Migrate to the New-Scale Site Collectors Service
Site Collectors on the New-Scale Security Operations Platform offer several advantages over the legacy Site Collectors for the Exabeam Security Management Platform. These advantages include:
Simplified onboarding to quickly set up multiple collectors
UI-based management of Site Collectors to aid in monitoring and troubleshooting
Enhanced handling of log formats (plain text or XML), for example as required by the Windows Event Log Collector (WELC)
Extended log collection support such as for on-premises Oracle database servers and Windows Event Collector (WEC)
Multi-site deployment support for site-specific time zones and site names
Standardized metadata fields to allow easy identification of log sources
Operating system version support for:
RedHat 7, 8, and 9
Ubuntu 18.04, 20.04, 22.04, and 23.04.
(CentOS 7 and CentOS 8 are now end-of-life)
To take advantage of these features and integration with the New-Scale Security Operations Platform, it is recommended that you migrate any legacy Site Collectors.
To complete the migration, follow these steps:
Engage with Exabeam Support
Before you begin your migration, it is recommended to engage with our Support team.
Open a new support case with Exabeam support expressing your intent to migrate to the New-Scale Site Collectors.
Generate a support package. Support will use this to determine any ingress/egress filters and custom configurations.
On the server hosting your Site Collector, run the command for your version.
The script will generate a zip file containing diagnostics related to your Site Collector.
Attach the package to your support case.
Proceed to Set up a New VM for the New-Scale Site Collectors.
Set up a New VM for the New-Scale Site Collectors
With this workflow, Exabeam handles most of the migration steps on your behalf, including setup of the Site Collector core and migration of the following collectors:
Syslog Collector
Windows Active Directory Collector
Windows Event Log Collector
Windows File Collector
To get started with the New-Scale Site Collectors:
Determine how many New-Scale Site Collectors to deploy from the total EPS they will process. Each collector is rated for:
10k EPS at a 2.5 KB average message size for the common spec (4 CPU, 16 GB memory)
30k EPS at a 2.5 KB average message size for the enterprise spec (16 CPU, 32 GB memory)
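The ratings above are quoted at a 2.5 KB average message size, so a site whose messages are larger will hit the byte-throughput limit before it hits 10k or 30k events per second. The bash capacity planner below is an added example, not Exabeam's own tooling: it assumes both the event rate and the implied byte rate must stay within the rating (the page gives only the combined figure), takes the more demanding of the two, and rounds up to whole VMs. The optional headroom percentage is also an addition.

```bash
#!/usr/bin/env bash
# Added example (not Exabeam's code): size a New-Scale Site Collector
# deployment from the two ratings quoted in the migration guide.
# Assumption: a collector must stay within BOTH the rated events/s and the
# rated bytes/s (rated EPS x 2.5 KB); the more demanding ratio decides.
set -u

RATED_MSG_BYTES=2560      # the 2.5 KB average message size the ratings assume
COMMON_EPS=10000          # common spec: 4 CPU, 16 GB memory
ENTERPRISE_EPS=30000      # enterprise spec: 16 CPU, 32 GB memory

# collectors_needed SPEC EPS AVG_MSG_BYTES [HEADROOM_PERCENT]
#   SPEC is "common" or "enterprise". Prints the number of collector VMs
#   required (ceiling of the larger of the EPS ratio and the byte ratio).
#   HEADROOM_PERCENT inflates the offered load, e.g. 25 for 25% growth.
collectors_needed() {
  local spec=$1 eps=$2 msg_bytes=$3 headroom=${4:-0} rated_eps
  case $spec in
    common)     rated_eps=$COMMON_EPS ;;
    enterprise) rated_eps=$ENTERPRISE_EPS ;;
    *) echo "unknown spec: $spec (use common|enterprise)" >&2; return 1 ;;
  esac
  awk -v eps="$eps" -v msg="$msg_bytes" -v rated_eps="$rated_eps" \
      -v rated_msg="$RATED_MSG_BYTES" -v headroom="$headroom" 'BEGIN {
    eps = eps * (1 + headroom / 100)                   # grow the load, not the rating
    by_rate  = eps / rated_eps                         # events/s against the rating
    by_bytes = (eps * msg) / (rated_eps * rated_msg)   # bytes/s against the rating
    need = (by_rate > by_bytes) ? by_rate : by_bytes   # the tighter limit wins
    n = int(need); if (n < need) n++                   # ceiling: whole VMs only
    if (n < 1) n = 1
    print n
  }'
}
```

Example: 10k EPS of 2.5 KB messages fits one common-spec collector, but 10k EPS of 5 KB messages needs two, because the byte rate is double what the rating assumes even though the event rate is unchanged.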
Review the prerequisites and set up the VM that you will use to host each New-Scale Site Collector.
Caution
Set up a dedicated VM for each new Site Collector. Do not host a legacy Site Collector and a New-Scale Site Collector on the same VM: running multiple Site Collectors on one VM results in a port conflict.
Run the prechecks in the VM to ensure your system is ready for deployment.
Make sure you address any issues identified during the precheck verification process.
Provide the following information for Exabeam Support:
IP address and hostname for each Site Collector
Precheck output for each VM instance
Number of site collectors needed and each type. For example:
Agent collectors (Windows Event Log Collector, Windows File Collector)
Server collectors (Syslog Collector)
Contextual collectors (Windows Active Directory Collector)
To install any additional site collector agents that are not automatically migrated (as described above), refer to the list of supported collectors.
Verify that the collectors are operational. The Overview page will display the ingestion status.
Exabeam allows a two-week validation period after migrating your collectors. During this time, you can review and address any issues related to the migrated collectors.
Note
If you encounter any challenges during the validation period or require additional time for validation and fixes, please reach out to your Exabeam representative.
After you have verified that all collectors are operational, please let your Exabeam technical contact (technical account manager or sales engineer) know you have finished and are ready to decommission your legacy Site Collector.
Proceed to Decommission the Legacy Site Collector.
Decommission the Legacy Site Collector
After verifying any new collectors are receiving logs, decommission the legacy Site Collector.
Caution
Run legacy and New-Scale collectors on separate VMs. Co-hosting them degrades performance for both.
Agent collectors (Windows Event Log Collector, Windows File Collector, Windows Archive Collector) may not conflict on ports, but running legacy and New-Scale agents on the same VM is still not recommended; keep them on separate VMs to avoid unpredictable behaviour and performance problems.
Server-side collectors (Syslog, Splunk, MSSQL, MySQL) must likewise run on separate VMs to prevent configuration conflicts.
Set up a separate VM for each new Site Collector. Never use one VM for both legacy and New-Scale Site Collectors.
Stop ingestion for each agent collector (for example Winlogbeat, Filebeat, GZBeat) using one of the following workflows. In most cases, you can stop the collector from the Collector Management page in Data Lake. If you don't have access to that page, you can instead stop ingestion on the machine that hosts the collector.
From the DL Collector Management page:
Select the checkbox for the agent collector for which you want to stop the ingestion.
Click on the Action button in the upper right corner.
Select the Stop option.
Verify the collector status.
If a collector fails to stop for any reason, you can retry stopping it.
Wait until the collectors stop successfully.
Linux-based collectors:
If you don't have access to the Collector Management page, use the CLI to halt ingestion. To use the CLI, you must have access to the machines where Site Collector agents are installed.
Log in to the machine hosting the agent collector.
Stop the agent collector using the systemctl command. Then run the sc-stop script (/opt/exabeam/tools/sc-services-stop.sh) to stop the collector services.
Windows-based collectors:
Stop the running Exabeam collectors from the UI.
Uninstall the agent collector:
To complete the uninstall process, you must have access to the machine that hosts the collector.
Linux-based collectors:
Log in to the machine hosting the collector.
Locate the Exabeam_Collector_Manager folder. Inside Exabeam_Collector_Manager, run the uninstall-exabeam-collector.sh script to uninstall the collectors.
From the Collector Management page, verify that the collector is no longer shown. Alternatively, use the systemctl command to confirm that the collector service is no longer present.
Windows-based collectors:
Log in to the machine hosting the collector.
Uninstall the running Exabeam collectors from the Windows apps.
Remove all Exabeam registry entries.
From the Collector Management page, verify that the collector is no longer shown.
For each collector, verify that the log messages in the queue have finished processing.
As an example, if you use Google Cloud Storage (default), use the following commands to view the number of events pending upload to Google Cloud Storage:
For additional operating system examples, see Inspect Logs in Other Scenarios.
When there are no pending events, uninstall the Exabeam Site Collector and remove it from the Collector Management page.
When you have completed all actions, please let your Exabeam technical contact (technical account manager or sales engineer) know you have finished and are ready to decommission your Data Lake instance.
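The two checks that gate the decommission above, that each Linux agent collector has really stopped (with a retry if it has not) and that the upload queue has drained to zero pending events, can be scripted so the legacy Site Collector is never uninstalled while logs are still in flight. The bash script below is an added example, not Exabeam's own tooling. It assumes the legacy agents run as systemd units whose names you supply, and that you have a command that prints the number of events still pending upload (the page refers to per-storage commands for that count; the pending_events function here is a placeholder you replace with the real command). The unit names in the example invocation are placeholders too.

```bash
#!/usr/bin/env bash
# Added example (not Exabeam's code): gate the legacy Site Collector
# decommission on the two conditions the procedure requires:
#   1. every legacy agent unit is really stopped (systemctl reports inactive)
#   2. the upload queue has drained (pending-event count reaches 0)
# Assumptions: unit names and the pending-count command are supplied by the
# caller. SYSTEMCTL is overridable so the logic can be exercised without systemd.
set -u

SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# stop_units UNIT...
# Stops each unit, retries once if it is still active (the "retry stopping
# it" step), and returns 1 if any unit remains active after the retry.
stop_units() {
  local unit attempt rc=0
  for unit in "$@"; do
    for attempt in 1 2; do
      "$SYSTEMCTL" stop "$unit" 2>/dev/null || true
      if [ "$("$SYSTEMCTL" is-active "$unit" 2>/dev/null)" != "active" ]; then
        break
      fi
    done
    if [ "$("$SYSTEMCTL" is-active "$unit" 2>/dev/null)" = "active" ]; then
      echo "still active after retry: $unit" >&2
      rc=1
    fi
  done
  return "$rc"
}

# wait_for_drain PENDING_CMD TIMEOUT_SECONDS [POLL_SECONDS]
# PENDING_CMD is a command (function or executable) that prints the number of
# events still pending upload. Returns 0 once it prints 0; returns 1 on timeout
# or when the output is not a non-negative integer, because an unreadable
# count must be treated as "unknown", never as "drained".
wait_for_drain() {
  local cmd=$1 timeout=$2 poll=${3:-10} elapsed=0 pending
  while :; do
    pending=$("$cmd") || { echo "$cmd failed" >&2; return 1; }
    case $pending in
      ''|*[!0-9]*) echo "unexpected pending count: '$pending'" >&2; return 1 ;;
    esac
    if [ "$pending" -eq 0 ]; then
      return 0
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timeout after ${elapsed}s: $pending events still pending" >&2
      return 1
    fi
    sleep "$poll"
    elapsed=$((elapsed + poll))
  done
}

# decommission_gate PENDING_CMD TIMEOUT_SECONDS UNIT...
# Succeeds only when all units are stopped and the queue is empty; the
# uninstall step should run only after this returns 0.
decommission_gate() {
  local cmd=$1 timeout=$2
  shift 2
  stop_units "$@" || return 1
  wait_for_drain "$cmd" "$timeout" || return 1
  echo "legacy collectors stopped and upload queue drained; safe to uninstall"
}

# Placeholder for the real pending-count command (assumption: replace this
# with the command for your storage backend).
pending_events() { echo 0; }

# Opt-in invocation so the functions can be sourced without side effects.
# "filebeat" and "gzbeat" are placeholder unit names.
if [ "${RUN_GATE:-0}" = 1 ]; then
  decommission_gate pending_events 600 filebeat gzbeat
fi
```

Run it with RUN_GATE=1 after replacing the placeholders; a non-zero exit means either a unit refused to stop or the queue did not drain within the timeout, and the uninstall should wait.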