LogSentinel Agent Overview

The Sentinel Trails listening agent is an open source component that gets installed on target machines to listen to a configured set of log sources. It can be installed on Linux and Windows and supports the following types of sources:

  • Log files – an arbitrary text file can be collected and sent, line by line, to the Sentinel Trails service. These are typically application logs and logs produced by systems such as application servers, accounting software, CRMs, ERPs (e.g. SAP), big data processing (e.g. Hadoop), or any other non-standard software

  • Database log files - if database query logs are enabled, the agent listens to newly issued queries and sends them to the Sentinel Trails service

  • Database tables - if you store audit trail inside relational database tables, you can configure queries that periodically fetch new entries and send them to the Sentinel Trails service

  • MS SQL audit trail – if MS SQL audit trail is enabled, the agent can be configured to listen to it and forward the events

  • MS SQL change tracking – if MS SQL change tracking is enabled, the agent can be configured to listen to it and forward the change events

  • Oracle audit trail – if Oracle audit trail is enabled, the agent can be configured to listen to it and forward the events

  • Access logs – the standard web server access log files can be parsed and sent to Sentinel Trails

  • Linux audit log – the native Linux audit log file can be tailed and forwarded to Sentinel Trails

  • Windows event logs – the Windows event logs (including all categories – Application, Security, System) can be read continuously and sent to Sentinel Trails

  • Directory changes - any changes in a directory (new files, removal of files, modification of files) can be tracked using this agent configuration.

  • PostgreSQL - the agent can collect the audit logs generated by pgaudit

  • MySQL - the agent can collect the audit logs generated by the audit log plugin

  • Teradata - if auditing is enabled on Teradata, the agent can query the logs and forward them

  • Hadoop - the agent can parse and forward Hadoop security logs

  • AxonDB logs – AxonDB is a special type of non-relational database. We support its custom log format.

Any combination of the above can be configured. Note that for some target types the agent can be installed on a different machine than the actual log source. For example, in the case of database tables or a database audit trail, the agent can be installed on another machine that connects to the database server via a database connection string and credentials.
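The two collection modes described above, tailing a text log line by line and periodically fetching new rows from an audit table, share one requirement: the agent must remember how far it has already forwarded, so a restart neither re-sends old entries nor silently skips new ones. The following is an added, self-contained illustration of that idea and is not LogSentinel's own agent code; the `forward` callable stands in for the Sentinel Trails service, the cursor state is kept in memory rather than on disk, and the log lines and `audit_trail` table are constructed sample data.

```python
"""Illustrative collectors in the style of a log-shipping agent (added example,
not LogSentinel's own code). A text log is read from a remembered byte offset,
and a relational audit table is polled for rows above a remembered id."""
import os
import sqlite3
import tempfile
from typing import Callable, List

Forward = Callable[[dict], None]   # hypothetical stand-in for the Sentinel Trails client


class FileTailer:
    """Reads new complete lines from a text log, keeping the byte offset (in
    memory here; a real agent would persist it) so a restart does not re-send
    old lines. If the file shrinks (truncated or rotated in place) the offset
    is reset to 0 so the new content is not skipped."""

    def __init__(self, path: str, forward: Forward):
        self.path = path
        self.forward = forward
        self.offset = 0

    def poll(self) -> int:
        sent = 0
        if os.path.getsize(self.path) < self.offset:   # truncation/rotation: start over
            self.offset = 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            while True:
                line = fh.readline()
                if not line.endswith(b"\n"):           # partial line (or EOF): wait for the rest
                    break
                self.forward({"source": self.path,
                              "message": line.rstrip(b"\r\n").decode("utf-8", "replace")})
                self.offset = fh.tell()                # advance only after a successful forward
                sent += 1
        return sent


class TablePoller:
    """Fetches audit rows whose monotonically increasing id is above the last id
    already forwarded. sqlite3 is used here; an agent would use the configured
    connection string. The table name is assumed to come from trusted
    configuration, never from user input, since it is interpolated into SQL."""

    def __init__(self, conn: sqlite3.Connection, table: str, forward: Forward):
        self.conn = conn
        self.table = table
        self.forward = forward
        self.last_id = 0

    def poll(self) -> int:
        sent = 0
        cur = self.conn.execute(
            f"SELECT id, actor, action FROM {self.table} WHERE id > ? ORDER BY id",
            (self.last_id,))
        for row_id, actor, action in cur:
            self.forward({"source": self.table, "id": row_id, "actor": actor, "action": action})
            self.last_id = row_id
            sent += 1
        return sent


def demo() -> dict:
    """Constructed sample data: an application log that grows between polls and
    an audit table that gains a row between polls. Returns the poll counts and
    the events a fake Sentinel Trails endpoint received."""
    received: List[dict] = []

    tmp = tempfile.NamedTemporaryFile("wb", suffix=".log", delete=False)
    tmp.write(b"2018-11-01 10:00:00 INFO login user=alice\n"
              b"2018-11-01 10:00:05 WARN failed login user=bob")   # no trailing newline yet
    tmp.close()
    tailer = FileTailer(tmp.name, received.append)
    first = tailer.poll()                  # only the complete first line is sent
    with open(tmp.name, "ab") as fh:
        fh.write(b"\n2018-11-01 10:00:09 INFO logout user=alice\n")
    second = tailer.poll()                 # the finished second line plus the new one
    os.unlink(tmp.name)

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_trail (id INTEGER PRIMARY KEY, actor TEXT, action TEXT)")
    conn.execute("INSERT INTO audit_trail (actor, action) VALUES ('alice', 'export_report')")
    poller = TablePoller(conn, "audit_trail", received.append)
    rows_first = poller.poll()             # one row
    conn.execute("INSERT INTO audit_trail (actor, action) VALUES ('bob', 'delete_user')")
    rows_second = poller.poll()            # one new row; the earlier one is not re-sent
    return {"file": (first, second), "table": (rows_first, rows_second), "events": received}


if __name__ == "__main__":
    print(demo())
```

The tailer advances its offset only after a line has been handed to `forward`, so a crash between reading and forwarding replays that line rather than losing it; for an audit trail, at-least-once delivery with duplicates downstream is the safer failure mode. The poller relies on the id column being monotonically increasing, which is the usual property of an auto-increment primary key but should be verified for the table being monitored.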

Full configuration details can be seen here.

All communication between the agent and the Sentinel Trails service is encrypted.

Configuration and installation are done through scripts provided by us, and you can follow the steps here:

To find existing logs and tables to monitor and send to Sentinel Trails, you can use our free and open source scan-logs script.

Below is an overview of how the agent fits into the architecture:

[Image: Sentinel Trails architecture overview] https://d381qa7mgybj77.cloudfront.net/wp-content/uploads/2018/11/Sentinel_trails_overview-708x1024.png