Set up Alert Logic Threat Manager for Amazon Web Services Marketplace (Linux)
This topic describes set up procedures for Alert Logic Threat Manager with and without ActiveWatch. If you have Threat Manager with ActiveWatch, in addition to the activation and login credentials emails discussed below, you will also receive a service contract for ActiveWatch.
If you signed up for Threat Manager for AWS Marketplace (Linux) prior to April 19, 2017, use the documentation located here.
Before you begin
Before you set up Threat Manager, you should review the Requirements for Alert Logic Threat Manager for Amazon Web Services.
To set up Threat Manager for AWS Marketplace, you must perform tasks in the AWS console, and in the Alert Logic console.
In addition, note the following:
- As an AWS Marketplace customer, you can use the Alert Logic agent and CloudTrail.
-
For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US:(877) 484-8383, EU: +44 (0) 203 011 5533.
Alert Logic updated the appearance of the Alert Logic console, though all functionality remains. If you elected to use the new console, please note that portions of the product documentation could describe the classic Alert Logic console.
Sign up for an Alert Logic User Account and ActiveWatch service
After you sign up and fill out the contact information form to create your Alert Logic account, check your inbox for your Alert Logic activation email and click the link to activate your account. You will then receive an additional email with your login credentials that will allow you to log in to our platform where you can complete your Threat Manager configuration.
Create a deployment
Alert Logic allows you to create deployments that specify the assets you want to monitor. When you first log into theAlert Logic console, you must access the Deployments page and create your first deployment.
To create a deployment:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the add icon ().
- Select the appropriate cloud service.
- Enter the requested information.
- For an AWS deployment:
- Enter the Role ARN.
- Check the box at the bottom if you want to use cross-account CloudTrail to centralize CloudTrail log collection, and then enter the Role ARN for the receiving account.
- For a Microsoft Azure deployment:
- Enter the Environment Name
- Enter the Subscription ID
- Enter the Active Directory ID
- Enter the User Name
- Enter the Password
- Click SAVE.
Set up AWS cross-account roles
Before Alert Logic can manage the protection of your AWS accounts, you must:
- Log into your AWS account to create a cross-account role to allow Alert Logic to access your AWS accounts.
- Log into the Alert Logic console to configure credentials for each discovered AWS account.
For more information about setting up cross-account roles, see Configure Alert Logic Cloud Defender AWS cross-account role access.
Create a Threat Manager for AWS instance
In the AWS Marketplace, an "instance" refers to a virtual appliance.
To create a Threat Manager for AWS instance:
- Log into the AWS EC2 Console.
- From the menu bar, click the Region drop-down, and then select the region where you want to deploy your Threat Manager virtual appliance.
- From the menu bar, click the Services drop-down, and then select EC2.
- In the left navigation area, under Images, click AMIs.
- Select Private Images.
- From the list of AMIs, select "AlertLogic TMC - P13", and then click Launch.
- Select an instance type based on factors described in Virtual appliance types in AWS, and then click Next: Configure Instance Details.
- Fill out the instance details, and ensure you:
- Select a VPC.
- Provide subnet information.
The subnet must be a public subnet.
- Click Next: Add Storage.
- Click Next: Add Tags.
- Click Next: Configure Security Groups.
- On the Configure Security Group page:
- Select Create a new security group.
- Provide a name for your security group.
- Provide a description for your security group.
- Click Add Rule for each inbound appliance rule you need to add, as outlined below.
Rules with source of 0.0.0.0/0 allow all IP addresses to access your instance. Alert Logic recommends limiting access to only known IP addresses.
After you claim your appliance, you can edit your security group inbound and outbound rules with settings recommended by Alert Logic. - Click Review and Launch.
- Review choices and click Launch.
- From the Key Pair drop-down menu, select Launch without key pair, and then click Launch Instances.
- Click Accept Terms.
- Set up outbound appliance rules.
- Return to the EC2 Console, and then click Security Groups.
- Select the Threat Manager security group you want to edit.
- Click the Outbound tab.
- Click Edit.
- Set up the appropriate rules, as outlined below.
- Click Save.
When an appliance is automatically provisioned, the system creates one or two assignment policies, using the following guidelines:
- Alert Logic creates an assignment policy for each appliance during the provisioning process.
