The Secure60 Collector is a service that ingests data from various log sources and automatically transforms it into the Secure60 Common Information Model (CIM). The collector normalizes and sends this data to your Secure60 Project.
Your generated .env
file will contain:
S60_PROJECT_ID=YOUR_PROJECT_ID
S60_INGEST_TOKEN=YOUR_TOKEN
ENABLE_GENERIC_NORMALISE=true
docker run -i --name s60-collector \
-p 80:80 -p 443:443 -p 514:514 -p 6514:6514 -p 5044:5044 \
--rm -d --env-file .env secure60/s60-collector:1.07
Or using Docker Compose:
services:
s60-collector:
image: "secure60/s60-collector:1.07"
container_name: "s60-collector"
ports:
- "443:443"
- "80:80"
- "514:514"
- "6514:6514"
env_file:
- .env
restart: 'always'
logging:
driver: "json-file"
options:
max-size: "50m"
max-file: "10"
You can now configure devices (Desktops, Servers, Network devices, Applications) to send their data to the Secure60 collector. This is often achieved via tools such as Syslog that you would configure to output to the IP address of the Secure60 Collector you have deployed.
Once you have configured a device, Login to the Secure60 Portal and view the Overview page to look for the count of Events to be increasing OR view the Search page to see the actual Events you are sending.
We strongly recommend touching base with our Integrations team to for custom advice and onboarding assistance specific to your organisations needs: integrations@secure60.io
The Secure60 Portal provides an intuitive interface for all collector configurations:
The collector automatically normalizes known field names into the Secure60 schema with zero configuration required. This covers:
Enable via Portal UI or environment variable:
ENABLE_GENERIC_NORMALISE=true # Enabled by default
Add consistent values to all events (e.g., environment, application name):
Via Portal UI:
app_name=internet-banking,environment=production
Normalize field names from different sources:
Via Portal UI:
application_name=app_name,user-username=user_name
Enable pre-built transformations for specific technologies via Portal UI:
For complex scenarios requiring custom transformations:
Example custom transformation:
transforms:
transform_custom:
type: remap
inputs:
- source_custom
source: |
# Custom transformation logic
The Secure60 Collector supports TLS encryption for secure data transmission. While test certificates are included by default, we recommend using your own certificates in production environments.
The collector comes with test certificates pre-installed. These are suitable for testing but should not be used in production environments.
Generate New Certificates
You can generate new self-signed certificates using OpenSSL:
# Generate certificate and private key
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -sha256 -days 365
# Remove passphrase from private key
openssl rsa -in key.pem -out key_nopass.pem
# Rename files to match expected names
mv key_nopass.pem example_key.pem
mv cert.crt example_cert.crt
Deploy Custom Certificates
Mount your certificates into the container using Docker volumes:
docker run -i \
-v ./example_cert.crt:/etc/vector/example_cert.crt \
-v ./example_key.pem:/etc/vector/example_key.pem \
--name s60-collector \
-p 80:80 -p 443:443 -p 514:514 -p 6514:6514 \
--rm -d --env-file .env secure60/s60-collector:1.07
Or using Docker Compose:
services:
s60-collector:
image: "secure60/s60-collector:1.07"
volumes:
- ./example_cert.crt:/etc/vector/example_cert.crt
- ./example_key.pem:/etc/vector/example_key.pem
ports:
- "443:443"
- "80:80"
- "514:514"
- "6514:6514"
env_file:
- .env
For assistance with TLS configuration or certificate management, contact our integrations team at integrations@secure60.io
The Secure60 Collector provides flexible buffer configuration options to optimize performance and reliability based on your specific needs. These settings can be configured through the Portal UI or via environment variables.
The collector supports two buffer types:
Disk Buffer (default):
Memory Buffer:
When using disk buffering, you can configure the maximum buffer size:
Configure how the collector handles events when the buffer is full:
Block (default):
Drop Newest:
Portal UI Configuration (Recommended):
Environment Variables:
INGEST_BUFFERTYPE=disk # or "memory"
INGEST_BUFFERSIZE=1000000000 # Buffer size in bytes
INGEST_BUFFERFULL=block # or "drop_newest"
INGEST_LOCATION=https://ingest.secure60.io/ingest/1.0/http/project/ # Custom ingest endpoint
Secure60 Collector implements comprehensive data masking and hashing capabilities that allow organizations to protect sensitive data before it reaches the Secure60 platform. This solution is applied within your environment, ensuring sensitive information is never transmitted or stored in its original form.
