Remote Log Collection Policy
The 'Remote Collection' policy is similar to the 'Flat-File' policy, except that it is configured to collect logs from an endpoint with no agent installed, using an agent installed on another endpoint. Additional information required for this policy includes the IP or domain address of the endpoint from which the logs are to be collected, the username and password used to access the logs, and the connection protocol. The administrator can create a schedule for collecting the logs.
To create a remote log collection policy
- Open the Collection Policies interface by clicking the 'Navigational Menu' button from the top right, choosing 'Agents' from the options and then clicking 'Collection Policies'.
- Click the 'Add' button at the bottom left of the 'Collection Policies' screen.
The configuration screen for creating a new policy will be displayed.
- Choose 'remote collection' from the 'Policy Type' drop-down.
The configuration screen for remote collection policy will be displayed.
- Enter a name for the new policy in the 'Policy Name' field.
Next you need to configure the details defining the source of log collection and the schedule for log collection.
To configure the details for the new policy
- Click the 'Details' stripe.
- Source File Path - Enter the location of the log file on the remote endpoint that the agent on another endpoint should collect and forward to the NxSIEM server.
- Type - Select the type of address to be entered for the remote endpoint. The options available are 'IP' and 'Domain'. Enter the address of the remote endpoint as per the chosen type in the field that appears below the 'Type' field.
- Time Type - Select the time stamp that the agent should use for the logs: either the host machine's time stamp or the log's own time stamp.
- Time Format - Select the time format to be used, from the drop-down.
- Username - Enter the username of an administrative account for the agent to log in to the remote endpoint, in order to access the log files.
- Password - Enter the password for the administrative account.
- Protocol - Select the type of protocol to be used for the agent to connect to the remote endpoint to collect the logs.
- Event Group - Select the 'Event Group' for which the log should be collected. The options available are:
- Firewall and UTM
- Application
- Endpoint Security
- Data Protection
- Network Intrusion Detection & Protection
- Network Monitoring
- Event Type - Choose the product for which the logs are to be collected, based on the chosen event group.
To create a schedule
- Click the 'Schedule' stripe.
The 'Timing' section allows you to define the period for log collection.
- Occurs - Select the period for log collection from the drop-down. The options available are:
- Hourly
- Daily
- Weekdays
- Weekend
- Weekly
- Monthly
- Reoccurs every - Enter the frequency of log collection for the chosen period. For example, if you select 'Daily' and enter 2, the agent will collect the logs once every 2 days.
- Occurs At - Enter the exact time at which the log should be collected.
The 'Duration' section allows you to define the start and end months for the period of log collection.
- Start - Select the start month from the drop-down.
- End - Select the end month from the drop-down.
The Blackout feature is not available for the 'Remote Collection' policy.
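As an added illustration (not part of the NxSIEM documentation or product), the following Python models the 'Occurs', 'Reoccurs every', 'Occurs At' and 'Duration' fields and computes the next collection times for every 'Occurs' option, generalising the single 'Daily, every 2 days' example given above. The exact semantics are assumptions: 'Reoccurs every' = N keeps every Nth matching slot inside the Duration window, the Duration months lie within the current year, and for 'Hourly' only the minute of 'Occurs At' is used.

```python
import calendar
from datetime import datetime, timedelta
OCCURS = ("Hourly", "Daily", "Weekdays", "Weekend", "Weekly", "Monthly")

def _slots(occurs, anchor):
    """Yield raw slots for one 'Occurs' option, starting at the anchor (hypothetical helper)."""
    k = 0
    while True:
        if occurs == "Hourly":
            yield anchor + timedelta(hours=k)
        elif occurs == "Weekly":
            yield anchor + timedelta(weeks=k)
        elif occurs == "Monthly":  # keep the anchor's day of month, clamped to the month length
            m = anchor.month - 1 + k
            year, month = anchor.year + m // 12, m % 12 + 1
            yield anchor.replace(year=year, month=month,
                                 day=min(anchor.day, calendar.monthrange(year, month)[1]))
        else:  # Daily, Weekdays and Weekend all step one day; the weekday filter is applied later
            yield anchor + timedelta(days=k)
        k += 1

def _day_matches(occurs, slot):
    if occurs == "Weekdays":
        return slot.weekday() < 5
    if occurs == "Weekend":
        return slot.weekday() >= 5
    return True

def next_collections(occurs, reoccurs_every, occurs_at, start_month, end_month, now, limit=5):
    """Next `limit` collection times ("YYYY-MM-DD HH:MM") for occurs_at "HH:MM" and now as ISO text."""
    if occurs not in OCCURS or reoccurs_every < 1 or not 1 <= start_month <= end_month <= 12:
        raise ValueError("invalid schedule settings")
    now = datetime.fromisoformat(now)
    at = datetime.strptime(occurs_at, "%H:%M").time()
    if occurs == "Hourly":  # assumption: for 'Hourly' only the minute of 'Occurs At' is used
        anchor = now.replace(minute=at.minute, second=0, microsecond=0)
    else:
        anchor = datetime.combine(now.date(), at)
    result, matching = [], 0
    for slot in _slots(occurs, anchor):
        if slot.year > now.year:  # assumption: the Duration months lie within the current year
            break
        if slot <= now or not _day_matches(occurs, slot) or not start_month <= slot.month <= end_month:
            continue
        matching += 1  # 'Reoccurs every' = N keeps every Nth matching slot inside the window
        if (matching - 1) % reoccurs_every == 0:
            result.append(slot.strftime("%Y-%m-%d %H:%M"))
            if len(result) == limit:
                break
    return result
```

Running `next_collections("Daily", 2, "02:00", 1, 12, "2024-03-10 12:00", limit=3)` reproduces the page's example: collections on 11, 13 and 15 March at 02:00.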
- Click the 'Submit' button to save your changes.
The policy will be added to NxSIEM and will be available for deployment to endpoints. Refer to the section 'Configuring Log Collection Policies' for more details on deploying the newly created policy onto customers' endpoints.