Set up Alert Logic Log Manager for Amazon Web Services (Windows)
This document walks you through setting up Alert Logic Log Manager, purchased directly from Alert Logic, on AWS with a system running Microsoft Windows.
Before you begin
Review the Requirements for Alert Logic Log Manager for Amazon Web Services.
Alert Logic no longer supports EC2-Classic. If your instances still run on EC2-Classic, you must migrate them to the current EC2 platform offered by AWS (EC2-VPC).
As an AWS direct customer, you can use the Alert Logic agent, CloudTrail, and S3 log collection methods. For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.
Alert Logic agent
Download the agent
To download the agent:
- In the Alert Logic console, open the Settings menu, and then click Support Information.
- From the menu bar, click Quick Install Guide and Downloads.
- Download the appropriate agent and follow the on-screen instructions.
- For Windows users, click Windows Agents, and then select the desired agent.
- For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
- Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.
Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.
Install the agent for Windows
If you have an active IAM role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
Option 1: Install the agent via the GUI
This method does not support image capture.
To install the agent:
- Run the MSI package.
- Leave the Provisioning API Key field blank.
- In Proxy Setting, select a connection method if you want traffic to pass through a proxy. You can connect via Direct Connection or a web proxy. You can also enter the URL of the proxy server.
- In Provision, select After Setup.
- Click Install.
Option 2: Install the agent via command prompt with image capture
To install the agent:
- Copy the MSI file to the target machine.
- Type the following command:
msiexec /i [path to MSI file] install_only=1 /q
- /i installs the package; install_only=1 installs the agent without provisioning (registering) it, so the captured image carries no host identity; /q runs the installer silently with no UI.
- Command prompt example:
msiexec /i c:\downloads\al-agent-1.0.33.msi install_only=1 /q
- (Optional) If you set up a NAT or virtual appliance that you want to use as a single point of egress, enter its host name or IP address and port with the following command prompt parameters:
- sensor_host=[host] indicates the host name or IP address to which the agent should forward logs.
- sensor_port=[port] indicates the TCP port to which the agent should connect.
- When image preparation is complete, configure the Alert Logic agent to start automatically after reboot: sc config al_agent start= auto (the space after "start=" is required by sc).
- In the EC2 console, stop the running instance.
- To create a new AMI, right-click the stopped instance, then click Image, and then click Create Image. In Create Image, enter a name and description for the new AMI, and then select No Reboot.
- (Optional) Start an instance from the newly created AMI, and verify that the agent has registered with the Alert Logic console.
If you need to edit your OS image, do not register the agent in the Alert Logic console.
- To stop the agent, enter sc stop al_agent
- If the following files are present, remove them: %CommonProgramFiles(x86)%\AlertLogic\host_crt.pem and %CommonProgramFiles(x86)%\AlertLogic\host_key.pem, where %CommonProgramFiles(x86)% refers to "C:\Program Files\Common Files" on 32-bit (x86) Windows and "C:\Program Files (x86)\Common Files" on 64-bit (amd64 and ia64) Windows. These are the agent's per-host certificate and key; if they are left in the image, every instance launched from it registers with the same identity.
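The image-capture install above, as an added PowerShell script that is not part of the Alert Logic agent or its documentation: it runs the install_only=1 installation, optionally points the agent at an egress appliance with sensor_host and sensor_port, sets the service to start automatically, stops it, and removes the per-host certificate and key before the AMI is created. The MSI path and the appliance address and port are assumed placeholders.

```powershell
# Added example, not part of the Alert Logic agent or documentation.
# Run as Administrator on the EC2 instance that will be captured as an AMI.
# Assumed placeholders: the MSI path and the optional egress appliance address/port.
param(
    [string]$MsiPath    = 'C:\downloads\al-agent-1.0.33.msi',
    [string]$SensorHost = '',   # NAT/virtual appliance address; empty = connect directly
    [int]   $SensorPort = 0     # TCP port on that appliance; 0 = leave the agent default
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

# 1. Install without provisioning: install_only=1 leaves the agent unregistered so the
#    image carries no host identity; /q suppresses the installer UI.
$msiArgs = @('/i', "`"$MsiPath`"", 'install_only=1', '/q')
if ($SensorHost)       { $msiArgs += "sensor_host=$SensorHost" }
if ($SensorPort -gt 0) { $msiArgs += "sensor_port=$SensorPort" }
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with code $($proc.ExitCode)" }

# 2. Same effect as 'sc config al_agent start= auto': start the agent on every boot of
#    instances launched from the AMI, then stop it so nothing registers before capture.
Set-Service -Name 'al_agent' -StartupType Automatic
if ((Get-Service -Name 'al_agent').Status -ne 'Stopped') { Stop-Service -Name 'al_agent' -Force }

# 3. Remove the per-host certificate and key if the installer or an earlier start created
#    them; otherwise every instance from this image would register with the same identity.
$common = if ([Environment]::Is64BitOperatingSystem) { ${env:CommonProgramFiles(x86)} } else { $env:CommonProgramFiles }
foreach ($name in 'host_crt.pem', 'host_key.pem') {
    $file = Join-Path $common "AlertLogic\$name"
    if (Test-Path $file) { Remove-Item -Path $file -Force; "removed $file" }
}

# 4. Final check before stopping the instance and creating the image (No Reboot).
$svc = Get-Service -Name 'al_agent'
'al_agent: status={0}, startup={1}' -f $svc.Status, $svc.StartType
```

Run it once on the instance you are about to capture; the last line should report the service as Stopped with Automatic startup. If you later start the instance to edit the image, run the script again (or at least steps 2 and 3) before capturing a new AMI.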
CloudTrail
Enable CloudTrail
To enable CloudTrail:
- Log in to the AWS console.
- Select CloudTrail.
- Click Configuration.
- Click Advanced.
- Complete the missing information, especially the options for Simple Notification Service (SNS).
- Click Save.
- Copy the S3 bucket name. You will need this information later to complete the CloudTrail configuration process.
- Click Turn on to activate logging.
Create an SQS queue
The SQS queue informs Alert Logic Log Manager of new CloudTrail log files to collect. Log Manager polls this SQS queue, reads each CloudTrail notification, and retrieves the log file it refers to from your S3 bucket. Alert Logic stores the CloudTrail log messages in accordance with your log retention period, and you can query them from the Alert Logic console.
To create an SQS queue:
- In the AWS console, under Application Integration, click SQS.
- Click Create New Queue.
- In Queue Name, type a descriptive name, and then copy that name. You will need this information later to complete the CloudTrail configuration process.
- Keep the default configurations and click Create Queue.
- Select the check box next to the newly created queue, and then select Subscribe Queue to SNS Topic from the drop-down menu.
- In Choose a Topic, select the SNS topic used by your CloudTrail.
- Click Subscribe.
- To confirm successful configuration, click OK.
- Copy the Amazon Resource Name (ARN) for the queue. You will need this information later to complete the configuration process in the Alert Logic console.
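The queue and subscription above, created with the AWS CLI from PowerShell, as an added example that is not Alert Logic's tooling. It also writes the queue access policy that the console's Subscribe Queue to SNS Topic action creates for you: only the SNS service, and only the CloudTrail topic named by aws:SourceArn, may send messages into the queue, so nothing else can post notifications that the collector would act on. The topic ARN, queue name and region are assumed placeholders; the AWS CLI is assumed installed and authenticated against the account that owns the topic.

```powershell
# Added example, not Alert Logic's tooling. Requires the AWS CLI, authenticated against
# the account that owns the CloudTrail SNS topic. Assumed placeholders: topic ARN,
# queue name and region.
param(
    [string]$TopicArn  = 'arn:aws:sns:us-east-1:111122223333:cloudtrail-topic',
    [string]$QueueName = 'alertlogic-cloudtrail',
    [string]$Region    = 'us-east-1'
)
$ErrorActionPreference = 'Stop'

# 1. Create the queue with default settings and look up its ARN (the Alert Logic console
#    wants the queue name and region; the IAM policy wants the ARN).
$queueUrl = aws sqs create-queue --queue-name $QueueName --region $Region `
                --query QueueUrl --output text
$queueArn = aws sqs get-queue-attributes --queue-url $queueUrl --attribute-names QueueArn `
                --region $Region --query Attributes.QueueArn --output text

# 2. Queue access policy: only SNS, and only this topic (aws:SourceArn), may SendMessage.
$policy = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Sid       = 'AllowCloudTrailTopicOnly'
        Effect    = 'Allow'
        Principal = @{ Service = 'sns.amazonaws.com' }
        Action    = 'sqs:SendMessage'
        Resource  = $queueArn
        Condition = @{ ArnEquals = @{ 'aws:SourceArn' = $TopicArn } }
    })
}
# The Policy attribute is itself a JSON string, so the attributes file is JSON within JSON.
$attrFile   = Join-Path $env:TEMP 'sqs-attributes.json'
$policyJson = ConvertTo-Json -InputObject $policy -Depth 6 -Compress
ConvertTo-Json -InputObject @{ Policy = $policyJson } -Compress |
    Set-Content -Path $attrFile -Encoding ascii
aws sqs set-queue-attributes --queue-url $queueUrl --attributes "file://$attrFile" --region $Region

# 3. Subscribe the queue to the CloudTrail topic (same-account SQS subscriptions confirm automatically).
$subArn = aws sns subscribe --topic-arn $TopicArn --protocol sqs `
              --notification-endpoint $queueArn --region $Region `
              --query SubscriptionArn --output text

# 4. Read the policy back to confirm the SourceArn condition is in place.
aws sqs get-queue-attributes --queue-url $queueUrl --attribute-names Policy --region $Region `
    --query Attributes.Policy --output text
"Queue name   : $QueueName ($Region)"
"Queue ARN    : $queueArn"
"Subscription : $subArn"
```

Keep the queue ARN printed at the end; it replaces the <ARN_FOR_SQS_QUEUE> placeholder in the IAM policy document in the next section.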
Create an IAM policy and role for cross-account access
To provide Alert Logic with cross-account access to your AWS account and the resources necessary to perform this configuration, you must create an IAM policy and role in the AWS console.
Download and open this policy document. Make the following changes to the policy document:
- Replace <ARN_FOR_SQS_QUEUE> with the ARN you copied earlier.
- Replace <CLOUDTRAIL_S3_BUCKET_NAME> with the S3 bucket name you copied earlier.
Keep the policy document open so you can copy and paste the information during IAM role creation.
To create a cross-account access role:
- In the AWS Console, click IAM, located under Security, Identity & Compliance.
- From the IAM Management Console, click Policies, and then click Create Policy.
- Click the JSON tab.
- Copy and paste the contents of your policy document into the JSON window.
- Click Review policy.
- On the Review Policy page, type a Policy Name and Description for the policy.
- Click Create policy.
- From the IAM Management Console, click Roles, and then click Create role.
- On the Create role page, click Another AWS account.
- Enter the following information for Alert Logic:
- Account ID: type the AWS account that Alert Logic uses to collect logs:
- If you are using the US data center: 239734009475
- If you are using the EU data center: 857795874556
- Select Require external ID.
- External ID: use your Alert Logic Customer ID. To find your Customer ID, in the Alert Logic console, click Settings > Support Information. The external ID is what stops another party from having Alert Logic assume this role on their behalf, so you must enter the same value in the Alert Logic console later.
- Require MFA: make sure the option is not selected.
- Click Next: Permissions.
- Select the policy you created above, and then click Next: Review.
- Type a Role Name and Role description, and then click Create Role.
- In the list of IAM roles, click the name of the role you created, and then note the Role ARN value, which you will need when you create the AWS credentials in the Log Manager console.
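The policy and role above, created with the AWS CLI from PowerShell, as an added example that is not Alert Logic's tooling (the same trust policy applies to the S3 section's cross-account role further down). The trust policy pins the principal to the Alert Logic collector account for your data center and requires the external ID on sts:AssumeRole, which is the check that prevents a third party from pointing the service at your queue and bucket. The permissions policy is the document you downloaded from Alert Logic with its two placeholders filled in; its path, the queue ARN, bucket name, customer ID and role name are assumed placeholders.

```powershell
# Added example, not Alert Logic's tooling. Requires the AWS CLI with IAM admin rights.
# Assumed placeholders: external ID (your Customer ID), queue ARN, bucket name, the path
# of the policy document downloaded from Alert Logic, and the role name.
param(
    [ValidateSet('US', 'EU')]
    [string]$DataCenter = 'US',
    [string]$ExternalId = '12345678',
    [string]$QueueArn   = 'arn:aws:sqs:us-east-1:111122223333:alertlogic-cloudtrail',
    [string]$BucketName = 'my-cloudtrail-bucket',
    [string]$PolicyDoc  = 'C:\downloads\alertlogic-policy.json',
    [string]$RoleName   = 'AlertLogicLogManager'
)
$ErrorActionPreference = 'Stop'

# Alert Logic collector accounts from this page, by data center.
$collectorAccounts = @{ US = '239734009475'; EU = '857795874556' }
$collector = $collectorAccounts[$DataCenter]

# 1. Trust policy: only the collector account may assume the role, and only with the
#    external ID. No MFA condition, matching the "Require MFA not selected" step.
$trust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ AWS = "arn:aws:iam::${collector}:root" }
        Action    = 'sts:AssumeRole'
        Condition = @{ StringEquals = @{ 'sts:ExternalId' = $ExternalId } }
    })
}
$trustFile = Join-Path $env:TEMP 'alertlogic-trust.json'
ConvertTo-Json -InputObject $trust -Depth 6 | Set-Content -Path $trustFile -Encoding ascii

# 2. Permissions policy: the downloaded document with its two placeholders filled in.
$permFile = Join-Path $env:TEMP 'alertlogic-permissions.json'
$doc = (Get-Content -Path $PolicyDoc -Raw) -replace '<ARN_FOR_SQS_QUEUE>', $QueueArn `
                                           -replace '<CLOUDTRAIL_S3_BUCKET_NAME>', $BucketName
if ($doc -match '<[A-Z_]+>') { throw "unreplaced placeholder in policy document: $($Matches[0])" }
Set-Content -Path $permFile -Value $doc -Encoding ascii

# 3. Create the policy and the role, then attach the policy to the role.
$policyArn = aws iam create-policy --policy-name "$RoleName-policy" `
                 --policy-document "file://$permFile" --query Policy.Arn --output text
$roleArn   = aws iam create-role --role-name $RoleName `
                 --assume-role-policy-document "file://$trustFile" --query Role.Arn --output text
aws iam attach-role-policy --role-name $RoleName --policy-arn $policyArn

# 4. Read the trust policy back: the sts:ExternalId condition must be present before the
#    role ARN and external ID are entered in the Alert Logic console.
$stored = (aws iam get-role --role-name $RoleName --query Role.AssumeRolePolicyDocument --output json) -join ''
if ($stored -notmatch 'sts:ExternalId') { throw 'trust policy stored without the external ID condition' }
"Role ARN    : $roleArn"
"External ID : $ExternalId"
```

The two values printed at the end are exactly what the Alert Logic console asks for in Role ID and External ID when you create the CloudTrail or S3 collection source.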
Create an AWS CloudTrail collection source
You must create an AWS CloudTrail log source in the Alert Logic console to collect CloudTrail logs. To complete this action, you need the following AWS account information:
- SQS queue name and the region in which you created it
- IAM role ARN and the external ID you set on the role
To create an AWS CloudTrail collection source:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the deployment tile for which you want to create a CloudTrail collection source.
- In the left navigation area, click Log Sources.
- Click the Add icon.
- From Source Log Type, select AWS CloudTrail.
- In Source Name, type a descriptive name.
- For the Enable Collection switch, keep the default Enabled selection (to the right).
- In Collection Alerts, click the field and select one or more alert options.
- In the SQS Queue Name field, type the name of the SQS queue you created in the previous steps.
- From AWS Region, specify the region in which you created the SQS queue in the previous steps.
- Select or create a new IAM Role.
- To use an existing IAM Role, select Use an existing IAM Role, and then select the IAM Role to use.
- To create a new IAM Role, select Create a new IAM Role, and then complete the following fields:
- In Credential Name, enter a descriptive name.
- In Role ID, enter the Role ARN you previously copied.
- In External ID, enter the external ID you previously used.
- Click Save.
S3
Create cross-account access role in the AWS console
You must create a role with cross-account access so that Alert Logic, from its own AWS account, can read the log files in your S3 bucket.
To create a cross-account access role:
- In the AWS console, click IAM.
- Click Roles, then click Create New Role.
- Select Role for Cross-Account Access.
- In Allow IAM users from a 3rd party AWS account to access this account click Select.
- In Account ID, type the AWS account that Alert Logic uses to collect logs: 239734009475 for the US data center, or 857795874556 for the EU data center.
- In External ID, create and type a unique External ID such as your Customer ID or another unique string. You must enter the same value in the Alert Logic console when you create the S3 collection source.
- Click Next Step.
- Search for the policy that grants access to the S3 bucket, and then select it.
- Click Next Step.
- In Role Name, type a descriptive label.
- Click Create Role.
Create an S3 collection policy
To create a collection policy:
- In the Alert Logic console, click CONFIGURATION, and then select Log Management.
- In the left navigation, select Policies, and then click the S3 tab.
- In the table of collection policies, in the Actions column, click the gear icon, and then select New S3 Policy.
- In S3 Policy Name, type a descriptive name.
- In Policy Template, select Customized.
- In Multiline Handling, select a multiline handling option:
- If every log message in your flat files is a single line, keep the selection: File contains single line log messages.
- If log messages span more than one line, select File contains log messages with multiple lines, and then select and enter a configuration:
- If the length of your log messages is consistent, keep the selection: Each log message spans a fixed number of lines, and then in Number of lines, type the number of lines.
- If the length of your log messages is not consistent:
- Select Each log message follows a known pattern.
- Select the appropriate Pattern application.
- Type the Pattern that occurs in each log message.
- Select Regular expression to use a Perl Compatible Regular Expression (PCRE).
- Select a Timestamp Rule option:
- To use the timestamp from the collector, keep the selection, Set message time as collect time.
- To use an existing timestamp, select Parse times from messages using a pre-defined timestamp format, and then select a format from Format a date string.
- To use a custom timestamp, select Parse times from messages using a custom timestamp format, and then enter a format for the date string in the expanded configuration area.
In the Format of date string field, type a format for the date string, and then follow the on-screen instructions.
- Click Save.
Create and assign S3 collection source
To create an AWS S3 collection source:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the Manual Deployments tile.
- In the left navigation area, click Hosts and Sources.
- Click the Sources tab.
- Click the Add icon.
- From Source Log Type, select S3.
- In Source Name, type a descriptive name.
- Keep the Enable Collection switch set to Enabled (to the right).
- In Bucket, type the bucket name, followed by the folder (prefix) path, for example s3bucketname/root_folder. The bucket name must be DNS-compliant. For more information, visit the AWS documentation site.
- In File Name or Pattern, type the file name or date pattern of the file log.
- In Collection Policy:
- To use an existing policy, select Use an existing Policy, and then select a policy.
- To create a new policy, select Create New Policy and select the settings you want. For more information, see Create an S3 collection policy.
- In Collection Alerts, click the field and select one or more alert options.
- From Time Zone, select a time zone.
- Select or create a new IAM Role.
- To use an existing IAM Role, select Use an existing IAM Role. Next, in Existing IAM Role, select the IAM Role to use.
- To create a new IAM Role, select Create a new IAM Role, and then complete the missing fields:
- In Credential Name, enter a descriptive name.
- In Role ID, enter the Role ARN you previously copied.
- In External ID, enter the external ID you previously used.
- In Collection Interval, type a value, in minutes, to indicate how often Log Manager retrieves S3 logs.
- In the Tags field, type an easily filtered tag.
- Click Save.