Step 3 - Deploy Remote Log Collector Service in AWS

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016. Version 4.

This topic tells you how to deploy your remote log collection service in an AWS environment, either with the automated scripts or manually.

Procedure - Using Scripts to Deploy Remote Log Collector Service

After you configure your Remote Log Collector Service, deploy it in your AWS environment by following the steps below.

Note: If you are using scripts, follow the steps below. To deploy the remote log collector service manually instead, refer to the Manually Deploy Remote Log Collector Service section.

Prerequisites

Before you download the AWS scripts, you need to:

  • Install wget in your instance (refer to the following instructions)
  • Log in as root user (refer to steps 1 and 2 below)

Check to See if wget is Installed

To check if wget is installed in your instance, run the following command:

rpm -qa wget

You should see output similar to what is shown in the following example:

wget-1.12-1.4.el6.i686

Install wget

If wget is not installed in your instance, you need to install it by running the following command:

yum -y install wget

Note: All AWS scripts are downloaded into the directory from where the wget command is run.

Download AWS Scripts

To use scripts to set up your Remote Log Collector Service in AWS, complete the following steps.

Note: Each script download requires your username and password for https://community.rsa.com.

Download the following AWS scripts onto your server in the order listed below. wget prompts for the password after each command.

1. AWS PreInstall Script (aws_vlc_preinstall.sh)
https://community.rsa.com/docs/DOC-53180

wget --no-check-certificate --user <username> --ask-password https://community.rsa.com/servlet/JiveServlet/downloadBody/53180-102-1-38306/aws_vlc_preinstall.sh
Password for user <username>: (enter <password>)

2. AWS Post Install Script (aws_vlc_postinstall.sh)
https://community.rsa.com/docs/DOC-53201

wget --no-check-certificate --user <username> --ask-password https://community.rsa.com/servlet/JiveServlet/downloadBody/53201-102-1-38307/aws_vlc_postinstall.sh
Password for user <username>: (enter <password>)

3. AWS Start Services Script (aws_vlc_start_services.sh)
https://community.rsa.com/docs/DOC-53202

wget --no-check-certificate --user <username> --ask-password https://community.rsa.com/servlet/JiveServlet/downloadBody/53202-102-1-38309/aws_vlc_start_services.sh
Password for user <username>: (enter <password>)

Run AWS Scripts

1. Set up a root password using the following command:
sudo passwd root
(enter the new password and re-type it when prompted)

2. Log in as root by entering the following command:
su root

3. Run the aws_vlc_preinstall.sh script.
This script creates an sa.repo file that installs all required dependencies and packages.
You are required to pass two parameters as input: LiveAccountUsername and LiveAccountPassword.
Enclose each parameter in single quotes and separate them with a space, as shown in the following command:
./aws_vlc_preinstall.sh '<LiveAccountUsername>' '<LiveAccountPassword>'

4. Run the aws_vlc_postinstall.sh script. This script sets the hostname and configures the address of the Security Analytics Server.
You are required to pass two parameters as input: Hostname and SA IP Address. Enclose each parameter in single quotes and separate them with a space, as shown in the following command:
./aws_vlc_postinstall.sh '<hostname>' '<IP Address of the SA Server>'

Note: Refer to the Troubleshooting using AWS section if errors occur during provisioning.

5. Run the aws_vlc_start_services.sh script. This script starts all the required services.
./aws_vlc_start_services.sh

6. Run the following command to enable the remote log collector service on the Security Analytics Server (-t is the Puppet agent's test/one-shot mode):
puppet agent -t --waitforcert 30
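The script-based procedure above, collected into one wrapper as an added example. This is not an RSA script: it assumes the three scripts have already been downloaded into the current directory, that it runs as root, and that the deploy function receives the Live username, the Live password, the hostname and the SA server address as its four arguments. The argument validation, the shebang check on each downloaded file, the chmod and the RUN_DEPLOY guard are additions of this example; the script names, their order and the puppet command come from the steps above.

```shell
#!/bin/sh
# Added example, not an RSA script: runs the three AWS scripts in the order
# given above with validated arguments. Assumes it runs as root in the
# directory that holds the downloaded scripts.
set -eu

# Download one script from the community site over verified TLS. wget asks
# for the password interactively, so it does not appear in the process list.
# (Assumption of this example: the site's certificate validates against the
# instance's CA bundle, so --no-check-certificate is not needed.)
fetch_script() {
    url=$1; user=$2
    wget --user "$user" --ask-password "$url"
}

# Accept only a dotted quad whose four parts are 1-3 digits in 0..255.
is_valid_ipv4() {
    ip=$1; n=0; rest=$ip
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Accept an RFC 1123 style hostname: labels of letters, digits and hyphens,
# no leading or trailing hyphen, each label at most 63 characters.
is_valid_hostname() {
    h=$1; rest=$h
    [ -n "$h" ] && [ ${#h} -le 253 ] || return 1
    case $h in *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
        [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# A download that failed or returned an HTML login page is not a script:
# require a non-empty file whose first line is a shebang.
looks_like_shell_script() {
    f=$1
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^#!'
}

# Steps 3 to 6 of "Run AWS Scripts". Each argument is passed as one quoted
# word, which is what the single quotes in the documented commands achieve.
deploy() {
    user=$1; pass=$2; host=$3; sa_ip=$4
    is_valid_hostname "$host" || { echo "invalid hostname: $host" >&2; return 1; }
    is_valid_ipv4 "$sa_ip"    || { echo "invalid SA address: $sa_ip" >&2; return 1; }
    for s in aws_vlc_preinstall.sh aws_vlc_postinstall.sh aws_vlc_start_services.sh; do
        looks_like_shell_script "./$s" || { echo "missing or not a script: $s" >&2; return 1; }
        chmod 700 "./$s"
    done
    ./aws_vlc_preinstall.sh "$user" "$pass"
    ./aws_vlc_postinstall.sh "$host" "$sa_ip"
    ./aws_vlc_start_services.sh
    puppet agent -t --waitforcert 30
}

# Only act when explicitly asked, so the file can be sourced for its checks:
#   RUN_DEPLOY=1 ./deploy_vlc.sh '<LiveAccountUsername>' '<LiveAccountPassword>' '<hostname>' '<SA IP>'
if [ "${RUN_DEPLOY:-0}" = 1 ]; then
    deploy "$@"
fi
```

Two points worth knowing when running this. The Live password is passed as a command-line argument because the RSA scripts take it that way, so it is visible to other users of the instance for as long as the scripts run; the wget download, by contrast, prompts for the community password. fetch_script deliberately omits --no-check-certificate so that the download is authenticated by TLS; if verification fails because the instance's CA bundle is out of date, updating the ca-certificates package is the fix rather than disabling the check.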

Manually Deploy Remote Log Collector Service

To manually deploy your remote log collector service, follow these steps.

Note: Script deployment is recommended.

Note: To edit a file using vi, press i to enter insert mode, make your changes, then press Escape and type :wq! followed by Enter to save your changes and exit.

1. Set up a root password using the following command:

sudo passwd root

(enter the new password and re-type it when prompted)

2. Log in as root.

3. Enter the following command:

su root

4. Use the following commands to create a repo file from which the dependencies in step 6 are installed:

cd /etc/yum.repos.d

vi sa.repo

Note: The baseurl in the sa.repo file must contain the username and password of your Live account, as in the following example.

[sa]
name=SA Yum Repo
baseurl=https://<LiveAccountUsername>:<LiveAccountPassword>@smcupdate.emc.com/nw10/rpm/
enabled = 1
protect = 0
gpgcheck = 0
sslVerify = 1
metadata_expire = 1d
failovermethod=priority

5. Save the sa.repo file.
Press Escape and type :wq! followed by Enter to save your changes to the file.

6. Run the following commands to download and install the dependencies:

yum install nwconsole
yum install nwappliance
yum install nwsdk
yum install nwlogcollector
yum install nwsupport-script
yum install res-protobuffs rsa-audit-rt rsa-collectd rsasa-sshconfig rsa-sms-runtime-rt rsa-sa-tools rsa-gpgpubkeys rsa-mcollective-agents
yum install 'mcollective-*'
yum install puppet

These commands install all dependencies. The mcollective-* pattern is quoted so that yum, rather than the shell, expands it.

Note: After the remote log collector is enabled, you can use your Live account to download the logcollector content through the Security Analytics server that is connected to your remote log collector service.

7. Set the hostname in both of the following files:

vi /etc/hostname

vi /etc/sysconfig/network

8. Enter the following command:

sudo reboot

9. So that the log collection service is discovered as a remote log collector, edit the following file:

vi /etc/netwitness/ng/logcollection/logCollectionType

10. Run the following commands to ensure that all services are running:

start nwlogcollector

service puppet start

service rabbitmq-server start

service mcollective start

11. To make the remote log collector service recognize the Security Analytics Server as its master, edit the hosts file.

Add the hostname that you set in the hostname file, and add the Security Analytics IP address as puppetmaster.local.

Use the following command to edit the hosts file:

vi /etc/hosts

The hosts file contents should resemble the following example:

127.0.0.1 <hostname> localhost.localdom
::1 <hostname> localhost.localdom localhost ip6-localhost ip6-loopback
<SA IP> puppetmaster.local

12. Determine the node ID from the node_id.py file:

cat /etc/puppet/scripts/node_id.py

13. Edit the puppet.conf file and add certname = <node_id>, using the node ID from step 12.

vi /etc/puppet/puppet.conf

The file contents should look similar to this:

[main]
rundir = /var/run/puppet
logdir = /var/log/puppet
ssldir = $vardir/ssl
certname = <node_id>

[agent]
localconfig = $vardir/localconfig
classfile = $vardir/classes.txt
server = puppetmaster.local

14. Run the following Puppet command on the remote log collector service to enable it on the Security Analytics Server (-t is the Puppet agent's test/one-shot mode):

puppet agent -t --waitforcert 30
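The manual steps 4, 11 and 13 write three configuration files by hand in vi. The following added example (not RSA's code) generates the same files from arguments: it percent-encodes the Live credentials before placing them in the baseurl, creates sa.repo with mode 0600 because it holds a password, appends the hosts entries only once, and fills certname from the node ID. File paths are parameters so the functions can be exercised against a scratch directory; the real targets are the paths named in the steps above. The url_encode helper, the 0600 mode, the idempotent hosts append and the RUN_CONFIG guard are this example's additions, and the full alias localhost.localdomain is assumed to be what the abbreviated alias in step 11 stands for. The repository values, including gpgcheck = 0 (which disables package signature verification), are copied as given in step 4.

```shell
#!/bin/sh
# Added example, not RSA's code: writes sa.repo, the /etc/hosts entries and
# puppet.conf from the manual procedure above from arguments instead of by
# hand in vi. Paths are parameters so the functions can be run against a
# scratch directory; the real targets are the paths named in the steps.
set -eu

# Percent-encode one string for use inside a URL (ASCII input assumed).
# Only unreserved characters pass through; anything else (':' '@' '/' '#'
# '?' ...) is encoded so that a password cannot be mis-parsed as part of
# the host name or as a separator.
url_encode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        s=$rest
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Step 4: sa.repo with the Live credentials in the baseurl. Because the file
# holds a password it is created mode 0600 (umask in a subshell, then chmod).
# Values other than the credentials are copied from the example in step 4.
write_sa_repo() {
    path=$1; user=$2; pass=$3
    enc_user=$(url_encode "$user")
    enc_pass=$(url_encode "$pass")
    (
        umask 077
        cat > "$path" <<EOF
[sa]
name=SA Yum Repo
baseurl=https://${enc_user}:${enc_pass}@smcupdate.emc.com/nw10/rpm/
enabled=1
protect=0
gpgcheck=0
sslverify=1
metadata_expire=1d
failovermethod=priority
EOF
    )
    chmod 600 "$path"
}

# Step 11: the three hosts lines. The IPv6 loopback address is ::1, and
# localhost.localdomain is assumed to be the full form of the alias shown
# abbreviated in the step.
hosts_entries() {
    host=$1; sa_ip=$2
    printf '127.0.0.1 %s localhost.localdomain localhost\n' "$host"
    printf '::1 %s localhost.localdomain localhost ip6-localhost ip6-loopback\n' "$host"
    printf '%s puppetmaster.local\n' "$sa_ip"
}

# Append the entries once; a second run must not duplicate puppetmaster.local.
ensure_hosts_entries() {
    hosts_file=$1; host=$2; sa_ip=$3
    grep -q 'puppetmaster\.local' "$hosts_file" 2>/dev/null && return 0
    hosts_entries "$host" "$sa_ip" >> "$hosts_file"
}

# Step 13: puppet.conf with certname set to the node ID from step 12.
# $vardir is escaped so that Puppet, not the shell, expands it.
write_puppet_conf() {
    path=$1; node_id=$2
    cat > "$path" <<EOF
[main]
rundir = /var/run/puppet
logdir = /var/log/puppet
ssldir = \$vardir/ssl
certname = ${node_id}

[agent]
localconfig = \$vardir/localconfig
classfile = \$vardir/classes.txt
server = puppetmaster.local
EOF
}

# Invocation on the real paths (run as root):
#   RUN_CONFIG=1 ./vlc_manual_config.sh '<LiveAccountUsername>' '<LiveAccountPassword>' '<hostname>' '<SA IP>' '<node_id>'
if [ "${RUN_CONFIG:-0}" = 1 ]; then
    write_sa_repo /etc/yum.repos.d/sa.repo "$1" "$2"
    ensure_hosts_entries /etc/hosts "$3" "$4"
    write_puppet_conf /etc/puppet/puppet.conf "$5"
fi
```

The percent-encoding matters in practice: a Live password containing '@' or ':' written literally into the baseurl is split by the URL parser at the wrong place, and yum then reports an authentication or host-resolution error that is hard to trace back to the repo file. Restricting sa.repo to mode 0600 limits who on the instance can read the credential; the default yum repo file mode is world-readable.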