- If no VPC assignment policy exists, Alert Logic creates one and assigns the appliance to it.
- If a VPC assignment policy exists, Alert Logic assigns the appliance to it.
Download and install the agent
Download the agent for Linux
To download the agent:
- In the Alert Logic console, click the Settings icon (), and then click Support Information.
- From the Details page, click Install Guides & Downloads.
- Download the appropriate agent and follow the on-screen instructions.
- For Windows users, click Windows Agents, and then select the desired agent.
- For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
- Click the Details tab.
- Copy your unique registration key. You will need this later to install the remote collector.
Install the agent for Linux
Alert Logic allows you to install the agent through a through a command line, or through image capture.
If you have an active IAM role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
Install the agent
If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.
Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.
To install the agent:
- Copy package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.
- Run one of the following commands, depending on the distribution:
- RPM: rpm -U al-agent-<version>*.rpm
- Debian: dpkg –i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP> -
(Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, then run the following command: /etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>
A TCP or HTTP proxy may be used in this configuration.
- Run the following command: /etc/init.d/al-agent start
Do not run this command if you want to capture the image of a virtual machine.
- Do one of the following:
add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
add the following lines to syslog-ng.conf:
- destination d_alertlogic {tcp("localhost" port(1514));};
- log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
Agent registration can take several minutes.
Install the agent with image capture
If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.
Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.
To install the agent with image capture:
- Copy the package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
- Run one of the following commands, depending on the distribution:
- RPM : rpm -U al-agent-<version>*.rpm
- Debian: dpkg –i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
Do not start the agent or reboot the image (which would cause the agent to start) before you capture the image of your virtual machine.
- (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
- (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
- destination d_alertlogic {tcp("localhost" port(1514));};
- log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
- In the EC2 console, stop the running instance.
- To create a new AMI, right-click the stopped instance, then click Image, and then click Create Image. In Create Image enter a name and description for the new AMI, and then select No Reboot.
- (Optional) Start an instance from the newly-created AMI, and verify that the agent has registered with the Alert Logic console.
If you need to edit your OS image, do not register the agent in the Alert Logic console.- To stop the agent, enter /etc/init.d/al-agent stop
- If the following files are present, remove the files before you shut down and save the image: /var/alertlogic/etc/host_crt.pem and /var/alertlogic/etc/host_key.pem
Agent registration can take several minutes.
Create security group for protected hosts
A security group acts as a firewall that controls the traffic allowed to reach one or more instances. After you set up your Alert Logic account, create a security group to protect hosts and appliances and, if necessary, you should update the assignment rules.
To create a security group for protected hosts:
- Log into the AWS EC2 console.
- In the navigation pane, click Security Groups.
- Click the Security Group tab.
- In the Create Security Group:
- In Name, type Alert Logic TM Protected.
- In Description, type Alert Logic Threat Manager Protected Hosts.
- In VPC:
- If you do not have a VPC, select No VPC from the drop-down menu.
- If you have a VPC, select the desired VPC ID from the drop-down menu.
- Click Yes, Create.
Update rules for protected host security group
After you create your AWS security group, you must configure it to allow communication between the Alert Logic appliances, agents, and the back end used for incident analysis and correlation.
To update your security group:
- Select VPC Security Groups, from the Viewing pull-down menu.
- Click the Outbound tab, and apply the following rules, as necessary:To use the US data center:
Create a new rule Port range Destination Custom TCP Rule 7777 <Appliances>* Custom TCP Rule 443 204.110.218.96/27 Custom TCP Rule 443 204.110.219.96/27 Custom TCP Rule 443 208.71.209.32/27 To use the EU data center:Create a new rule Port range Destination Custom TCP Rule 7777 <Appliances>* Custom TCP Rule 443 185.54.124.0/24 * In the above examples, replace <Appliances> with the Alert Logic TM Appliances security group ID.
- Click Apply Rule Changes.
- Repeat these instructions for every protected host security group associated with the appliance you configure.
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource, and if that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
If you modified the VPC Network ACLs to be more restrictive than the default, then you must update the Network ACLs with the permit rules added for the Protected Hosts and Appliances.