Log Collector Agent
The KYRA MDR Log Collector Agent is a lightweight, on-premises agent designed for organizations that need to securely collect and forward security telemetry from private network environments.
Problem Statement
Enterprise and regulated customers (defense contractors, healthcare, financial institutions) operate in firewalled or otherwise egress-restricted networks where:
- Raw logs cannot be forwarded directly to the cloud
- Inbound ports from the cloud cannot be opened
- Raw security telemetry must be filtered before egress
The Log Collector solves this by running inside the customer’s network as a secure proxy — collecting, filtering, normalizing, and forwarding only the data the platform needs.
Key Features
- Lightweight Footprint: Single binary deployment with minimal resource usage (~30 MB idle RAM)
- Secure Transport: Outbound-only HTTPS connections with mutual TLS authentication
- Multiple Data Sources: Collects from firewalls, EDR agents, syslog sources, Windows Event Logs, and file-based logs
- Smart Filtering: PII masking, field-level redaction, and configurable filtering rules
- Disk Buffering: Local disk buffer preserves events during network interruptions or quota enforcement, up to the configured buffer size
- Auto-Recovery: Automatic reconnection and retry with backpressure handling
- Zero-Copy Parsing: High-performance log parsing with minimal memory allocation
Supported Data Sources
| Source Type | Input Method | Examples |
|---|---|---|
| Syslog | TCP/UDP listener | Firewalls, routers, Linux systems |
| Windows Events | Windows Event Log API | Security, System, Application channels |
| EDR | Channel subscription | CrowdStrike, SentinelOne, Microsoft Defender |
| File-based | File watching | Application logs, audit trails |
| Network Traffic | TAP/SPAN interface | See NDR capabilities |
Deployment
System Requirements
| Requirement | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4 cores |
| RAM | 256 MB | 512 MB |
| Disk | 1 GB (buffer) | 10 GB (buffer) |
| OS | Linux (x86_64, ARM64), Windows Server 2016+ | Linux recommended |
| Network | Outbound HTTPS (port 443) | Dedicated network interface |
Installation
The collector is distributed as a single binary with an interactive installer:
- Download the collector binary for your platform
- Run the installer wizard — enter your gateway URL and license key
- Configure data sources (syslog, Windows Events, EDR channels, file paths)
- The installer provisions TLS certificates, configures the service, and starts collection
Configuration
The collector uses a YAML configuration file with the following sections:
- Gateway: Platform endpoint URL and authentication credentials
- Inputs: Data source definitions (syslog listeners, Windows channels, file paths)
- Filters: PII masking rules, field redaction, event filtering
- Buffer: Local disk buffer size and retention settings
- Transport: Connection parameters, retry policy, compression settings
Security
- Outbound-only: No inbound ports from the cloud are required — the collector initiates all connections to the platform (only local sources such as syslog senders connect to the collector)
- Mutual TLS: Certificate-based authentication between collector and platform
- PII Protection: Configurable masking and redaction of sensitive fields before data leaves the network
- Integrity Verification: Cryptographic hash of each original raw log, computed before filtering and redaction, so that later tampering with the record can be detected
- Auto-updates: Secure update mechanism with signature verification
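The filtering and integrity points above (Smart Filtering in Key Features, the Filters configuration section, and the PII Protection and Integrity Verification bullets here) fit together in one small pipeline: hash the raw line first, then redact secret fields whole, then mask identifiers. The following is an added example written for this page, not the agent's own filter engine; the regular expressions, the list of redacted keys, the `/16` IP truncation, the `pii:` pseudonym format and the per-tenant salt are all assumptions, and the sample lines are constructed.

```python
"""Egress filtering with a pre-redaction integrity hash (added illustration)."""
import hashlib
import hmac
import re

# Identifier patterns masked before egress. Assumed rule set for the example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# key=value fields whose value must never leave the network (field-level redaction)
KV_RE = re.compile(r"\b(password|passwd|secret|token|authorization)=(\"[^\"]*\"|\S+)", re.I)

TENANT_SALT = b"constructed-per-tenant-secret"  # assumption: supplied by collector config


def pseudonymize(value: str, salt: bytes = TENANT_SALT) -> str:
    """Keyed, deterministic token: the same user maps to the same token across events,
    so correlation still works in the platform without exposing the identifier."""
    return "pii:" + hashlib.blake2b(value.encode("utf-8"), key=salt, digest_size=6).hexdigest()


def mask_message(raw: str, salt: bytes = TENANT_SALT) -> str:
    """Redact secret fields first (value dropped whole), then mask identifiers."""
    msg = KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", raw)
    msg = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), salt), msg)
    msg = SSN_RE.sub("[SSN]", msg)
    # Keep the /16 so ASN/geo enrichment still works; drop the host part (assumption).
    msg = IPV4_RE.sub(lambda m: f"{m.group(1)}.{m.group(2)}.x.x", msg)
    return msg


def filter_event(raw: str, salt: bytes = TENANT_SALT) -> dict:
    """Build the outbound record. The hash covers the ORIGINAL line, before any masking,
    so redaction never invalidates the integrity check."""
    raw_sha256 = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    message = mask_message(raw, salt)
    return {"raw_sha256": raw_sha256, "message": message, "redacted": message != raw}


def verify_raw(raw: str, record: dict) -> bool:
    """Tamper check of a retained raw line against the hash shipped with the record."""
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, record["raw_sha256"])


# Constructed sample lines (not real logs).
SAMPLES = [
    "<38>Oct 11 22:14:15 vpn01 sshd[1042]: Accepted publickey for jdoe@corp.example "
    "from 203.0.113.42 port 51022",
    "<14>Oct 11 22:14:16 hr-app[77]: user=alice token=eyJhbGciOiJSUzI1NiJ9.abc "
    "ssn=123-45-6789 src=10.0.0.7",
    "<14>Oct 11 22:14:17 app01 health: heartbeat ok",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = filter_event(line)
        print(rec["raw_sha256"][:12], rec["redacted"], rec["message"])
```

Note the ordering: the key=value redaction runs before the email and IP masks so that a secret such as `password=jdoe@corp.example` is removed entirely rather than pseudonymized, and the SHA-256 is taken before either step. The hash only proves anything if an unmodified copy of the raw line is retained somewhere the verifier trusts; the platform itself never receives the raw text.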
Quota & Backpressure
The collector is quota-aware and adjusts its behavior based on the tenant’s ingestion quota:
| Usage Level | Collector Behavior |
|---|---|
| < 75% of quota | Full send rate |
| 75% - 90% | Reduced send rate |
| 90% - 100% | Critical events only |
| Quota exceeded (hard cap) | Buffer locally, stop sending |
| Quota exceeded (overage OK) | Reduced rate, overage billing applies |
The collector buffers events locally during quota enforcement or network interruptions, and automatically resumes forwarding when capacity is available.
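The table and the paragraph above describe a state machine plus a spill-to-disk buffer. The following is an added example written for this page, not the agent's code: it maps a usage ratio onto the five tiers, forwards what the tier allows, spools the rest to an append-only JSON-lines file, and replays the spool oldest-first once capacity returns. The tier boundaries at exactly 75 % and 90 %, the per-tick budget used for "reduced send rate", the definition of "critical" as syslog severity 0 to 2, and the spool format are assumptions; the sample events are constructed.

```python
"""Quota-aware forwarding with a spill-to-disk buffer (added illustration)."""
import json
import os
import re
import tempfile

# Syslog PRI header "<N>", where N = facility * 8 + severity (RFC 5424, section 6.2.1).
_PRI_RE = re.compile(r"^<(\d{1,3})>")
CRITICAL_MAX_SEVERITY = 2  # emergency(0), alert(1), critical(2) count as "critical" (assumed)


def severity_of(line: str) -> int:
    """Syslog severity of a raw line; lines without a PRI are treated as informational (6)."""
    m = _PRI_RE.match(line)
    return int(m.group(1)) % 8 if m else 6


def mode_for(usage: float, overage_ok: bool) -> str:
    """Map quota usage (1.0 == 100 % of quota) onto the behaviour tiers of the table."""
    if usage > 1.0:
        return "reduced" if overage_ok else "hold"  # overage billed vs. hard cap
    if usage >= 0.90:
        return "critical_only"
    if usage >= 0.75:
        return "reduced"
    return "full"


class DiskBuffer:
    """Append-only JSON-lines spool file standing in for the agent's local disk buffer."""

    def __init__(self, path: str):
        self.path = path

    def append(self, events: list) -> None:
        if not events:
            return
        with open(self.path, "a", encoding="utf-8") as f:
            for e in events:
                f.write(json.dumps(e) + "\n")
            f.flush()
            os.fsync(f.fileno())  # durable before the caller treats the events as safe

    def drain(self) -> list:
        """Return spooled events oldest-first and clear the spool."""
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as f:
            events = [json.loads(line) for line in f if line.strip()]
        os.remove(self.path)
        return events


class Forwarder:
    def __init__(self, spool_path: str, reduced_budget: int = 2):
        self.buffer = DiskBuffer(spool_path)
        self.reduced_budget = reduced_budget  # events per tick in "reduced" mode (assumed)

    def tick(self, new_events: list, usage: float, overage_ok: bool = False) -> list:
        """One send interval: returns the events forwarded; the rest are spooled in order."""
        mode = mode_for(usage, overage_ok)
        pending = self.buffer.drain() + new_events  # replay older events before new ones
        if mode == "full":
            sent, deferred = pending, []
        elif mode == "reduced":
            sent, deferred = pending[: self.reduced_budget], pending[self.reduced_budget :]
        elif mode == "critical_only":
            sent = [e for e in pending if severity_of(e) <= CRITICAL_MAX_SEVERITY]
            deferred = [e for e in pending if severity_of(e) > CRITICAL_MAX_SEVERITY]
        else:  # "hold": hard cap reached, keep everything on disk, send nothing
            sent, deferred = [], pending
        self.buffer.append(deferred)
        return sent


# Constructed sample events (not real logs).
AUTH_FAIL = "<34>Oct 11 22:14:15 fw01 sshd[1042]: Failed password for root from 203.0.113.9"
HEALTH = "<14>Oct 11 22:14:16 app01 web: GET /health 200"
CRON = "<13>Oct 11 22:14:17 app01 cron: nightly job started"
PANIC = "<8>Oct 11 22:14:18 fw01 kernel: panic - not syncing"


def run_scenario() -> list:
    """Drive one forwarder through the tiers; returns the batch sent on each tick."""
    with tempfile.TemporaryDirectory() as tmp:
        fw = Forwarder(os.path.join(tmp, "spool.jsonl"))
        batch = [AUTH_FAIL, HEALTH, CRON, PANIC]
        return [
            fw.tick(batch, usage=0.50),                      # full rate
            fw.tick(batch, usage=0.95),                      # critical only; HEALTH, CRON spooled
            fw.tick([AUTH_FAIL], usage=1.20),                # hard cap: everything spooled
            fw.tick([], usage=0.50),                         # capacity back: spool replayed in order
            fw.tick([AUTH_FAIL, HEALTH, CRON], usage=0.80),  # reduced: two per tick, one spooled
        ]


if __name__ == "__main__":
    for i, sent in enumerate(run_scenario(), 1):
        print(f"tick {i}: {len(sent)} sent")
```

Two details matter in practice and are visible in the scenario: the spool is drained before new events are considered, so replay preserves arrival order when capacity returns, and "critical events only" is decided per event from the syslog PRI rather than by dropping the whole batch. The spool is unbounded here; the real collector's Buffer settings cap it, and what happens when that cap is hit is a retention decision the configuration has to make.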
Management
The platform provides remote management capabilities for deployed collectors:
- Health Monitoring: Real-time status reporting (healthy, degraded, offline)
- Remote Configuration: Push configuration updates without manual access
- Diagnostics: Request diagnostic data from collectors for troubleshooting
- Fleet Overview: Dashboard view of all deployed collectors with status and metrics