Deploy Collectors with Log Forwarder for Linux


The Lumu Log Forwarder Agent is available for Linux-based operating systems. In this article, you will find the installation procedures, both automatic and manual, for all the supported distributions.

Log Forwarder is designed to streamline the data collection processes from third party data collection services. While not as optimized as a fully-fledged Virtual Appliance deployment, it is a great alternative for fast and accessible deployment.

Using Log Forwarder, you can configure collectors quickly and easily, and receive the reports from those collectors at a centralized location for comprehensive analysis and monitoring.

The Log Forwarder Agent supports the following providers for data collection, on both Linux and Windows:
  • Sophos SG
  • Sophos XG
  • Cisco Meraki
  • Sonic Wall
  • Fortinet
  • Watchguard
  • Barracuda

You will find vendor-specific documentation to configure each of these solutions at the end of this article, under the "Vendor-specific Configuration" header.

Supported Distributions

These are the distributions supported by the Lumu Log Forwarder Agent for Linux, together with the supported versions of each. If you use a version or distribution not found on this list, you do so under your own responsibility, as Lumu only provides official support for the ones listed in this article:

Distribution   Supported versions
Ubuntu         24.04 LTS, 22.04 LTS, 20.04 LTS
RHEL           9.2, 8.4

Installer Setup

You can quickly set up the Lumu Log Forwarder Agent for Linux using the provided installer. This is the fastest and easiest way to use the Lumu Log Forwarder Agent on your Linux environments. It is the recommended installation method.

1. First, download the installer from the Lumu Portal. Open the ‘Collectors’ drop-down, and select ‘Log Forwarders’. Once there, click on ‘Download for’ and select Linux. You will see a menu that will allow you to download the installer.

2. Once downloaded, you must carry out some preparations before running the installer. First, you must set it to executable mode. To do so, run the following commands in the terminal (replace /path/to with the directory where you saved the installer):

# Make the installer script executable
chmod +x /path/to/lumu_linux_forwarder_installer_latest.sh

# Run the script as root and install the agent
sudo /path/to/lumu_linux_forwarder_installer_latest.sh --install

3. Now, you must run the installer. This is the first screen you will see once you run the installer:


A basic installation procedure must make use of the ‘install’ or ‘license’ options.

4. Enter -i or --install. This will install the Lumu Log Forwarder Agent on your Linux-based system.


  • Optionally, you can install and activate the agent with a single command. To do so, enter -l LICENSE or --license LICENSE as shown in the menu, where LICENSE is the activation code found in the Lumu Portal. Once activated, the Lumu Agent for Linux will be running on your system.
The highlighted area is your license key. You will need it for the Agent activation step further below.

Manual Installation - Ubuntu

This is the manual installation procedure of the Lumu Log Forwarder Agent for Linux in supported Ubuntu environments.

Install using the apt repository

1. Update the apt package index and install packages to allow apt to use a repository over HTTPS:

sudo apt update
sudo apt install ca-certificates curl gnupg

2. Add Lumu’s official GPG key:

# Create /etc/apt/keyrings if it doesn't exist
sudo install -m 0755 -d /etc/apt/keyrings

# Download and install GPG key
curl -fsSL https://packages.lumu.io/ubuntu/ubuntu.pub.key | sudo gpg --dearmor -o /etc/apt/keyrings/lumu.gpg

# Grant read permissions to all users
sudo chmod a+r /etc/apt/keyrings/lumu.gpg

If you get an error stating that “no alternative certificate subject name matches target host name” and “curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it”, it is due to a bug in cURL between versions 7.12.0 and 8.0.1 that prevents requests to TLS domains with wildcard certificates. You can learn more about this bug in cURL’s official statement. We suggest using Wget as a workaround. To do so, use the following command:

```
wget -q -O - https://packages.lumu.io/ubuntu/ubuntu.pub.key | sudo gpg --dearmor -o /etc/apt/keyrings/lumu.gpg
```

3. Use the following command to set up the repository:

echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/lumu.gpg] \
$(. /etc/os-release && echo "https://packages.lumu.io/ubuntu/$VERSION_CODENAME") \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/lumu.list > /dev/null

4. Update the apt package index and install the lumu-forwarder-agent package.

# Update repositories
sudo apt update
# Install the agent
sudo apt install lumu-forwarder-agent
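As an added pre-flight helper (not Lumu's installer or packaging), the following POSIX shell script checks the host against the supported-version table above, builds the same sources.list line that step 3 writes, and verifies that the keyring from step 2 exists and is world-readable, without changing anything on the system. The keyring path and repository URL are the ones used in steps 2 and 3; the function names and the LUMU_ variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of Lumu's documentation: pre-flight checks for the
# apt-based installation. Nothing here modifies the system.

KEYRING=/etc/apt/keyrings/lumu.gpg          # path used in step 2
REPO_BASE=https://packages.lumu.io/ubuntu   # URL used in step 3

# Return 0 if ID/VERSION_ID (as found in /etc/os-release) is on the article's
# supported list for the apt method, 1 otherwise.
lumu_supported_release() {
    case "$1/$2" in
        ubuntu/24.04|ubuntu/22.04|ubuntu/20.04) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the one-line apt source entry that step 3 writes to
# /etc/apt/sources.list.d/lumu.list, from an architecture and a codename.
lumu_apt_source_line() {
    printf 'deb [arch=%s signed-by=%s] %s/%s %s stable\n' \
        "$1" "$KEYRING" "$REPO_BASE" "$2" "$2"
}

# Return 0 if the keyring is a regular file readable by "other" (step 2 runs
# chmod a+r so the unprivileged apt helper can read it), 1 otherwise.
lumu_keyring_ok() {
    [ -f "$1" ] || return 1
    # 8th character of "ls -ld" output is the "other" read bit: -rw-r--r--
    perm=$(ls -ld "$1" 2>/dev/null | cut -c8)
    [ "$perm" = r ]
}

# Demo: evaluate the running host and report what the steps above would do.
if [ -r /etc/os-release ]; then
    . /etc/os-release
    arch=$(dpkg --print-architecture 2>/dev/null || uname -m)
    if lumu_supported_release "$ID" "$VERSION_ID"; then
        echo "supported release: $ID $VERSION_ID ($VERSION_CODENAME)"
        echo "step 3 would write: $(lumu_apt_source_line "$arch" "$VERSION_CODENAME")"
    else
        echo "not on the supported list: $ID $VERSION_ID"
    fi
    if lumu_keyring_ok "$KEYRING"; then
        echo "keyring present and world-readable: $KEYRING"
    else
        echo "keyring missing or not readable by apt: $KEYRING"
    fi
fi
```

Run it before step 4 on a freshly prepared host; a "not readable" result usually means the chmod a+r in step 2 was skipped, which makes apt reject the repository signature.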

Manual Installation - RHEL

This is the manual installation procedure of the Lumu Log Forwarder Agent for Linux in supported RHEL environments.

Install using the rpm repository

1. Install the yum-utils package (which provides the commands to manage your YUM repositories), and set up the repository.

If your system language is set to Spanish, prefix every yum- or dnf-related command with LANG=C.UTF-8, e.g. LANG=C.UTF-8 sudo dnf config-manager --add-repo ...

sudo yum -y install yum-utils
sudo yum-config-manager --add-repo https://packages.lumu.io/rhel/lumu.repo

2. Install the Lumu Linux Log Forwarder Agent.

sudo yum install -y lumu-forwarder-agent

Due to the design and security policies of RHEL-based systems, all TCP and UDP ports must be managed manually by the system administrator. This means that if you add a new log collector, be sure to open the port on which this new collector will listen for logs. You can do this with the following commands:

sudo firewall-cmd --zone=public --permanent --add-port <your port>/<tcp or udp>
sudo firewall-cmd --reload
# Confirm that firewall rule was added
sudo firewall-cmd --list-all
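The following POSIX shell helper is an added example, not part of Lumu's documentation: it validates a collector port specification of the form <port>/<tcp|udp> before building the firewall-cmd invocations shown above, so a mistyped port is rejected instead of being opened permanently, and it prints the exact rule set it would apply. LUMU_APPLY is an environment variable assumed by this example; set it to 1 to execute the commands instead of printing them.

```shell
#!/bin/sh
# Added example (not Lumu's tooling): validate a collector port before touching
# firewalld, and show the rule that would be added.

# Return 0 if "$1" is <port>/<tcp|udp> with 1 <= port <= 65535, else 1.
collector_port_spec_valid() {
    spec=$1
    port=${spec%/*}      # strip "/<proto>"
    proto=${spec#*/}     # strip "<port>/"
    [ "$spec" != "$port" ] || return 1              # no slash at all
    case "$port" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric port
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp) return 0 ;; *) return 1 ;; esac
}

# Print (or, with LUMU_APPLY=1, run) the same firewall-cmd sequence the article
# uses for a valid spec. Invalid specs are rejected with status 1.
open_collector_port() {
    if ! collector_port_spec_valid "$1"; then
        echo "invalid collector port spec: '$1' (expected <port>/<tcp|udp>)" >&2
        return 1
    fi
    run() {
        if [ "${LUMU_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
    }
    run sudo firewall-cmd --zone=public --permanent --add-port="$1"
    run sudo firewall-cmd --reload
    run sudo firewall-cmd --zone=public --list-all   # confirm the rule is present
}

# Demo (dry run): a syslog collector on 514/udp, then a typo that is rejected.
open_collector_port 514/udp
open_collector_port 5140/ucp || echo "rejected, nothing was opened"
```

Keeping the validation separate from the apply step lets you drop the same function into a configuration-management wrapper, where an unchecked variable expanding to an empty or malformed value is the usual way an unintended port ends up open.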

Activate the Lumu Log Forwarder Agent for Linux

Once you have installed the agent, you must activate it. This step is identical for all distributions.

Run the following command with the activation code that corresponds to the assigned group.

sudo -u lumu log-forwarder-support --activate <Activation Code Here>

If the activation was carried out correctly, you should see the following message:

Activation successful!

Otherwise, please consult this article’s Command Quick Reference for Agent Support section.

Uninstalling the Lumu Log Forwarder for Linux

Using the installer

Regardless of whether you installed the Lumu Log Forwarder Agent using our installer, you can remove it and its repository from your system through the installer by using the -u or --uninstall option. You must run the installer as root:

sudo ./lumu_linux_forwarderagent_installer_latest.sh --uninstall

Ubuntu Uninstall

This is the manual uninstallation procedure of the Lumu Log Forwarder Agent, its repository, and key on a system using the APT package manager. Use it if you prefer to uninstall it manually.

1. Remove the lumu-forwarder-agent package.

sudo apt remove --purge -y lumu-forwarder-agent

2. Remove the lumu repository file.

sudo rm -f /etc/apt/sources.list.d/lumu.list

3. Remove the lumu repository public GPG key.

sudo rm -f /etc/apt/keyrings/lumu.gpg

4. Finally, update your apt package index.

sudo apt update

RHEL Uninstall

This is the manual uninstallation procedure of the Lumu Log Forwarder Agent, repository, and key on a system using the YUM package manager. Use it if you prefer to uninstall it manually.

1. Remove the lumu-forwarder-agent package.

sudo yum remove -y lumu-forwarder-agent

2. Remove the lumu repository file.

sudo rm -f /etc/yum.repos.d/lumu.repo

3. Remove the lumu repository public GPG key. For this, you must list your rpm gpg keys:

# List gpg keys
sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# Remove gpg key
sudo rpm -e <gpg key id (first column of previous command)>

4. Finally, update your yum package index.

sudo yum update

Upgrading the Lumu Agent for Linux

This is the procedure to update the Lumu Agent for Linux. Because Lumu provides its own repositories for the most common package managers, the process is very simple.

Most distributions require root access to update packages.

Debian/Ubuntu Update Process

To update the Lumu Linux Agent in a Linux distribution that uses the apt package manager, simply execute the following steps:

1. Update your package database.

sudo apt update

2. Upgrade the lumu-forwarder-agent package.

sudo apt install --only-upgrade lumu-forwarder-agent

Ubuntu/Debian Users must consider the following:

Due to the new version of OpenSSL being distributed with new versions of Ubuntu and Debian (OpenSSL v3.0.0), it is not possible to switch Lumu repositories between new and old versions of Ubuntu and Debian. Therefore, if your operating system uses an old version of OpenSSL (OpenSSL v1.0.0) and you do a major system update, it is necessary to reinstall the Lumu repository, and therefore, reinstall the agent. To do so, please refer to our installation guide.

RHEL Update Process

To update the Lumu Linux Agent in a Linux distribution that uses the dnf and/or the yum package manager, simply run the update command; use the dnf tool if you use Fedora, or yum if you use RHEL.

# Fedora
dnf update lumu-forwarder-agent

# RHEL
yum update lumu-forwarder-agent

Command Quick Reference for Agent Support

The Lumu Agent for Linux includes an application for support purposes. You can use this application to troubleshoot, configure and get agent information. The log-forwarder-support application is available from any part of the system because it is registered in the PATH.

To use the log-forwarder-support application, you must enter an option and, if necessary, an argument for that option. The table below lists the available support options for the Lumu Linux Agent.

sudo -u lumu log-forwarder-support <OPTION> <ARGUMENT>

Option                          Description
-h, --help                      Displays help with command line options.
-v, --version                   Displays version information.
-c, --check                     Displays the agent status.
-s, --status                    Displays the last status message.
--activate <ACTIVATION CODE>    Requests the server to validate the activation code.
--proxy-list <PROXY LIST>       Sets the proxy list configuration to the provided argument.
--clear-proxy-list              Removes the proxy list configuration.
--log-level <LOG LEVEL>         Changes the agent log level. Available levels: debug, info, warning, error.
--get-id                        Displays the agent ID.

Proxy Configuration

This section shows you how to configure the Lumu Linux Agent to use a custom list of HTTP proxies. This is done through the log-forwarder-support application that is installed along with the agent. You can use more than one proxy if your environment requires it.

Configure a Proxy List

To configure a proxy, use the --proxy-list option of the log-forwarder-support application with the following syntax:

sudo -u lumu log-forwarder-support --proxy-list http://user:password@192.168.0.1:4443

This command must be run as root user.

If you wish to add more than one proxy, separate them using a semicolon. Quote the list, because an unquoted semicolon ends the shell command:

sudo -u lumu log-forwarder-support --proxy-list "<proxy 1>;<proxy 2>"

Remove Proxy Configuration

If you need to remove the proxy configuration from your Lumu Linux Agent settings, use the --clear-proxy-list option from the log-forwarder-support application.

sudo -u lumu log-forwarder-support --clear-proxy-list

This command must be run as root user.

Check Agent Status

You can quickly validate that the agent has been installed and activated correctly, and that it is sending traffic to Lumu for analysis. Just run the following commands:

# Use SystemD service
sudo systemctl status forwarderd.service
# Use internal agent status
sudo log-forwarder-support --check

This is the expected result when the agent is running:




Vendor-specific Configuration

  • Sophos SG
    • For instructions on how to set up Sophos SG to work with Log Forwarder, refer to their documentation.
  • Sophos XG
    • For instructions on how to set up Sophos XG to work with Log Forwarder, refer to their documentation.
    • The timezone configuration needs to be the same as the one in the Lumu Portal.
  • Cisco Meraki
    • For instructions on how to set up Cisco Meraki to work with Log Forwarder, refer to their documentation.
  • Sonic Wall
    • For instructions on how to set up Sonic Wall to work with Log Forwarder, refer to their documentation.
  • Fortinet
  • Watchguard
    • For instructions on how to set up Watchguard to work with Log Forwarder, refer to their documentation.
  • Barracuda
    • In order to configure Barracuda to work with Log Forwarder, consult their documentation.
    • The Activity Log Mode field under Log Policy needs to be set to "Log-Pipe-Separated-Key-Value-List".
