Deploy Collectors with Log Forwarder for Windows

Log Forwarder is designed to streamline data collection from third-party sources. While not as optimized as a fully fledged Virtual Appliance deployment, it is a good alternative when you need a fast and accessible deployment.

Using Log Forwarder, you can configure collectors quickly and easily, and receive the reports from those collectors in a centralized location for comprehensive analysis and monitoring.

The Log Forwarder Agent supports the following providers for data collection:
  • Sophos SG
  • Sophos XG
  • Cisco Meraki
  • SonicWall
  • Fortinet

You will find vendor-specific documentation to configure each of these solutions at the end of this article, under the "Vendor-specific Configuration" header.

Requirements

  • A device running Windows Server 2016 or later, or Windows 10 or later.
    The device should be kept on at all times and be reachable by the firewall or device that will send the data.
  • Administrator permissions on the local machine.
  • Administrator permissions on the firewall to be configured.
  • A Lumu Free or higher account.
  • Access to the Lumu domains granted in the firewall's Allow list. The domain list can be found here.

The Log Forwarder Agent is a lightweight software program. Below is some reference information on the agent's average resource consumption on Windows devices:

  • RAM consumption (average): 20 MB
  • CPU consumption (average): < 2%
  • Bandwidth consumption (average): 1 Kbps
  • Online installer size: 1.05 MB
  • Agent installed size: 6.7 MB

Creating a Log Forwarder Agent

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarders.

2. If it's your first Agent, the button will be where the Agent list normally is. Click on Create Agent.

After you have created your first agent, the button will move to the upper right side of this area, and will be renamed Add Agent.

3. Provide a name for the agent, as well as the following information:

  • Description: an optional brief description for the Agent.
  • Label: optionally assign a default label with which all the captured metadata will be associated by default.

Learn more about Lumu’s Label system here.


4. Once you create a Log Forwarder Agent, you will see its activation code. Be sure to record this activation code. Once you click Next, you will not be able to view or recover this code again.

Installing the Agent

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarder. Here, you will find the button to download the agent.


2. Once you click on Download, a pop-up will appear. You can choose between an Online Installer, which will download and install the necessary files during the setup process, or an Offline Installer, which has all that you need to install the Agent.

3. When you open the installer, you will need to input the activation code from the previous section to proceed. Click Next.

4. Tick on the checkboxes you deem necessary, and click Install.

5. Once done, click Finish to complete the Log Forwarder Agent installation.

Add Collectors to your Agent

In order for a Log Forwarder Agent to collect information for you, you will need to configure a collector for it. At least one collector must be configured for the Log Forwarder Agent to work.

You can configure different collectors for different devices.

1. On the Lumu Portal, head to the Collectors category on the left panel, then click on Log Forwarder. You will see a list of all your Log Forwarder Agents. Click on the one you want to add collectors to.

2. Once on the Log Forwarder Details page, click on the Add Collector button.

3. Name your collector and choose the collector type.

4. Configure your collector's ports and timezone.

   a. If your collector only supports the UDP protocol, input your UDP listening port here.

   b. If your collector supports TCP/UDP listener ports, choose the correct one and input your listener port.

5. Your newly created collector will be shown under the Collectors section of the Log Forwarder Details page.
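Once a collector exists, the two things that most often go wrong are that nothing is bound to the configured port on the Windows host, or that Windows Defender Firewall blocks the sending device. The following PowerShell script is an added example (not Lumu's own tooling) that checks both and sends one constructed syslog test line to the local listener; the port 514/UDP, the rule name and the sender address 192.0.2.10 are sample values you should replace with your collector's settings.

```powershell
# Added example (not part of the Lumu Log Forwarder): verify a collector's
# listener on the Windows host. Assumes the collector was already created in
# the portal with the port/protocol given below; 514/UDP is a constructed value.
param(
    [int]$Port = 514,
    [ValidateSet('UDP','TCP')][string]$Protocol = 'UDP',
    [string]$RuleName = 'Lumu Log Forwarder collector (example)',
    [string]$SenderIP = '192.0.2.10'   # constructed placeholder: the firewall's IP
)

# 1. Is anything bound to the collector port? The agent must be running and
#    the collector configured before this returns a result.
if ($Protocol -eq 'UDP') {
    $listener = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
} else {
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
}
if (-not $listener) {
    Write-Warning "Nothing is listening on $Protocol/$Port; check the agent and the collector's port setting."
} else {
    $pid_ = $listener[0].OwningProcess
    $proc = Get-Process -Id $pid_ -ErrorAction SilentlyContinue
    Write-Host "Listener on $Protocol/$Port is owned by PID $pid_ ($($proc.ProcessName))"
}

# 2. Windows Defender Firewall must admit the sending device's syslog traffic.
#    Scope the rule to that device's address instead of allowing any source.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol $Protocol -LocalPort $Port -RemoteAddress $SenderIP `
        -Profile Domain,Private | Out-Null
    Write-Host "Created inbound rule '$RuleName' for $Protocol/$Port from $SenderIP"
}

# 3. Send one constructed RFC 3164-style line to the local listener so you can
#    confirm it appears in the portal under this collector.
$msg   = "<134>$(Get-Date -Format 'MMM dd HH:mm:ss') testhost lumu-check: collector reachability test"
$bytes = [Text.Encoding]::ASCII.GetBytes($msg + "`n")
if ($Protocol -eq 'UDP') {
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Send($bytes, $bytes.Length, '127.0.0.1', $Port) | Out-Null
    $udp.Close()
} else {
    $tcp = New-Object System.Net.Sockets.TcpClient('127.0.0.1', $Port)
    $tcp.GetStream().Write($bytes, 0, $bytes.Length)
    $tcp.Close()
}
Write-Host "Sent test line to $Protocol/$Port: $msg"
```

Run it from an elevated PowerShell session, since creating a firewall rule requires administrator rights (one of the requirements listed above).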


For command reference and Agent troubleshooting, consult this article.

Vendor-specific Configuration
