CPU, 16 GB memory): 10k EPS at a 2.5 KB average message size
Enterprise spec (16 CPU, 32 GB memory): 30k EPS at a 2.5 KB average message size
Review the prerequisites and set up the VM that you will use to host each New-Scale Site Collector.
Caution
Set up a dedicated VM for each new Site Collector. Do not host a legacy Site Collector and a New-Scale Site Collector on the same VM.
Run the prechecks in the VM to ensure your system is ready for deployment.
Make sure you address any issues identified during the precheck verification process.
Provide the following information for Exabeam Support:
IP address and hostname for each Site Collector
Precheck output for each VM instance
Number of Site Collectors needed, by type. For example:
Agent collectors (Windows Event Log Collector, Windows File Collector)
Server collectors (Syslog Collector)
Contextual collectors (Windows Active Directory Collector)
To install any additional site collector agents that are not automatically migrated (as described above), refer to the list of supported collectors.
Verify that the collectors are operational. The Overview page will display the ingestion status.
Exabeam allows a two-week validation period after migrating your collectors. During this time, you can review and address any issues related to the migrated collectors.
Note
If you encounter any challenges during the validation period or require additional time for validation and fixes, please reach out to your Exabeam representative.
After you have verified that all collectors are operational, please let your Exabeam technical contact (technical account manager or sales engineer) know you have finished and are ready to decommission your legacy Site Collector.
Proceed to Decommission the Legacy Site Collector.
Decommission the Legacy Site Collector
After verifying any new collectors are receiving logs, decommission the legacy Site Collector.
Stop ingestion for each agent collector (for example Winlogbeat, Filebeat, GZBeat) using one of the following workflows. In most cases, you can stop the collector from the Collector Management page in Data Lake. If you don't have access to that page, you can instead stop ingestion on the machine that hosts the collector.
From the DL Collector Management page:
Select the checkbox for the agent collector for which you want to stop the ingestion.
Click on the Action button in the upper right corner.
Select the Stop option.
Verify the collector status.
If a collector fails to stop for any reason, you can retry stopping it.
Wait until the collectors stop successfully.
Linux-based collectors:
If you don't have access to the Collector Management page, use the CLI to halt ingestion. To use the CLI, you must have access to the machines where the Site Collector agents are installed.
Log in to the machine hosting the agent collector.
Stop the agent collector using the systemctl command. Then stop the collector using the sc-stop script (located at /opt/exabeam/tools/sc-services-stop.sh).
Windows-based collectors:
Stop the running Exabeam agent collector services from the Windows UI.
Uninstall the agent collector:
To complete the uninstall process, you must have access to the machine that hosts the collector.
Linux-based collectors:
Log in to the machine hosting the collector.
Locate the Exabeam_Collector_Manager folder.
Inside Exabeam_Collector_Manager, run the uninstall-exabeam-collector.sh script to uninstall the collectors.
From the Collector Management page, verify that the collector is no longer shown. Alternatively, confirm with the systemctl command that the collector's service is no longer present on the host.
Windows-based collectors:
Log in to the machine hosting the collector.
Uninstall the running Exabeam collectors from the Windows apps.
Remove all Exabeam registry entries.
From the Collector Management page, verify that the collector is no longer shown.
For each collector, verify that the log messages in the queue have finished processing.
As an example, if you use Google Cloud Storage (default), use the following commands to view the number of events pending upload to Google Cloud Storage:
For additional operating system examples, see Inspect Logs in Other Scenarios.
When there are no pending events, Uninstall Exabeam Site Collector and remove it from the Collector Management page.
When you have completed all actions, let your Exabeam technical contact (technical account manager or sales engineer) know you have finished and are ready to decommission your Data Lake instance.
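The Linux-side decommission steps above (stop the agent units, run the stop script, uninstall from Exabeam_Collector_Manager, then confirm the upload queue is empty before uninstalling the Site Collector) can be scripted so that each step is verified before the next one runs, which avoids uninstalling a collector that still has events queued. The following is an added example written for this page, not an Exabeam-supplied script. It assumes the systemd unit names in LEGACY_UNITS, that Exabeam_Collector_Manager lives under /opt/exabeam, and that you supply in PENDING_CMD the command from your own deployment that prints the number of events pending upload (this page does not show that command). Only the /opt/exabeam/tools/sc-services-stop.sh path and the uninstall-exabeam-collector.sh script name come from the page.

```shell
#!/usr/bin/env bash
# Added example for this page, not an Exabeam-supplied script.
# Runs the Linux decommission steps in order and stops at the first failure:
#   1. stop the legacy agent units and wait until systemd reports them stopped
#   2. run the Exabeam stop script named on this page
#   3. run uninstall-exabeam-collector.sh from Exabeam_Collector_Manager
#   4. poll the pending-upload count until it reaches 0
# ASSUMPTIONS: the unit names in LEGACY_UNITS, the Exabeam_Collector_Manager
# location under /opt/exabeam, and PENDING_CMD (your own pending-count command).
set -u

SYSTEMCTL="${SYSTEMCTL:-systemctl}"                        # overridable for dry runs
LEGACY_UNITS="${LEGACY_UNITS:-winlogbeat filebeat gzbeat}"  # assumed unit names
SC_STOP="/opt/exabeam/tools/sc-services-stop.sh"           # path given on this page

# Stop each unit, then return 0 only once none of them is active/activating
# within TIMEOUT seconds; return 1 (listing the stragglers) on timeout.
stop_units_and_wait() {
  local timeout="$1"; shift
  local unit deadline state pending
  for unit in "$@"; do
    "$SYSTEMCTL" stop "$unit" || echo "warn: stop $unit failed; check journalctl -u $unit" >&2
  done
  deadline=$(( $(date +%s) + timeout ))
  while :; do
    pending=""
    for unit in "$@"; do
      # is-active prints the state and exits non-zero when the unit is not active
      state="$("$SYSTEMCTL" is-active "$unit" 2>/dev/null || true)"
      case "$state" in
        active|activating|deactivating|reloading) pending="$pending $unit" ;;
      esac
    done
    [ -z "$pending" ] && return 0
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timeout: still running:$pending" >&2
      return 1
    fi
    sleep 2
  done
}

# Locate Exabeam_Collector_Manager under ROOT (default /opt/exabeam, an
# assumption) and run its uninstall script; fail loudly if either is missing.
uninstall_collectors() {
  local root="${1:-/opt/exabeam}" dir script
  dir="$(find "$root" -maxdepth 3 -type d -name Exabeam_Collector_Manager 2>/dev/null | head -n 1)"
  if [ -z "$dir" ]; then
    echo "Exabeam_Collector_Manager not found under $root" >&2
    return 1
  fi
  script="$dir/uninstall-exabeam-collector.sh"
  if [ ! -x "$script" ]; then
    echo "$script missing or not executable" >&2
    return 1
  fi
  "$script"
}

# Run the remaining arguments as the command that prints the pending-upload
# count and poll until it prints 0. Returns 1 on timeout and 2 if the command
# does not print a non-negative integer, so a broken command is never mistaken
# for an empty queue.
wait_for_empty_queue() {
  local timeout="$1"; shift
  local deadline n
  deadline=$(( $(date +%s) + timeout ))
  while :; do
    n="$("$@" 2>/dev/null || true)"
    case "$n" in
      ''|*[!0-9]*) echo "pending-count command printed '$n', not a count" >&2; return 2 ;;
    esac
    [ "$n" -eq 0 ] && return 0
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timeout: $n events still pending" >&2
      return 1
    fi
    sleep 5
  done
}

main() {
  # shellcheck disable=SC2086  # LEGACY_UNITS is deliberately word-split
  stop_units_and_wait 60 $LEGACY_UNITS || return 1
  if [ -x "$SC_STOP" ]; then "$SC_STOP" || return 1; fi
  uninstall_collectors || return 1
  # PENDING_CMD: your deployment's pending-upload count command (not shown on this page)
  wait_for_empty_queue 600 sh -c "${PENDING_CMD:?set PENDING_CMD first}" || return 1
  echo "queue empty: safe to uninstall the Site Collector and remove it from Collector Management"
}

# Run only when explicitly requested, so the functions can be sourced or dry-run safely.
if [ "${RUN_DECOMMISSION:-0}" = 1 ]; then main; fi
```

Run it as RUN_DECOMMISSION=1 PENDING_CMD='...' ./decommission.sh on the host, substituting your pending-count command. Because every step returns non-zero on failure and main stops at the first one, a unit that will not stop or a queue that never drains leaves the collector in place for you to inspect rather than silently uninstalling it.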