collector – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu Wed, 28 Jan 2026 16:47:54 +0000

Associate Collector to Tenant https://www.sgbox.eu/en/knowledge-base/associate-collector-to-tenant/ Fri, 28 Nov 2025 10:47:22 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=34848

Associate Collector to Tenant

This operation is needed in order to forward logs to the correct SGBox tenant. It can be done in two ways:

  1. From the collector, with the option “Register collector” (https://www.sgbox.eu/en/knowledge-base/the-sgbox-collector-v6/#Register_the_collector). You need to insert the “key probe for connection” you chose when the tenant was created (in our example, https://www.sgbox.eu/en/knowledge-base/create-new-tenant/, it is Key1234).
  2. On SGBox, by manually associating the collector to the right tenant from SCM > Multitenant > Manager > Probes. Once you have identified your probe, select the correct tenant from the drop-down menu.
 
Starting from version 6.2.2, new installations need a collector configured.
If your installation has just one tenant, you can avoid deploying the collector VM and use the preconfigured collector: sgboxprobeid

Identify and assign it to the correct tenant.

 
The SGBox Collector (v6) https://www.sgbox.eu/en/knowledge-base/the-sgbox-collector-v6/ Wed, 26 Mar 2025 14:02:25 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=30440

 

The collector is a virtual appliance based on the Linux operating system. It performs certain SGBox tasks, such as collecting logs from local data sources and sending them to SGBox over an encrypted HTTPS channel (port 443). In addition, the collector caches data if communication between the collector and SGBox is interrupted while data from the sources is being sent.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
    • HDD 80 GB
    • RAM 4 GB
    • CPU 2 Core
    • The ports used by the collector are listed in Network Requirements

Note: the minimum requirements given above indicate what the appliance image takes automatically when deployed in a virtualization environment; the hardware resources should be resized according to the tasks the collector will have to perform.

Collector network configuration

You can configure the collector's network settings using the CLI tool present on the collector. Connect to the collector via SSH (using a program such as PuTTY) or through the virtualization console, specifying the user and password.

User: cli 
Pass: changeme

Choose Network configuration

Select Configure Collector interfaces

This option allows you to configure all the parameters (IP, Gateway, DNS and Domain) by following the wizard.

Select the interface you want to configure.

Select the static option from the menu.

Configure all the parameters

Configure all mandatory parameters (IP, Gateway, DNS and Domain). Note: If you want to add more than one DNS, you must use the character “,” to distinguish the first DNS from the second, e.g. 1.2.3.254,8.8.8.8.

Click on Submit to finish the configuration and choose when to apply it.

Establishing a connection with SGBox

This article explains how to configure the communication between the collector and SGBox. This connection is used to download collector updates and to send logs received from local devices to SGBox.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.

Configure and register collector for SGBox

Connect to the collector via SSH (using a program such as PuTTY) or through the virtualization console, specifying the user and password.

User: cli 
Pass: changeme

Tenant configuration

Choose Tenant configuration

Configure all the parameters by entering the SGBox IP address and Tenant UID.

Click on Submit to finish the configuration.

SGBox IP address: depending on where SGBox is located, you can insert a hostname, a public IP or a private IP.

TenantUID: the code that identifies the tenant. You can find it in SGMaster in the section SCM > Multi tenant > Manager: select TENANTS and look up the code in the ID column.

Register the collector

Choose Collector

Select Register collector

Enter Key Probe for Connection: the password you configured during tenant creation.

If you can’t remember the password, you can always reset it and get a new one from SGMaster in the section SCM > Multi tenant > Manager by clicking the “Reset” button under the Connection key column. After that, follow the “To Restart Process” section below to restart the process.

SGBox Cloud

If your tenant is on SGBox Cloud, customers are asked to open a ticket to SGBox support via the ticket platform (https://sgboxportal.sgbox.it) by entering “collector registration for cloud tenant” in the subject of the ticket. 

External Cloud

Contact the person/company who manages SGBox for more guidance on how to obtain the key to register the collector and connect it to your tenant.

To Restart Process

After configuration, go to the System option.

Go to Process Handling

Go to Services Management

For example, if we want to restart a service, we proceed to select it. In this case we want to restart sgbox-transfer, so we click on that choice.

Now we click on stop service and then on start service.

Configure a collector as a probe

 

This section explains how to configure a collector as a probe in SGBox in order to launch a Vulnerability Scan check.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.
  • Configure and register the collector.

Connect to the SGBox web interface inside the Tenant.

Go to SGBOX > SCM > Network > Probe 

Click on ➕ Add New Probe button and specify:

  • Collector IP Address
  • Collector Name
  • Network or networks that belong to this collector
The SGBox Collector (v5) https://www.sgbox.eu/en/knowledge-base/the-sgbox-collector/ Wed, 31 Jan 2024 10:51:16 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=19442

The collector is a virtual appliance based on the Linux operating system. It performs certain SGBox tasks, such as collecting logs from local data sources and sending them to SGBox over an encrypted HTTPS channel (port 443). In addition, the collector caches data if communication between the collector and SGBox is interrupted while data from the sources is being sent. The collector is also used to make the Network Vulnerability Scanner available (NVS kb).

Requirements:

  • A collector must be deployed in your virtual infrastructure.
    • HDD 50 GB
    • RAM 4 GB
    • CPU 2 Core
    • The ports used by the collector are listed in Network Requirements

Note: the minimum requirements given above indicate what the appliance image takes automatically when deployed in a virtualization environment; the hardware resources should be resized according to the tasks the collector will have to perform. For example, if the collector is used to run vulnerability scans, you need to increase the resources: we suggest a minimum of 4 CPU and 8 GB of RAM (preferably 8 CPU and 16 GB of RAM).

Collector network configuration

You can configure the collector's network settings using the CLI tool present on the collector. Connect to the collector via SSH (using a program such as PuTTY) or through the virtualization console, specifying the user and password.

version 5
User: sgbox
Pass: sgbox

Choose Network configuration

Select Configure Collector interfaces

This option allows you to configure all the parameters (IP, Gateway, DNS and Domain) by following the wizard.

Select the interface you want to configure.

Select the static option from the menu.

Configure all the parameters

Configure all mandatory parameters (IP, Gateway, DNS and Domain). Note: If you want to add more than one DNS, you must use the character “,” to distinguish the first DNS from the second, e.g. 1.2.3.254,8.8.8.8.

Click on Submit to finish the configuration and choose when to apply it.

Establishing a connection with SGBox

This article explains how to configure the communication between the collector and SGBox. This connection is used to download collector updates and to send logs received from local devices to SGBox.

This communication is also useful to configure NVS checks made by the collector.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.

Configure and register collector for SGBox Multi tenant

Connect to the collector via SSH (using a program such as PuTTY) or through the virtualization console, specifying the user and password.

Username: sgbox
Password: sgbox

Tenant configuration

Choose Tenant configuration

Configure all the parameters by entering the SGBox IP address and Tenant UID.

Click on Submit to finish the configuration.

SGBox IP address: depending on where SGBox is located, you can insert a hostname, a public IP or a private IP.

TenantUID: the code that identifies the tenant. You can find it in SGMaster in the section SCM > Multi tenant > Manager: select TENANTS and look up the code in the ID column.

Register the collector

Choose Collector

Select Register collector

Enter Key Probe for Connection: the password you configured during tenant creation.

If you can’t remember the password, you can always reset it and get a new one from SGMaster in the section SCM > Multi tenant > Manager by clicking the “Reset” button under the Connection key column.

Restart processes

After configuration, go to Process & stats and click on Restart processes

Cloud consideration

SGBox Cloud

If your tenant is on SGBox Cloud, customers are asked to open a ticket to SGBox support via the ticket platform (https://sgboxportal.sgbox.it) by entering “collector registration for cloud tenant” in the subject of the ticket. 

External Cloud

Contact the person/company who manages SGBox for more guidance on how to obtain the key to register the collector and connect it to your tenant.

Configure a collector for SGBox Single tenant

Connect to the collector via SSH (using a program such as PuTTY) or through the virtualization console, specifying the user and password.

Username: sgbox
Password: sgbox

Choose Tenant configuration

Configure all the parameters by entering the SGBox IP address.

Note: Configuring the TenantUID field is not necessary, so you can leave it blank.

Click on Submit to finish the configuration.

Go back to the main menu and select Configuration

Select Collector configuration editor

Change collector_legacy from 0 to 1

Click on Save to finish the configuration.

After configuration, go to Process & stats and click on Restart processes

Configure a collector as a probe

This section explains how to configure a collector as a probe in SGBox in order to launch a Vulnerability Scan check.

Requirements:

  • A collector must be deployed in your virtual infrastructure.
  • The configuration of the collector network must be finished.
  • Configure and register the collector.

Connect to the SGBox web interface inside the Tenant.

Go to SGBOX > SCM > Network > Probe 

Click on ➕ Add New Probe button and specify:

  • Collector IP Address
  • Collector Name
  • Network or networks that belong to this collector

Click on OK to finish the configuration.

Network Requirements https://www.sgbox.eu/en/knowledge-base/network-requirements/ Tue, 30 May 2023 15:16:23 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8649

SGBox and Collector network requirements

The following table explains the network configuration you need in order to:

  • Manage SGBox and the Collector using WebUI and CLI.
  • Keep SGBox and the Collector updated.
  • Make a correct communication between SGBox and the Collector.
  • Allow data sources to send data to SGBox and Collector.

| From | To | Port | Description |
|---|---|---|---|
| Client (User) | SGBox | 443/tcp | HTTPS WebUI |
| Client (User) | SGBox | 22/tcp | SSH (CLI) |
| Client (User) | Collector | 22/tcp | SSH (CLI) |
| Client (User) | Collector (v5) | 4000/tcp | OpenVAS console HTTPS |
| Client (User) / SGBox | SGBox | 4000/tcp | HTTPS (API) |
| SGBox / Collector | apps.sgbox.it | 80/tcp, 443/tcp | HTTP/S (Updates) |
| SGBox / Collector | *.ubuntu.com | 80/tcp, 443/tcp | HTTP/S (Updates) |
| Collector (v5) | feed.community.greenbone.net | 873/tcp | RSYNC (Updates) |
| SGBox / Qualys probe | qualysguard.qg3.apps.qualys.it | 443/tcp | Cloud (scans, results) |
| SGBox / Collector (v6) | registry.sgcloud.it | 7442/tcp | HTTPS (Updates), mandatory connection |
| SGBox / Collector (v6) | Non-syslog data sources | e.g. 1433/tcp, 1521/tcp, 443/tcp | DB, other (receive data) |
| SGBox / Collector (v6) | Active Directory (LDAP) | 389/tcp, 636/tcp | LDAP/LDAPS |
| Collector | SGBox | 443/tcp | HTTPS (send data) |
| SGAgent | Collector / SGBox | 443/tcp | HTTPS (send data) |
| Data source | Collector / SGBox | 514/udp | Syslog (send data) |
| Data source | Collector / SGBox | 514/tcp | Syslog (send data) |
| Data source | Collector / SGBox | 6514/tcp | Syslog + TLS (send data) |

Containers networks

SGBox and Collector (v6) introduce containers for different activities.
The default networks they use are listed below. If your internal networks overlap the default container networks, you can change them by connecting to the collector’s CLI:
Network Configuration > Change Docker network configuration

| VM | Network Name | Network Address |
|---|---|---|
| SGBox, Collector | default | 10.42.78.0/24 |
| Collector | sg-internal | 10.10.0.0/16 |
| Collector | sg-external | 10.20.0.0/24 |
| Collector | swarm | 10.43.0.0/16 |
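
The overlap condition described above can be checked before deployment. The following is an added example, not SGBox code: it compares internal networks against the default container networks from the table and proposes a non-overlapping replacement range. The `SITE_NETWORKS` values, the function names and the idea of picking the first free subnet from a pool are assumptions of this example.

```python
import ipaddress

# Default container networks, copied from the table above.
DEFAULT_CONTAINER_NETWORKS = {
    "default": "10.42.78.0/24",
    "sg-internal": "10.10.0.0/16",
    "sg-external": "10.20.0.0/24",
    "swarm": "10.43.0.0/16",
}

# Constructed sample of internal site networks (assumption, replace with your own).
SITE_NETWORKS = ["10.10.5.0/24", "192.168.1.0/24", "10.0.0.0/8", "10.20.1.0/24"]


def find_overlaps(site_networks, container_networks=DEFAULT_CONTAINER_NETWORKS):
    """Return sorted (site_cidr, container_name, container_cidr) tuples that overlap."""
    parsed = {n: ipaddress.ip_network(c) for n, c in container_networks.items()}
    hits = []
    for cidr in site_networks:
        # strict=False also accepts an interface address such as 10.43.7.9/16.
        site = ipaddress.ip_network(cidr, strict=False)
        for name, net in parsed.items():
            if site.version == net.version and site.overlaps(net):
                hits.append((str(site), name, str(net)))
    return sorted(hits)


def first_free_subnet(pool, prefix, occupied):
    """First subnet of length `prefix` inside `pool` that overlaps nothing in `occupied`.

    Choosing the replacement range this way is an assumption of this example;
    the page only says the range can be changed from the collector's CLI.
    """
    busy = [ipaddress.ip_network(c, strict=False) for c in occupied]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(b) for b in busy):
            return str(candidate)
    return None


if __name__ == "__main__":
    for site, name, net in find_overlaps(SITE_NETWORKS):
        print(f"{site} overlaps container network {name} ({net})")
    occupied = SITE_NETWORKS + list(DEFAULT_CONTAINER_NETWORKS.values())
    print("free /24 candidate:", first_free_subnet("172.16.0.0/12", 24, occupied))
```

Note that 10.20.1.0/24 sits next to sg-external (10.20.0.0/24) without overlapping it, while a broad route such as 10.0.0.0/8 collides with all four defaults.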

Register a collector https://www.sgbox.eu/en/knowledge-base/register-a-collector/ Thu, 18 Aug 2022 09:55:08 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=7749

Register a collector

After the collector is configured, it must be associated with the correct tenant in order to start sending logs. You can do this in two ways:

Registration using key

If the SGBox manager provides you with the key, you can register the collector using the CLI. Connect to the collector using a terminal emulator (a program such as PuTTY). The default credentials are:

user: sgbox
pass: sgbox

Go to Collector > Register collector, then insert the key. In our example the key is “Key1234”, see section 3 (Create new tenant). If the registration succeeds, a message confirming it is shown.

Registration using web interface

An SGBox manager can manually associate a collector to a specific tenant. If the collector is not registered, it appears as “not assigned” in the list of collectors: SCM > Multi tenant > Manager, section PROBES.

You can select the correct tenant and click on ASSIGN.

After the collector is associated with the tenant, it’ll start to send logs: SCM > Multi tenant > Manager, section TENANTS.

Apache HTTP Server https://www.sgbox.eu/en/knowledge-base/apache-web-server-configuration/ Tue, 30 Mar 2021 11:16:40 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=6157

How to forward Apache web server logs to SGBox

This article explains how to forward logs from an Apache web server installed on Linux or Windows systems to SGBox.

Linux systems

On Linux, go to the rsyslog configuration path /etc/rsyslog.d/ and add a file with a name like 60-ApacheLogs.conf

In this example, to read the Apache access.log file, insert the following configuration into the file 60-ApacheLogs.conf.

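# Load the imfile input module
$ModLoad imfile
# Check the monitored file for new lines every 2 seconds
$InputFilePollInterval 2
# File to read, the syslog tag given to its lines, and the state file that tracks the read position
$InputFileName /var/log/apache2/access.log
$InputFileTag file-access:
$InputFileStateFile stat-file-access
$InputFileSeverity Info
# Activate monitoring of the file defined above
$InputRunFileMonitor
# Template that forwards only the message text
$template file_log, " %msg% "

# Send to SGBox via UDP (single @) on port 514, then stop further local processing
if $programname == 'file-access' then @SGBox-IP:514;file_log
if $programname == 'file-access' then stop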

Restart the rsyslog daemon to load the new configuration and start sending logs.

service rsyslog restart

This configuration reads the Apache access.log file and sends its lines via the syslog protocol on port 514 UDP to SGBox-IP.

Windows systems

On Windows, set up the SGAgent installed on the Apache server to retrieve the logs: see the Capture Logs from File/Folders (TailFolder method) section of the article linked below.

Check the Apache logs in SGBox

To verify that SGBox is correctly handling the raw logs sent by the Apache server, use Historical Search. Once you have verified the raw logs in SGBox, we recommend installing the Apache2 HTTP Server package to allow SGBox to analyze the raw logs received and show you events on the analysis pages.

Add Probe https://www.sgbox.eu/en/knowledge-base/configure-a-probe/ Tue, 17 Dec 2019 14:33:23 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=2794

Configure a collector as a probe in SGBox

This section explains how to configure a collector as a probe in SGBox to monitor the status of the collector directly from the tenant where it is added.

Requirements:

  • A collector must be deployed and configured. See this section for how to configure it.

Connect to the SGBox web interface.
Go to SCM > Network > Probe

Click on ➕ Add new probe button and specify:

  • Collector IP Address
  • Collector Name
  • Probe type: SGBox Standard Probe
  • (optional) Network or networks that belong to this collector

Click on SAVE to save the configuration.
After a few minutes, information about the status of the collector should be displayed.