The system options include functions such as package upload, updates, settings, backup, restore, support, licensing, clustering, front-end collectors, and Client Agent Console.
Package Upload
1. Select "System" → "Package Upload" to enter the package upload page.
2. Users can upload visual units, dashboards, reports, and parsers here. Multiple files can be uploaded at once.
- If the license is the LITE version, official parsers cannot be uploaded.
- If the license is the STANDARD version, both official and custom parsers can be uploaded.
3. Users can either drag and drop or click on the upload box to select files for upload. Click "Update," and the upload progress can be viewed in the notification list.
Update
1. Select "System" → "Update" from the left-side menu to go to the system update page.
2. Updates are divided into manual and automatic. During the system update, all online users will be logged out and the update progress page will be displayed. After the update is completed, the screen will automatically redirect to the login page.
- Manual Update: Click "Upload Update File," then drag and drop or click the upload box to upload the update file. Click "Update."
- Online Update: Click "Check for Updates" to immediately check if the latest version of the update package has been released. If available, it will display "A new version is available, please proceed with download"; if not, it will display "You are on the latest version." If the Maintenance Agreement (MA) has expired, the online update feature will not be available.
- Scheduled Update Check Settings: Click "Update Settings" to open the scheduled update settings. The system will check for the latest version based on the user-defined schedule.
Settings
1. Base setting
(1) System Time: Displays the current system time.
(2) Language: A drop-down menu to select the system language. Currently supports English, Traditional Chinese, and Simplified Chinese.
(3) Report Header Image: Allows users to change the image on the report homepage. The recommended size is 30px by 80px (height x width). Only .png, .jpg, and .jpeg formats are allowed for upload.
- Drag and drop or click the upload input box to upload an image that meets the upload requirements. The settings will take effect after saving.
- To delete a custom report header image, click the delete icon to revert to the default report header image.
2. Mail server
(1) Supports configuring two mail servers simultaneously.
(2) Sequentially fill in the information for "Sender," "Server or Domain," "Port," and "Account Password." This allows for setting up scheduled report notifications, alert notifications, and system notifications to be sent via email.
3. Connection
(1) InspireOZ Integration (Ticket System): If used with InspireOZ products, enter the email address that needs to receive notifications.
(2) IFTTT Settings: You can configure IFTTT to enable LINE Notify notification functionality by entering the notification group and key.
4. Advanced Settings
(1) SAFE3.0 Log Export (Syslog): Users can export the SAFE3.0 system operation logs (weblogs) to another host for storage based on their needs. The SAFE3.0 system will also keep a copy.
(2) Log Hash (SHA256): Users can choose to enable hash value settings. Once enabled, the log collector service must be restarted, and each log entry will include a hash value (SHA256) to ensure its integrity and security.
(3) Cloud Backup (Azure): Cloud backup and local backup can only be used one at a time. After clicking to enable on the interface, users need to set up the storage account name, Key, and backup path, then click test to verify the settings, and finally save to complete the configuration. When enabling or re-enabling, the search engine will also restart, which may cause several minutes to several hours of downtime for log queries, dashboards, and other features.
Backup Limitations:
- Compression for backups is not supported.
- Restoration of old backup files (e.g., 7z, des3, v2.9.2 version) is not supported.
5. Security
(1) Password Policy: System administrators can configure the password change policy. If the password exceeds its validity period, the system will require the user to reset their password before they can log in again.
(2) Login Captcha: Once enabled, users will need to enter a verification code during login.
(3) AD Integration: Supports LDAP and LDAPS connection methods. Once enabled, all fields are required. System administrators can configure AD information as needed. When users enter their account on the homepage, the system will automatically determine if it is an AD account.
6. Threat Detection Module
Once enabled, the system will automatically execute TDM rule updates daily at 12:00 PM.
Backup
1. Menu
In the left-hand menu, select "System" → "Backup" to enter the backup settings page.
2. Data Index
Backups are performed for indexed logs (safe3r2-* index).
(1) One-time Backup: Click the single backup icon to open the one-time backup settings page.
- Click the input box to open the drop-down menu. Users can select the desired indexes to back up according to their needs (multiple index backups can be performed at once).
- After selecting the indexes, click "Execute."
- You can view the backup status in the execution list.
(2) Scheduled Backup Configuration: Click the "Edit Schedule" icon to open the scheduled backup settings screen.
- Users can select the backup frequency (daily/weekly/monthly) and backup time according to their needs. Set the switch to "enabled," and once the configuration is complete, click "Save" to finish the schedule setup.
- If the monthly backup is set for the 31st, it will not be executed in months that do not have a 31st.
(3) View All Backup Records: Click the "View" icon to see all one-time and scheduled backup records.
3. SAFE System Configuration: Perform backups based on system user settings.
(1) One-time Backup: Click the single backup icon to open the one-time backup settings page.
- Click the "Execute" icon, and you can view the backup progress in the execution list.
(2) Scheduled Backup Configuration: Click the Edit icon to open the scheduled backup settings screen.
- Users can set the backup date and time for each month.
- If the monthly backup is set for the 31st, it will not be executed in months that do not have a 31st.
- Set the switch to "enabled" and click "Save" to complete the schedule setup.
(3) View All Backup Records: Click the "View" icon to see all one-time and scheduled backup records.
4. SAFE System Audit: Perform backups for system logs (weblog-* index).
(1) One-time Backup: Click the single backup icon to open the one-time backup settings page.
- Click the "Create Backup" input box to open the drop-down menu. Users can select the indexes they wish to back up according to their needs (multiple indexes can be backed up at once).
- System audit logs and data index logs are different; each index is based on a monthly unit.
- You can view the backup status in the execution list.
(2) Scheduled Backup Configuration: Click the Edit icon to open the scheduled backup settings screen.
- Users can set the backup date and time for each month.
- If the monthly backup is set for the 31st, it will not be executed in months that do not have a 31st.
- Set the switch to "enabled," and click "Save" to complete the schedule setup.
(3) View All Backup Records: Click the "View" icon to see all one-time and scheduled backup records.
Restore
1. Menu: In the left-hand menu, select "System" → "Restore" to access the restore list page.
- The list displays file names, last validation results, and last validation time.
- You can perform keyword searches using the search input box.
2. Select for Restore: Check the checkbox next to the index file names you want to restore, and click "Select Restore." You can choose whether to ignore the validation results during the restore process.
- Click "Yes" to proceed with the restore without validating the file's hash values.
- Click "No" to perform hash value validation; the restore will only proceed if the validation passes. If it fails, the restore will not be executed.
3. Restore Logs: Click the "Restore Log" icon to open the restore records list page. You can view the restored file names, restore status, and update time. You can also use the search input box for keyword searches.
4. Restore Management: Click the "Restore Management" icon to open the restore index list. To delete restored indexes, users can check the checkboxes next to the indexes and click to delete.
5. MD5 Hash Value Verification: Click the icon to perform hash value verification on the restored files, and the verification results will be displayed on the list page.
Support
1. In the left-hand menu, select "System" → "Support" to enter the support download page.
2. When the system encounters an issue, you can click the download icon on this page to download the system logs. Once downloaded, the file can be provided to the vendor for analysis to identify the cause of the error.
License
1. License Types: The SAFE3.0 license includes the following types, with different licensing details based on the purchase method:
- EPS (Events Per Second): Calculated once every hour, it averages the EPS over the past 168 hours (7 days). If the amount exceeds the licensed limit, the system will lock.
- Device: Calculated once every hour, it counts the number of devices received within the past 6 hours. If the count exceeds the licensed limit, the system will lock.
- Expiration Date: This is the software usage period. If the date is exceeded, the system will lock.
- Version: Divided into Lite (simplified version) and Standard (full version).
2. If the original license limit is exceeded, the report, log, and dashboard functions will stop, but the log collection function will not be affected.
3. Upload License File: Click the "Download" icon to download the system information, provide it to the vendor, and after obtaining the license key from the vendor, upload it to verify and update the license.
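The following is an added example for capacity planning, not vendor code: it replays the two hourly license checks described above (168-hour EPS average, 6-hour device count) over constructed traffic, showing how long a sustained burst takes to push the average over the limit and how long a short device spike stays counted. The function names, sample data, handling of the first 168 hours, and the strict "greater than" comparison are assumptions.

```python
from collections import deque

EPS_WINDOW_HOURS = 168   # page: EPS is averaged over the past 168 hours
DEVICE_WINDOW_HOURS = 6  # page: devices are counted over the past 6 hours


def evaluate_license(hourly, eps_limit, device_limit):
    """Replay hourly samples, oldest first, and run both checks once per hour.

    hourly: list of (event_count, iterable_of_device_ips), one item per hour.
    Assumptions: the average uses only the hours available so far, and
    "exceeds" means strictly greater than the licensed limit.
    """
    events = deque(maxlen=EPS_WINDOW_HOURS)
    devices = deque(maxlen=DEVICE_WINDOW_HOURS)
    results = []
    for hour, (count, seen) in enumerate(hourly):
        events.append(count)
        devices.append(frozenset(seen))
        avg_eps = sum(events) / (len(events) * 3600)
        device_count = len(frozenset().union(*devices))
        results.append({
            "hour": hour,
            "avg_eps": avg_eps,
            "devices": device_count,
            "eps_exceeded": avg_eps > eps_limit,
            "devices_exceeded": device_count > device_limit,
        })
    return results


def first_exceeded(results, key):
    """Hour index of the first evaluation where the given check trips, or None."""
    return next((r["hour"] for r in results if r[key]), None)


def constructed_samples():
    """Constructed data: 1000 EPS baseline, a sustained 3000 EPS burst from
    hour 168, and three extra devices reporting during hour 100 only."""
    base = ["10.16.6.10", "10.16.6.11"]
    extra = ["10.16.6.20", "10.16.6.21", "10.16.6.22"]
    samples = []
    for hour in range(240):
        count = 3_600_000 if hour < 168 else 10_800_000
        samples.append((count, base + extra if hour == 100 else base))
    return samples


if __name__ == "__main__":
    res = evaluate_license(constructed_samples(), eps_limit=1500, device_limit=4)
    print("EPS limit first exceeded at hour", first_exceeded(res, "eps_exceeded"))
    print("Device limit first exceeded at hour", first_exceeded(res, "devices_exceeded"))
    print("Device count at hour 106:", res[106]["devices"])
```

With this constructed data, a burst at three times the baseline takes 43 hourly evaluations to cross a 1500 EPS limit, while a one-hour device spike keeps the device count elevated for six evaluations.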
Cluster
1. Important Notes Before Creating a Cluster
- After configuring the cluster, all indexes will be cleared and deleted. Therefore, please back up any necessary content, such as search conditions and dashboards, beforehand.
- For a cluster, each individual host must have at least 64GB of memory, and for a multi-host cluster, there must be at least 3 machines.
2. Create Cluster
(1) In the left-hand menu, under "System," click "Cluster" to enter the cluster management page. Click the "Add+" icon to open the cluster settings page.
(2) Enter the cluster configuration information in sequence.
- SAFE3.0 Cluster Network: Enter the network segment IP. For example, if the host IP is 10.16.6.135, the cluster network can be entered as 10.16.6.0.
- Voting Node: The IP of the host with voting functionality. If it is a 2+1 cluster architecture, check the checkbox and enter the voting host's IP. Once the setting is applied, it cannot be changed.
- Group 1: The IP of the cluster host. For a single host, you can just enter the IP of the SAFE3.0 host.
- Group 2 (or more): Enter the second cluster host's IP. For multiple clusters, click the icon to add a new group input field.
(3) Click the "Check" icon to check the connection status. If everything is normal, click the "Apply" icon to proceed.
(4) After applying, Elasticsearch will restart, causing a waiting screen to appear. Wait approximately 3-5 minutes before entering the cluster page to check the results.
3. Cluster Synchronization Mechanism
- The database (DB) will be synchronized during cluster creation.
- Logstash parsing will be synchronized during cluster creation.
- Package uploads will be synchronized across all nodes.
- Licensing is independent and not synchronized.
- Updates will be synchronized to all nodes.
- The support download page allows downloading support files from all cluster hosts at once.
- Parsing settings will be synchronized across all nodes.
Frontend Collector
1. Frontend Collector Page
In the left-hand menu, click "System" → "Frontend Collector" to enter the frontend collection edit page. Users can change the sorting rules using the column sorting icon, or perform a keyword search using the search input box for fuzzy search.
(1) IP: The IP address of the frontend collector host.
(2) Name: The name of the frontend collector, defaulting to the host's IP. Users can set it on the edit page.
(3) Remaining Space: The percentage of remaining log storage space.
(4) Queue (Number of Entries): The number of logs stored in the frontend collector that have not yet been forwarded to the SAFE3.0 host. If the number keeps increasing, check whether the frontend collector service is functioning properly.
(5) Version: Displays the last updated version.
(6) Status: Indicates the service status of the frontend collector with different colors:
- Green: Service/connection is normal.
- Orange: Service is abnormal.
- Red: Connection is abnormal.
- Black: Disabled.
2. Functions (from left to right)
- Refresh: Click the "Refresh" icon to restart the frontend collector service.
- Edit: Click the "Edit" icon to open the frontend collector edit page.
3. Frontend Collector Edit Page
(1) Basic Information: Displays the name and the settings for enabling or disabling the collector.
(2) Host: Displays the IP addresses of the client hosts sending logs to the frontend collector. Users can change the sorting rules using the sorting icon, and also use the search input box to perform a keyword fuzzy search.
Edit: Click the icon to enter the edit page, where you can configure the client host name, query roles, categories, and log reception checks.
(3) SNMP Trap Settings: After turning on the switch, enter the Trap Community to send Trap Logs to the Frontend Collector (FC).
(4) Parser: Set up log parsing on the frontend collector. Enable the FC parsing function by turning on the switch and clicking "Apply" to complete the configuration.
(5) Keyword
- Click the icon to add a field configuration.
- You can select a field name from the dropdown menu, such as Beats, host, or rawlog, for configuration.
- Enter the keyword to be filtered in the keyword field. For example:
- If you choose the field rawlog and enter the keyword just for test, it will filter out logs matching rawlog:"just for test".
- If you choose the field host and enter the keyword 10.16.6.199, it will filter out logs matching host:"10.16.6.199".
- After saving the settings, select "Apply Keywords Filtering" to apply the configuration. The system will restart the service and write the settings to the system configuration file. Conversely, if you cancel applying keyword filtering, only the file configuration content will be saved.
(6) Log Reception: Configure the frontend collector to check log reception. If the frontend collector service is abnormal and cannot forward logs to SAFE3.0, it will check according to the time interval set by the user and send an email notification to the user.
4. Update FC
Click the "Update FC" icon to open the frontend collector update page. Drag the update package to the upload box or click to select the file. Click "Update" to start the update process. You can then check the update status in the "Update History" section.
5. Refresh Service Status: Click the "Refresh" icon to refresh the status of the frontend collector service.
Client Agent Console
After logging into SAFE3, select "System" → "Client Agent Console" to access the Client Agent Console.
Click "Beats" to enter the list of controller-installed hosts. The list shows the hostname, Agent version, installed Beats type, and the connection status between the host and SAFE3.
Click the hostname to view the performance page for that host.
Click the Beats name to open the Beats Agent management page.
- Click "Restart" to restart the Agent services on all hosts in the list and update the configuration file.
- Click "Config" to open the Agent template settings page.
- The default template is named "Default" and cannot be deleted.
- Templates can be duplicated, but only the fields are copied, not the host list associated with the settings.
- Click "Host List" to set the host IPs you want to apply the template to.
- Template names must be unique.
- The checkboxes in the list can be used to sort items.
- Click "Update" to open the Agent update window, displaying the Agent host IP, last update time, and update status.
Single Agent Operations
- Restarting and updating the configuration file for a single Agent service.
- Stopping a single Agent service.
- Editing the Agent.
- A delete button will appear only when the Agent is disconnected (indicated by a red status light).
Installing SAFE3 Beats Controller on Windows Server
Supported Versions
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Note: Windows Server 2012 R2 is not supported.
Installation Steps
On the host where the Agent is to be installed, open Chrome and go to https://<SAFE3 IP>/agent/home. Select the required Beats type and choose the Windows MSI x86_64 platform, then click "Download." Once downloaded, locate the Beat_Controller-<SAFE3 IP>.zip file in the folder, extract it (contact the vendor for the password), and right-click to run the installer as Administrator. During installation, the host IP will be automatically populated, and a dropdown menu allows selecting the port for connection to SAFE3.
The installer will configure the local firewall based on the selected ports (8443, 10443, 20443).
Select the installation path, keep the default settings, and click "Next."
Click "Install" to proceed with the installation.
Completing the Installation.
After the installation is complete, you can check the "SAFE3.0 Beats Controller" service in the Task Manager and Programs section on the Agent host. The Beats Agents will also gradually complete their installation process.
In the resident program interface on the host, you can enable, stop, restart, re-register, and exit the Beats Controller.