Collectors

Overview

The Secure60 Portal provides a modern, intuitive interface for managing your Secure60 Collector configuration. This portal-based approach is the recommended method for configuring collectors, as it allows you to manage all aspects of collector configuration directly through the web interface without needing to edit .env files or configuration files manually.

With portal-based configuration, you can:

• Create and manage Collector Groups
• Generate .env files automatically
• Configure Collector Profiles that contain Log Parsers
• Build Log Parsers to extract valuable context from your logs
• Leverage automated Log Pattern detection for intelligent log enrichment
• Manage all configuration through the portal UI

Advanced Configuration Options

While the portal provides comprehensive configuration management, advanced features and custom scenarios may still require manual configuration. For these cases, see the Manual Configuration documentation.

Workflow Overview

The portal-based collector configuration follows this workflow:

1. Create a Collector Group - Organize your collectors into named groups
2. Generate Configuration - Automatically generate .env files for deployment
3. Create Collector Profiles - Define profiles that contain one or more Log Parsers
4. Build Log Parsers - Create parsers to match log types and extract valuable context
5. Leverage Log Patterns - Use automated pattern detection to build parsers intelligently

Creating Collector Groups

Collector Groups allow you to organize and manage multiple collectors together. This is the starting point for portal-based configuration.

Step 1: Navigate to Collectors

1. Log in to your Secure60 Portal
2. Navigate to Integrations → Secure60 Collector → Collectors

Step 2: Create a New Collector Group

1. Click the “New Collector Group” button
2. Enter a descriptive name for your collector group (e.g., “Production Web Servers”, “Network Devices”, “Application Logs”)
3. The system will generate a unique identifier for this group

Step 3: Generate Configuration File

Once you’ve created a collector group, you can generate a .env file that contains all the necessary configuration:

1. Select your collector group from the list
2. Click to view the group details
3. Generate or download the .env file

The generated .env file will include:

• Your Project ID
• Ingest token
• Collector group identifier
• Any configured profiles and parsers

Step 4: Deploy the Collector

Use the generated .env file to deploy your Secure60 Collector:

docker run -i --name s60-collector \
  -p 80:80 -p 443:443 -p 514:514/udp -p 6514:6514 -p 5044:5044 \
  --rm -d --env-file .env secure60/s60-collector:1.09

Or using Docker Compose:

services:
  s60-collector:
    image: "secure60/s60-collector:1.09"
    container_name: "s60-collector"
    ports:
      - "443:443"
      - "80:80"
      - "514:514/udp"
      - "6514:6514"
      - "5044:5044"
    env_file:
      - .env
    restart: 'always'

Managing Collector Groups

The Collectors page displays two sections:

• Configured Collectors: Collector groups that have been set up and are actively sending data
• Unknown Collectors: Collectors that are sending data but haven’t been assigned to a group yet

You can:

• Click on any configured collector group to view details and assign profiles
• Update unknown collectors by assigning them to the correct group name
• Monitor event rates and last seen timestamps
• Delete collector groups when no longer needed

Collector Profiles

Collector Profiles are containers that hold one or more Log Parsers. They allow you to organize parsers logically and apply them to specific collector groups.

Creating a Collector Profile

1. Navigate to Integrations → Secure60 Collector → Collector Profiles
2. Click “New Profile” or “Add Item”
3. Enter a descriptive name for your profile (e.g., “Cisco ASA Logs”, “Web Application Logs”, “Authentication Events”)
4. Optionally, provide a value identifier for the profile

Assigning Log Parsers to Profiles

1. Select a profile from the list
2. Add Log Parsers to the profile by:
   • Creating new parsers directly in the profile
   • Assigning existing parsers to the profile
3. Configure the order in which parsers are applied (if multiple parsers are in the profile)

Assigning Profiles to Collector Groups

1. Navigate to Collectors
2. Click on a collector group to view its details
3. Assign one or more profiles to the group
4. The collectors in that group will automatically use the parsers defined in the assigned profiles

Log Parsers

Log Parsers are objects that match specific log types and extract valuable context from log messages. They are essential for understanding security contexts and enabling effective analysis.

