Manage Templates
Template Manager speeds up log onboarding. A template defines which logs a collector gathers from a set of log sources and applications, and which unrelated sources it filters out. Windows Event Log Collector templates are managed in Template Manager as standalone entities, separately from the collector instances they are applied to.
Template Manager enables you to:
Manage log collection templates
Assign a template to one collector or to multiple collectors
Review template modification activities
View statistics on template management activities
To create a Windows template:
Log in to the Exabeam Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Click Template Manager.
To define a log collection policy (template) for your Windows log sources, click New Template.
On the New Windows Template page, enter the following information.
Template Name – Specify a name for the new Windows template.
Windows Log Category – For each Windows log you want to filter on, enable the log field and select one of the options All, Range, or Exclude.
All – Click All to collect every event from the specified Windows Log name irrespective of its value. The collector collects all events for the specified Windows Log name and for all DNS servers.
Range – Click Range and specify a range in the box that appears next. The collector collects only the security events from the specified Windows Log name that fall within the defined range.
Exclude – Click Exclude and, in the box that appears next, specify the values of the events to be rejected during log collection. The collector collects all security events from the specified Windows Log name except the events listed here. Excluded events are never forwarded to the platform, so confirm that no detection content depends on them before excluding them.
New Windows Log Condition – Click to add a new condition.
You can add custom Windows log names or conditions that exist in your environment. To list the log names available on a host, use the Get-WinEvent -ListLog * PowerShell command described in the Microsoft documentation.
Click Create.
The template that you created is listed in the Template Manager section. Proceed to install a Windows Event Log Collector instance that uses the template, or apply the template to existing Windows Event Log Collector instances.
After you create a template, you can edit it and apply it to a Windows collector instance. Applying a template replaces the template previously assigned to that Windows collector instance.
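The log-name lookup and the Range and Exclude conditions described above can be checked on a Windows host before the template is assigned to collectors. The following PowerShell script is an added example, not code from the Exabeam documentation or product. The $policy hashtable is a constructed sample that mirrors the template fields, and the event IDs in it are assumptions chosen for illustration. The script first lists the enabled, populated logs on the host (the command the Microsoft documentation refers to), then previews which events a Range or Exclude condition would leave for the Security log.

```powershell
# Added example (not Exabeam's code): preview a Windows template's log conditions
# on a host before assigning the template to collectors.
# Assumes Windows PowerShell 5.1 or later and rights to read the Security log.

# 1. List the enabled logs on this host that actually hold records, so the
#    Windows Log name entered in the template matches a real, populated log.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Sort-Object -Property RecordCount -Descending |
    Select-Object -First 10 -Property LogName, RecordCount, LogMode |
    Format-Table -AutoSize

# 2. Constructed sample policy mirroring the template fields: a Windows Log
#    name, one mode (All, Range or Exclude) and the value for that mode.
#    The event IDs below are illustrative assumptions, not values from the page.
$policy = @{
    LogName = 'Security'
    Mode    = 'Exclude'
    Range   = @(4624, 4700)          # inclusive event ID bounds, used when Mode is 'Range'
    Exclude = @(4662, 5156, 5158)    # event IDs dropped at collection, used when Mode is 'Exclude'
}

function Get-PolicyPreview {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [int] $MaxEvents = 5000
    )

    # Fail early on a bad log name: a typo in the template yields no events on
    # every collector it is applied to, with nothing to show why.
    $log = Get-WinEvent -ListLog $Policy.LogName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        throw "Log '$($Policy.LogName)' exists but is disabled on this host."
    }

    switch ($Policy.Mode) {
        'All' {
            $events = Get-WinEvent -LogName $Policy.LogName -MaxEvents $MaxEvents `
                -ErrorAction SilentlyContinue
        }
        'Range' {
            # An XPath range avoids the cap on how many IDs a FilterHashtable Id
            # list may contain.
            $lo, $hi = $Policy.Range
            $xpath = "*[System[(EventID >= $lo) and (EventID <= $hi)]]"
            $events = Get-WinEvent -LogName $Policy.LogName -FilterXPath $xpath `
                -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        }
        'Exclude' {
            # Exclusion is applied client-side here; the collector drops these
            # IDs before forwarding, so they never reach the platform.
            $events = Get-WinEvent -LogName $Policy.LogName -MaxEvents $MaxEvents `
                -ErrorAction SilentlyContinue |
                Where-Object { $Policy.Exclude -notcontains $_.Id }
        }
        default { throw "Unknown mode '$($Policy.Mode)'; use All, Range or Exclude." }
    }

    # Per-ID counts show what the collector would actually ship under this policy.
    $events | Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'EventId';  Expression = { [int]$_.Name } },
                      @{ Name = 'Count';    Expression = { $_.Count } },
                      @{ Name = 'Provider'; Expression = { $_.Group[0].ProviderName } }
}

Get-PolicyPreview -Policy $policy | Format-Table -AutoSize
```

Run the script in an elevated session on a representative host and compare the per-ID counts with what the assigned collectors later report; a large gap usually points at a log name that differs between hosts or at an exclusion list that removes more than intended. The Range mode uses an XPath expression rather than a FilterHashtable Id list because Get-WinEvent limits how many individual IDs that list may contain.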
Update a Template
Using Template Manager, you can edit settings for a template that is applied to multiple agent collectors.
To update a template assigned to multiple agent collectors, use the following steps.
In Template Manager, select the template that you want to update.
Click Edit.
Depending on the template type, you can update the include and exclude regex patterns or the log conditions.
Click Update.
The changes are applied to every agent collector that the template is assigned to.
Note
Before editing a template that is applied to multiple agent collectors, ensure that fewer than 30 agent collectors use it. Updating a template applied to 20 agent collectors through Template Manager takes approximately 5 minutes.
Delete Multiple Templates
Template Manager lets you delete, in a single operation, multiple templates that are not assigned to any collector instance.
To delete multiple templates at once, use the following steps.
In Template Manager, select the template type whose templates you want to delete. The template types are Windows, Windows File, Linux File, Archive Windows, and Archive Linux.
In the list of templates of the selected type, select the templates that you want to delete. Check the Applied To column, which indicates whether a template is assigned to any collector; only templates with no assignment can be deleted.
To delete the selected templates that are not assigned to any collector, click Delete.
In the confirmation message, after verifying the list of templates to be deleted, click Delete.
The templates are deleted.
Refer to the following short video for a quick reference.