Keeping your deployments organized by archiving unused assets is important for efficiently managing your Alert Logic® accounts. The following article explains how to best organize your deployments in the Alert Logic console for a more productive and valuable experience.
Amazon Web Services & Microsoft Azure Deployments
Hosts
Host management can be complicated due to the dependencies of certain host types. For example, if the host has a log source or protected host associated with it, you must first archive these dependencies before you can archive the host. To check whether a host has any associated dependencies, and then to archive the dependencies and the host, perform the following:
- In the Alert Logic console, click Configuration.
- Select your Amazon Web Services (AWS) or Microsoft Azure deployment.
- Click Hosts on the sidebar.
- Select the host you wish to archive. A side panel will appear - scroll down to find and copy the Host ID.
- Navigate to Log Sources in the left-hand menu and paste the Host ID into the Type Search Terms field.
- If your host is associated with a log source, that dependency should appear. Archive that log source.
- Navigate to Networks and Protected Hosts in the left-hand menu > Protected Hosts and paste the Host ID into the Type Search Terms field.
- If your host is associated with a protected host, that dependency should appear. Archive that protected host.
- Navigate back to Hosts and select the Archive icon to the right of the host you wish to archive.
Note: You can toggle the Show Archive button to show all previously archived hosts.
You can organize hosts by renaming or adding tags. This can be done by clicking the pencil icon on the far right of the host you want to edit. For example, if you want to keep track of the hosts in a certain VPC, you can tag them as such. Alert Logic recommends that you add a terminated or decommissioned tag when network intrusion detection system (IDS) instances have been removed from VMware or AWS.
Log Sources
Log sources function similarly to hosts, with the exception that log sources have no dependencies. You can archive log sources without performing additional steps.
- In the Alert Logic console, click Configuration.
- Select your deployment.
- Click Log Sources in the sidebar.
- Select the Archive icon to the right of the log source you wish to archive.
Networks and Protected Hosts
Networks cannot be used in AWS deployments, which are agent-only. Therefore, you should never add networks to the Networks and Protected Hosts page within the Alert Logic console if you are an AWS-only customer.
If a protected host has been terminated on your end, or is no longer in use, you can archive it instantly by selecting the Archive icon. If your environment has grown to the point where you cannot archive protected hosts individually in a timely manner, you can mass edit them by clicking the gear icon at the top right of the screen, and then archive based on a filter you have applied.
Log Collectors
The only log collector type you can deploy in AWS is a remote collector. In order to clear these from your deployment after they have been decommissioned, you must contact Alert Logic Support. When contacting Alert Logic Support to have a log collector decommissioned, provide the name of the appliance and the account that it resides in.
IDS Appliances
If you have terminated IDS appliances, Alert Logic Support will be able to identify this and will call you shortly after termination. If you would prefer that Support not contact you after you have decommissioned an appliance, inform Alert Logic in advance that you will be decommissioning the instance by opening a ticket with Support and providing the name of the appliance and the account that it resides in.
Further, check to ensure that no protected hosts are assigned to the appliance; any protected hosts still assigned to it will halt the decommissioning process on Alert Logic’s end.
- In the Alert Logic console, navigate to Configuration > Deployments > your desired deployment > IDS Appliances.
- Click on the appliance you wish to decommission. A side panel will appear – scroll down to the Host ID and copy it.
- Navigate to Networks and Protected Hosts > Protected Hosts.
- Paste the Host ID into the Type Search Terms field. Any protected hosts associated with the appliance should appear.
- If these hosts are going to be pointing toward a different appliance going forward, provide them with the new assignment policy. If not, archive them via the archive icon.
- Delete the assignment policy by going to Configuration > Network IDS > Policies > Assignment and clicking on the trash icon on the assignment policy with the same Threat Manager EC2 ID, so that Alert Logic can proceed with decommissioning the appliance.
Manual and Data Center Deployments
Hosts & Log Sources
Hosts and log sources in manual and data center deployments act identically to those in AWS and Azure deployments.
Networks and Protected Hosts
Networks are typically only used in manual and data center deployments when the IDS appliance is physical. Networks being used for data centers or physical appliances will show when SPAN has been configured. When networks are in error, this indicates that you should look into the SPAN configuration on the switches.
Note: Networks showing as in error are customer-specific; there is no universal solution that can be provided. Troubleshoot with Alert Logic Support.
If a protected host has been terminated on your end or is no longer in use, you can archive it instantly by selecting the Archive icon. If your environment has grown to the point where you cannot archive protected hosts individually in a timely manner, you can mass edit them by clicking the gear icon at the top right of the screen, and then archive based on a filter you have applied.
Log Collectors
Manual and data center deployments support all types of log collection deployments, including physical and virtual log collectors and remote collectors. If these are removed from your network at any point, you will need to open a ticket with Alert Logic Support and specify the appliance name in the console. Alert Logic Support will decommission the relevant device.
In order to see if any log sources are currently reporting to that appliance:
- In the Alert Logic console, navigate to Configuration > the applicable manual deployment > Log Collectors.
- Select the log source in question. A sidebar will appear; scroll to Host ID and copy it.
- Navigate to Log Sources in the left-side menu.
- Paste the Host ID into the Type Search Terms field.
- Any log sources associated with your log collector will surface. If these log sources still need to report to a log collector in your network, provide them with a new Host ID or point them toward vaporator.alertlogic.com.
IDS Appliances
If an IDS appliance is physical and you intend to remove it, open a ticket with Alert Logic Support to let us know; make sure to reference the appliance’s name in the Alert Logic console. Alert Logic Support may request additional information from you in order to provide shipping labels for the return of the device.
If you have terminated a virtual IDS appliance, Alert Logic Support will be able to identify this and will call you shortly after termination. If you would prefer that Support not contact you after you have decommissioned an appliance, inform Alert Logic in advance that you will be decommissioning the instance by opening a ticket with Support and providing the name of the appliance and the account that it is in.
Further, check to ensure that no protected hosts are assigned to the appliance; any protected hosts still assigned to it will halt the decommissioning process on Alert Logic’s end.
- In the Alert Logic console, navigate to Configuration > the applicable manual deployment > Log Collectors.
- Select the log source in question. A sidebar will appear; scroll to Host ID and copy it.
- Navigate to Log Sources in the left-side menu.
- Paste the Host ID into the Type Search Terms field.
- Any log sources associated with your log collector will surface. If these log sources still need to report to a log collector in your network, provide them with a new Host ID or point them toward vaporator.alertlogic.com.
- Delete the assignment policy by going to Configuration > Network IDS > Policies > Assignment and clicking on the trash icon on the assignment policy with the same Threat Manager EC2 ID, so that Alert Logic can proceed with decommissioning the appliance.