Alert Logic Threat Manager for Rackspace Public Cloud (Linux)

Before you begin:

Share the Threat Manager image

Make sure you have the following information:

  • Member ID – This is your Rackspace Public Cloud account ID.
  • Region – This is where you wish to store your image.

To share the image:

  1. Contact Alert Logic provisioning and provide the necessary information. Call (877) 484-8383 and select the appropriate option.

For more information, visit the Alert Logic YouTube page.

Get the Threat Manager image

Make sure you have the following information:

  • Image UUID – You can retrieve this information from the Alert Logic provisioning engineer.
  • Customer API key – You can retrieve this information from the Account Settings page in the Rackspace Public Cloud User Interface. The API key is located under Login Details.

To properly run the commands in this topic:

  • If you use Mac OS, you can enter the commands on your local machine.
  • If you use Windows, you must first install Cygwin on your Windows machine.

To get the image:

  1. The API (authentication) token allows you to access the shared image from Alert Logic. Use the curl command below to get the API token:

curl -s https://identity.api.rackspacecloud.com/v2.0/tokens -X 'POST' \
-d '{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"yourUserName", "apiKey":"yourApiKey"}}}' \
-H "Content-Type: application/json" | python -m json.tool

Example:

curl -s https://identity.api.rackspacecloud.com/v2.0/tokens -X 'POST' \
-d '{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"TomR", "apiKey":"005ec2603b6e14"}}}' \
-H "Content-Type: application/json" | python -m json.tool

  2. When the command runs, several line items appear on the screen. Locate the line that begins with token.
  3. Copy the string of characters in the id field under token. You need this in the next step.
  4. Use the table below to identify your region and the corresponding MemberID. You will need this information to run the command in the next step.

  Region   MemberID
  DFW      al-tmc-image-latest - 886b54bb-274a-413f-bd52-e5ab47fb3a75
  IAD      al-tmc-image-latest - 74b2c542-8917-42eb-87d3-c6ac0197b7f8
  ORD      al-tmc-image-latest - b90dce7b-fa42-4c22-b1ab-46427ee911c9

  5. Use the following command to get the Threat Manager virtual appliance image:

Your MemberID varies based on your region. When you run the command, be sure to use the correct MemberID.

curl -s -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: $Token" \
https://$region.images.api.rackspacecloud.com/v2/images/$Image_UUID/members/$MemberID \
-d '{ "status": "accepted" }'

Example:

curl -s -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: 7fc6353373ac4poTD68f7a99a02e83" \
https://iad.images.api.rackspacecloud.com/v2/images/86a0a711-c07e-4dfc-a533-ebd2a1482795/members/000000 \
-d '{ "status": "accepted" }'

  6. After you see that the image is accepted, log in to the Rackspace Public Cloud User Interface.
  7. Select your region. Cloud servers should be created in the same region as the protected host.
  8. Click Saved Images.
  9. Verify that the image is listed.

You may see the word Deleted instead of the Parent Server name for the image. This behavior is normal and simply means that you are not authorized to access the parent server. This behavior has no impact on the installation of Threat Manager in your environment.
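The token request and the image-member acceptance described above, scripted end to end as an added example (not code from this page or from Alert Logic). It assumes RAX_USER, RAX_APIKEY, RAX_REGION (dfw, iad or ord), IMAGE_UUID (from the provisioning engineer) and MEMBER_ID (your account ID) are exported, and that python is installed, as the json.tool step above already requires:

```shell
#!/bin/sh
# Added example, not from the original page: request an identity token, pull
# the token id out of the JSON response, then accept the shared image.
# Assumes RAX_USER, RAX_APIKEY, RAX_REGION, IMAGE_UUID and MEMBER_ID are set.

# Build the apiKeyCredentials body from arguments instead of hand-quoting it.
auth_body() {
  printf '{"auth":{"RAX-KSKEY:apiKeyCredentials":{"username":"%s","apiKey":"%s"}}}' "$1" "$2"
}

# Build the regional Images API member URL; the region is lowercased.
member_url() {
  region=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf 'https://%s.images.api.rackspacecloud.com/v2/images/%s/members/%s' "$region" "$2" "$3"
}

# Read the token id from the identity response on stdin. python does the JSON
# parsing, as the page's "python -m json.tool" step already relies on it.
extract_token() {
  python -c 'import json,sys; print(json.load(sys.stdin)["access"]["token"]["id"])'
}

get_token() {
  # --fail turns an HTTP error (bad API key, wrong username) into a non-zero exit.
  curl -sS --fail -X POST https://identity.api.rackspacecloud.com/v2.0/tokens \
    -H "Content-Type: application/json" \
    -d "$(auth_body "$RAX_USER" "$RAX_APIKEY")" | extract_token
}

accept_image() {
  # $1 token, $2 region, $3 image UUID, $4 member ID. The token is never echoed.
  curl -sS --fail -X PUT "$(member_url "$2" "$3" "$4")" \
    -H "Content-Type: application/json" -H "X-Auth-Token: $1" \
    -d '{ "status": "accepted" }'
}

main() {
  token=$(get_token) || { echo "token request failed" >&2; return 1; }
  accept_image "$token" "$RAX_REGION" "$IMAGE_UUID" "$MEMBER_ID" \
    && echo "image $IMAGE_UUID accepted for member $MEMBER_ID in $RAX_REGION"
}

# Run as "sh accept_image.sh run"; without the argument only the functions load.
if [ "${1:-}" = "run" ]; then main; fi
```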

For more information, visit the Alert Logic YouTube page.

Create a cloud server

A cloud server is a virtual machine that contains the Threat Manager virtual appliance.

To create a cloud server:

  1. Log in to the Rackspace Public Cloud User Interface.
  2. Click Create Server.
  3. Type a Server Name. Use a standard naming convention, such as rax-cloud-IAD-tm01.
  4. Select your Region. Cloud servers should be created in the same region as the protected host.
  5. Under Image, select Saved, and then Parent Server > Image name.
  6. Scroll to the Flavor area of the user interface, and then select the Flavor Class you need.
  7. Leave the remaining server options at their default settings, and then click Create Server. The service builds your cloud server.
    • When the server spins up, the server status changes to Active.

The server may take up to an hour to spin up. The typical time is about 20 minutes. If the server does not spin up after an hour, create another cloud server.

For more information, visit the Alert Logic YouTube page.

Send the appliance external ID to Alert Logic

Contact Alert Logic provisioning and provide the appliance external IP address. You can call (877) 484-8383 and select the appropriate option.

Contact Alert Logic to claim your appliance

To contact Alert Logic to claim your appliance: 

  • In the US, call (877) 484-8383 and select the appropriate option.
  • In the EU, call +44 (0) 203 011 5533 and do the same.

Alert Logic adds appliance to data center back end

After you claim your appliance, the Alert Logic provisioning engineer adds your appliance details in the Alert Logic data center back end and establishes connectivity to your new appliance.

Download the agent

To download the agent:

  1. In the Alert Logic console, open the Settings menu, and then click Support Information.
  2. From the menu bar, click Quick Install Guide and Downloads.
  3. Download the appropriate agent and follow the on-screen instructions.
    • For Windows users, click Windows Agents, and then select the desired agent.
    • For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
  4. Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.

Install the agent for Linux

If you have previously installed a Linux version of the Alert Logic agent, you must uninstall that version before you install the current Alert Logic agent image.

Install the agent

This method does not support image capture.

To install the agent:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  3. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
  5. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

    A TCP or HTTP proxy may be used in this configuration.

  6. Run the following command:
    /etc/init.d/al-agent configure --key <UNIQUEREGISTRATIONKEY>

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

  7. (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
    *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

  8. (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    destination d_alertlogic { tcp("localhost" port(1514)); };
    log { source(s_src); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  9. Restart the syslog daemon.
  10. Verify that the agent has registered with the Alert Logic console. To do so, navigate to the deployment the agent is assigned to, click Hosts and Sources, click Sources, and then search for the agent.

Agent registration can take several minutes.

Install the agent with image capture

To install the agent and capture the image:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  3. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
  5. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

    A TCP or HTTP proxy may be used in this configuration.

  6. Run the following command:
    /etc/init.d/al-agent provision --key <UNIQUEREGISTRATIONKEY> --inst-type host
  7. Run the following command:
    /etc/init.d/al-agent start
  8. (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
    *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

  9. (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    destination d_alertlogic { tcp("localhost" port(1514)); };
    log { source(s_src); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  10. Restart the syslog daemon.
  11. Verify that the agent has registered with the Alert Logic console. To do so, click Deployments, click the deployment the agent is assigned to, click Hosts and Sources, click Sources, and then search for the agent.

Agent registration can take several minutes.
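The two install procedures above (with and without image capture), wrapped in one idempotent script as an added example (not code from this page or from Alert Logic). It assumes the package path is the first argument, AL_KEY holds the Unique Registration Key, AL_HOST and AL_PROXY are optional, AL_IMAGE_CAPTURE=1 selects the provision-and-start variant, and that rsyslog is restarted with "service rsyslog restart"; the semanage fallback to -m is the usual handling when TCP 1514 is already labelled:

```shell
#!/bin/sh
# Added example, not from the original page: runs the agent install steps as
# one re-runnable script. Assumes: package path as $1, AL_KEY set, AL_HOST and
# AL_PROXY optional, AL_IMAGE_CAPTURE=1 for the image-capture variant.

# Append a line to a file only if that exact line is absent, so re-running the
# script never duplicates the rsyslog forwarding rule.
ensure_line() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Label TCP 1514 for syslogd, but only when SELinux is present and enabled.
selinux_open_port() {
  command -v getenforce >/dev/null 2>&1 || return 0
  [ "$(getenforce)" = "Disabled" ] && return 0
  command -v semanage >/dev/null 2>&1 || {
    echo "semanage missing: install policycoreutils-python first" >&2; return 1; }
  # -a fails if the port is already labelled; fall back to modifying the label.
  semanage port -a -t syslogd_port_t -p tcp 1514 2>/dev/null ||
    semanage port -m -t syslogd_port_t -p tcp 1514
}

# Choose rpm or dpkg from the package file name, as the RPM/Debian step does.
install_package() {
  case "$1" in
    *.rpm) rpm -U "$1" ;;
    *.deb) dpkg -i "$1" ;;
    *) echo "unknown package type: $1" >&2; return 1 ;;
  esac
}

configure_agent() {
  [ -n "${AL_HOST:-}" ] && /etc/init.d/al-agent configure --host "$AL_HOST"
  [ -n "${AL_PROXY:-}" ] && /etc/init.d/al-agent configure --proxy "$AL_PROXY"
  if [ "${AL_IMAGE_CAPTURE:-0}" = 1 ]; then
    /etc/init.d/al-agent provision --key "$AL_KEY" --inst-type host
    /etc/init.d/al-agent start
  else
    /etc/init.d/al-agent configure --key "$AL_KEY"
  fi
}

main() {
  selinux_open_port && install_package "$1" && configure_agent || return 1
  # The restart command is an assumption; adjust it for your init system.
  if [ -f /etc/rsyslog.conf ]; then
    ensure_line /etc/rsyslog.conf '*.* @@127.0.0.1:1514;RSYSLOG_FileFormat'
    service rsyslog restart
  fi
}

if [ $# -gt 0 ]; then main "$1"; fi
```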

Create an assignment policy

An assignment policy is a set of rules that indicates to appliances how to handle incoming traffic; the appliance will either accept or ignore the traffic. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.

To create an assignment policy:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. In the left navigation area, click Policies.
  3. Click the Assignment tab.
  4. Click the Add icon.
  5. In Appliance Assignment Policy Name, enter a name.
  6. In Appliances, select an appliance.
  7. Click Save.

Assign a policy to a protected host

To assign a policy to a protected host:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the All Deployments tile.
  3. In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
  4. Click the pencil icon for the desired protected host.
  5. Select Use an Existing Assignment Policy.
  6. From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
  7. Click SAVE.