At install/activation, the Alert Logic® agent uses the customer provisioning key from the UI to connect to our datacenter services using server side SSL encryption. During this initial exchange, the agent identity is activated and an agent-specific key/identity is placed locally on the host system running the agent.
All further communication is carried out via the same server side SSL encryption exchange, with the agent using the key to establish its identity.
Agent-to-Appliance Traffic Security
The agent's private TLS RSA keys are stored in the following files:
- On Linux: /var/alertlogic/etc/host_key.pem
- The SSL certificate using this key is host_crt.pem
- On Windows (32-bit): C:\Program Files\Common Files\AlertLogic\host_key.pem
- On Windows (64-bit): C:\Program Files (x86)\Common Files\AlertLogic\host_key.pem
The file access masks/lists are modified so that only root/administrators/localsystem can read these files. They are in PEM format (base64-encoded ASN1 blob). No passphrase is used.
The keys are used at handshake only to exchange a shared AES key. Beyond that, symmetric AES encryption is used. The key and its associated certificate can be deleted, at which point a service is required for the host to obtain a new key, and with it a new identity. The exception is hosts migrated from LM2 (those will use the LM2 agent ID when requesting an identity, and so it will get the same one). The provisioning key must be entered at Windows installation (PROV_KEY=parameter or in GUI), or input after Linux install with "/etc/init.d/al-log-agent configure --key ...") in order for this to work. Otherwise, an agent will sit there waiting for keys. With a new identity, a host will register a new list of default sources (event log for Windows, syslog for Linux), so this will not work for flat file sources. These need to be recreated manually.