---
title: Arctic Wolf Aurora Endpoint Security
description: Gain insights into Arctic Wolf Aurora Endpoint Security logs.
breadcrumbs: Docs > Integrations > Arctic Wolf Aurora Endpoint Security
---

# Arctic Wolf Aurora Endpoint Security
**Integration version**: 1.0.0

Out-of-the-box dashboards:

- Arctic Wolf Aurora Endpoint Security Overview
- Arctic Wolf Aurora Endpoint Security Threat Insights
- Arctic Wolf Aurora Endpoint Security Application and Device Control Insights
- Arctic Wolf Aurora Endpoint Security Memory Protection and Script Control Insights
- Arctic Wolf Aurora Endpoint Security Network Insights
- Arctic Wolf Aurora Endpoint Security Process and System Activity
- Arctic Wolf Aurora Endpoint Security System Tool Activity

## Overview{% #overview %}

[Arctic Wolf Aurora Endpoint Security](https://docs.arcticwolf.com/bundle/AES-Overview/page/What-is-Aurora-Endpoint-Security.html) is a unified solution that helps to tackle modern threats. It provides comprehensive capabilities to detect and protect against threats across endpoints.

This integration enriches and ingests the following events:

- **Aurora Protect Desktop Events**: Log messages generated for application control, audit logs, devices, device control, memory protection, script control, threats and threat classification.
- **Aurora Focus Detection Events**: Malicious or suspicious events detected by Aurora Focus. These events include security process and system events, network events, and system tool events.

This integration collects all the above listed logs, channeling them into Datadog for analysis. Using the built-in logs pipeline, these logs are parsed and enriched, enabling search and analysis. The integration provides insight into desktop and detection events through out-of-the-box dashboards. Additionally, it includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.

**Minimum Agent version**: 7.74.0

## Setup{% #setup %}

### Configuration{% #configuration %}

#### Enable log collection{% #enable-log-collection %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable log collection in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add the following configuration block to your `arctic_wolf_aurora_endpoint_security.d/conf.yaml` file to start collecting Arctic Wolf Aurora Endpoint Security logs.

   ```yaml
   logs:
     - type: tcp # or 'udp'
       port: <PORT>
       service: arctic-wolf-aurora-endpoint-security
       source: arctic-wolf-aurora-endpoint-security
   ```

See the sample [`arctic_wolf_aurora_endpoint_security.d/conf.yaml`](https://github.com/DataDog/integrations-core/blob/master/arctic_wolf_aurora_endpoint_security/datadog_checks/arctic_wolf_aurora_endpoint_security/data/conf.yaml.example) file for available configuration options.

**Note**:

- `<PORT>`: Use the same port that you configure in the **Configure Arctic Wolf Aurora Endpoint Security settings** section below.
- Do not change the `service` and `source` values, as the logs pipeline depends on them to parse and enrich the events.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

#### Configure Arctic Wolf Aurora Endpoint Security settings{% #configure-arctic-wolf-aurora-endpoint-security-settings %}

1. Log in to Arctic Wolf Aurora Endpoint Security platform.
1. In the management console, on the menu bar, go to **Settings** > **Application**.
1. Enable the **Syslog/SIEM** option.
1. Enable the following event types to be sent to the syslog server:
   - Application Control
   - Audit Log
   - Devices
   - Device Control
   - Optics Events
   - Memory Protection
   - Script Control
   - Threats
   - Threat Classifications
   - Network Threats
1. Set the **SIEM** field to **Other**.
1. Set the **Protocol** field to **TCP/UDP**.
1. Enable the **Allow messages over 2 KB** option.
1. In the **IP/Domain** field, enter the public **IP address** of the Datadog Agent that will receive the logs.
1. In the **Port** field, specify an open **port** on the Datadog Agent for receiving logs.
1. Set the **Severity** level to **Debug (7)**.
1. Set the **Facility** value to **Local0 (16)**.
1. In **Include tenant identifiers**, specify whether the tenant ID, name, or both should be included in the syslog messages.
1. Click **Save**.

**Note**: The **Port** value must match the `<PORT>` configured in the **Enable log collection** section.
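The **Facility** and **Severity** settings above determine the `<PRI>` header on every syslog line the Agent receives: PRI is `facility * 8 + severity`, so Local0 (16) and Debug (7) yield `<135>`. The following added example (not part of this integration or of Arctic Wolf's own code) parses that header on received lines, checks it against the values this guide configures, and flags lines longer than 2 KB, which only arrive when **Allow messages over 2 KB** is enabled. The sample lines are constructed for illustration and are not real Aurora output.

```python
"""Added example (not part of the Datadog integration or Arctic Wolf's own
code): verify that syslog lines reaching the Agent's listener carry the PRI
header this guide configures, Facility Local0 (16) and Severity Debug (7),
and flag lines longer than 2 KB."""
import re
from typing import List, NamedTuple

LOCAL0 = 16          # Facility "Local0 (16)" from the guide
DEBUG = 7            # Severity "Debug (7)" from the guide
TWO_KB = 2 * 1024    # threshold behind the "Allow messages over 2 KB" option

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI value (RFC 3164 / RFC 5424): facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


class PriCheck(NamedTuple):
    pri: int
    facility: int
    severity: int
    matches_expected: bool   # facility/severity equal the guide's settings
    over_two_kb: bool        # sender needs "Allow messages over 2 KB" enabled
    body: str                # everything after the <PRI> header


def check_line(line: str, facility: int = LOCAL0, severity: int = DEBUG) -> PriCheck:
    """Parse the PRI header of one received line and compare it with the
    facility and severity this guide tells you to configure."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    return PriCheck(
        pri=pri,
        facility=fac,
        severity=sev,
        matches_expected=(fac == facility and sev == severity),
        over_two_kb=len(line.encode("utf-8")) > TWO_KB,
        body=line[m.end():],
    )


def mismatched(lines: List[str]) -> List[int]:
    """Indexes of lines whose PRI does not match the expected settings."""
    return [i for i, line in enumerate(lines) if not check_line(line).matches_expected]


# Constructed sample lines (not real Aurora output). The first is what a
# correctly configured sender produces (<135> = 16 * 8 + 7); the second was
# sent with Severity Info (6) instead of Debug; the third is padded past
# 2 KB to show the length flag.
SAMPLE_LINES = [
    "<135>Jan 10 12:00:00 aurora-host AuroraProtect: {\"event_type\": \"Threat\"}",
    "<134>Jan 10 12:00:01 aurora-host AuroraProtect: {\"event_type\": \"DeviceControl\"}",
    "<135>Jan 10 12:00:02 aurora-host AuroraFocus: " + "x" * 2100,
]

if __name__ == "__main__":
    print("expected PRI:", syslog_pri(LOCAL0, DEBUG))
    for line in SAMPLE_LINES:
        result = check_line(line)
        print(result._replace(body=result.body[:40] + "..."))
    print("mismatched line indexes:", mismatched(SAMPLE_LINES))
```

Run it against a capture of what actually arrives on the Agent's port (for example, lines saved from a short `tcpdump` or `nc -l` session) and any index reported by `mismatched` points at a sender whose Facility or Severity differs from what this guide sets.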

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `arctic_wolf_aurora_endpoint_security` under the `Logs Agent` section.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The Arctic Wolf Aurora Endpoint Security integration collects `Aurora Protect Desktop` and `Aurora Focus Detection` event logs.

### Metrics{% #metrics %}

The Arctic Wolf Aurora Endpoint Security integration does not include any metrics.

### Events{% #events %}

The Arctic Wolf Aurora Endpoint Security integration does not include any events.

## Troubleshooting{% #troubleshooting %}

**Permission denied while port binding:**

If you see a **Permission denied** error while port binding in the Agent logs, see the following instructions:

1. Binding to a port number under 1024 requires elevated permissions. Grant the Agent binary the capability to bind privileged ports:

   1. Grant access to the port using the `setcap` command:

      ```shell
      sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
      ```

   1. Verify the setup is correct by running the `getcap` command:

      ```shell
      sudo getcap /opt/datadog-agent/bin/agent/agent
      ```

      With the expected output:

      ```shell
      /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
      ```

   **Note**: Re-run this `setcap` command every time you upgrade the Agent, because the upgrade replaces the binary and drops the capability.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

**Data is not being collected:**

Make sure that traffic is bypassed from the configured port if the firewall is enabled.

**Port already in use:**

If you see the **Port <PORT-NO> Already in Use** error, see the following instructions. The example below is for `PORT-NO = 514`.

On systems using syslog, if the Agent listens for events on port 514, the following error can appear in the Agent logs: `Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use`.

This error occurs because by default, Syslog listens on port 514. To resolve this error, take **one** of the following steps:

- Disable Syslog, or
- Configure the Agent to listen on a different, available port.
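The two bind failures described in this section map to distinct OS errors: `EACCES` (Permission denied) when the Agent binary lacks `CAP_NET_BIND_SERVICE` for a port below 1024, and `EADDRINUSE` (address already in use) when another listener, typically the system syslog daemon on 514, already owns the port. The following added example (not Datadog Agent code) attempts the same TCP or UDP bind the Agent would, classifies the outcome, and returns the remedy from this page. `demo_conflict` reproduces the "already in use" case locally by holding an ephemeral UDP port and then releasing it; the port numbers in the `__main__` block are illustrative.

```python
"""Added example (not Datadog Agent code): try to bind the port given to the
Agent's syslog listener and map the failure to the remedy this
troubleshooting section describes."""
import errno
import socket
from typing import Dict, Tuple

# Remedies taken from this troubleshooting section, keyed by bind outcome.
REMEDY = {
    "ok": "Bind succeeded; if logs still do not arrive, check that the firewall "
          "allows traffic to this port.",
    "permission_denied": "Port below 1024: grant CAP_NET_BIND_SERVICE with setcap "
                         "(re-run after every Agent upgrade).",
    "in_use": "Another process owns the port: disable the conflicting syslog "
              "daemon or configure the Agent to use a different, available port.",
}


def diagnose_bind(port: int, proto: str = "udp", host: str = "0.0.0.0") -> str:
    """Attempt a bind the way the Agent's TCP/UDP listener would and return
    one of 'ok', 'permission_denied', 'in_use' or 'error:<strerror>'.
    The socket is closed immediately, so the port is left free."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((host, port))
        return "ok"
    except PermissionError:          # EACCES: privileged port without capability
        return "permission_denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:%s" % exc.strerror
    finally:
        s.close()


def explain(port: int, proto: str = "udp", host: str = "0.0.0.0") -> Tuple[str, str]:
    """Return (outcome, remedy text) for the given port."""
    result = diagnose_bind(port, proto, host)
    return result, REMEDY.get(result, "Unexpected bind error; inspect the Agent logs.")


def demo_conflict(host: str = "127.0.0.1") -> Dict[str, str]:
    """Reproduce the 'address already in use' case on loopback: hold an
    ephemeral UDP port with one socket, diagnose it (expect 'in_use'),
    release it and diagnose again (expect 'ok')."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        holder.bind((host, 0))          # the kernel picks a free port
        port = holder.getsockname()[1]
        while_held = diagnose_bind(port, "udp", host)
    finally:
        holder.close()
    after_release = diagnose_bind(port, "udp", host)
    return {"port": str(port), "while_held": while_held, "after_release": after_release}


if __name__ == "__main__":
    # Illustrative ports: 514 is the syslog default this section discusses,
    # 10514 is an arbitrary unprivileged alternative.
    for candidate in (514, 10514):
        outcome, remedy = explain(candidate)
        print("%d/udp: %s -> %s" % (candidate, outcome, remedy))
    print(demo_conflict())
```

Run it as the same user the Agent runs as, with the same protocol you set in `conf.yaml`; a `permission_denied` result on a port the root user can bind confirms that the `setcap` step above is what is missing, while `in_use` points at the syslog conflict rather than at Agent configuration.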

For any further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).