Purpose of Log Parsers

Log Parsers serve several critical functions:

• Log Type Matching: Identify and categorize different types of logs (e.g., authentication logs, network logs, application logs)
• Context Extraction: Extract important fields from unstructured log messages, such as:
  • Usernames
  • IP addresses
  • Login success/failure status
  • Event types
  • Timestamps
  • Error codes
  • And many other security-relevant fields
• Field Enrichment: Add structured fields to events for better searchability and analysis
• Normalization: Standardize field names and formats across different log sources

Example Use Cases

Authentication Logs:

• Extract username, source IP, login success/failure status, and timestamp from authentication events
• Enable detection of brute force attacks, account compromises, and unauthorized access attempts

Network Device Logs:

• Extract source/destination IPs, ports, protocols, and connection status from firewall and router logs
• Enable network traffic analysis and threat detection

Application Logs:

• Extract user actions, error codes, transaction IDs, and performance metrics
• Enable application security monitoring and operational insights

Creating Log Parsers

There are three main ways to create Log Parsers in the portal:

Method 1: From Log Patterns (Recommended)

This is the most automated approach, leveraging pattern detection:

1. Navigate to Integrations → Secure60 Collector → Log Patterns
2. Review detected patterns (requires the log pattern detector container to be deployed)
3. Select a pattern that matches the log type you want to parse
4. Use the interactive parser builder to:
   • Click on parts of the pattern (especially <*> wildcards) to extract them as fields
   • Define field names for extracted values
   • Set conditions for when the parser should apply
5. Add static fields if needed
6. Review the generated VRL (Vector Remap Language) code
7. Save the parser to a Collector Profile

Method 2: From Search Results

You can build parsers directly from log data you’re viewing:

1. Navigate to the Search page in the Secure60 Portal
2. Find log events that represent the log type you want to parse
3. Expand a row to view the full log message
4. Highlight text in the log message that you want to extract
5. Use the context menu to “Add to Parser” or “Build Parser”
6. Follow the parser builder workflow to create the parser

Method 3: Manual Parser Creation

For advanced users or custom scenarios:

1. Navigate to Integrations → Secure60 Collector → Log Parsers
2. Click “Add Item” or “New Parser”
3. Configure:
   • Parser Name: A descriptive name for the parser
   • Parser Value: An optional identifier
   • Conditions: When the parser should apply (e.g., when source_name equals cisco_asa)
   • VRL Code: Write or edit Vector Remap Language code to define parsing logic
4. Save the parser to a Collector Profile

Parser Configuration

Each Log Parser consists of:

• Item Name: A unique identifier for this specific parser rule
• Conditions: Rules that determine when the parser applies (e.g., when field source_name is cisco_asa)
• VRL Code: The actual parsing logic written in Vector Remap Language
  • Uses functions like parse_regex!() to extract fields using regular expressions
  • Can merge extracted fields into the event
  • Can add static fields or transform data

Example Parser

Here’s an example of a Log Parser for Cisco ASA “Teardown” logs:

Conditions:

• When: field_is
• Field: source_name
• Value: cisco_asa

VRL Code:

if exists(.source_name) && .source_name == "cisco_asa" {
    parsed = parse_regex!(.message_text, r'Teardown local-host (?P<ip_src_address>(.*?)) du')
    if parsed != null { . = merge(., parsed) }
    .vendor = "cisco"
}

This parser:

1. Checks if the log is from a Cisco ASA device
2. Extracts the source IP address from “Teardown” log messages
3. Adds a vendor field set to “cisco”

Log Patterns

Log Patterns represent automated detection of common log structures. This feature enables state-of-the-art automated log enrichment by identifying patterns in your log data and allowing you to build parsers from them.

How Log Patterns Work

1. Pattern Detection: The log pattern detector container (deployed separately) analyzes incoming log data
2. Pattern Identification: Common structures are identified and normalized into patterns with wildcards (<*>) representing variable fields
3. Pattern Review: You can review detected patterns in the Log Patterns page
4. Parser Building: Select a pattern and use the interactive builder to extract fields and create parsers

Example Pattern

A detected pattern might look like:

<190>1 <*> <*> nginx - - - 2026/01/12 <*> [info] <*> <*> client <*> closed keepalive connection

The <*> symbols indicate fields that vary between log entries. You can:

• Click on <*> positions to define them as extractable fields
• Name the fields (e.g., timestamp, log_level, client_ip)
• Build a parser that automatically extracts these fields from matching logs

Interactive Parser Builder

When working with Log Patterns, the portal provides an interactive parser builder:

1. Pattern Display: The detected pattern is shown with clickable elements
2. Field Selection: Click on <*> wildcards to mark them for extraction
3. Field Naming: Provide meaningful names for extracted fields
4. Condition Configuration: Set when the parser should apply (e.g., “Always” or based on specific field values)
5. VRL Generation: The system automatically generates VRL code based on your selections
6. Static Fields: Optionally add static key-value pairs to all parsed events
7. Target Parser: Choose to add to an existing parser or create a new one

Deploying the Log Pattern Detector

The log pattern detector is a separate container that must be deployed alongside your collector. Documentation for deploying and configuring the log pattern detector will be available separately.

