Site Collector Administration Guide

Regenerate Certificates for Collectors

Site Collector Core (NiFi) generates security certificates for secure communication. If the security certificates expire within one year, the Windows Event Log Collector stops communicating with the Site Collector instance. To avoid disrupting collector operation, refresh the SSL/TLS certificates by using the following steps.

  1. Upgrade the Site Collector version to 1.19.2 or later.

    You can update the Windows certificate for Site Collector version 1.19.1 and later and the Linux certificate for Site Collector version 1.19.2 and later.

  2. Log in to the VM on which Site Collector is installed and use the following command to generate new SSL certificates for Site Collector versions before Site Collector 2.2.

    sudo /opt/exabeam/nifi/nifi_scripts/regenerate_certificate.sh

    The following screenshot shows an example of what the output may look like.

    [Screenshot: WELC_certificate_step.png]

  3. If you are using Site Collector version 2.2 and later, use the steps mentioned in the Generate TLS Certificate section to refresh the security certificates.

  4. To refresh certificates and resume communication with Site Collector Core (NiFi) for Windows collectors, including Windows Event Log collector, Windows File collector, and Windows Archive collector, run the following command in PowerShell on the Windows VM on which the collector is installed.

    Note

    You must be an administrator to run the command.

    powershell.exe -NoLogo -ExecutionPolicy Bypass -Command "Invoke-WebRequest -OutFile 'windows_certificates_update.ps1' -Uri 'http://<SiteCollectorIP>:9875/?filename=windows_certificates_update.ps1'; .\windows_certificates_update.ps1  <SiteCollectorIP> -force"

    Replace <SiteCollectorIP> with the private IP of the VM on which the Site Collector is installed.

    The following screenshot shows an example of what the output may look like when the certificate update is successful.

    [Screenshot: WELC_certificate_step_2.png]

    If the above script does not download the certificates directly from the Site Collector instance, download the certificates directly from the user interface and copy them to the Windows server. Then, run the following script in the directory in which the certificates are placed.

    powershell.exe -NoLogo -ExecutionPolicy Bypass -Command "Invoke-WebRequest -OutFile 'windows_certificates_update.ps1' -Uri 'http://<SiteCollectorIP>:9875/?filename=windows_certificates_update.ps1'; .\windows_certificates_update.ps1  <SiteCollectorIP> -force"

    Replace <SiteCollectorIP> with the private IP of the VM on which the Site Collector is installed.

    For Linux-based collectors, such as Linux File collector and Linux Archive collector, run the following command on the Linux machine on which the collector is installed.

    sudo -- sh -c 'curl --fail -o linux_certifcates_update.sh "http://<SiteCollectorIP>:9875/?filename=linux_certifcates_update.sh" && chmod +x linux_certifcates_update.sh && ./linux_certifcates_update.sh <SiteCollectorIP>'

    Replace <SiteCollectorIP> with the private IP of the VM on which the Site Collector is installed.

Troubleshoot Common Issues

Scenario 1: If the regenerate_certificate script at /opt/exabeam/nifi/nifi_scripts/regenerate_certificate.sh fails because specific curl versions are incompatible with the Site Collector Core (NiFi) API, modify the script on your VM by updating the generate_nifi_token() function as follows.

generate_nifi_token() {
  NIFI_WEB_UI_TOKEN=$(curl --silent $TLS_FLAG $CIPHERS_FLAG $CURVES_FLAG --fail -XPOST -k "$NIFI_API/access/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=$SINGLE_USER_CREDENTIALS_USERNAME&password=$SINGLE_USER_CREDENTIALS_PASSWORD" 2>&1)
  NIFI_VERSION="2.0.0-SNAPSHOT"
        
  return 0
}

Save the changes to generate and upload a new certificate, then restart your Site Collector instance.

Scenario 2: The regenerate_certificate.sh script restarts Site Collector Core. However, if the certificate has already expired, restarting Site Collector Core fails. In this case, restart the NiFi service using systemctl restart exabeam-ngsc.

Generate TLS Certificate for Release 2.2 and Later

If you use Site Collector version 2.2, use the following steps to regenerate TLS certificates.

Generate CA Certificate and Server Certificate

To regenerate new certificates for Site Collector and upload the certificates to the Exabeam cloud, use the following steps.

  1. Stop the site collector service.

    sudo ./ngsccli sitecollector stop
  2. Run the following command to regenerate the certificate.

    sudo ./ngsccli certificate regenerate

    The existing TLS certificates that Site Collector Core (NiFi) uses to receive data are replaced with the latest certificates.

  3. Start the Site Collector service.

    sudo ./ngsccli sitecollector start
  4. Update all the existing collectors that use certificates to send data.

Generate Server Certificate Only

If you have installed Site Collector version 2.2 and want to retain the existing CA certificate and generate only the server certificate, set the --newca flag to false, as in the following command.

sudo ./ngsccli certificate regenerate --newca=false

If you want to check the expiration of an existing CA certificate:

  1. Check if the ca.cert file is available in /opt/exabeam/auth/ssl/ngsc/.

    If the ca.cert file is not available, it indicates that the Site Collector version is prior to version 2.2 and you must regenerate the CA certificate.

  2. To check the expiration of the CA certificate, use the following openssl command.

    openssl x509 -in ca.pem -text -noout | grep "Not After"
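
A scriptable version of the expiry check above, as an added example (not Exabeam's code): it takes the expiry line that openssl prints, in either the `-text` or the `-enddate` form, and classifies it against a warning window. It assumes GNU date; the function names, the window and the sample line are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Assumes GNU date for `date -d`.
# Function names and the warning window are illustrative.

# Constructed sample line (not from a real certificate):
SAMPLE_LINE='            Not After : Jun  1 12:00:00 2030 GMT'

# Strip the label from an openssl expiry line, leaving only the timestamp.
# Accepts "Not After : <ts>" (from -text) and "notAfter=<ts>" (from -enddate).
not_after_timestamp() {
  printf '%s\n' "$1" |
    sed -E 's/^[[:space:]]*(Not After[[:space:]]*:|notAfter=)[[:space:]]*//'
}

# Print "OK <n>d", "WARN <n>d", "EXPIRED" or "UNPARSEABLE" for one expiry line.
# $1 = openssl line, $2 = warning window in days, $3 = reference epoch (default: now)
expiry_status() {
  local line="$1" warn_days="$2" now="${3:-$(date -u +%s)}" ts expiry left
  ts=$(not_after_timestamp "$line")
  expiry=$(date -u -d "$ts" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }
  left=$(( expiry - now ))          # compare in seconds so a cert that expired
  if [ "$left" -le 0 ]; then        # an hour ago is not rounded to "0 days left"
    echo "EXPIRED"; return 1
  elif [ "$left" -le $(( warn_days * 86400 )) ]; then
    echo "WARN $(( left / 86400 ))d"; return 1
  fi
  echo "OK $(( left / 86400 ))d"
}

# Usage: cert_expiry.sh <warn_days> <cert.pem> [...]
# Exits non-zero if any certificate is expired, inside the window or unreadable.
if [ "$#" -ge 2 ]; then
  warn="$1"; shift; rc=0
  for cert in "$@"; do
    if line=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
      status=$(expiry_status "$line" "$warn") || rc=1
    else
      status="UNREADABLE"; rc=1
    fi
    echo "$cert: $status"
  done
  exit "$rc"
fi
```

Pass the certificate files from the directory named in step 1; the non-zero exit status lets a scheduler or monitoring agent raise the alert before collectors stop communicating.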

Set Custom Expiration

The default expiration is 10 years for the CA certificate and 2 years for the server certificate. To set a custom expiration, use the --ca-expiration and --cert-expiration flags, which take the expiration in years.

sudo ./ngsccli certificate regenerate --ca-expiration=5 --cert-expiration=1

Upload Certificates

If the automatic upload of certificates to the Exabeam cloud fails, use the following command to upload the certificates manually.

sudo ./ngsccli certificate upload