Set up Alert Logic Log Manager for Amazon Web Services (Linux)

This document walks you through setting up Alert Logic Log Manager, purchased directly from Alert Logic, on AWS using a system running Linux.

Before you begin

Review the Requirements for Alert Logic Log Manager for Amazon Web Services.

Alert Logic no longer supports EC2-Classic. You must upgrade from that EC2 platform to the most current EC2 platform offered by AWS.

As an AWS direct customer, you can use the Alert Logic agent, CloudTrail, and S3 log collection methods. For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.

Alert Logic agent

Download the agent

To download the agent:

  1. In the Alert Logic console, open the Settings menu, and then click Support Information.
  2. From the menu bar, click Quick Install Guide and Downloads.
  3. Download the appropriate agent and follow the on-screen instructions.
    • For Windows users, click Windows Agents, and then select the desired agent.
    • For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
  4. Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.

If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.

Install the agent for Linux

If you have an active IAM role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.

Option 1: Install the agent

If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.

Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.

To install the agent:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514

If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.

  3. Run one of the following commands, depending on the distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
  5. (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>

A TCP or HTTP proxy may be used in this configuration.

  6. Run the following command:
    /etc/init.d/al-agent start

Do not run this command if you want to capture the image of a virtual machine.

  7. Do one of the following:
    • If you use an rsyslog daemon, add the following line to rsyslog.conf:
      *.* @@127.0.0.1:1514;RSYSLOG_FileFormat
    • If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
      destination d_alertlogic {tcp("localhost" port(1514));};
      log { source(s_src); destination(d_alertlogic); };
    Either configuration directs your local syslog to the agent on TCP port 1514.
  8. Restart the syslog daemon.

Agent registration can take several minutes.

Option 2: Install the agent with image capture

If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.

Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.

To install the agent with image capture:

  1. Copy the package to the target machine.
  2. If you run SELinux, you must first run the following command:
    semanage port -a -t syslogd_port_t -p tcp 1514
  3. Run one of the following commands, depending on the distribution:
    • RPM: rpm -U al-agent-<version>*.rpm
    • Debian: dpkg -i al-agent-<version>*.deb
  4. (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
    /etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>

Do not start the agent or reboot the image (which would cause the agent to start) before you capture the image of your virtual machine.

  5. (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
    *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

This configuration directs your local syslog to the agent on TCP port 1514.

  6. (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    destination d_alertlogic {tcp("localhost" port(1514));};
    log { source(s_src); destination(d_alertlogic); };

This configuration directs your local syslog to the agent on TCP port 1514.

  7. Restart the syslog daemon.
  8. In the EC2 console, stop the running instance.
  9. To create a new AMI, right-click the stopped instance, click Image, and then click Create Image. In Create Image, enter a name and description for the new AMI, and then select No Reboot.
  10. (Optional) Start an instance from the newly created AMI, and verify that the agent has registered with the Alert Logic console.
    If you need to edit your OS image, do not register the agent in the Alert Logic console.
    • To stop the agent, enter /etc/init.d/al-agent stop
    • If the following files are present, remove them before you shut down and save the image: /var/alertlogic/etc/host_crt.pem and /var/alertlogic/etc/host_key.pem

Agent registration can take several minutes.
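The following script is an added example, not part of the Alert Logic agent or its documentation. It turns the checks implied by both install options above into shell functions: whether the local syslog daemon is configured to forward to the agent on TCP port 1514, whether the registration identity files have been removed before an AMI is captured, and whether the agent has registered afterwards. The paths and port are the ones this page names; the function names and the optional command-line usage are assumptions.

```shell
#!/bin/sh
# Added example, not from Alert Logic. Checks for the Linux agent procedure above.
# Paths and port come from the page; function names are hypothetical.

AL_ETC=/var/alertlogic/etc   # where the agent keeps its registration identity
AL_PORT=1514                 # local TCP port the agent receives syslog on

# Return 0 if an rsyslog config forwards all facilities to the agent over TCP (@@),
# i.e. the "*.* @@127.0.0.1:1514;..." line from the procedure. $1 = path to rsyslog.conf.
# A single "@" (UDP) or another port does not count.
al_rsyslog_forwards() {
    grep -Eq "^[[:space:]]*\*\.\*[[:space:]]+@@(127\.0\.0\.1|localhost):${AL_PORT}(;|[[:space:]]|$)" "$1"
}

# Return 0 if a syslog-ng config declares a TCP destination to the agent port. $1 = syslog-ng.conf.
al_syslogng_forwards() {
    grep -Eq "tcp\(\"(localhost|127\.0\.0\.1)\"[[:space:]]+port\(${AL_PORT}\)\)" "$1"
}

# Return 0 when no registration identity exists under $1 (default $AL_ETC), so the image
# may be captured; the procedure says to remove these files before saving the image.
al_image_clean() {
    d=${1:-$AL_ETC}
    [ ! -e "$d/host_crt.pem" ] && [ ! -e "$d/host_key.pem" ]
}

# Return 0 once the agent has registered: both identity files exist and are non-empty.
al_agent_registered() {
    d=${1:-$AL_ETC}
    [ -s "$d/host_crt.pem" ] && [ -s "$d/host_key.pem" ]
}

# Return 0 if something listens on the agent port (uses ss; not exercised offline).
al_port_listening() {
    ss -ltn 2>/dev/null | grep -q "[:.]${AL_PORT}[[:space:]]"
}

# Usage: sh al-checks.sh pre-capture | post-install   (hypothetical script name)
case "${1:-}" in
    pre-capture)
        al_image_clean && echo "no registration identity present: safe to capture" \
            || { echo "remove $AL_ETC/host_crt.pem and host_key.pem before capturing" >&2; exit 1; } ;;
    post-install)
        al_agent_registered && al_port_listening && echo "agent registered, listening on $AL_PORT" \
            || { echo "agent not registered yet (registration can take several minutes)" >&2; exit 1; } ;;
esac
```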

CloudTrail

Enable CloudTrail

To enable CloudTrail:

  1. Log in to the AWS console.
  2. Select CloudTrail.
  3. Click Configuration.
  4. Click Advanced.
  5. Complete the missing information, especially the options for Simple Notification Service (SNS).
  6. Click Save.
  7. Copy the S3 bucket name. You will need this information later to complete the CloudTrail configuration process.
  8. Click Turn on to activate logging.

Create an SQS queue

The SQS queue informs Alert Logic Log Manager of log messages to collect. Log Manager automatically queries this SQS queue and retrieves the CloudTrail log message from the queue. Alert Logic stores the CloudTrail log message in accordance with your log retention period, and you can query it from the Alert Logic console.

This SQS queue is in addition to the default SQS queue (which has a name that starts with outcomesbucket) created with your deployment.

To create an SQS queue:

  1. In the AWS console, under Application Integration, click SQS.
  2. Click Create New Queue.
  3. In Queue Name, type a descriptive name, and then copy that name. You will need this information later to complete the CloudTrail configuration process.
  4. Keep the default configurations and click Create Queue.
  5. Select the check box next to the newly created queue, and then select Subscribe Queue to SNS Topic from the drop-down menu.
  6. In Choose a Topic, select the SNS topic used by your CloudTrail.
  7. Click Subscribe.
  8. To confirm successful configuration, click OK.
  9. Copy the Amazon Resource Name (ARN) for the queue. You will need this information later to complete the configuration process in the Alert Logic console.

Create an IAM policy and role for cross-account access

To provide Alert Logic with cross-account access to your AWS account and the resources necessary to perform this configuration, you must create an IAM policy and role in the AWS console.

Download and open this policy document. Make the following changes to the policy document:

  1. Replace <ARN_FOR_SQS_QUEUE> with the ARN you copied earlier.
  2. Replace <CLOUDTRAIL_S3_BUCKET_NAME> with the S3 bucket name you copied earlier.

Keep the policy document open so you can copy and paste the information during IAM role creation.

To create a cross-account access role:

  1. In the AWS Console, click IAM, located under Security, Identity & Compliance.
  2. From the IAM Management Console, click Policies, and then click Create Policy.
  3. Click the JSON tab.
  4. Copy and paste the contents of your policy document into the JSON window.
  5. Click Review policy.
  6. On the Review Policy page, type a Policy Name and Description for the policy.
  7. Click Create policy.
  8. From the IAM Management Console, click Roles, and then click Create role.
  9. On the Create role page, click Another AWS account.
  10. Enter the following information for Alert Logic:
    • Account ID—Type the AWS account that Alert Logic uses to collect logs:
      • If you are using the US data center: 239734009475
      • If you are using the EU data center: 857795874556
    • Select Require external ID.
    • External ID—Use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information.
    • Require MFA—make sure the option is not selected.
  11. Click Next: Permissions.
  12. Select the policy you created above, and then click Next: Review.
  13. Type a Role Name and Role description, and then click Create Role.
  14. In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Log Manager console.
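An added example, not from Alert Logic or the AWS documentation: the trust policy that the "Another AWS account" plus "Require external ID" choices above produce, built as a shell function so it can be reviewed before the role is created, or applied with the AWS CLI instead of the console. The account IDs are the two listed on this page; the external ID is your Alert Logic Customer ID, shown here as a placeholder. The permissions policy (the downloaded policy document) is not reproduced. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not from Alert Logic. Trust policy for the cross-account role above.
# The sts:ExternalId condition is what "Require external ID" adds: without it, any
# principal in the trusted account could assume the role on someone else's behalf.

AL_ACCOUNT_US=239734009475   # Alert Logic US data center (from the page)
AL_ACCOUNT_EU=857795874556   # Alert Logic EU data center (from the page)

# Print the assume-role (trust) policy. $1 = us|eu, $2 = external ID (your Customer ID).
# "Require MFA" stays unselected on the page, so no aws:MultiFactorAuthPresent condition.
al_trust_policy() {
    case "$1" in
        us) acct=$AL_ACCOUNT_US ;;
        eu) acct=$AL_ACCOUNT_EU ;;
        *)  echo "data center must be us or eu" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "external ID is required; do not create the role without it" >&2; return 1; }
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${acct}:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
  }]
}
EOF
}

# Create the role with the AWS CLI (real call; not run by the offline test).
# $1 = role name, $2 = us|eu, $3 = external ID. Attach the downloaded permissions
# policy afterwards with "aws iam attach-role-policy".
al_create_role() {
    f=$(mktemp) || return 1
    al_trust_policy "$2" "$3" > "$f" || { rm -f "$f"; return 1; }
    aws iam create-role --role-name "$1" --assume-role-policy-document "file://$f"
    rc=$?; rm -f "$f"; return $rc
}
```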

Create an AWS CloudTrail collection source

You must create an AWS CloudTrail log source in the Alert Logic console to collect CloudTrail logs. To complete this action, you need the following AWS account information:

  • SQS queue name
  • IAM role credentials

To create an AWS CloudTrail collection source:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the deployment tile for which you want to create a CloudTrail collection source.
  3. In the left navigation area, click Log Sources.
  4. Click the Add icon.
  5. From Source Log Type, select AWS CloudTrail.
  6. In Source Name, type a descriptive name.
  7. For the Enable Collection switch, keep the default Enabled selection (to the right).
  8. In Collection Alerts, click the field and select one or more alert options.
  9. In the SQS Queue Name field, type the name of the SQS queue you created in the previous steps.
  10. From AWS Region, specify the region in which you created the SQS queue in the previous steps.
  11. Select or create a new IAM Role.
    • To use an existing IAM Role, select Use an existing IAM Role, and then select the IAM Role to use.
    • To create a new IAM Role, select Create a new IAM Role, and then complete the following fields:
      • In Credential Name, enter a descriptive name.
      • In Role ID, enter the Role ARN you previously copied.
      • In External ID, enter the external ID you previously used.
  12. Click Save.

S3

Create cross-account access role in the AWS console

You must create a role with cross-account access in order to allow access to other resources, such as resources between AWS and Alert Logic.

To create a cross-account access role:

  1. In the AWS console, click IAM.
  2. Click Roles, then click Create New Role.
  3. Select Role for Cross-Account Access.
  4. In Allow IAM users from a 3rd party AWS account to access this account click Select.
  5. In Account ID, type 239734009475
  6. In External ID, create and type a unique External ID such as your Customer ID or other unique string.
  7. Click Next Step.
  8. Search for the correct policy.
  9. Select the correct policy.
  10. Click Next Step.
  11. In Role Name, type a descriptive label.
  12. Click Create Role.

Create an S3 collection policy

To create a collection policy:

  1. In the Alert Logic console, click CONFIGURATION, and then select Log Management.
  2. In the left navigation, select Policies, and then click the S3 tab.
  3. In the table of collection policies, in the Actions column, click the gear icon, and then select New S3 Policy.
  4. In S3 Policy Name, type a descriptive name.
  5. In Policy Template, select Customized.
  6. In Multiline Handling, select a multiline handling option:
    • If all your flat-file log messages contain a single line, keep the selection: File contains single line log messages.
    • If your flat-file log messages span more than one line, select File contains log messages with multiple lines. Also, select and enter a configuration:
      • If the lengths of your log messages are consistent:

        Keep the selection: Each log message spans a fixed number of lines, and then in Number of lines, type the number of lines.

      • If the lengths of your log messages are not consistent:
        1. Select Each log message follows a known pattern.
        2. Select the appropriate Pattern application.
        3. Type the Pattern that takes place in the log message.
        4. Select Regular expression to use a Perl Compatible Regular Expression (PCRE).
  7. Select a Timestamp Rule option.

    • To use the timestamp from the collector, keep the selection, Set message time as collect time.
    • To use an existing timestamp, select Parse times from messages using a pre-defined timestamp format, and then select a format from Format a date string.
    • To use a custom timestamp, select Parse times from messages using a custom timestamp format, and then enter a format for the date string in the expanded configuration area.

      In the Format of date string field, type a format for the date string, and then follow the on-screen instructions.

  8. Click Save.

Create and assign S3 collection source

To create an AWS S3 collection source:

  1. In the Alert Logic console, click CONFIGURATION, and then click Deployments.
  2. Click the Manual Deployments tile.
  3. In the left navigation area, click Hosts and Sources.
  4. Click the Sources tab.
  5. Click the Add icon.
  6. From Source Log Type, select S3.
  7. In Source Name, type a descriptive name.
  8. Keep the Enable Collection switch set to Enabled (to the right).
  9. In Bucket, type the bucket name, followed by the directory name, for example:
    s3bucketname/root_folder
    This bucket name must use a DNS-compliant name. For more information, visit the AWS documentation site.
  10. In File Name or Pattern, type the file name or date pattern of the log file.
  11. In Collection Policy:
    • To use an existing policy, select Use an existing Policy, and then select a policy.
    • To create a new policy, select Create New Policy and select the settings you want. For more information, see Create an S3 collection policy.
  12. In Collection Alerts, click the field and select one or more alert options.
  13. From Time Zone, select a time zone.
  14. Select or create a new IAM Role.
    • To use an existing IAM Role, select Use an existing IAM Role. Next, in Existing IAM Role, select the IAM Role to use.
    • To create a new IAM Role, select Create a new IAM Role, and then complete the missing fields:
      • In Credential Name, enter a descriptive name.
      • In Role ID, enter the Role ARN you previously copied.
      • In External ID, enter the external ID you previously used.
  15. In Collection Interval, type a value, in minutes, to indicate how often Log Manager retrieves S3 logs.
  16. In the Tags field, type an easily filtered tag.
  17. Click Save.