Deploy Collectors with Log Forwarder for Windows

Deploy Collectors with Log Forwarder for Windows

Log Forwarder is designed to streamline the data collection processes from third party data collection services. While not as optimized as a fully-fledged Virtual Appliance deployment, it is a great alternative for fast and accessible deployment.

Using Log Forwarder, you can configure collectors quickly and easily, as well as receiving reports from said collectors to a centralized location for comprehensive analysis and monitoring.

The Log Forwarder Agent supports the following providers for data collection, both in Linux and Windows:
  • Sophos SG
  • Sophos XG
  • Cisco Meraki
  • Sonic Wall
  • Fortinet
  • Watchguard Firebox
  • Barracuda CloudGen
  • pfSense
  • MikroTik
  • Ubiquiti Unifi Cloud Gateway

Notes
You will find vendor-specific documentation to configure each of these solutions at the end of this article, under the Vendor-specific Configuration section.

Requirements

  • A device running a Windows Server 2016 and above or Windows 10 operating system and above.

Notes
The device should be kept on at all times, and be reachable by the Firewall or device that will send the data.
  • Administrator permissions on the local machine.
  • Administrator permissions on the firewall to be configured.
  • A Lumu Free or higher account.
  • Grant access to the Lumu domains in the firewall Allow list. The domain list can be found here

The Log Forwarder Agent is a lightweight software program. Below are some referential information regarding the agent average consumption on Windows devices:

RAM consumption (average): 20 MB

CPU consumption (average): < 2%

BW consumption  (average): 1 Kbps

Online installer size: 1.05 MB

Agent installed size: 6.7 MB

Creating a Log Forwarder Agent

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarders. 


2. If it's your first Agent, the button will be where the Agent list normally is. Click on Create Agent.

Notes
After you have created your first agent, the button will move to the upper right side of this area, and will be renamed Add Agent.

3. Provide a name for the agent, as well as the following information:

  • Description: an optional brief description for the Agent.
  • Label: optionally assign a default label with which all the captured metadata will be associated by default.

Notes
Learn more about Lumu’s Label system here.


4. Once you create a Log Forwarder Agent, you will see its activation code. Be sure to record this activation code. Once you click Next, you will not be able to view or recover this code again.

Installing the Agent

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarder. Here, you will find the button to download the agent.


2. Once you click on Download, a pop-up will appear. You can choose between an Online Installer, which will download and install the necessary files during the setup process, or an Offline Installer, which has all that you need to install the Agent.

3. When you open the installer, you will need to input the activation code from the previous section to proceed. Click Next.

4. Tick on the checkboxes you deem necessary, and click Install.

5. Once done, click Finish to complete the Log Forwarder Agent installation.

Add Collectors to your Agent

In order for a Log Forwarder Agent to collect information for you, you will need to configure a collector for it. At least one collector must be configured for the Log Forwarder Agent to work.

Notes
You can configure different collectors for different devices.

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarder. You will see a list of all your Log Forwarder Agents. Click on the one you want to add collectors to.

2. Once on the Log Forwarder Details page, click on the Add Collector button.


3. Name your collector and choose the collector type


3. Configure your collector’s ports and timezone.

a. If your collector only supports UDP Protocol, then input your UDP Listening port here


b. If your collector supports TCP/UDP Listener ports, choose the correct one and input your Listener port.


4. Your newly created collector will be shown under the Collectors section of the Log Forwarder Details page.


Notes
For Command Reference and Agent troubleshooting, consult this article

Setup Grouping Rules

Grouping Rules are powerful tools to organize and streamline the traffic received by your collectors by making full use of Lumu’s Labels. Consult the relevant article on our technical documentation to learn more about Grouping Rules.

Vendor-specific Configuration

  • Sophos SG
    • For instructions on how to setup Sophos SG to work with Log Forwarder, refer to their documentation.
  • Sophos XG
    • For instructions on how to setup Sophos XG to work with Log Forwarder, refer to their documentation.
    • Timezone configuration needs to be the same as the one in Lumu Portal.
  • Cisco Meraki
    • For instructions on how to setup Cisco Meraki to work with Log Forwarder, refer to their documentation.
  • Sonic Wall
    • For instructions on how to setup Sonic Wall to work with Log Forwarder, refer to their documentation.
  • Fortinet
  • WatchGuard 
    • For instructions on how to setup WatchGuard to work with Log Forwarder, refer to their documentation.
  • Barracuda CloudGen
    • In order to configure Barracuda to work with Log Forwarder, consult their documentation.
    • The Activity Log Mode field under Log Policy needs to be set to "Log-Pipe-Separated-Key-Value-List"
  • pfSense
  • MikroTik
    • In order to configure MikroTik to work with Log Forwarder, consult our documentation.
  • Ubiquiti Unifi Cloud Gateway
    Still can’t find an answer?
    Send a message to our experts.
    Contact Us

        • Related Articles

        • Deploy Collectors with Log Forwarder for Linux

          The Lumu Log Forwarder Agent is available for Linux-based operating systems. In this article, you will find the installation procedures, both automatic and manual, for all the supported distributions. Log Forwarder is designed to streamline the data ...

        • Deploy Lumu Agent using Group Policy (GPO)

          The installation of the Lumu Agent for Windows is simple and straightforward. This article describes how to deploy the Windows Agent quickly to your entire user population through Group Policy Objects (GPO) in a Windows Server. For getting started ...

        • Lumu Log Forwarder FortiGate Configuration

          In scenarios where all your FortiGate deployment logs are centralized within a FortiAnalyzer, you can use it to accelerate the deployment of Lumu and forward all firewall logs at once using the FortiAnalyzer data collection capabilities from Lumu. ...

        • Lumu Agent Deployment via Kaseya VSA

          The Lumu Agent can be deployed remotely in corporate environments using an array of tools such as Remote Monitoring and Management software (RMM). This article describes the remote installation procedure of the Lumu Agent for Windows  and macOS   ...

        • Lumu Agent Collector for Windows Server

          Up until now, the Lumu Agent has been an endpoint software program installed on a user's machine which enables the detection of adversarial activity; however, the compromise detection capabilities of the Lumu Agent are now available for Windows ...