Adding A Centralized Logging Server

TABLE OF CONTENTS

• Download the Atakama Log Server binary

• Run the Log Server

• Connect end users to the Log Server

By granularly encrypting each file, Atakama is able to record user interactions with those files and generate a log file.

Download the Atakama Log Server binary:

• Windows binary: https://atakama-log-server.s3.amazonaws.com/atakama-logger-0.4.33.exe

• Linux (Ubuntu) binary: https://atakama-log-server.s3.amazonaws.com/atakama-logger-0.4.33

• Linux (RHEL) binary: https://atakama-log-server-internal.s3.amazonaws.com/atakama-logger-0.4.35-centos7

On Linux, mark the file as executable: chmod +x atakama-logger. Note that the binary may be deployed somewhere in the $PATH, such as /usr/local/bin.

On Windows, as a prerequisite the latest version of the Microsoft Visual C++ Redistributable must be installed. This is necessary for the server to start and function correctly.

Run the Log Server:

1. Generate a new private key for the server, and save it to the default config file:

   $ atakama-logger keygen --save

2. Open this config file in a text editor. It’s located at “C:\Users\[username]\AppData\Roaming\Atakama\server.cfg” on Windows, and “~/.config/atakama/server.cfg” on Linux.

3. Configure an output type. Here’s an example file:
   

   {
       "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
       "output": {
           "json_file": "/tmp/atakama-events.log"
       }
   }

   This will write all events in JSON lines format to /tmp/atakama-events.log.
   Here’s an example for Logstash output, where <endpoint> is the endpoint you configured for your HTTP input plugin:
   

   {
       "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
       "output": {
           "logstash_url": "https://<endpoint>"
       }
   }

   And finally, for an RFC 3164-compatible syslog server:
   

   {
       "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
       "output": {
           "rfc3164_syslog_url": "<ip or hostname>[:port]"
       }
   }

   Note that if unspecified, the port will default to 514.

4. Obtain the server’s ID, which will be used when connecting an Atakama instance to the server.
   

   $ atakama-logger get-id
   46e9ceacc26ca48ef8ee90d21b24b2f4

   Save this value where it can be later referenced.

5. Start the server:
   

   $ atakama-logger start
   20201118-143434: INFO: __main__ - Loading config from '/home/user/.config/atakama/goblin/server.cfg'
   20201118-143434: CRITICAL: __main__ - This server's device id is: 46e9ceacc26ca48ef8ee90d21b24b2f4
   20201118-143434: INFO: __main__ - Starting server
   20201118-143434: INFO: loggoblin.goblin - workstation relay connect: wss://relay.atakama.com:443
   20201118-143435: INFO: loggoblin.goblin - Connected to relay server
   20201118-143435: INFO: loggoblin.goblin - Goblin startup complete

   To exit, just hit Ctrl-C and the server will shut down cleanly.

Connect end users to the Log Server:

For local testing, the Log Server ID can be configured from the Atakama Control Center:

In the dialog box, enter the server ID generated during server setup.

For production deployments, the server ID can be configured via the usual enterprise configuration tool.

When this configuration is loaded onto end user machines, the machines will automatically send data to the Log Server.