LogSentinel Agent Overview
The Sentinel Trails listening agent is an open source component that gets installed on target machines to listen to a configured set of log sources. It can be installed on Linux and Windows and supports the following types of sources:
Log files – an arbitrary text file can be collected and sent, line by line, to the Sentinel Trails service. These are typically application logs and logs from systems like application servers, accounting software, CRMs, ERPs (e.g. SAP), big data processing (e.g. Hadoop), or any other non-standard software
Database log files – if database query logs are enabled, the agent listens to newly issued queries and sends them to the Sentinel Trails service
Database tables – if you store an audit trail inside relational database tables, you can configure queries that periodically fetch new entries and send them to the Sentinel Trails service
MS SQL audit trail – if MS SQL audit trail is enabled, the agent can be configured to listen to it and forward the events
MS SQL change tracking – if MS SQL change tracking is enabled, the agent can be configured to listen to it and forward the change events
Oracle audit trail – if Oracle audit trail is enabled, the agent can be configured to listen to it and forward the events
Access logs – the standard web server access log files can be parsed and sent to Sentinel Trails
Linux audit log – the native Linux audit log file can be tailed and forwarded to Sentinel Trails
Windows event logs – the Windows event logs (including all categories – Application, Security, System) can be read continuously and sent to Sentinel Trails
Directory changes - any changes in a directory (new files, removal of files, modification of files) can be tracked using this agent configuration.
PostgreSQL - the agent can collect the audit logs generated by pgaudit
MySQL - the agent can collect the audit logs generated by the audit log plugin
Teradata - if auditing is enabled on Teradata, the agent can query the logs and forward them
Hadoop - the agent can parse and forward Hadoop security logs
AxonDB logs – AxonDB is a special type of non-relational database. We support its custom log format.
Any combination of the above can be configured. Note that for some target types the agent can be installed on a different machine than the actual log source. For example, in case of database tables or database audit trail, the agent can be installed on another machine that connects to the database server via a database connection string and credentials.
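The "Database tables" source described above relies on queries that periodically fetch only new entries. The following is an added example, not the agent's own code or configuration format, showing that polling pattern with a checkpoint that advances only after a row has been delivered. The `audit_log` table, its columns, the monotonically increasing `id`, the in-memory SQLite database and the `send` callback are all assumptions made for illustration.

```python
import sqlite3

def make_sample_db():
    """Constructed in-memory audit table standing in for the monitored database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT, action TEXT)")
    conn.executemany("INSERT INTO audit_log (actor, action) VALUES (?, ?)",
                     [("alice", "LOGIN"), ("bob", "UPDATE invoice 17"), ("alice", "LOGOUT")])
    conn.commit()
    return conn

def fetch_new_entries(conn, last_id, batch_size=100):
    """Return rows strictly newer than the checkpoint, oldest first."""
    cur = conn.execute(
        "SELECT id, actor, action FROM audit_log WHERE id > ? ORDER BY id LIMIT ?",
        (last_id, batch_size))
    return cur.fetchall()

def poll_once(conn, checkpoint, send):
    """Forward new rows; advance the checkpoint only after each successful send."""
    sent = 0
    for row_id, actor, action in fetch_new_entries(conn, checkpoint["last_id"]):
        try:
            send({"id": row_id, "actor": actor, "action": action})
        except ConnectionError:
            break  # stop here; the unsent row is retried on the next poll
        checkpoint["last_id"] = row_id
        sent += 1
    return sent

def demo():
    conn = make_sample_db()
    checkpoint = {"last_id": 0}  # a real collector would persist this across restarts
    delivered, calls = [], {"n": 0}
    def flaky_send(event):       # hypothetical sender with one transient failure
        calls["n"] += 1
        if calls["n"] == 2:
            raise ConnectionError("service unreachable")
        delivered.append(event["id"])
    first = poll_once(conn, checkpoint, flaky_send)   # sends row 1, fails on row 2
    conn.execute("INSERT INTO audit_log (actor, action) VALUES ('carol', 'DELETE user 9')")
    conn.commit()
    second = poll_once(conn, checkpoint, flaky_send)  # retries row 2, then rows 3 and 4
    third = poll_once(conn, checkpoint, flaky_send)   # nothing new to forward
    return first, second, third, delivered, checkpoint["last_id"]

if __name__ == "__main__":
    print(demo())
```

With concurrent writers, rows can commit out of `id` order, so a strict `id >` checkpoint can skip a row that commits late; a small overlap window with de-duplication on the receiving side is a common way to cover that case.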
All communication between the agent and the Sentinel Trails service is encrypted.
Configuration and installation are done through scripts that we provide; you can follow the steps here:
To find existing logs and tables to monitor and send to Sentinel Trails, you can use our free and open source scan-logs script.
Below is an overview of how the agent fits into the architecture: