Install the Alert Logic Agent

Alert Logic® provides you with an agent that gathers data - such as log messages, network traffic, metadata, and host identification information - that we need to collect for analysis of your environments. You are required to download the agent and deploy it to each host you want to be monitored or to collect log messages. Alert Logic provides agents for Windows and Linux hosts.

Utilize the following information to install the Alert Logic agent for either Windows or Linux and to understand the minimum system requirements needed to communicate with the physical appliance.

Note: This information and more can also be found within Alert Logic Product Documentation.

Windows

Download the Agent

To download the Alert Logic agent, select your desired Windows Agent Installer:

• MSI file - Latest Windows Agent Installer (MSI format)
• Compressed file - Latest Windows Agent Installer (ZIP format)

Install the Agent

Via the Graphical User Interface

Note: This method does not support image capture.

Follow the below steps to install the Alert Logic agent for Windows via graphical user interface:

1. Run the MSI package.
   
   
2. For data center deployments only: In the Provisioning API Key field, paste your Unique Registration Key. This can be found within the Alert Logic console at the three vertical dot icon () in the top right corner > Support Information > Details.
   
   
3. In Provision, select During Setup.
   
   
4. In Proxy Setting, select a connection method if you want traffic to pass through a proxy. You can connect via Direct Connection or a web proxy. You can also enter the URL of the proxy server.
   
   
5. Click Install.
   
   
6. Verify that the agent has registered with the Alert Logic console. Note: Agent registration can take several minutes.
   
   Managed Detection & Response customers: Navigate to main menu () > Configure > Deployments > the deployment the agent is assigned to > Configure Log Sources in the bottom left corner and search for the agent by name in the search bar.
   
   Cloud Defender customers: Navigate to Configuration > Deployments > the deployment the agent is assigned to > Hosts or Log Sources and search for the agent by name in the search bar in the top right corner.

Via Command Prompt

Follow the below steps to install the Alert Logic agent for Windows via command prompt:

1. Copy the MSI file to the target machine.
   
   
2. Type the following command:
   

   msiexec /i [path to MSI file] prov_key=[unique registration key] install_only=1 /q

   - /i installs the agent normally
   
   - prov_key=[unique registration key] is your Unique Registration Key, which can be found within the Alert Logic console - for Cloud Defender customers: at the three vertical dot icon () in the top right corner > Support Information > Details: for Managed Detection & Response customers: at main menu > Configure > Deployments > a data center deployment > Installation Instructions. Enter this for data center deployments only. Do not enter this key for Amazon Web Services and Microsoft Azure deployments.
   
   - Command prompt example:

   msiexec /i c:\downloads\al-agent-2.1.2.msi prov_key=da39EXAMPLEd3255bfef95641890dnu80799 install_only=1 /q

   Note: Your system may reboot to complete this installation. If you want to avoid the system reboot and, consequently, pause the installation process until you manually reboot, append to the below command prompt. The system may reboot if you have previously installed the agent, if you are running a Windows Server 2019 variant, or for other reasons.

   REBOOT=ReallySuppress

3. When you are finished preparing the image, set the agent service start type to Automatic with the following command prompt:

   sc config al_agent start= auto

   Note: Do not start the agent or reboot the image before capturing the image of your virtual machine.
   
   
4. Optional: Capture an image of the virtual machine that contains the installed agent.
   
   
5. Optional: Start an instance of the saved image and verify that the agent has registered with the Alert Logic console.
   
   Managed Detection & Response customers: Navigate to main menu () > Configure > Deployments > the deployment the agent is assigned to > Configure Log Sources in the bottom left corner and search for the agent by name in the search bar.
   
   Cloud Defender customers: Navigate to Configuration > Deployments > the deployment the agent is assigned to > Hosts or Log Sources and search for the agent by name in the search bar in the top right corner.
   
   
6. Optional: If you need to edit your OS image at any point, ensure when saving that the Alert Logic agent is not registered. You can accomplish this by stopping the agent with the following command prompt:

   sc stop al_agent

   If the agent is present, remove the files with the following command prompts:

   %CommonProgramFiles(x86)%\AlertLogic\host_crt.pem
   
   %CommonProgramFiles(x86)%\AlertLogic\host_key.pem

   Here, %CommonProgramFiles(x86)% refers to "C:\Program Files\Common Files" for x86 versions of Windows and "C:\Program Files (x86)\Common Files" for amd64 and ia64 versions.
   
   
7. Type the following command prompt to start the agent:

   sc start al_agent

Optional: Command-Prompt Installation Parameters

To use command-prompt parameters during the Alert Logic agent installation, review the following details:

/quiet

/q[level]

/log [log file]

l*vx [log file]

sensor_host=[host]

sensor_port=[port]

use_proxy={0|1}

installdir=[directory]

reboot=ReallySuppress

Linux

Download the Agent

Linux users can select either Debian- or RPM-based agent installers. Both are available in 32- or 64-bit formats. To download the Alert Logic agent, select your desired Linux Agent Installer:

• Debian, 32-bit - Latest Linux Agent Installer (32-bit Debian format)
• Debian, 64-bit - Latest Linux Agent Installer (64-bit Debian format)
• RPM, 32-bit - Latest Linux Agent Installer (32-bit RPM format)
• RPM, 64-bit - Latest Linux Agent Installer (64-bit RPM format)

Install the Agent

Follow the below steps to install the Alert Logic agent for Linux:

1. Copy the package to the target machine.
   
   
2. If you run SELinux, first run the following command:

   semanage port -a -t syslogd_port_t -p tcp 1514

   Note: If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain it. Alert Logic recommends that you consult with your system administrator to verify.
   
   
3. Run one of the following commands, based on your distribution:
   
   - RPM:

   rpm -U al-agent-<version>*.rpm

   -Debian:

   dpkg -i al-agent-<version>*.deb

4. Optional: if you have set up a proxy and you want to specify it as a single point of egress for agent use, run the following command:

   /etc/init.d/al-agent configure -- proxy <PROXYID/PROXYHOST>

   Note: A TCP or HTTP proxy may be used in this configuration.
5. For data center deployments only, run the following command:

   /etc/init.d/al-agent provision --key <UNIQUEREGISTRATIONKEY>

   To access your Unique Registration Key, navigate to the Alert Logic console.
   
   Managed Detection & Response customers: open the main menu > Configuration > Deployments > a data center deployment > Configuration Overview > Installation Instructions.
   
   Cloud Defender customers: click the three vertical dot icon () in the top right corner > Support Information > Details.
   
   
6. For image capture on physical machines only, run the following command:

   /etc/init.d/al-agent start

7. Complete one of the following based on which daemon you are using:
   
   - rsyslog daemon:
   
   Add the following line to rsyslog.conf, which will direct your local syslog to the agent on the TCP port 1514:

   *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

   - syslog-ng daemon:
   
   Add the following lines to syslog-ng.conf, which will direct your local syslog to the agent on TCP 1514:

   destination d_alertlogic {tcp("localhost" port(1514));};

   log { source(s_sys); destination(d_alertlogic); };

8. Restart the syslog daemon.
   
   
9. Verify that the agent has registered with the Alert Logic console. Note: Agent installation can take several minutes.
   
   Managed Detection & Response customers: From the main menu, navigate to Respond > Health > Appliances and Agents and search for the agent by name in the search bar in the top right.
   
   Cloud Defender customers: Navigate to Configuration > Deployments > the deployment the agent is assigned to > Hosts or Log Sources and search for the agent by name in the search bar in the top right corner.

Via Image Capture

You also have the option to install the agent with image capture, but Alert Logic recommends image capture only when you want to install the agent for the purpose of creating a system image to be used by more than one host in the future. With image capture, the agent is installed but does not assign the host an identity. If you want to install the agent for Linux with image capture, follow these procedures:

1. Copy the package to the target machine.
   
   
2. If you run SELinux, run the following command:

   semanage port -a -t syslogd_port_t -p tcp 1514

   Note: If the semanage command is not present in your system, you can install the policycoreutils-python package to obtain it. Alert Logic recommends that you consult with your system administrator to verify.
   
   
3. Run one of the following commands, based on your distribution:
   
   - RPM:

   rpm -U al-agent-<version>*.rpm

   Debian:

   dpkg -i al-agent-<version>*.deb

4. To access your Unique Registration Key, navigate to the Alert Logic console.
   
   Managed Detection & Response customers: open the main menu > Configuration > Deployments > a data center deployment > Configuration Overview > Installation Instructions.
   
   Cloud Defender customers: click the three vertical dot icon () in the top right corner > Support Information > Details.
   
   
5. Run the following command:

   /etc/init.d/al-agent configure --key <UNIQUEREGISTRATIONKEY>

6. Complete one of the following based on which daemon you are using:
   
   - rsyslog daemon:
   
   Add the following line to rsyslog.conf, which will direct your local syslog to the agent on the TCP port 1514:

   *.* @@127.0.0.1:1514;RSYSLOG_FileFormat

   - syslog-ng daemon:
   
   Add the following lines to syslog-ng.conf, which will direct your local syslog to the agent on TCP 1514:

   destination d_alertlogic {tcp("localhost" port(1514));};

   log { source(s_sys); destination(d_alertlogic); };

7. Restart the syslog daemon.
   
   
8. Shut down the target machine and save your operating system image.
   
   
9. Optional: Start an instance of the saved image and verify that the agent has registered with the Alert Logic console. Note: Agent registration can take several minutes.
   
   Managed Detection & Response customers: Navigate to main menu > Configure > Deployments > the deployment the agent is assigned to > Configure Log Sources in the bottom left corner and search for the agent by name in the search bar.
   
   Cloud Defender customers: Navigate to Configuration > Deployments > the deployment the agent is assigned to > Hosts or Log Sources and search for the agent by name in the search bar in the top right corner.
   
   
10. Optional: If you need to edit your OS image at any point, you must ensure when saving that the Alert Logic agent is not registered. You can accomplish this by stopping the agent with the following command:

    /etc/init.d/al-agent stop

    If the agent is present, remove the files with the following command prompts before shutting down and saving the resulting image:

    /var/alertlogic/etc/host_crt.pem

    /var/alertlogic/etc/host_key.pem