A remote collector collects, compresses, and encrypts log data from the configured remote machines to send directly to Alert Logic. A remote collector can only collect syslog data.
A remote collector is useful because:
- It can be installed on a Windows or Linux machine
- It can be upgraded remotely
- It does not require a VMware virtual machine, unlike a virtual appliance
- Hosts without an agent can send syslog data to Alert Logic via a remote collector
- Log status is reported directly to Alert Logic
You can install the Alert Logic universal agent and syslog remote collector on the same host. This will allow the syslog remote collector to collect forwarded logs, while the universal agent collects local logs and network traffic for network intrusion detection and audit purposes. This setup ensures that the syslog remote collector host is protected the same way as all your other assets in a deployment.
When a universal agent and a syslog remote collector are installed on the same host, you must change the default syslog listen port (set to 1515) of the default syslog remote collector policy (or a custom syslog policy attached to the remote collector) to avoid port conflicts between the collectors. For more information about syslog policies, see the Log Management Syslog Policies documentation.
After you install the syslog remote collector, you must adjust any active network policies (such as SELinux, iptables, and security groups) to allow incoming connections on the port specified in the default syslog remote collector policy. Alert Logic recommends restricting these policies to allow connections only from specific hosts or private networks.
Note: This information and more can also be found within Alert Logic Product Documentation.
Access your Unique Registration Key
Note: For data center deployments only, you must locate and copy your Unique Registration key, which you will need to install the agent. Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.
Managed Detection & Response customers -
- In the Alert Logic console, navigate to the main menu > Configure > Deployments.
- Open the relevant data center deployment.
- Under Configuration Overview, click Installation Instructions.
- Copy your Unique Registration Key.
Cloud Defender customers -
- In the Alert Logic console, open the Settings menu.
- Click Support Information.
- Copy your Unique Registration Key.
Install the Remote Collector for Linux
Download a Remote Collector
To download the remote collector, select the link for the installer that matches your distribution and processor:
Agent Installer | Processor | Link |
Debian | 32-bit | https://scc.alertlogic.net/software/al-log-syslog_LATEST_i386.deb |
Debian | 64-bit | https://scc.alertlogic.net/software/al-log-syslog_LATEST_amd64.deb |
RPM | 32-bit | https://scc.alertlogic.net/software/al-log-syslog-LATEST-1.i386.rpm |
RPM | 64-bit | https://scc.alertlogic.net/software/al-log-syslog-LATEST-1.x86_64.rpm |
Install the Remote Collector
Install for RPM-Based Distributions
- Download the RPM package to the target machine.
- Run the following commands and replace <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively:
rpm -U al-log-syslog-<version>*.rpm
/etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
/etc/init.d/al-log-syslog start
- Direct all syslogs to the remote collector on inbound TCP port 1515. In the examples below, replace yourIPaddress with the address of the remote collector host.
- If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@yourIPaddress:1515;RSYSLOG_FileFormat
Note: This configuration directs your local syslog to the remote collector on TCP port 1515 (the double @@ selects TCP; a single @ would send UDP instead).
- If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
destination d_alertlogic { tcp("yourIPaddress" port(1515)); };
log { source(s_src); destination(d_alertlogic); };
Note: This configuration directs your local syslog to the remote collector on TCP port 1515. The source name s_src must match the source defined in your syslog-ng.conf.
Install for Debian-Based Distributions
- Download the Debian package to the target machine.
- Run the following commands and replace <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively:
dpkg -i al-log-syslog-<version>*.deb
/etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
/etc/init.d/al-log-syslog start
- If you use an rsyslog daemon, add the following line to rsyslog.conf to forward logs to the remote collector on TCP port 1515 (replace yourIPaddress with the address of the remote collector host):
*.* @@yourIPaddress:1515;RSYSLOG_FileFormat
- If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
destination d_alertlogic { tcp("yourIPaddress" port(1515)); };
log { source(s_src); destination(d_alertlogic); };
Note: This configuration directs your local syslog to the remote collector on TCP port 1515. The source name s_src must match the source defined in your syslog-ng.conf.
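The Linux procedure above, together with the two cautions given earlier (the listen-port conflict when the universal agent shares the host, and restricting the inbound port to specific hosts or private networks), as one added example. This is not part of the original page and not Alert Logic's own tooling. It assumes the collector host is 10.0.0.5, that forwarding hosts live in 10.20.0.0/16, that the collector's process name begins with al-log-syslog, and that the sending host's rsyslog service is named rsyslog; the `ss -ltnp` output used for the conflict check is constructed.

```shell
#!/usr/bin/env bash
# Added example (not Alert Logic's tooling): install the Linux syslog remote collector,
# check who owns the listen port, restrict it with iptables, and configure a sender.
set -eu

COLLECTOR_IP="10.0.0.5"          # assumed: host running al-log-syslog
TRUSTED_NET="10.20.0.0/16"       # assumed: network the forwarding hosts live in
PORT="${COLLECTOR_PORT:-1515}"   # default listen port of the syslog remote collector policy

# Constructed `ss -ltnp` sample: the universal agent already owns TCP/1515, which is
# exactly the conflict the page warns about when both collectors share one host.
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:1515       0.0.0.0:*     users:(("al-agent",pid=1204,fd=9))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
EOF
)

# Reads `ss -ltnp` output on stdin and prints the process name listening on TCP $1
# (prints nothing if the port is free). Handles 0.0.0.0:port, *:port and [::]:port.
listener_on_port() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == port) {
        if (match($0, /\(\("[^"]+"/)) print substr($0, RSTART + 3, RLENGTH - 4)
        else print "unknown"
        exit
      }
    }'
}

# rsyslog forwarding rule from the page: @@ selects TCP, RSYSLOG_FileFormat is the template.
rsyslog_forward_line() {
  printf '*.* @@%s:%s;RSYSLOG_FileFormat\n' "$1" "$2"
}

# syslog-ng equivalent; the log{} statement must reference destination(d_alertlogic).
syslogng_forward_block() {
  printf 'destination d_alertlogic { tcp("%s" port(%s)); };\n' "$1" "$2"
  printf 'log { source(s_src); destination(d_alertlogic); };\n'
}

# iptables rules for "allow connections only from specific hosts or private networks":
# accept new connections to the collector port from the trusted network, drop everything else.
collector_firewall_rules() {   # $1 = trusted CIDR, $2 = port
  printf 'iptables -A INPUT -p tcp --dport %s -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$2" "$1"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Collector host: install, provision, start (RPM shown; use dpkg -i on Debian), then make
# sure the collector, not some other process, ended up on the port before opening it.
install_collector() {   # $1 = package path, $2 = Unique Registration Key
  rpm -U "$1"
  /etc/init.d/al-log-syslog provision --key "$2"
  /etc/init.d/al-log-syslog start
  owner=$(ss -ltnp | listener_on_port "$PORT")
  case "$owner" in
    al-log-syslog*) echo "collector listening on TCP/$PORT" ;;   # assumed process name
    "") echo "nothing listening on TCP/$PORT; check the syslog policy" >&2; return 1 ;;
    *)  echo "TCP/$PORT is owned by '$owner'; change the policy listen port" >&2; return 1 ;;
  esac
  collector_firewall_rules "$TRUSTED_NET" "$PORT" | sh
}

# Sending host: append the forwarding rule, validate the config, then restart rsyslog.
configure_sender() {
  rsyslog_forward_line "$COLLECTOR_IP" "$PORT" >> /etc/rsyslog.conf
  rsyslogd -N1                    # syntax check before touching the running daemon
  systemctl restart rsyslog       # assumed service name; differs on some distributions
}

case "${1:-demo}" in
  collector) install_collector "$2" "$3" ;;   # collector <package.rpm> <UNIQUEREGISTRATIONKEY>
  sender)    configure_sender ;;
  demo)      # offline: show the conflict check and the generated configuration
    owner=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | listener_on_port "$PORT")
    echo "sample conflict check: TCP/$PORT owned by '${owner:-nobody}'"
    collector_firewall_rules "$TRUSTED_NET" "$PORT"
    rsyslog_forward_line "$COLLECTOR_IP" "$PORT"
    syslogng_forward_block "$COLLECTOR_IP" "$PORT"
    ;;
esac
```

Run with no arguments to see the conflict check on the constructed sample (the port is reported as owned by al-agent, the situation in which the page tells you to change the policy's listen port). Run `collector` as root on the collector host and `sender` as root on each forwarding host. The firewall rules are ordinary iptables commands; on hosts that use firewalld, nftables or a cloud security group, apply the same allow-from-trusted-network, drop-everything-else logic in that tool.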
Install the Remote Collector for Windows
Download a Remote Collector
To download the remote collector, click a link in the table:
Format | Link |
MSI | https://scc.alertlogic.net/software/al_log_syslog-LATEST.msi |
ZIP | https://scc.alertlogic.net/software/al_log_syslog-LATEST.zip |
Install a Remote Collector
Install Via the GUI
- Copy the MSI package to the target machine.
- Run the MSI package.
- In the AL Syslog Setup graphical user interface, paste your Unique Registration Key in the Provisioning API Key field.
- Click Install.
Install Via the Command Prompt
- Copy the MSI package to the target machine.
- Run MsiExec.exe, a Windows MSI package installer, with the following command-line parameter:
/i [path]al_log_syslog-[version]-[type].msi
- Optional - Run the installer with any of the following optional command-line parameters:
/quiet or /q[level]: Sets the level of user interaction. Use one of the following values for [level]:
- f offers full user interface access and shows all dialogs. This is the default when /q is omitted.
- r offers reduced interface access, which shows no dialogs that require user input other than error popups. Normally this mode shows progress status only.
- b is basic UI mode, which shows error popups and a simple progress bar only.
- n (equivalent to /q or /quiet) shows no user interface.
/log [log file] or /l*vx [log file]: Used to troubleshoot installation failures. [log file] is the path to the log file, which the installer creates. /l*vx [log file] produces a more verbose log.
SENSOR_HOST=[host]: [host] is the IP address to which the remote collector should forward logs.
SENSOR_PORT=[port]: [port] is the TCP port to which the remote collector should connect.
USE_PROXY={0|1}: Specifies whether the remote collector should use the WinHTTP proxy settings.
PROV_KEY=[key]: Required in provisioning-only mode. [key] is your Unique Registration Key.
INSTALLERID=[directory]: [directory] is the folder where the remote collector files should be installed.
REBOOT=ReallySuppress: Suppresses any reboot prompts, which leaves the installation incomplete until the next restart.
Example:
MsiExec.exe /i al_log_syslog-3.0.0.0-host.msi /log al_log_syslog_install.log /quiet PROV_KEY=da39a3ee5e6b40d3255bfef95601890afd80709