Xylok Documentation

Advanced Data Collector

Background

Xylok’s data collection typically uses human-readable scripts generated in a native scripting language of the target machine, such as Bash or PowerShell. This strategy runs commands just like a system administrator might and works very well for most DISA-produced STIGs. In addition, the scripts produced by Xylok are machine-specific, tailored to the exact benchmarks selected for each device.

However, some devices need more control to collect all the needed data. For example, a firewall which offers its configuration via a REST API might need many related queries to collect all the required data. For these cases, Xylok offers the “advanced collector,” a binary written in Go which allows for more advanced data collection. This binary is offered for a variety of target platforms. Because it is a compiled binary, we create a single binary for each Xylok release, rather than binaries customized to your machines. The exact benchmarks run by the collector are instead controlled via a configuration file which Xylok will help you generate.

Security Information

Because the collector is offered as a binary that will be introduced onto your network, Xylok offers the following reports for use in evaluating its security. All reports are automatically generated for every Xylok release.

Downloads

The following binaries are included in this release. If you have a machine that does not work with these, contact support@xylok.io.

Configuration

The advanced collector is still under heavy development. It’s possible that the configuration format will change over time.

When the collector starts, it looks for a configuration file to control its operation. The following search is performed at the start:

  • ./collect.toml (current working directory, not the directory where the collector itself is located)
  • $XDG_CONFIG_HOME/xylok/collect.toml (typically this is ~/.config/xylok/collect.toml)
  • /etc/xylok/collect.toml

The first configuration file found is used and the search stops.

Alternatively, the configuration path can be specified with the --config option.

Configuration is in TOML. A configuration file with all valid options is below; modify it for your system:

[general]
# Enable more verbose logging during execution
verbose = true
# Machine PK from Xylok. All data collected via this configuration file will be added to the given machine.
# PKs can be retrieved from the URL of the Machine Details page. For example, in this URL, the PK is the last part:
# https://xylok.local/client/machine/f89c5f7a-a13d-45c4-96ba-80563ef6edd3/
target-pk = "f89c5f7a-a13d-45c4-96ba-80563ef6edd3"
disable-detection = false

[collectors.cisco-fmc]
enable = true
target = "https://fmc.example.com"
username = "fmcapiuser"

# See note below if you don't want to put in a plain text password
password = "fmcapipassword"

# Instead of using a password in plain text, you may instead include it encrypted.
# You can generate the encrypted version of a password using the `collector encrypt --passphrase=<phrase> <plain text password>` command.
#
# For example, the below password was produced with the command:
# $ ./collector encrypt -P asdf agoodpassword
#
# When running the collector, you will then need to provide the passphrase for decryption:
# $ ./collector run -P asdf
#
# The encrypted version is substantially longer because it encodes the settings used to encrypt the password. As of this
# writing, the passphrase is expanded using Argon2ID, then used in AES-256-GCM with a 32 byte salt. The exact parameters used
# can be found by base64 decoding the encrypted text.
#
# If needed, the plain text can be recovered with the decrypt command:
# $ go run . encrypt -P asdf agoodpassword
# eyJrZXlBbGdvIjoiYXJnb24yaWQiLCJrZXlJdGVyIjoxLCJrZXlNZW0iOjY1NTM2LCJrZXlUaHJlYWRzIjo0LCJzYWx0Ijoiak9MdkpNVUNWbnc1THM0cnM3ZlFVVUN2cGxtN2ltTE5TUCt2VWJKNmRJMD0iLCJlbmNBbGdvIjoiYWVzLTI1Ni1nY20iLCJkYXRhIjoiOVVJZmZCM0pCaytqWGdZZHhxUFFMaHVwMGJYYWc4a0FEejNySEJkbStPY1VNTEp2TnlJTEJPTT0ifQ==
#
# $ go run . decrypt -P asdf eyJrZXlBbGdvIjoiYXJnb24yaWQiLCJrZXlJdGVyIjoxLCJrZXlNZW0iOjY1NTM2LCJrZXlUaHJlYWRzIjo0LCJzYWx0Ijoiak9MdkpNVUNWbnc1THM0cnM3ZlFVVUN2cGxtN2ltTE5TUCt2VWJKNmRJMD0iLCJlbmNBbGdvIjoiYWVzLTI1Ni1nY20iLCJkYXRhIjoiOVVJZmZCM0pCaytqWGdZZHhxUFFMaHVwMGJYYWc4a0FEejNySEJkbStPY1VNTEp2TnlJTEJPTT0ifQ==
# agoodpassword
#
password-encrypted = "eyJrZXlBbGdvIjoicGJrZGYyLXNoYTEiLCJrZXlJdGVyIjowLCJzYWx0IjoiMUdNWkxtK3hNeHRwTjVHZy84RTNLdHJzWHQ2K1ZlYllTT2NNLzBvNWtuUT0iLCJlbmNBbGdvIjoiYWVzLTI1Ni1nY20iLCJkYXRhIjoiM0daMC9qcEhBcTFCcW5iSm1IbVRzbWdNSmFqY0IvZGNocUFCRzNyeVoyckM4bWdxQmFTeFpYdz0ifQ=="
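
The comments above note that the exact encryption parameters can be read by base64-decoding the encrypted text. As an added example (not Xylok's code), this Go program decodes the two blobs from the sample configuration without any passphrase and lists header fields that differ from the documented Argon2id, AES-256-GCM and 32-byte salt; `Envelope` and `Inspect` are names assumed here, with field names taken from the decoded JSON.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope holds the header; encoding/json matches keys like "keyAlgo" case-insensitively.
type Envelope struct {
	KeyAlgo, Salt, EncAlgo, Data string
	KeyIter, KeyMem, KeyThreads  int
}

// Both blobs are copied from the sample configuration on this page.
const commentBlob = "eyJrZXlBbGdvIjoiYXJnb24yaWQiLCJrZXlJdGVyIjoxLCJrZXlNZW0iOjY1NTM2LCJrZXlUaHJlYWRzIjo0LCJzYWx0Ijoiak9MdkpNVUNWbnc1THM0cnM3ZlFVVUN2cGxtN2ltTE5TUCt2VWJKNmRJMD0iLCJlbmNBbGdvIjoiYWVzLTI1Ni1nY20iLCJkYXRhIjoiOVVJZmZCM0pCaytqWGdZZHhxUFFMaHVwMGJYYWc4a0FEejNySEJkbStPY1VNTEp2TnlJTEJPTT0ifQ=="
const configBlob = "eyJrZXlBbGdvIjoicGJrZGYyLXNoYTEiLCJrZXlJdGVyIjowLCJzYWx0IjoiMUdNWkxtK3hNeHRwTjVHZy84RTNLdHJzWHQ2K1ZlYllTT2NNLzBvNWtuUT0iLCJlbmNBbGdvIjoiYWVzLTI1Ni1nY20iLCJkYXRhIjoiM0daMC9qcEhBcTFCcW5iSm1IbVRzbWdNSmFqY0IvZGNocUFCRzNyeVoyckM4bWdxQmFTeFpYdz0ifQ=="

// Inspect decodes a password-encrypted value (no passphrase needed) and
// lists every header field that differs from what the page documents.
func Inspect(blob string) (Envelope, []string, error) {
	var env Envelope
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return env, nil, fmt.Errorf("outer base64: %w", err)
	}
	if err := json.Unmarshal(raw, &env); err != nil {
		return env, nil, fmt.Errorf("header JSON: %w", err)
	}
	var findings []string
	check := func(ok bool, msg string) {
		if !ok {
			findings = append(findings, msg)
		}
	}
	salt, saltErr := base64.StdEncoding.DecodeString(env.Salt)
	check(env.KeyAlgo == "argon2id", "keyAlgo is "+env.KeyAlgo+", not argon2id")
	check(env.KeyIter >= 1, fmt.Sprintf("keyIter is %d", env.KeyIter))
	check(saltErr == nil && len(salt) == 32, "salt is not 32 bytes")
	check(env.EncAlgo == "aes-256-gcm", "encAlgo is "+env.EncAlgo+", not aes-256-gcm")
	return env, findings, nil
}

func main() {
	for _, blob := range []string{commentBlob, configBlob} {
		env, findings, err := Inspect(blob)
		fmt.Printf("%s iter=%d mem=%d threads=%d findings=%q err=%v\n", env.KeyAlgo, env.KeyIter, env.KeyMem, env.KeyThreads, findings, err)
	}
}
```

Run on the page's samples, the blob in the comments reports argon2id with keyIter 1, keyMem 65536 and keyThreads 4, while the `password-encrypted` value reports pbkdf2-sha1 with keyIter 0.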

Execution

  1. Download the collector binary to a machine in your network. If you’re collecting from a device over the network (i.e., you’re going to collect firewall data from a different machine), ensure the host you download the collector to has access to the target device.

  2. Run the collector with the run subcommand. For example, running the collector from a Linux device would look like this:

    $ chmod +x collector.linux-amd64
    $ ./collector.linux-amd64 run
    11:16AM INF Starting collector collector=cisco-fmc
    ...