Log Collector Agent

The KYRA MDR Log Collector Agent is a lightweight, on-premises agent designed for organizations that need to securely collect and forward security telemetry from private network environments.

Problem Statement

Enterprise and regulated customers (defense contractors, healthcare, financial institutions) operate in firewalled or air-gapped networks where:

Raw logs cannot be forwarded directly to the cloud
Inbound ports from the cloud cannot be opened
Raw security telemetry must be filtered before egress

The Log Collector solves this by running inside the customer’s network as a secure proxy — collecting, filtering, normalizing, and forwarding only the data the platform needs.

Key Features

Lightweight Footprint: Single binary deployment with minimal resource usage (~30 MB idle RAM)
Secure Transport: Outbound-only HTTPS connections with mutual TLS authentication
Multiple Data Sources: Collects from firewalls, EDR agents, syslog sources, Windows Event Logs, and file-based logs
Smart Filtering: PII masking, field-level redaction, and configurable filtering rules
Disk Buffering: Local buffer ensures no data loss during network interruptions
Auto-Recovery: Automatic reconnection and retry with backpressure handling
Zero-Copy Parsing: High-performance log parsing with minimal memory allocation

Supported Data Sources

Source Type	Input Method	Examples
Syslog	TCP/UDP listener	Firewalls, routers, Linux systems
Windows Events	Windows Event Log API	Security, System, Application channels
EDR	Channel subscription	CrowdStrike, SentinelOne, Microsoft Defender
File-based	File watching	Application logs, audit trails
Network Traffic	TAP/SPAN interface	See NDR capabilities

Deployment

System Requirements

Requirement	Minimum	Recommended
CPU	2 cores	4 cores
RAM	256 MB	512 MB
Disk	1 GB (buffer)	10 GB (buffer)
OS	Linux (x86_64, ARM64), Windows Server 2016+	Linux recommended
Network	Outbound HTTPS (port 443)	Dedicated network interface

Installation

The collector is distributed as a single binary with an interactive installer:

Download the collector binary for your platform
Run the installer wizard — enter your gateway URL and license key
Configure data sources (syslog, Windows Events, EDR channels, file paths)
The installer provisions TLS certificates, configures the service, and starts collection

Configuration

The collector uses a YAML configuration file with the following sections:

Gateway: Platform endpoint URL and authentication credentials
Inputs: Data source definitions (syslog listeners, Windows channels, file paths)
Filters: PII masking rules, field redaction, event filtering
Buffer: Local disk buffer size and retention settings
Transport: Connection parameters, retry policy, compression settings

Security

Outbound-only: No inbound ports required — the collector initiates all connections
Mutual TLS: Certificate-based authentication between collector and platform
PII Protection: Configurable masking and redaction of sensitive fields before data leaves the network
Integrity Verification: Cryptographic hash of original raw logs for tamper detection
Auto-updates: Secure update mechanism with signature verification

Quota & Backpressure

The collector is quota-aware and adjusts its behavior based on the tenant’s ingestion quota:

Usage Level	Collector Behavior
< 75% of quota	Full send rate
75% - 90%	Reduced send rate
90% - 100%	Critical events only
Quota exceeded (hard cap)	Buffer locally, stop sending
Quota exceeded (overage OK)	Reduced rate, overage billing applies

The collector buffers events locally during quota enforcement or network interruptions, and automatically resumes forwarding when capacity is available.

Management

The platform provides remote management capabilities for deployed collectors:

Health Monitoring: Real-time status reporting (healthy, degraded, offline)
Remote Configuration: Push configuration updates without manual access
Diagnostics: Request diagnostic data from collectors for troubleshooting
Fleet Overview: Dashboard view of all deployed collectors with status and metrics