Set Up Windows File Collector
Set up the Windows File Collector to retrieve logs natively from your Windows server, from the most common text log file types: *.log, *.txt, and *.csv. The Windows File Collector is a set of Site Collector flows, pre-built processors, groups, custom processors, other components, and integrations that pull single-line logs and push the logs to New-Scale Security Operations Platform. The collector provides flexible template configuration capabilities to collect Windows events.
Tip
If you configure a Windows File Collector instance for a Site Collector instance that was created using a hostname, you may get a 'Request timed out' error while establishing communication with the host VM from a Windows VM. To avoid the 'Request timed out' error and 'Setup error', ensure that you complete the following steps on your Windows VM.
Type ping hostname_of_site_collector in your Windows command prompt. If this command succeeds, proceed with installing a Windows File Collector for this Site Collector instance. If you get a 'Request timed out', 'Cannot resolve host', or 'Unknown host' error, use the following steps.
Using Notepad, open the hosts file that maintains the mapping between hostname and IP address, located at C:\Windows\System32\drivers\etc\hosts.
Add a new entry with your IP address and hostname at the end of the file, for example: ip_address hostname_of_site_collector
Save the hosts file.
Proceed to install a Windows File Collector instance for this Site Collector instance.
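The steps in the tip above as a PowerShell script for an elevated session (an added example, not part of the original documentation). The IP address 192.0.2.10 is a placeholder, and the function names Test-NameResolves and Test-HostsEntry are introduced here for illustration.

```powershell
# Added example: confirm that the Site Collector hostname resolves and,
# if it does not, append a hosts entry. Replace both placeholder values.
$CollectorHost = 'hostname_of_site_collector'   # placeholder from the tip
$CollectorIp   = '192.0.2.10'                   # placeholder (documentation address range)
$HostsPath     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-NameResolves {
    param([string]$Name)
    try {
        # Uses the system resolver, which also consults the hosts file.
        [void][System.Net.Dns]::GetHostAddresses($Name)
        return $true
    } catch {
        return $false
    }
}

function Test-HostsEntry {
    param([string]$Path, [string]$Name)
    # Uncommented line of the form "<ip> [aliases] <name> [aliases]".
    $pattern = '^\s*[^#\s]\S*\s+([^#]*\s)?' + [regex]::Escape($Name) + '(\s|#|$)'
    return [bool](Select-String -Path $Path -Pattern $pattern -Quiet)
}

if (Test-NameResolves $CollectorHost) {
    "Name resolves: $CollectorHost"
} elseif (Test-HostsEntry $HostsPath $CollectorHost) {
    "A hosts entry for $CollectorHost exists but the name does not resolve; review the entry."
} else {
    # The hosts file is writable by administrators only.
    # The leading line break guards against a file that lacks a trailing newline.
    Add-Content -Path $HostsPath -Value "`r`n$CollectorIp`t$CollectorHost" -Encoding ASCII
    "Added hosts entry: $CollectorIp $CollectorHost"
}

# Reachability check, equivalent to the ping in the tip; prints True or False.
Test-Connection -ComputerName $CollectorHost -Count 2 -Quiet
```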
To set up a Windows File Collector:
Log in to the New-Scale Security Operations Platform with your registered credentials.
Navigate to Collectors > Site Collectors.
Ensure that Site Collector is installed and in running state.
On the Site Collector page, click the Collectors Library tab, then click Windows File.
In the Definition section, enter the required information as follows.
Collector Name – Site Collector generates a name for the Windows File collector based on your hostname.
Site Collector Instance – Select the site collector instance for which you want to set up the Windows File Collector.
Fetch Historical Data – Select this option for the collector to fetch log files that were created prior to the creation of the collector.
Click Next.
In the Data section, set up the Windows File template while configuring the collector. After you create a template, you can reuse the template for other collector instances or create a new template each time you set up a new Windows File Collector.
File Collector Template – Select a preconfigured template to filter logs, or create a new template. Templates enable you to filter logs by file names.
To create a new Windows File template:
In the Templates list, click New File Collector Template.
In the Template Name field, specify a name for the new Windows File template.
In the Add File Paths section, to filter logs, enable the log fields that you want to use by entering regex.
The collector supports searching for log files across subdirectories, which enables comprehensive log file collection by traversing and retrieving logs from nested directory structures.
Include – Enter regex for the file names or paths to be included in log collection.
For example, you can enter a directory path with wildcard characters such as c:\exabeam\logs\*.log and c:\users\exabeam\*.txt. You can include wildcard characters such as /var/log/*.log and /opt/exabeam/logs/*.txt in your regex. Here are examples of advanced log filtering.
Example 1: If you include C:\Users\exabeam\Desktop\*.log in your regex, the collector searches all files and subdirectories under C:\Users\exabeam\Desktop for files with the .log suffix.
Example 2: If you include C:\Users\exabeam\Desktop\log2\**.txt, the collector searches all files and subdirectories under C:\Users\exabeam\Desktop\log2 for files with the .txt suffix.
Example 3: If you include C:\Users\exabeam\Desktop\log2\* in your regex, the configuration comprehensively processes all files and subdirectories within C:\Users\exabeam\Desktop\log2, and ensures that every file in the specified directory and its nested structures is included in the processing.
Exclude – Enter regex for the file names or paths to be rejected while collecting logs. The collector collects all the security events from the specified log name excluding the events or file names listed in this section.
For example, to exclude files or folders within the scope of the include condition, you can enter a regex such as c:\exabeam\logs\*.txt. Based on this regex, the collector ignores .txt logs.
After setting the filters, click Create.
In the Installation section, copy the scripts and download certificates as follows.
Certificate – Click Download Certificate to download the certificates. After you download the certificates, ensure that you save the certificates in the same directory from where you execute the Windows File Collector installation command.
Install Script – Copy the Install script. Open a PowerShell or cmd command-line interface as an administrator in the directory where you saved the downloaded certificates, and paste the script. Then, run the copied command to install the Windows File Collector.
Note
You can use one install script for installing Windows File Collector on multiple Windows machines. You can also install both Windows File Collector and Windows Event Log Collector on the same Windows server.
Uninstall Script – To uninstall the Windows File Collector, copy and run the script using the PowerShell or cmd interface as an administrator. You must execute the script on the Windows server. If a Windows Event Log Collector instance is already installed on the same server, it remains intact.
Verify that the collector is installed. After you run the Install script on your Windows server, you get a confirmation message about successful collector installation and the collector instance is listed in the Overview section on the user interface.
The Windows File Collector is set up and is ready to pull logs from source files based on the template configuration from your Windows server.
After the Windows File Collector is set up, Site Collector Core starts pulling logs periodically based on your template configuration and uploads logs to New-Scale Security Operations Platform. If the Windows server is not available, Site Collector Core resumes pulling logs from the place where it stopped.
In case of installation failure, the collector is disabled, and the configuration is saved. You can check the status of the collector on the user interface or using the support package.
Note
The supported versions of Windows operating system are Windows 10, Windows 11, Windows 2016 and Windows Server 2016 core, Windows 2019 and Windows Server 2019 core, and Windows 2022 and Windows Server 2022 core.
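Because the Include and Exclude patterns in the template step decide which files leave the server, it helps to list what a pattern pair would select before creating the template. The following PowerShell is an added example, not Exabeam code: Get-CollectionPreview is a hypothetical helper that approximates the recursive matching described in Examples 1 to 3 with PowerShell's -like wildcards, and the collector's own matcher may differ.

```powershell
# Added example: preview the files an Include/Exclude pair would select.
# Get-CollectionPreview is a hypothetical helper, not a collector command.
function Get-CollectionPreview {
    param(
        [Parameter(Mandatory)][string]$Root,         # directory part of the Include pattern
        [Parameter(Mandatory)][string]$IncludeName,  # file-name part, for example '*.log' or '*'
        [string[]]$ExcludePath = @()                 # full-path wildcards to reject
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $IncludeName } |
        Where-Object {
            $path = $_.FullName
            # Keep the file only if no exclude pattern matches its full path.
            -not ($ExcludePath | Where-Object { $path -like $_ })
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Include in the form of Example 3 (everything under the directory),
# combined with the Exclude pattern from the page.
$preview = Get-CollectionPreview -Root 'c:\exabeam\logs' `
                                 -IncludeName '*' `
                                 -ExcludePath 'c:\exabeam\logs\*.txt'

# Summary by extension: a broad '*' include often selects more than log files.
$preview |
    Group-Object { [IO.Path]::GetExtension($_.FullName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'TotalBytes'; e = { ($_.Group | Measure-Object Length -Sum).Sum } }

# Full listing, newest first, for review before the template is created.
$preview | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Extensions other than .log, .txt, and .csv in the summary indicate files that a narrower Include or an additional Exclude entry should keep out of collection.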