- Site Collector Overview
- Get Started with Site Collectors
- Install Site Collector
- Set Up Collectors
- Sign Up for the Early Access Program: Site Collectors
- Set Up Archive Windows Collector
- Set Up Archive Linux Collector
- Set Up EStreamer Collector
- Set Up Fortinet Collector
- Set Up IBM Security QRadar Collector
- Set Up Kafka Collector
- Set Up Splunk Collector
- Set Up Linux File Collector
- Set Up Microsoft SQL Collector
- Set Up MySQL Collector
- Set Up Oracle Collector
- Set Up Syslog Collector
- Set Up Windows Active Directory Collector
- Set Up Windows Event Log Collector
- Set Up Windows File Collector
- Manage Site Collectors
- Site Collector Monitoring
- Troubleshoot the Site Collector
- Pre-checks failed during Site Collector installation and upgrade
- Site Collector UI shows the status INSTALLATION_ERROR
- Download Support Packages for Troubleshooting
- How to reboot the Virtual Machine (VM) successfully to apply security updates?
- What information must be added while creating a support ticket to resolve an issue?
- Site Collector UI is not displaying the heartbeats
- Splunk Collector can't be set up
- Splunk Collector is set up however, logs are not reaching DL/AA
- Only a few of the installed Splunk Collectors are processing logs or EPS has dropped by 50% as compared to last hour
- The Windows Active Directory Collector (formerly known as LDAP Collector) is set up, however, the context data is not reaching DL/AA
- The Windows Active Directory Collector (formerly known as LDAP Collector) is stuck in the ‘Update’ mode after deployment
- Installation is initiated; however, the collector shows the status as ‘Setting Up’ for some time
- Data Lake and Advanced Analytics Does Not Show Context Data
- Context Data from Windows Active Directory Collector is Segmented
- Minifi Permission Denied - Logback.xml File Missing and Config File Update - Failed Error Occurred while Installing the Windows Event Log Collector
- Where should I upload proxy certificates if I am running proxy with TLS interception?
- How to upgrade Linux collector instance?
Set Up Archive Linux Collector
Set up the Archive Linux Collector to collect log events from archived log sources *.7z, *.arj, *.bzip2, *.cab, *.gzip, *.iso, *.lzh, *.rar, *.gz, *.tar, *.tar.gz, *.z, and *.zip. The Archive Linux Collector is a set of Site Collector flows, pre-built processors, groups, custom processors, and other components that pull logs in plain text format and push the logs to Exabeam Security Operations Platform. The collector provides flexible template configuration capabilities to collect Linux events.
Tip
If you configure a Archive Linux Collector instance for a Site Collector instance which was created using a hostname, you may get a 'Request timed out' error while establishing communication with the host VM from a Linux VM. To avoid the 'Request timed out' error and ‘Setup error’, ensure that you complete the following steps on your Linux VM.
Type ping hostnname_of_site_collector in your Linux command prompt. If this command succeeds, proceed with installing a Linux Collector for this Site Collector instance. If you get a ‘Request timed out’, or ‘Cannot resolve host’ or ‘Unknown host’ error, use the following steps.
Open the hosts file that maintains mapping between hostname and IP_address, located at: /etc/hosts, using Vi.
Add a new entry with your hostname and IP address at the end of the file for example, hostnname_of_site_collector ip_address
Save the hosts file.
Proceed to install the Archive Linux Collector instance for this Site Collector instance.
To set up the Archive Linux Collector:
Log in to the Exabeam Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Ensure that Site Collector is installed and in running state.
On the Site Collector page, click the Collectors Library tab, then click Archive Linux.
In the Definition section, enter the required information as follows.
Collector Name – Site Collector generates a name for the Archive Linux collector based on your hostname.
Site Collector Instance – Select the site collector instance for which you want to set up the Archive Linux Collector. Only Site Collector instances on Site Collector version 1.17 and above are available.
Click Next.
In the Data section, set up the Linux template while configuring the collector. After you create a template, you can reuse the template for other collector instances or create a new template each time you set up a new Archive Linux Collector.
Archive Linux Template – Select a preconfigured template template to filter logs, or, create a new template. Templates enable you to filter logs by file names.
To create a new Archive Linux template:
In the Templates list, click New Linux Template.
In the Template Name field, specify a name for the new Linux template and click Next.
In the Add File Paths section, for filtering logs, enable the log fields that you want to use by entering regex. Supported file extension formats are *.7z, *.arj, *.bzip2, *.cab, *.gzip, *.iso, *.lzh, *.rar, *.gz, *.tar, *.tar.gz, *.z, and *.zip.
Include – Enter regex for the file names or paths to be included in log collection.
Exclude – Enter regex for the file names or paths to be rejected while collecting logs. The collector collects all the security events from the specified log name excluding the events or file names listed in this section.
In the Installation section, copy the scripts and download certificates as follows.
Certificate – Click Download Certificates to download the certificates. After you download the certificates, ensure that you save the certificates in the same directory from where you execute the installation command.
Install Script – Copy the Install script. Paste the script in the Powershell or cmd command line interface as an administrator where you put downloaded certificates. Then, run the copied command to install the Linux collector.
Note
You can use one install script for installing Archive Linux Collector on multiple Linux machines.
Uninstall Script – To uninstall the Archive Linux collector, copy and run the script using Powershell or cmd interface as an administrator. You must execute the script on the Linux server.
Verify that the Collector installed. After you run the Install script on your Linux server, you get a confirmation message about successful collector installation and the Collector instance is listed in the Overview section on the user interface.
The Archive Linux Collector is set up and is ready to pull Linux events from your archived log files, *.7z, *.arj, *.bzip2, *.cab, *.gzip, *.iso, *.lzh, *.rar, *.gz, *.tar, *.tar.gz, *.z, and *.zip.
After the Linux collector is set up, Site Collector Core starts pulling logs periodically based on your template configuration and uploads logs to Exabeam Security Operations Platform. If the Linux server is not available, Site Collector core resumes pulling logs from the place where it stopped.
In case of installation failure, the collector is disabled, and the configuration is saved. You can check the status of the collector on the user interface or using the support package.
Note
The Archive Linux Collector works on virtual machines that meet the minimum hardware specifications and that have Bash installed. The collector supports the following operating systems.
Linux Full Client (LFC) Red Hat Enterprise Linux versions 7, 8, and 9, CentOS versions 7, 8, and 9, and Ubuntu versions 18.04 LTS, 20.04 LTS, 22.04 LTS
Linux Application Client (LAC) Red Hat Enterprise Linux versions 7, 8, and 9, CentOS versions 7, 8, and 9, and Ubuntu versions 18.04 LTS, 20.04 LTS, 22.04 LTS