Alert Logic Threat Manager for SoftLayer (Linux)
- Review the Requirements for Alert Logic Threat Manager for SoftLayer.
- For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.
- If you have previously installed a Linux version of the Alert Logic agent, you must uninstall that version before you install the current Alert Logic agent image.
Alert Logicshares the Threat Manager image
Alert Logic completes this step.
Get the Threat Manager image
Before you begin, you must retrieve the Image ID/Name from the Alert Logic provisioning engineer.
To get the image:
- Log in to the SoftLayer portal.
- Navigate to Devices > Manage > Images.
- Find the Alert Logic shared image.
- Click the corresponding Actions button and based on your needs, select either Order Monthly Virtual Server or Order Hourly Virtual Server.
- Click Show for each configuration option, and make your desired selections.
See Cloud server size recommendations for sizing information.
- Click Continue Your Order.
- Review your order details, complete the missing fields, including payment information, and click Finalize Your Order.
Send appliance IP address to Alert Logic
Contact the provisioning department at Alert Logic and provide the external IP address for your new appliance. To do so, call (877) 484-8383 and select the appropriate option.
Contact Alert Logic to claim your appliance
To contact Alert Logic to claim your appliance:
- In the US, call (877) 484-8383 and select the appropriate option.
- In the EU, call +44 (0) 203 011 5533 and do the same.
After the appliance claim, the Alert Logic provisioning engineer adds your appliance details in the Alert Logic data center back end and establishes connectivity to your new appliance.
Download the agent
To download the agent:
- In the Alert Logic console, open the Settings menu, and then click Support Information.
- From the menu bar, click Quick Install Guide and Downloads.
- Download the appropriate agent and follow the on-screen instructions.
- For Windows users, click Windows Agents, and then select the desired agent.
- For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
- Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.
If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.
Install the agent for Linux
If you have previously installed a Linux version of the Alert Logic agent, you must uninstall that version before you install the current Alert Logic agent image.
Install the agent
To install the agent:
This method does not support image capture.
- Copy the package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.
- Run one of the following commands, based on your distribution:
- RPM: rpm -U al-agent-<version>*.rpm
- Debian: dpkg –i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP> - (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, then run the following command: /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>
A TCP or HTTP proxy may be used in this configuration.
- Run the following command: /etc/init.d/al-agent configure --key <UNIQUEREGISTRATIONKEY>
If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
- (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
- (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
- destination d_alertlogic {tcp("localhost" port(1514));};
- log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
-
Verify that the agent has registered with the Alert Logic console. To do so, navigate to the deployment the agent is assigned to, click Hosts and Sources, click Sources, and then search for the agent.
Agent registration can take several minutes.
Install the agent with image capture
To install the agent and capture the image:
- Copy the package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.
- Run one of the following commands, based on your distribution:
- RPM : rpm -U al-agent-<version>*.rpm
- Debian: dpkg –i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify this as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP> - (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, then run the following command: /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>
A TCP or HTTP proxy may be used in this configuration.
- Run the following command: /etc/init.d/al-agent provision --key <UNIQUEREGISTRATIONKEY> --inst-type host
- Run the following command: /etc/init.d/al-agent start
- (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
- (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
- destination d_alertlogic {tcp("localhost" port(1514));};
- log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
- Verify that the agent has registered with the Alert Logic console.To do so, clickDeployments, click the deployment the agent is assigned to, clickHosts and Sources, click Sources, and then search for the agent.
Agent registration can take several minutes.
Create an assignment policy
An assignment policy is a set of rules that indicates to appliances how to handle incoming traffic; the appliance will either accept or ignore the traffic. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.
To create an assignment policy:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- In the left navigation area, click Policies.
- Click the Assignment tab.
- Click the Add icon ().
- In Appliance Assignment Policy Name, enter a name.
- In Appliances, select an appliance.
- Click Save.
Assign a policy to a protected host
To assign a policy to a protected host:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the All Deployments tile.
- In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
- Click the pencil icon ( ) for the desired protected host.
- Select Use an Existing Assignment Policy.
- From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
- Click SAVE.