Log Management Collection Hosts

Log Management provides the ability to create collection sources in addition to the default Windows event log and syslog sources. Log Management pairs a collection source to a single host in your environment. You must create a collection policy before you can create a collection source. You can only create one collection source per host.

  • The Alert Logic console displays hosts in your network to which you deployed the Alert Logic agent for the purpose of collecting logs.
  • The collection source defines how Alert Logic collects log messages.
  • Alert Logic recommends that you create credentials and schedules for collection sources when you create a collection policy.

The Log Management Hosts page

The Hosts page lists the hosts and appliances in the selected deployment to which you provisioned agents. From the Hosts page you can view host information and apply an updates policy to ensure the host always has the most recent agent installed.

To access the Hosts page, click CONFIGURATION, click a deployment for which you want to configure log collection, and then click Hosts.

View log host information

Hosts are uniquely identifiable log generating devices registered with the Alert Logic console.

Click a log host to view the following information:

  • Host Details
  • Metadata History
  • Status History

The log host status indicates whether a host is online or offline. If a host is offline, you cannot create a new collection source for the host. For more information, see Create log sources for hosts.

Edit an updates policy for a log host

An updates policy schedules hosts to update to the latest version of the agent software at the agent's specified check-in. By default, Alert Logic assigns the Default Update Policy, which sends software updates to your hosts as they become available. If the maintenance strategy for your organization requires a scheduled maintenance window, you can change the frequency of the update by either selecting another policy with a different update frequency, or creating a new updates policy.

If you update, archive, or delete any collection, policies, or alert rule configurations, you could break interconnected configurations.

To edit an updates policy for a log host:

  1. Click the pencil icon on the log host that you want to edit.
  2. In the Host Name field, enter a descriptive name.
  3. Select or create an updates policy.
  4. In the Tags field, type one or more easily filtered tags, separated by commas.
  5. Click SAVE.

Create log sources for hosts

You cannot create more than one remote collection source (Windows, flat-file, syslog, CloudTrail, and S3) on a single host.

After you provision and install the Alert Logic agent, the agent configures a default collection source for each log host in your system. You must create and configure log sources, with existing collection policies, to configure collection of specified logs.

To access the Log Sources page, click CONFIGURATION, click a deployment for which you want to configure log collection, and then click Log Sources.

For more information about configuring log sources, see Log Management Collection Sources.

Create a Windows event log collection source for a log host

You must create a collection policy before you can create a collection source.

For more information, see Create a Windows event log collection policy.

To create a Windows event log collection source for a log host:

  1. Access the Log Sources page.
  2. Click the Add icon.
  3. To create a collection source for a log host, the log host must be online. If you do not see an option to create a collection source, the log host is offline. To sort the list of log hosts by online status, in the Status column, click Status.
  4. From Source Log Type, select Windows Event Log.
  5. In the Source Name field, type a descriptive name.
  6. In Enable Collection, keep the default selection Enabled.
  7. In Collection Method, select Use an existing Policy, and then click Select a Policy.
  8. In Collection Alerts, click the field and select one or multiple alert options.
  9. From Time Zone, select a time zone.
  10. In the Tags field, type one or more easily filtered tags, separated by commas.
  11. Click SAVE.

Create a flat-file collection source for a log host

You must create a collection policy before you can create a collection source.

For more information, see Create a flat file collection policy.

To create a flat-file collection source for a log host:

  1. Access the Log Management Sources page.
  2. Click Sources.
  3. Click the Add icon.
  4. To create a collection source for a log host, the log host must be online. If you do not see an option to create a collection source, the log host is offline. To sort the list of log hosts by online status, in the Status column, click Status.
  5. From Source Log Type, select Flat-File Collection.
  6. In the Source Name field, type a descriptive name.
  7. In Enable Collection, select Enable.
  8. Under Collection Method, select Use an Agent.
  9. From the drop-down menu, select a host.
  10. In Collection Policy, select Use an existing Policy, and then select a policy from the drop-down menu.
  11. Under Collection Alerts, click the field and select one or more alert options.
  12. From Time Zone, select a time zone.
  13. In the Tags field, type an easily filtered tag.
  14. Click SAVE.

Archive and restore log hosts

To safeguard against permanent loss of data, Log Management provides the archive and restore features. To archive a log host, you must archive all source data streams associated with the host.

Before you can delete a host entry, you must remove the related entries elsewhere in the Alert Logic console:

  1. In Network IDS, delete the entry under Protected Hosts.
  2. In Log Management, archive the entry under Log Sources.
  3. In either Network IDS or Log Management, archive the Host under Hosts.

You cannot archive a log host or collection source if archiving it would stop log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid, and then in the left navigation, under Collection, click Sources. Next, you must archive any sources associated with the log host.

For more information, see Archive a collection source.

If the restore feature is unavailable, edit the log host to make the object valid.

Archive a log host

Archive a log host to remove the log host entry from view in the Alert Logic console.

To archive a log host:

  1. Access the Hosts page.
  2. Click the desired log host, and then click the box icon.
  3. Click ARCHIVE.

You cannot archive a log host or collection source if archiving it would stop log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid, and then in the left navigation, under Collection, click Sources. Next, you must archive any sources associated with the log host.

For more information, see Archive a collection source.

Restore an archived log host

To restore an archived log host:

  1. Access the Hosts page.
  2. Above the log host table, click to select the Show Archive slider.
  3. Place your cursor over the desired log host and click Restore.
  4. Click RESTORE.

If the restore feature is unavailable, edit the log host to make the object valid.

Mass edit log hosts

Mass edit provides the option to edit the updates policies and tags for all the log hosts, filtered log hosts, or specific log hosts you select. Also, mass edit contains a mass archive feature.

You cannot archive a log host or collection source if archiving it would stop log collection.

If the archive feature issues an Internal Server Error, edit the log host to make the object valid.

If the restore feature is unavailable, edit the log host to make the object valid.

To mass edit all log hosts:

  1. Access the Hosts page.
  2. Click the gear icon.
  3. Select Mass Edit.
  4. In Apply changes to, select All Hosts.
  5. In Updates, select the updates policy to use.
  6. From Tags, select a tag option, and then in the Tags field, enter the applicable tags.
  7. From Archive Hosts, select an option.

If the restore feature is unavailable, edit the log host to make the object valid.

  8. Click SAVE.

To mass edit only filtered log hosts:

  1. Access the Hosts page.
  2. Click the gear icon.
  3. Select Mass Edit.
  4. In Apply changes to, select Only Filtered Hosts.
  5. In Updates, select the updates policy to use.
  6. From Tags, select a tag option, and then in the Tags field, enter the applicable tags.
  7. From Archive Hosts, select an option.

If the restore feature is unavailable, edit the log host to make the object valid.

  8. Click SAVE.