Advanced Data Collector
- Download the collector binary to a machine in your network. On Linux or MacOS, make it executable: `chmod +x collector*`
- Create a configuration file by running (adjust for your collector): `./collector config init`. A `collect.hcl` file will be created in the current directory.
- Open and edit the newly created `collect.hcl` following the comments in the file.
- Run the collection: `./collector run`
- If there are any remaining configuration questions that need to be answered, you will be prompted to enter them at the command line. Otherwise, the collector will begin running.
- At the end, each target in the configuration will have a `results-<targetname>-<datetime>.xylok` file produced, ready for upload to Xylok.
Xylok’s data collection typically uses human-readable scripts generated in a native scripting language of the target machine, such as BASH or PowerShell. This strategy runs commands just like a system administrator might and works very well for most DISA-produced STIGs. In addition, the scripts produced by Xylok are machine-specific, tailored to the exact benchmarks selected for each device.
However, some devices need more control to collect all the needed data. For example, a firewall which offers its configuration via a REST API might need many related queries to collect all the required data. For these cases, Xylok offers the “advanced collector,” a binary written in Go which allows for more advanced data collection. This binary is offered for a variety of target platforms. Because it is a compiled binary, we create a single binary for each Xylok release, rather than binaries customized to your machines. The exact benchmarks run by the collector are instead controlled via a configuration file which Xylok will help you generate.
The following binaries are included in this release. If you have a machine that does not work with these, contact support@xylok.io.
The advanced collector is still under development. It’s possible that the configuration format will change over time.
When the collector starts, it looks for a configuration file to control its operation. The following search is performed at the start:
- `./collect.hcl` (current working directory, not the directory where the collector itself is located)
- `$XDG_CONFIG_HOME/xylok/collect.hcl` (typically this is `~/.config/xylok/collect.hcl`)
- `/etc/xylok/collect.hcl`
The first configuration file found is used and the search stops. Alternatively, the configuration path can be specified with the `--config` option.
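The search order above, written out as a small Go program so the precedence (explicit `--config`, then current directory, then XDG, then `/etc`) can be checked against a machine before a run. This is an added illustration, not the collector's own code; the function names `ConfigCandidates` and `ResolveConfig` and the `exists` callback are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ConfigCandidates returns the documented search order. An explicit --config
// path wins outright; otherwise ./collect.hcl in the current working
// directory, then $XDG_CONFIG_HOME/xylok/collect.hcl (falling back to
// ~/.config/xylok/collect.hcl when XDG_CONFIG_HOME is unset), then
// /etc/xylok/collect.hcl. Names and signature are assumptions for this example.
func ConfigCandidates(explicit, cwd, xdgConfigHome, home string) []string {
	if explicit != "" {
		return []string{explicit}
	}
	if xdgConfigHome == "" {
		xdgConfigHome = filepath.Join(home, ".config")
	}
	return []string{
		filepath.Join(cwd, "collect.hcl"),
		filepath.Join(xdgConfigHome, "xylok", "collect.hcl"),
		"/etc/xylok/collect.hcl",
	}
}

// ResolveConfig returns the first candidate for which exists reports true,
// mirroring "the first configuration file found is used and the search stops".
func ResolveConfig(candidates []string, exists func(string) bool) (string, error) {
	for _, p := range candidates {
		if exists(p) {
			return p, nil
		}
	}
	return "", errors.New("no collect.hcl found in any search location")
}

func main() {
	cwd, _ := os.Getwd()
	home, _ := os.UserHomeDir()
	cands := ConfigCandidates("", cwd, os.Getenv("XDG_CONFIG_HOME"), home)
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	// Prints which file a collector started from this directory would pick up.
	p, err := ResolveConfig(cands, exists)
	fmt.Println("selected:", p, "error:", err)
}
```

Because the current-directory candidate is checked before the per-user and system locations, it is worth confirming which file was selected before trusting a collection run.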
Configuration is in Hashicorp Configuration Language (HCL), the configuration language used by many of Hashicorp’s tools like Terraform. A commented example configuration file is available by running the collector with the subcommand `config example`. During development of the advanced collector, this is the easiest way to maintain an accurate example.
- Download the collector binary to a machine in your network. If you’re collecting from a device over the network (i.e., you’re going to collect firewall data from a different machine), ensure the host you download the collector to has access to the target device.
- Run the collector with the `run` subcommand. For example, running the collector from a Linux device would look like this:

```
$ chmod +x collector.linux-amd64
$ ./collector.linux-amd64 run
11:16AM INF Starting collector collector=cisco-fmc
...
```

  Add the `-h` flag to any collector call to get more help information and additional flags you can use.
- If there are any remaining configuration questions that need to be answered, you will be prompted to enter them at the command line. Otherwise, the collector will begin running.
- At the end, each target in the configuration will have a `results-<targetname>-<datetime>.xylok` file produced, ready for upload to Xylok.
The results file from the advanced collector is a different format than the traditional script. It’s line-delimited JSON, with each line (after some header lines) representing the results for one or more checks. Results are compressed and base64-encoded when that saves space, and the result is then signed so it can be verified later.
Because the collector is offered as a binary that will be introduced onto your network, Xylok offers the following reports for use in evaluating its security. All reports are automatically generated for every Xylok release.