Creating groups of agent handlers
A group of agent handlers consists of one or several agent handlers. When an agent must connect to an agent handler, the agent gives priority to the last handler that accepted its request. If the connection fails, the agent will randomly choose another handler from the group until its request is accepted.
Once an agent handler is installed, it automatically appears in the backoffice > Agent handlers menu in the administration console. By default, it belongs to a group named New Group (agent handler_name). You can edit this group, create new groups or move an agent handler to another group.
Agent logs can be sent to different Syslog servers configured for each agent handler group. For example, configure several Syslog servers to receive logs of varying levels of severity or with different content formats.
The Stormshield Log Supervisor (SLS) log management solution can be used with SES Evolution. For more information, see section Configuring communication with a Stormshield Log Supervisor (SLS) server and the SLS documentation available on the Stormshield Technical Documentation website.
NOTE
If a Syslog or SLS server is unreachable, the agent handlers temporarily store the logs for a maximum of 24 h, provided there is sufficient disk space.
- Select the backoffice > Agent handlers menu.
- In the left panel, click on the + icon. The line New group appears.
- In the Agent handler group settings, enter the Name of your agent handler group.
- If you want to send agent logs from this agent handler group to Syslog servers, click on Add a server and define the following parameters:
- Address: Enter the IP address or DNS name of the Syslog server.
- Protocol: Select the protocol for communication with the Syslog server. If you wish to encrypt the data exchanged, select TCP/TLS. In this case, the root certification authority and intermediate authorities of the Syslog server must be imported into the certificate store of each agent handler computer.
- Port: Enter the port number used for Syslog (TCP 1468 by default). The TCP or UDP port number indicated here must be allowed on the firewall of the workstation that hosts the agent handler, as well as on all network devices located between the agent handler and the Syslog server.
- Transfer type: choose the parameter defined during the installation of the Syslog server.
- Structured data: Use this field to specify additional data to insert in the header of Syslog messages. For the expected data format, refer to RFC 5424. You can add more than one element to the field, for example: [ABC param1="value1"][KEY@12345 param2="value2"].
- Message format: choose the message format:
- simple text mode (like the messages displayed in the Agent logs menu),
- raw JSON format containing all the technical data,
- CEF format,
- IDMEF format.
- Message language: Select the language if necessary.
- You can indicate a maximum message size in bytes.
- Choose the lowest log severity to send to this server.
- Context details: Choose the context level you wish to send to the Syslog server:
- None: No context details are sent to the Syslog server, which only receives strong signals of an attack (i.e., alerts).
- Simple context detail: Strong signals are sent to the Syslog server, along with creation and termination logs for processes running on the agent at the time of the attack and shortly after the first attack log.
- Full context detail: All attack-related logs are sent to the Syslog server, regardless of the severity level selected above.
Whether the agent handler receives the full context detail depends on the agent group configuration. By default, transmission is deferred, and the simple context detail is sent well before the full context detail.
For more information on context details, see Understanding what makes up a context.
If you have configured at least one Syslog server, a Syslog server operation indicator appears in the top banner of the console once the environment has been deployed. It indicates whether any warnings or alerts have been raised. Click on the indicator to display details for each server.
- If you wish to move an agent handler from another group to your new group, select the handler and drag and drop it to the new group.
- Click on Save in the upper banner.
NOTE
We advise against the use of UDP for communications with the Syslog server. Use TLS instead.
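The Structured data field described above takes an RFC 5424 STRUCTURED-DATA string, and a malformed value is only discovered when the receiving server fails to parse the messages. The following is an added example, not code from the SES Evolution documentation or product: a parser that checks such a string the way an RFC 5424 receiver does (SD-NAME character rules, mandatory escaping of `"`, `\` and `]` inside values, closing brackets) and a lint pass for elements that parse but that strict receivers may still refuse, such as an SD-ID without `@` that is not one of the IANA-registered IDs, or the same SD-ID given twice. All sample strings are constructed for illustration.

```python
"""Validate the "Structured data" field of an RFC 5424 syslog header.

Added example, not part of the SES Evolution documentation or product: it parses
a STRUCTURED-DATA string the way a receiving syslog server does (RFC 5424,
section 6.3), so a typo in the field can be caught before it breaks ingestion.
All sample inputs are constructed for illustration.
"""

# SD-IDs without an '@' are reserved for IANA-registered identifiers (RFC 5424
# section 7); private identifiers take the form name@enterprise-number.
IANA_SD_IDS = {"timeQuality", "origin", "meta"}


def _check_sd_name(name, what, offset):
    """SD-NAME: 1..32 printable US-ASCII characters, excluding '=', SP, ']' and '"'."""
    if not 1 <= len(name) <= 32:
        raise ValueError(f"{what} at offset {offset} must be 1 to 32 characters, got {len(name)}")
    for ch in name:
        if not 33 <= ord(ch) <= 126 or ch in '="]':
            raise ValueError(f"{what} {name!r} at offset {offset} contains illegal character {ch!r}")


def parse_structured_data(text):
    """Return [(sd_id, [(param_name, param_value), ...]), ...].

    "-" is the NILVALUE (no structured data).  Raises ValueError with the
    offset of the first problem so the caller can point at it in the field.
    """
    if text == "-":
        return []
    elements = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != "[":
            raise ValueError(f"expected '[' at offset {i}")
        i += 1
        start = i
        while i < n and text[i] not in " ]":
            i += 1
        sd_id = text[start:i]
        _check_sd_name(sd_id, "SD-ID", start)
        params = []
        # Zero or more SP SD-PARAM, each written PARAM-NAME="PARAM-VALUE".
        while i < n and text[i] == " ":
            i += 1
            start = i
            while i < n and text[i] != "=":
                i += 1
            name = text[start:i]
            _check_sd_name(name, "PARAM-NAME", start)
            i += 1  # skip '='
            if i >= n or text[i] != '"':
                raise ValueError(f"expected '\"' at offset {i}")
            i += 1
            value = []
            while True:
                if i >= n:
                    raise ValueError("unterminated PARAM-VALUE")
                ch = text[i]
                if ch == "\\" and i + 1 < n and text[i + 1] in '"\\]':
                    value.append(text[i + 1])  # the three characters that must be escaped
                    i += 2
                    continue
                if ch == '"':
                    i += 1
                    break
                if ch == "]":
                    raise ValueError(f"unescaped ']' in PARAM-VALUE at offset {i}")
                value.append(ch)  # any other backslash is kept as a literal character
                i += 1
            params.append((name, "".join(value)))
        if i >= n or text[i] != "]":
            raise ValueError(f"expected ']' at offset {i}")
        i += 1
        elements.append((sd_id, params))
    return elements


def lint_structured_data(text):
    """Return warnings for data that parses but that strict receivers may reject."""
    warnings, seen = [], set()
    for sd_id, _ in parse_structured_data(text):
        if "@" not in sd_id and sd_id not in IANA_SD_IDS:
            warnings.append(f"SD-ID {sd_id!r} has no '@' but is not an IANA-registered ID")
        if sd_id in seen:
            warnings.append(f"SD-ID {sd_id!r} appears more than once")
        seen.add(sd_id)
    return warnings


def is_valid_structured_data(text):
    """True when the field parses; use lint_structured_data() for soft issues."""
    try:
        parse_structured_data(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample with the same shape as the documentation's example.
    sample = '[ABC param1="value1"][KEY@12345 param2="value2"]'
    for sd_id, params in parse_structured_data(sample):
        print(sd_id, dict(params))
    for warning in lint_structured_data(sample):
        print("warning:", warning)
```

Run on the documentation's own example, the parser accepts both elements, and the lint reports only that `ABC` carries no enterprise number; use a `name@enterprise-number` form for anything that is not `timeQuality`, `origin` or `meta` if the receiving server validates SD-IDs.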
If you are using SLS, the Stormshield log management solution, complete the settings as follows in the Syslog servers section of the agent handler group settings panel.
Sending logs over TCP
- Indicate the IP address of the SLS server.
- Select TCP as the protocol.
- Indicate port 601.
- Select Raw JSON as the Message format.
- Select Non-Transparent-Framing as the Transfer type.
Sending logs over TCP/TLS
The SLS server must have an X.509 certificate in PEM format.
- Enter the .crt certificate and .key private key in the SLS administration console.
- Import the SLS server's root certificate into the certificate store of each machine hosting an agent handler.
- In the Syslog servers section of the SES Evolution administration console, complete the parameters as follows:
- Indicate the host name or IP address of the SLS server. It must match the address entered in the certificate. If you have used the server host name in the certificate, you can specify the corresponding IP address in the HOST file of the machines hosting the agent handlers.
- Select TCP/TLS.
- Indicate port 6514.
- Select Raw JSON as the Message format.
- Select Non-Transparent-Framing as the Transfer type.
In both cases, if you encounter issues receiving logs in SLS, refer to System logs in the SES Evolution administration console. Filter by the relevant agent handler. For more information, see the section Monitoring the activity of SES Evolution backoffice components.
NOTE
The TCP port number indicated here must be allowed on the firewall of the workstations that host the agent handler, as well as on all network devices located between the agent handlers and SLS server.
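The Transfer type chosen above (Non-Transparent-Framing for SLS) is the RFC 6587 framing that delimits one syslog message from the next inside the TCP byte stream, and the sender and receiver must agree on it. The following is an added example, not code from the SES Evolution documentation or product: it builds an RFC 5424 message carrying a JSON body, frames it with each of the two RFC 6587 transfer types, reassembles a stream on the receiving side, and shows what a receiver sees when its transfer type does not match the sender's. The hostname `agenthandler01`, the timestamp, the facility and the JSON body are constructed placeholders, not values from the product.

```python
"""RFC 6587 framing of RFC 5424 syslog messages sent over TCP.

Added example, not part of the SES Evolution documentation or product: it builds
a syslog message whose body is a JSON document, frames it with each RFC 6587
transfer type (Non-Transparent-Framing and Octet-Counting), and reassembles a TCP
byte stream on the receiving side, including what the receiver sees when its
transfer type does not match the sender's.  Hostname, timestamp, facility and JSON
body are constructed placeholders.
"""
import json

LOCAL0 = 16  # facility used for the sample; PRI = facility * 8 + severity


def build_message(severity, hostname, app, body, facility=LOCAL0,
                  timestamp="2024-01-01T12:00:00Z"):
    """Return an RFC 5424 message (NILVALUE structured data) with a JSON MSG part."""
    pri = facility * 8 + severity
    header = f"<{pri}>1 {timestamp} {hostname} {app} - - - "
    # json.dumps escapes line breaks inside strings, so the message never
    # contains a raw LF and is safe to send with LF-terminated framing.
    return header.encode() + json.dumps(body, separators=(",", ":")).encode()


def frame_non_transparent(msg):
    """Non-Transparent-Framing (RFC 6587 section 3.4.2): message, then LF trailer."""
    return msg + b"\n"


def frame_octet_counting(msg):
    """Octet-Counting (RFC 6587 section 3.4.1): decimal MSG-LEN, SP, message."""
    return str(len(msg)).encode() + b" " + msg


def split_non_transparent(stream):
    """Cut an LF-framed stream into messages; return (messages, unread tail)."""
    parts = stream.split(b"\n")
    return parts[:-1], parts[-1]


def split_octet_counting(stream):
    """Cut an octet-counted stream into messages; return (messages, unread tail).

    Raises ValueError when the stream does not start with MSG-LEN, which is
    exactly what a receiver set to Octet-Counting sees from an LF-framing sender.
    """
    messages = []
    while stream:
        sp = stream.find(b" ")
        if sp == -1 and stream.isdigit():
            break  # MSG-LEN not fully received yet
        if sp <= 0 or not stream[:sp].isdigit():
            raise ValueError("stream does not start with MSG-LEN: transfer type mismatch?")
        start, length = sp + 1, int(stream[:sp])
        if len(stream) < start + length:
            break  # message body not fully received yet
        messages.append(stream[start:start + length])
        stream = stream[start + length:]
    return messages, stream


def parse_message(msg):
    """Decode PRI, header fields and the JSON body of one reassembled message."""
    text = msg.decode()
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    close = text.index(">")
    pri = int(text[1:close])
    fields = text[close + 1:].split(" ", 7)
    _version, _timestamp, hostname, app, _procid, _msgid, sd, body = fields
    if sd != "-":
        raise ValueError("this parser only handles NILVALUE structured data")
    return {"facility": pri // 8, "severity": pri % 8,
            "hostname": hostname, "app": app, "body": json.loads(body)}


def receive(stream, transfer_type):
    """Reassemble and parse a stream using the receiver's configured transfer type."""
    if transfer_type == "Non-Transparent-Framing":
        raw, tail = split_non_transparent(stream)
    elif transfer_type == "Octet-Counting":
        raw, tail = split_octet_counting(stream)
    else:
        raise ValueError(f"unknown transfer type {transfer_type!r}")
    return [parse_message(m) for m in raw], tail


def diagnose_framing(stream):
    """Guess the sender's transfer type from the first bytes of a captured stream."""
    sp = stream.find(b" ")
    if sp > 0 and stream[:sp].isdigit():
        return "Octet-Counting"
    if stream.startswith(b"<") and b"\n" in stream:
        return "Non-Transparent-Framing"
    return "unknown"


if __name__ == "__main__":
    msg = build_message(4, "agenthandler01", "ses", {"event": "alert"})  # constructed
    parsed, _ = receive(frame_non_transparent(msg), "Non-Transparent-Framing")
    print("matched:", parsed)
    _, tail = receive(frame_octet_counting(msg), "Non-Transparent-Framing")
    print("mismatch: receiver waits for an LF that never arrives, tail =", tail[:12])
```

The two mismatch cases are the ones worth recognising when a server configured in an agent handler group receives nothing: an LF-expecting receiver fed octet-counted data buffers forever because no trailer ever arrives, while an octet-counting receiver fed LF-framed data fails immediately because the stream starts with `<PRI>` rather than a length. Capturing the first bytes on the receiving side and running `diagnose_framing` over them tells which side to reconfigure.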
A Syslog server is not receiving logs from agents:
- Situation: One of the Syslog servers configured in an agent handler group is not receiving any logs from agents.
- Cause: There may be an error in the TCP/TLS configuration of the Syslog server.
- Solution: First check that the Syslog server is running in TCP mode.
If so, check the logs issued by the agent handler. If there is a TCP/TLS configuration problem, the agent handler issues a log that identifies the defective Syslog server and describes the possible causes.
If you do not see this log, try restarting the agent handler to force the issuing of logs. Wait at least one minute after the restart.
Then review the TCP/TLS configuration of the Syslog server according to the indications in that log.
Also check the lowest log severity you have set for this server: logs below that severity are not sent to it.