Alert Logic Web Security Manager for Amazon Web Services Direct (Linux)
- You will install Web Security Manager as part of the Threat Manager installation. You can deploy the Threat Manager/Web Security Manager package in the AWS public cloud.
- Review the Requirements for Alert Logic Web Security Manager for Amazon Web Services.
- Alert Logic no longer supports EC2-Classic. You must upgrade from that EC2 platform to the most current EC2 platform offered by AWS.
- For your convenience, the Alert Logic agent activates collection for Threat Manager, Log Manager, and Web Security Manager. For more information, please contact Technical Support: US: (877) 484-8383, EU: +44 (0) 203 011 5533.
Create a security group for protected hosts
A security group acts as a firewall that controls the traffic allowed to reach your instances.
To create a security group for protected hosts:
- Log into the Amazon Web Services console, and then navigate to EC2.
- In the navigation pane, click Security Groups.
- Click Security Group.
- In Create Security Group:
- In Name, enter Alert Logic TM Protected.
- In Description, enter Alert Logic Threat Manager Protected Hosts.
- In VPC,
- If you do not have a VPC, select No VPC from the drop-down menu.
- If you have a VPC, select the desired VPC ID from the drop-down menu.
- Click Yes, Create.
Create a security group for the appliance
You can skip this step if you plan to use an existing security group for the appliance.
To create a security group for an appliance:
- Log into the Amazon Web Services console, and then navigate to EC2.
- In the navigation pane, click Security Groups.
- Click Security Group.
- In Create Security Group:
- In Name, enter Alert Logic TM Appliance.
- In Description, enter Alert Logic Threat Manager Appliances.
- In VPC,
- If you do not have a VPC, select No VPC from the drop-down menu.
- If you have a VPC, select the desired VPC ID from the drop-down menu.
- Click Yes, Create.
Set up rules for appliances and protected hosts
If you have a VPC, you must also set up the firewall rules for your protected hosts.
Be sure to set up the following rules:
- Inbound appliance rules
- Outbound appliance rules
- Rules for protected host security group
Set up inbound appliance rules
To edit inbound appliance rules in a security group:
- Log into the Amazon Web Services console, and then navigate to the EC2 section.
- In the navigation pane, click Security Groups.
- Select the security group you want to edit.
- Click the Inbound tab.
- Apply the appropriate rules.
US data center:
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
Agent(s) CIDR - network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates, agent routing, log collection |
208.71.209.32/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.218.96/27 | Appliance | TCP | 4849 | Appliance user interface |
204.110.219.96/27 | Appliance | TCP | 4849 | Appliance user interface |
Agent(s) CIDR - network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
*Replace with “Alert Logic TM Protected Hosts” Security Group ID.
EU data center:
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Agent(s) CIDR - network subnet range for the agent(s) | Appliance | TCP | 443 | Agent updates |
Agent(s) CIDR - network subnet range for the agent(s) | Appliance | TCP | 7777 | Agent data transport (between agent and appliance on local network) |
0.0.0.0/0 | Appliance | TCP | 80 | Appliance claim |
185.54.124.0/24 | Appliance | TCP | 4849 | Appliance user interface (Web Security Manager) |
- Click Apply Rule Changes.
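As an added example (not Alert Logic's code), the following check compares the inbound rules actually present on the appliance security group with the US data center table above, so that a missing row or an over-wide source (for instance the 4849 management interface open to 0.0.0.0/0) is caught before the appliance goes live. The rule tuples are the flattened shape of `aws ec2 describe-security-groups` output; AGENT_CIDR and SAMPLE_RULES are constructed values.

```python
import ipaddress

# Required inbound rules for the "Alert Logic TM Appliance" security group
# (US data center), copied from the table above as (protocol, port, source).
# AGENT_CIDR is a constructed placeholder for the protected hosts' subnet.
AGENT_CIDR = "10.20.0.0/16"
REQUIRED_INBOUND = [
    ("tcp", 80, "0.0.0.0/0"),           # appliance claim
    ("tcp", 443, AGENT_CIDR),           # agent updates, routing, log collection
    ("tcp", 4849, "208.71.209.32/27"),  # appliance UI, Alert Logic ranges only
    ("tcp", 4849, "204.110.218.96/27"),
    ("tcp", 4849, "204.110.219.96/27"),
    ("tcp", 7777, AGENT_CIDR),          # agent data transport
]
# Allowed sources per (protocol, port): the union of the table's CIDRs.
ALLOWED = {}
for _p, _port, _c in REQUIRED_INBOUND:
    ALLOWED.setdefault((_p, _port), []).append(ipaddress.ip_network(_c))

def _within(inner, outer):
    """True if network inner lies inside outer (same IP version only)."""
    return inner.version == outer.version and inner.subnet_of(outer)

def audit_inbound(observed):
    """observed: list of (protocol, from_port, to_port, source_cidr), the
    flattened IpPermissions of `aws ec2 describe-security-groups`.
    Returns (missing, too_broad): required rules no observed rule satisfies,
    and observed rules admitting a documented port from a source wider than
    the table permits (e.g. the 4849 management UI open to 0.0.0.0/0)."""
    missing, too_broad = [], []
    for proto, port, cidr in REQUIRED_INBOUND:
        want = ipaddress.ip_network(cidr)
        if not any(p == proto and lo <= port <= hi
                   and _within(want, ipaddress.ip_network(c))
                   for p, lo, hi, c in observed):
            missing.append((proto, port, cidr))
    for rule in observed:
        src = ipaddress.ip_network(rule[3])
        for (p, port), nets in ALLOWED.items():
            if (p == rule[0] and rule[1] <= port <= rule[2]
                    and not any(_within(src, n) for n in nets)):
                too_broad.append((rule, port))
    return missing, too_broad

# Constructed sample: every table row is covered, but the UI port is world-open.
SAMPLE_RULES = [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, AGENT_CIDR),
                ("tcp", 4849, 4849, "0.0.0.0/0"), ("tcp", 7777, 7777, AGENT_CIDR)]
```

For the EU data center, replace the 4849 rows with the 185.54.124.0/24 range from the second table.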
Set up outbound appliance rules
Outbound firewall rules for AWS pertain only to VPC customers. By default, the outbound rules open any port to any destination. These firewall rules are acceptable, but you can edit them.
To edit outbound appliance rules in a security group:
- Log into the Amazon Web Services console, and then navigate to the EC2 section.
- In the navigation pane, click Security Groups.
- Select the security group you want to edit.
- Click the Outbound tab.
- Apply the appropriate rules:
US data center:
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
Appliance | 204.110.218.96/27 | TCP | 443 | Updates |
Appliance | 204.110.219.96/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 443 | Updates |
Appliance | 208.71.209.32/27 | TCP | 4138 | Event transport |
Appliance | 204.110.218.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | TCP | 4138 | Event transport |
Appliance | 204.110.219.96/27 | UDP | 123 | NTP, time sync |
Appliance | 208.71.209.32/27 | UDP | 123 | NTP, time sync |
EU data center:
Source | Destination | Protocol | Port | Description |
---|---|---|---|---|
Appliance | 185.54.124.0/24 | TCP | 443 | Updates |
Appliance | 185.54.124.0/24 | TCP | 4138 | Event transport |
Appliance | 8.8.8.8 | TCP/UDP | 53 | DNS |
Appliance | 8.8.4.4 | TCP/UDP | 53 | DNS |
Appliance | 0.0.0.0/0 | TCP | 80 | Appliance updates |
Appliance | 185.54.124.0/24 | UDP | 123 | NTP, time sync |
- Click Apply Rule Changes.
Set up rules for protected host security group
- Select VPC Security Groups from the Viewing pull-down menu.
- Click the Outbound tab, and apply the following rules, as necessary.
To use the US data center:
Create a new rule | Port range | Destination |
---|---|---|
Custom TCP Rule | 7777 | <Appliances>* |
Custom TCP Rule | 443 | 204.110.218.96/27 |
Custom TCP Rule | 443 | 204.110.219.96/27 |
Custom TCP Rule | 443 | 208.71.209.32/27 |
To use the EU data center:
Create a new rule | Port range | Destination |
---|---|---|
Custom TCP Rule | 7777 | <Appliances>* |
Custom TCP Rule | 443 | 185.54.124.0/24 |
* In the above examples, replace <Appliances> with the Alert Logic TM Appliances security group ID.
- Click Apply Rule Changes.
- Repeat these instructions for every protected host security group associated with the appliance you configure.
You may see outbound TCP 443 or TCP 22 connections to public cloud infrastructure. Alert Logic attempts to contact the nearest regional cloud resource, and if that fails, it connects to the standard IP ranges for your assigned data center. The system attempts to use the closest resource first in future connection attempts. Cloud resources are dynamically assigned, and IP addresses are not static.
If you modified the VPC Network ACLs to be more restrictive than the default, then you must update the Network ACLs with the permit rules added for the Protected Hosts and Appliances.
Download the agent
To download the agent:
- In the Alert Logic console, open the Settings menu, and then click Support Information.
- From the menu bar, click Quick Install Guide and Downloads.
- Download the appropriate agent and follow the on-screen instructions.
- For Windows users, click Windows Agents, and then select the desired agent.
- For Linux users, click Linux Agents. Linux users can select either Debian-based agent installers or RPM-based agent installers. Both installers are available in a 32-bit or 64-bit format.
- Locate the Unique Registration Key from the Downloads screen. Copy your unique registration key. You will need to enter this key to install the agent.
If you have an active RBAC role, and have configured agents to automatically update, the agent you install automatically assigns itself to the local appliance and you need not enter the Unique Registration Key.
Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.
Install the agent for Linux
Install the agent
If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.
Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.
To install the agent:
- Copy the package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain the semanage command. Alert Logic recommends that you consult with your system administrator to verify.
- Run one of the following commands, depending on the distribution:
- RPM: rpm -U al-agent-<version>*.rpm
- Debian: dpkg -i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
- (Optional) If you have set up a proxy, and you want to specify the proxy as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --proxy <PROXYIP/PROXYHOST>
A TCP or HTTP proxy may be used in this configuration.
- Run the following command: /etc/init.d/al-agent start
Do not run this command if you want to capture the image of a virtual machine.
- Do one of the following:
- If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
- If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
destination d_alertlogic {tcp("localhost" port(1514));};
log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
Agent registration can take several minutes.
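The rsyslog line above (and the same line in the image-capture procedure that follows) is easy to get subtly wrong: a single `@` forwards over UDP, which the agent's TCP listener on 1514 never receives, and omitting the port falls back to rsyslog's default 514. As an added example (not Alert Logic's code), this helper classifies the forwarding state of an rsyslog.conf and appends the correct line only when it is absent; it assumes the legacy `selector @@host:port` syntax shown on this page, and SAMPLE_UDP_CONF is a constructed file.

```python
import re

AGENT_HOST, AGENT_PORT = "127.0.0.1", 1514
# The forwarding line from the procedure above (TCP, note the double @).
FORWARD_LINE = f"*.* @@{AGENT_HOST}:{AGENT_PORT};RSYSLOG_FileFormat"

# Legacy rsyslog forwarding action: selector, @ (UDP) or @@ (TCP), optional
# (...) options, host, optional :port, optional ;template. Assumption: the
# file uses this legacy syntax, not the newer action(type="omfwd" ...) form.
_FWD = re.compile(r"^\s*(?P<sel>\S+)\s+(?P<at>@@?)(?:\([^)]*\))?"
                  r"(?P<host>[^:;\s]+)(?::(?P<port>\d+))?")

def check_rsyslog(conf_text):
    """Classify agent forwarding in rsyslog.conf text.

    Returns 'ok' (all facilities, TCP, port 1514), 'wrong_port', 'udp'
    (a single @ sends UDP, which the agent's TCP listener never sees),
    'partial' (a narrower selector than *.*), or 'missing'.
    """
    status = "missing"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _FWD.match(line)
        if not m or m.group("host") not in (AGENT_HOST, "localhost"):
            continue
        if int(m.group("port") or 514) != AGENT_PORT:  # rsyslog default is 514
            status = "wrong_port"
        elif m.group("at") == "@":
            status = "udp"
        elif m.group("sel") != "*.*":
            status = "partial"
        else:
            return "ok"
    return status

def ensure_forwarding(conf_text):
    """Append FORWARD_LINE unless a correct line already exists (idempotent).
    A wrong line reported by check_rsyslog is left for the operator to remove."""
    if check_rsyslog(conf_text) == "ok":
        return conf_text
    sep = "" if conf_text == "" or conf_text.endswith("\n") else "\n"
    return conf_text + sep + FORWARD_LINE + "\n"

# Constructed sample: a single @ was typed instead of @@, so logs leave as UDP.
SAMPLE_UDP_CONF = "*.* @127.0.0.1:1514;RSYSLOG_FileFormat\n"
```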
Install the agent with image capture
If you previously installed an older Linux version of an Alert Logic agent, you must uninstall that version before you install the current unified agent image.
Linux users can select either Debian-based agent installers or RPM-based installers. Both installers are available in a 32-bit or 64-bit format.
To install the agent with image capture:
- Copy the package to the target machine.
- If you run SELinux, you must first run the following command:
semanage port -a -t syslogd_port_t -p tcp 1514
- Run one of the following commands, depending on the distribution:
- RPM: rpm -U al-agent-<version>*.rpm
- Debian: dpkg -i al-agent-<version>*.deb
- (Optional) If you have set up a NAT, virtual, or physical appliance and want to specify it as a single point of egress for agents to use, run the following command:
/etc/init.d/al-agent configure --host <THREATMANAGERAPPLIANCEIP>
Do not start the agent or reboot the image (which would cause the agent to start) before you capture the image of your virtual machine.
- (Optional) If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@127.0.0.1:1514;RSYSLOG_FileFormat
This configuration directs your local syslog to the agent on TCP port 1514.
- (Optional) If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
destination d_alertlogic {tcp("localhost" port(1514));};
log { source(s_src); destination(d_alertlogic); };
This configuration directs your local syslog to the agent on TCP port 1514.
- Restart the syslog daemon.
- In the EC2 console, stop the running instance.
- To create a new AMI, right-click the stopped instance, then click Image, and then click Create Image. In Create Image enter a name and description for the new AMI, and then select No Reboot.
- (Optional) Start an instance from the newly-created AMI, and verify that the agent has registered with the Alert Logic console.
If you need to edit your OS image, do not register the agent in the Alert Logic console.
- To stop the agent, enter /etc/init.d/al-agent stop
- If the following files are present, remove the files before you shut down and save the image: /var/alertlogic/etc/host_crt.pem and /var/alertlogic/etc/host_key.pem
Agent registration can take several minutes.
Create an assignment policy
An assignment policy is a set of rules that indicates to appliances how to handle incoming traffic; the appliance will either accept or ignore the traffic. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.
To create an assignment policy:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- In the left navigation area, click Policies.
- Click the Assignment tab.
- Click the Add icon.
- In Appliance Assignment Policy Name, enter a name.
- In Appliances, select an appliance.
- Click Save.
Assign a policy to a protected host
To assign a policy to a protected host:
- In the Alert Logic console, click CONFIGURATION, and then click Deployments.
- Click the All Deployments tile.
- In the left navigation pane, click Networks and Hosts, and then click the Protected Hosts tab.
- Click the pencil icon for the desired protected host.
- Select Use an Existing Assignment Policy.
- From the Existing Assignment Policy drop-down menu, select the assignment policy you want to use.
- Click SAVE.