Log Manager Collection: Hosts

Log Manager provides the ability to create collection sources in addition to the default Windows event log and syslog sources. Log Manager pairs a collection source to a single host in your environment. You must create a collection policy before you can create a collection source. You can only create one collection source per host.

  • Hosts are uniquely identifiable log generating devices registered within the Alert Logic console.
  • The collection source defines how Log Manager collects log messages.
  • Alert Logic recommends that you create credentials and schedules for collection sources when you create a collection policy.

Access the Log Manager hosts page

To access the Log Manager hosts and sources page, click CONFIGURATION, and then click Deployments. From the Deployments page, click the Manual Deployments tile, and then click Hosts.

View log host information

Hosts are uniquely identifiable log generating devices registered with the Alert Logic console.

Click a log host to view the following information:

  • Host Details
  • Metadata History
  • Status History

The log host status indicates whether a host is online or offline. If a host is offline, you cannot create a new collection source for it. For more information, see Create collection sources for log hosts.

Edit an updates policy for a log host

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To edit an updates policy for a log host:

  1. Click the pencil icon on the log host that you want to edit.
  2. In the Host Name field, enter a descriptive name.
  3. Select or create an updates policy.
  4. In the Tags field, type one or more easily filtered tags, separated by commas.
  5. Click SAVE.

Create collection sources for log hosts

You cannot create more than one remote collection source (Windows, flat-file, syslog, CloudTrail, and S3) on a single host.

After you provision and install the Alert Logic agent on your target host, the agent automatically creates an associated log source in the Alert Logic console and configures it with the default collection configuration policy for that log source type. You must create and configure new collection sources with existing collection policies to meet more specific requirements.

Create a Windows event log collection source for a log host

You must create a collection policy before you can create a collection source.

For more information, see Create a Windows event log collection policy.

To create a Windows event log collection source for a log host:

  1. Access the Log Sources page.
  2. Click the Add icon.
  3. To create a collection source for a log host, the log host must be online. If you do not see an option to create a collection source, the log host is offline. To sort the list of log hosts by online status, in the Status column, click Status.
  4. From Source Log Type, select Windows Event Log.
  5. In the Source Name field, type a descriptive name.
  6. In Enable Collection, keep the default selection Enabled.
  7. In Collection Method, select Use an existing Policy, and then click Select a Policy.
  8. In Collection Alerts, click the field and select one or multiple alert options.
  9. From Time Zone, select a time zone.
  10. In the Tags field, type one or more easily filtered tags, separated by commas.
  11. Click SAVE.

Create a flat-file collection source for a log host

You must create a collection policy before you can create a collection source.

For more information, see Create a Flat File collection policy.

To create a flat-file collection source for a log host:

  1. Access the Log Manager Log Sources page.
  2. Click Sources.
  3. Click the Add icon.
  4. To create a collection source for a log host, the log host must be online. If you do not see an option to create a collection source, the log host is offline. To sort the list of log hosts by online status, in the Status column, click Status.
  5. From Source Log Type, select Flat-File Collection.
  6. In the Source Name field, type a descriptive name.
  7. In Enable Collection, select Enable.
  8. Under Collection Method, select Use an Agent.
  9. From the drop-down menu, select a host.
  10. In Collection Policy, select Use an existing Policy, and then select a policy from the drop-down menu.
  11. Under Collection Alerts, click the field and select one or more alert options.
  12. In the Tags field, type an easily filtered tag.
  13. Click SAVE.

Create a syslog collection source for a log host

Log Manager accepts syslog files without additional configuration.

For more information about collection sources, see Log Manager Collection Sources.

Archive and restore log hosts

To safeguard against permanent loss of data, Log Manager provides the archive and restore features. To archive a log host, you must archive all source data streams associated with the host.

If you want to delete an entry under Hosts, you must first remove the related entries elsewhere in the Alert Logic console:

  1. In Threat Manager, delete the entry under Protected Hosts.
  2. In Log Manager, archive the entry under Log Sources.
  3. In either Threat Manager or Log Manager, archive the Host under Hosts.

You cannot archive a log host or collection source that stops log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid, and then in the left navigation, under Collection, click Sources. Next, you must archive any sources associated with the log host.

For more information, see Archive a collection source.

If the restore feature is unavailable, edit the log host to make the object valid.

Archive a log host

Archive a log source to visibly remove the log host entry from the Alert Logic console. To restore a log host, see Restore an archived log host.

To archive a log host:

  1. Access the Hosts page.
  2. Click the desired log host, and then click the box icon.
  3. Click ARCHIVE.

You cannot archive a log host or collection source that stops log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid, and then in the left navigation, under Collection, click Sources. Next, you must archive any sources associated with the log host.

For more information, see Archive a collection source.

Restore an archived log host

To restore an archived log host:

  1. Access the Hosts page.
  2. Above the log host table, click to select the Show Archive slider.
  3. Place your cursor over the desired log host and click Restore.
  4. Click RESTORE.

If the restore feature is unavailable, edit the log host to make the object valid.

Mass edit log hosts

Mass edit provides the option to edit the updates policies and tags for all the log hosts, filtered log hosts, or specific log hosts you select. Also, mass edit contains a mass archive feature.

You cannot archive a log host or collection source that will stop log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid.

If the restore feature is unavailable, edit the log host to make the object valid.

To mass edit all log hosts:

  1. Access the Hosts page.
  2. Click the gear icon.
  3. Select Mass Edit.
  4. In Apply changes to, select All Hosts.
  5. In Updates, select the updates policy to use.
  6. From Tags, select a tag option, and then in the Tags field, enter the applicable tags.
  7. From Archive Hosts, select an option.

If the restore feature is unavailable, edit the log host to make the object valid.

  8. Click SAVE.

To mass edit only filtered log hosts:

  1. Access the Hosts page.
  2. Click the gear icon.
  3. Select Mass Edit.
  4. In Apply changes to, select Only Filtered Hosts.
  5. In Updates, select the updates policy to use.
  6. From Tags, select a tag option, and then in the Tags field, enter the applicable tags.
  7. From Archive Hosts, select an option.

If the restore feature is unavailable, edit the log host to make the object valid.

  8. Click SAVE.