Log Pattern Detector

Documentation for deploying and configuring the log pattern detector container is being prepared and will be available soon. Contact integrations@secure60.io for assistance with pattern detector deployment.

Search Integration

The Secure60 Portal’s Search page integrates with the parser creation workflow, allowing you to build parsers directly from real log data.

Building Parsers from Search

1. Navigate to the Search page
2. Query for logs that represent the type you want to parse
3. Expand a log row to view the full message
4. Highlight text in the log message that you want to extract as a field
5. Use the context menu or action button to:
   • “Add to Parser” - Add the highlighted text to an existing parser
   • “Build Parser” - Create a new parser starting with this extraction
6. Follow the parser builder workflow to complete the parser configuration

This approach is particularly useful when:

• You have specific log examples you want to parse
• You need to extract fields that aren’t easily identified by pattern detection
• You want to verify parser behavior against real data before deploying

Configuration Management

Portal-Based Configuration Benefits

Using the portal for collector configuration provides several advantages:

• No File Editing: Manage all configuration through the web interface
• Automatic Synchronization: Configuration changes are automatically synchronized to collectors
• Version Control: Track changes and configurations over time
• Visual Management: See all your collectors, profiles, and parsers in one place
• Easy Updates: Modify parsers and profiles without redeploying collectors
• Collaboration: Multiple team members can manage configuration through the portal

Configuration Workflow

The recommended workflow is:

1. Initial Setup: Create collector groups and generate .env files
2. Deploy Collectors: Use the generated .env files to deploy collectors
3. Monitor Unknown Collectors: Review unknown collectors and assign them to groups
4. Create Profiles: Build profiles for different log types or environments
5. Build Parsers: Create parsers using Log Patterns, Search, or manual creation
6. Assign Profiles: Link profiles to collector groups
7. Iterate: Refine parsers and profiles as you learn more about your log data

Advanced Configuration

For advanced features not yet available in the portal UI, you can still:

• Edit .env files directly for environment variable configuration
• Use YAML configuration files for custom transformations
• Contact integrations@secure60.io for custom configuration assistance

See the Manual Configuration documentation for details on advanced configuration options.

Best Practices

Organizing Collector Groups

• Use descriptive names that reflect the purpose or location of collectors
• Group collectors by environment (production, staging, development)
• Group collectors by function (network devices, web servers, applications)
• Group collectors by geographic location if applicable

Designing Collector Profiles

• Create profiles for specific log types (e.g., “Cisco Logs”, “Apache Logs”, “Auth Events”)
• Create profiles for specific use cases (e.g., “Security Monitoring”, “Compliance Logging”)
• Keep profiles focused - don’t mix unrelated log types in one profile
• Use descriptive names that indicate what the profile contains

Building Effective Log Parsers

• Start with Log Patterns when available - they provide the best starting point
• Extract security-relevant fields (usernames, IPs, success/failure status)
• Use meaningful field names that align with the Secure60 Common Information Model
• Test parsers against real log data before deploying widely
• Document parser purpose and extracted fields
• Review and refine parsers as log formats evolve

Managing Unknown Collectors

• Regularly review the “Unknown Collectors” section
• Assign unknown collectors to appropriate groups promptly
• Use descriptive group names to make assignment decisions clear
• Monitor event counts to identify important collectors that need configuration

Getting Help

For assistance with portal-based collector configuration:

• Documentation: Review this guide and related documentation
• Portal UI: Use the in-portal help and tooltips
• Integrations Team: Contact integrations@secure60.io for:
  • Custom parser development
  • Complex log format parsing
  • Deployment assistance
  • Best practice recommendations

We strongly recommend working with our Integrations team for custom advice and onboarding assistance specific to your organization’s needs.