Secure60 Collector offers two primary data protection strategies:
Replacement Masking
"password123"
→ "pXXXXXXXX3"
(with partial redaction) or "XXXXXXXXXXX"
(full redaction)Hashing
"password123"
→ "a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3"
(SHA3-256)Data masking can be configured either through the Secure60 portal integrations page or via environment variables in the Secure60 Collector configuration:
# Basic Configuration
DATA_MASKING_ARRAY: ["password", "credit_card", "ssn"] # Fields to mask
ENABLE_DATA_MASKING_X: "true" # Enable replacement masking
ENABLE_DATA_MASKING_HASH: "false" # Enable hashing
# Advanced Configuration
DATA_MASKING_ENCRYPTION_ALGORITHM: "SHA3" # Hashing algorithm
ENABLE_DATA_MASKING_PARTIAL_REDACT: "true" # Enable partial redaction
The masking system automatically protects sensitive data in URL query parameters. For example:
https://api.example.com/user?password=secret123&token=abc123
https://api.example.com/user?password=XXXXXXXX&token=XXX123
The Secure60 Collector can be extended with completely custom configuration files that are written in YAML.
This enables completely bespoke configurations that support sophisticated ingestion and transformation scenarios.
We strongly recommend working with the Secure60 Integrations team to fast track your custom configuration.
Custom configurations are achieved by mapping .yaml files into the running Secure60 Collector container. Mapping files into specific locations with specific definitions allows the Secure60 Collector to pickup these files and include them in the default running configuration.
This mapping can be achieved in docker via -v
or creating a Docker compose file or Kubernetes ConfigMap
Examples of the mapping process include:
To achieve this configuration we would create a file called: transform-custom.yaml
The default template for this file is:
transforms:
transform_custom_transform:
inputs:
- route_core.custom_transform
type: remap
source: |
#Location for custom configuration of events
You would then run docker with the following syntax:
docker run -i -v ./transform-custom.yaml:/etc/vector/transforms-active/transform-filebeat.yaml --name s60-collector -p 80:80 -p 443:443 -p 514:514 -p 6514:6514 -p 5044:5044 --rm -d --env-file .env secure60/s60-collector:1.07
The additional syntax: -v ./transform-filebeat.yaml:/etc/vector/transforms-active/transform-custom.yaml
takes a file in your local folder called transform-custom.yaml
and inserts it into the docker container in a location that will be picked up and activated automatically.
The running docker conatiner will detect changes to this file and automatically reload, however if you change environment variables you should stop and restart the container to allow the values to be reloaded.
To enable a custom tranformation you select which Events to send into it.
To do this via the Portal UI:
Alternatively, via environment variables:
ENABLE_CUSTOM=true
ENABLE_CUSTOM_MATCH_FIELD=source_type
ENABLE_CUSTOM_MATCH_VALUE=custom_logs
This configuration will route any events where source_type="custom_logs"
into your custom transformation pipeline.
For assistance with custom transformations or to see more examples, contact our integrations team at integrations@secure60.io
-d
from the command lineDEBUG_OUTPUT=true
to output the Events log just before they are send to Secure60 Ingest endpointVECTOR_LOG=debug
incoming_
transform_
/etc/vector/transforms-active/
within the container as this location is automatically monitored for files and file changescurl -X POST -H "Content-Type: application/json" --data @./aws-cloudtrail-sample.json http://127.0.0.1
nc -w0 127.0.0.1 514 <<< "Feb 8 14:30:15 server1 sshd[1234]: Accepted password for user123 from 192.168.1.100 port 12345 ssh2"
S60_PROJECT_ID=<YOUR-PROJECT-ID>
S60_INGEST_TOKEN=<YOUR-INGEST-TOKEN>
ENABLE_GENERIC_NORMALISE=true
DEBUG_OUTPUT=false
STATIC_FIELDS
MAP_FIELDS
ENABLE_SYSLOG
ENABLE_CUSTOM
ENABLE_CUSTOM_MATCH_FIELD
ENABLE_CUSTOM_MATCH_VALUE
ENABLE_AWS=false
ENABLE_AWS_MATCH_FIELD=
ENABLE_AWS_MATCH_VALUE=
ENABLE_NGINX_MATCH_FIELD
ENABLE_NGINX_MATCH_VALUE
ENABLE_NGINX=false
ENABLE_APACHE_MATCH_FIELD
ENABLE_APACHE_MATCH_VALUE
ENABLE_APACHE=false
ENABLE_M365=false
ENABLE_LINUX_MATCH_FIELD=
ENABLE_LINUX_MATCH_VALUE=
ENABLE_LINUX=false
ENABLE_CUSTOM_SYSLOG_MATCH_FIELD
ENABLE_CUSTOM_SYSLOG_MATCH_VALUE
ENABLE_CUSTOM_SYSLOG=false
ENABLE_DEBUG_MATCH_FIELD
ENABLE_DEBUG_MATCH_VALUE
ENABLE_DEBUG=false
GCP_PUBSUB_CREDENTIAL_PATH
GCP_PUBSUB_PROJECT
GCP_PUBSUB_SUBSCRIPTION
GOOGLEWORKSPACE_CREDENTIAL_PATH
GOOGLEWORKSPACE_PROJECT
GOOGLEWORKSPACE_SUBSCRIPTION
DATA_MASKING_ARRAY
ENABLE_DATA_MASKING_HASH
ENABLE_DATA_MASKING_X
DATA_MASKING_ENCRYPTION_ALGORITHM