Install the Alert Logic agent for Linux

Alert Logic provides a single agent that supports Threat Manager, Log Manager, and Web Security Manager. The agent gathers data that Alert Logic must collect for analysis, such as log messages and network traffic, as well as metadata and host identification information. You can assign a maximum of 500 agents per corresponding appliance in both Linux and Windows, regardless of appliance size. Refer to the Requirements for the Alert Logic agent page for the minimum system requirements to communicate with the physical appliance.

For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533

Download the agent

To download the agent:

  1. In the Alert Logic console, open the Settings menu, and then click Support Information.
  2. From the menu bar, click Quick Install Guide and Downloads.
  3. Download the appropriate agent and follow the on-screen instructions.
    • For Windows users, click Windows Agents, and then select the desired agent.
    • For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
  4. Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.

Install the agent

For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.

If you have an active IAM or RBAC role (for AWS or Azure, respectively), and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Install the agent

If you have previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.

Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.

To install the agent and not capture the image:

  1. Copy package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  1. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  1. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify it as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <LOGMANAGERAPPLIANCEIP>
  2. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, then run the following command: /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>
    A TCP or HTTP proxy may be used in this configuration.
  3. Run the following command: /etc/init.d/al-agent provision --key <UNIQUEREGISTRATIONKEY>
  4. Run the following command: /etc/init.d/al-agent start

Do not run step 7 if you want to capture the image of a virtual machine.

  1. Do one of the following:

add the following line to rsyslog.conf:

*.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

add the following lines to syslog-ng.conf:

  • destination d_alertlogic {tcp("localhost" port(1514));};
  • log { source(s_sys); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  1. Restart the syslog daemon.

  2. Verify that the agent has registered with the Alert Logic console. To do so, navigate to the deployment the agent is assigned to, click Collectors, and then search for the agent.

Agent registration can take several minutes.

Install the agent with image capture

If you have previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.

Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.

To install the agent with image capture:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:

    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  1. Run one of the following commands, based on your distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  1. (Optional) If you have set up a NAT, virtual appliance, or physical appliance and you want to specify it as a single point of egress for agents to use, run the following command:

    /etc/init.d/al-agent configure --host <LOGMANAGERAPPLIANCEIP>
  2. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, then run the following command: /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

A TCP or HTTP proxy may be used in this configuration.

  1. Run the following command: /etc/init.d/al-agent configure --key <UNIQUEREGISTRATIONKEY>
  2. Do one of the following:

add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

add the following lines to syslog-ng.conf:

  • destination d_alertlogic {tcp("localhost" port(1514));};
  • log { source(s_sys); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  1. Restart the syslog daemon.
  2. Shut down the target machine and save your operating system image.
  3. (Optional) Start an instance of the saved image and verify that the agent has registered with the Alert Logic console.
    If you need to edit your OS image at any point, you must ensure when saving that the Alert Logic agent is *not* registered. You can accomplish this by stopping the agent with:
    /etc/init.d/al-agent stop
    Then, if it is present, remove the files:
    /var/alertlogic/etc/host_crt.pem
    /var/alertlogic/etc/host_key.pem
    prior to shutting down and saving the resulting image.

Agent registration can take several minutes.

Related topics

Related Topics Link Icon