Alert Logic Log Manager for Microsoft Azure IaaS (Linux)

This document is to walk the user through setting up Alert Logic Log Manager on Azure using a system running Linux.

Alert Logic updated the appearance of the Alert Logic console, though all functionality remains. If you have not elected to use the new console yet, please note that the product documentation describes the current Alert Logic console, not the Classic.

Before you begin

Review the Requirements for Alert Logic Log Manager for Microsoft Azure.

For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.

Select a virtual machine

You need to create a virtual machine in Azure or use an existing virtual machine to start collecting logs. For more information regarding how to create a virtual machine in Linux, see Microsoft Azure's documentation.

Download the agent

To download the agent:

  1. In the Alert Logic console, open the Settings menu, and then click Support Information.
  2. From the menu bar, click Quick Install Guide and Downloads.
  3. Download the appropriate agent and follow the on-screen instructions.
    • For Windows users, click Windows Agents, and then select the desired agent.
    • For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
  4. Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.

Install the agent for Linux

Option 1: Install the agent without image capture support

This method does not support image capture.

To install the agent:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  3. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
  5. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

    A TCP or HTTP proxy may be used in this configuration.

  6. Run the following command:
    /etc/init.d/al-agent configure --key <UNIQUEREGISTRATIONKEY>

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

  7. (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
    *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

  8. (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    • destination d_alertlogic {tcp("localhost" port(1514));};
    • log { source(s_src); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  9. Restart the syslog daemon.
  10. Verify that the agent has registered with the Alert Logic console. To do so, navigate to the deployment the agent is assigned to, click Hosts and Sources, click Sources, and then search for the agent.

Agent registration can take several minutes.

Option 2: Install the agent with image capture support

To install the agent and capture the image:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  3. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
  5. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

    A TCP or HTTP proxy may be used in this configuration.

  6. Run the following command:
    /etc/init.d/al-agent provision --key <UNIQUEREGISTRATIONKEY> --inst-type host
  7. Run the following command:
    /etc/init.d/al-agent start
  8. (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
    *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

  9. (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    • destination d_alertlogic {tcp("localhost" port(1514));};
    • log { source(s_src); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  10. Restart the syslog daemon.
  11. Verify that the agent has registered with the Alert Logic console. To do so, click Deployments, click the deployment the agent is assigned to, click Hosts and Sources, click Sources, and then search for the agent.

Agent registration can take several minutes.
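The two install procedures above (Option 1 with `configure --key`, Option 2 with `provision --key ... --inst-type host` followed by `start`) differ only in a couple of steps, and the syslog forwarding edit is easy to duplicate if the steps are repeated. The following shell helpers are an added example written for this page, not Alert Logic's installer or any script shipped with the agent. They print the package, SELinux and configure commands so they can be reviewed before running them as root, append the rsyslog forwarding line idempotently, and check locally that something is listening on TCP 1514. The `/etc/init.d/al-agent` path and the `semanage` command are taken from the instructions; the `getenforce` and `ss -ltn` inputs are passed in (or read from stdin) so the functions can be exercised without SELinux or a running agent.

```shell
#!/bin/sh
# Added example helpers for the Alert Logic agent install steps on Linux.
# Not Alert Logic's code. Source this file, then call the functions as root.

AL_AGENT_PORT=1514
AL_INIT=/etc/init.d/al-agent   # init script path given in the instructions

# Package step: choose rpm -U or dpkg -i from the package file name.
# Prints the command rather than running it, so it can be reviewed first.
pkg_install_cmd() {
    case "$1" in
        *.rpm) printf 'rpm -U %s\n' "$1" ;;
        *.deb) printf 'dpkg -i %s\n' "$1" ;;
        *) printf 'unsupported package: %s\n' "$1" >&2; return 1 ;;
    esac
}

# SELinux step: takes the output of `getenforce` as its argument and prints the
# semanage command only when SELinux is active (Enforcing or Permissive).
selinux_port_cmd() {
    case "$1" in
        Enforcing|Permissive)
            printf 'semanage port -a -t syslogd_port_t -p tcp %s\n' "$AL_AGENT_PORT" ;;
        *) return 1 ;;   # Disabled or not installed: nothing to label
    esac
}

# Optional egress steps: emit --host and/or --proxy only when a value is given.
agent_egress_cmds() {
    host=$1; proxy=$2
    [ -n "$host" ]  && printf '%s configure --host %s\n'  "$AL_INIT" "$host"
    [ -n "$proxy" ] && printf '%s configure --proxy %s\n' "$AL_INIT" "$proxy"
    return 0
}

# Registration step: Option 1 (configure) or Option 2 (provision + start).
# $2 is "image" for Option 2, anything else for Option 1.
agent_register_cmds() {
    key=$1; mode=$2
    [ -n "$key" ] || { echo 'registration key required' >&2; return 1; }
    if [ "$mode" = image ]; then
        printf '%s provision --key %s --inst-type host\n' "$AL_INIT" "$key"
        printf '%s start\n' "$AL_INIT"
    else
        printf '%s configure --key %s\n' "$AL_INIT" "$key"
    fi
}

# rsyslog step: the forwarding line from the instructions (@@ selects TCP).
rsyslog_forward_line() {
    printf '*.* @@127.0.0.1:%s;RSYSLOG_FileFormat\n' "$AL_AGENT_PORT"
}

# Append a line to a config file only if it is not already there, so re-running
# the procedure does not forward every message to the agent twice.
ensure_line() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$file"
}

# Local verification: reads `ss -ltn`-style output from stdin and succeeds if a
# listener is bound to the given TCP port (e.g. `ss -ltn | port_listening 1514`).
port_listening() {
    grep -Eq "[:.]$1[[:space:]]"
}
```

A typical Option 1 run is `pkg_install_cmd al-agent-<version>.rpm`, `selinux_port_cmd "$(getenforce)"`, `agent_egress_cmds "" <PROXYIP/PROXYHOST>`, `agent_register_cmds <UNIQUEREGISTRATIONKEY>`, then `ensure_line /etc/rsyslog.conf "$(rsyslog_forward_line)"` and a syslog restart; `ss -ltn | port_listening 1514` confirms the agent is accepting the forwarded logs before you look for the host in the console.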
