Frequently Asked Questions (FAQ)

- What should we do if the master server’s hard disk becomes full?
  We recommend using a disk with a minimum capacity of 1 TB for data storage. This recommendation aligns with the platform’s backup retention policies, typically set to one year.
- How can we back up the master server logs to backup storage?
  Map an NFS server disk to the /utmstack/opensearch/backups folder. This method ensures secure and efficient storage of master server logs in the designated backup location.
- How long are logs retained, and are they deleted automatically?
  Logs are retained based on the client’s policy. After this period, they are archived in the /utmstack/opensearch/backups folder. Typically, logs are kept for one year.
- Should we be concerned about application log errors?
  These logs are internal system messages and generally do not require attention.
- How can we create a menu?
  Follow the instructions provided in Dashboard.
- Can we forward logs from UTMStack to another SIEM?
  No, UTMStack does not support forwarding logs to other SIEM platforms.
- How do we integrate third-party applications?
  UTMStack supports multiple log sources and allows the receipt of non-integrated app logs via Syslog and HTTP Post.
- Can we install the Windows Agent on Windows Server 2008?
  No, the Windows Agent is compatible with Windows Server 2016R2 or higher. Alternatively, use NXLog to send logs via Syslog.
- Do you offer older versions of the current agent?
  No, older versions are not compatible with UTMStack V10.
- How do we change the time zone settings on the federation server?
  Go to Settings > Application Settings via the right-side hamburger menu, where you will find the option to change the platform’s time zone.
- How can we generate reports of processed and closed incidents?
  Create a custom dashboard with the relevant data and export it as a PDF. You can also set up an automated schedule for email delivery.
- How can I block an IP address using a command?
  After identifying the command to block the IP address, you can use a variable from the alert to pass the IP to the command. For example:

      $ ssh -o StrictHostKeyChecking=accept-new -i /root/.ssh/id_rsa admin@192.168.1.1 command-to-block-ip $(source.ip)
- How are commands executed on remote hosts using UTMStack?
  The incident response automation is designed to execute commands on Linux and Windows systems via SSH. For example:

      $ ssh -o StrictHostKeyChecking=accept-new -i /root/.ssh/id_rsa admin@192.168.1.1 echo hello

  SSH will connect to the host 192.168.1.1 as admin, authenticate with the SSH key, and execute the command. The -i option must precede the host name: ssh stops parsing its own options at the first non-option argument, so an -i placed after admin@192.168.1.1 would be sent to the remote host as part of the command instead.
- Do you provide third-party vendor support?
  No, we do not provide third-party vendor support. Refer to the vendor documentation for specific commands.
- How can I get training on the incident automation feature?
  Contact your account executive to schedule a session for in-depth training on the incident automation feature.
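Added example for the two automation questions above (not part of UTMStack or this documentation): a wrapper script for the managed host that validates the alert-supplied address before it reaches a firewall command, since the value substituted for $(source.ip) originates in log data and is handed to a remote shell over SSH. The script path /usr/local/sbin/block-ip and the nftables table and set names are assumptions.

```shell
#!/bin/sh
# Constructed wrapper for the managed host (not UTMStack code). The automation
# would call it instead of a raw firewall command, e.g.
#   ssh -i /root/.ssh/id_rsa admin@192.168.1.1 /usr/local/sbin/block-ip $(source.ip)
# The path and the nftables table/set names are assumptions.

# validate_ip: succeed only for a strict dotted-quad IPv4 address (octets 0-255,
# no leading zeros). Anything else, including shell metacharacters smuggled in
# through a log field, is rejected before it can reach a command line.
validate_ip() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    n=0
    rest=$ip
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
        n=$((n + 1))
        case "$octet" in 0[0-9]*) return 1 ;; esac   # reject 01, 007, ...
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# block_ip MODE IP: with MODE=apply, add IP to the nftables set; with MODE=dry-run,
# print the command that would run. Returns 2 and logs to stderr on a bad IP.
block_ip() {
    mode=$1
    addr=$2
    validate_ip "$addr" || { echo "block-ip: rejected argument: $addr" >&2; return 2; }
    if [ "$mode" = apply ]; then
        nft add element inet filter blocked "{ $addr }"
    else
        printf 'nft add element inet filter blocked { %s }\n' "$addr"
    fi
}

# Script entry point: block-ip [--dry-run] IP (does nothing when run with no args)
case "${1:-}" in
    --dry-run) block_ip dry-run "${2:-}" ;;
    '') : ;;
    *) block_ip apply "$1" ;;
esac
```

With the wrapper in place the alert variable is still passed exactly as the FAQ shows, but a malformed or injected value is logged and dropped on the remote host instead of being executed.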