LC AWS:Step 2 - Configure Remote Log Collector Service

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 10

This topic tells you how to configure your remote log collection service in an Amazon Web Services (AWS) environment.

Once you have downloaded the CentOS 6 (x86_64) - with Updates HVM template and created an instance, the next configuration step requires that you choose an Amazon Machine Image (AMI) and an Instance Type.

Note: You only need to download the CentOS 6 (x86_64) - with Updates HVM template once, which can then be used to create multiple instances.

Creating an Amazon Machine Image

An AMI is a template that contains the software configuration required to launch your instance.

Complete the following steps to choose an AMI.

  1. Select an AMI from the list that is displayed on your screen.

  2. Click the Select button to complete your selection.

Choose an Instance Type

An instance type comprises varying combinations of CPU, memory, storage, and networking capacity that provide the flexibility to choose an appropriate mix of resources for your applications. Each instance type includes one or more instance sizes that allow you to scale your resources to the requirements of your workload.

Complete the following steps to choose an instance type.

  1. Select an instance type from the drop-down list.
  2. Select either Current generation or All generations from the drop-down list.

    For detailed information, see tables below.

    For the best performance, Amazon Web Services recommends that you use the Current generation instance types when you launch new instances.

    Amazon Web Services offers Previous generation instances for users who have optimized their applications around these instances and have yet to upgrade.

  3. Select Next: Configure Instance Details.

The following table describes the fields shown in the above figure.


A general instance-type grouping that uses either storage or CPU capacity.

Type: A specification that defines the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive or memory-intensive applications.
vCPUs: The number of virtual CPUs for the instance.
Memory (GiB): The amount of memory used for the instance.
Instance Storage (GB): The local instance store volumes that are available to the instance. The data in an instance store is not permanent; it persists only during the lifetime of the instance.
EBS-Optimized: Indicates whether the instance type supports EBS optimization. An EBS-optimized instance provides additional, dedicated throughput for Amazon EBS I/O. This provides improved performance for your Amazon EBS volumes and enables instances to use provisioned IOPS fully.
Network Performance: Indicates the performance level of the rate of data transfer.

The following table lists the recommended CPU Specifications, Memory, and Disk size for the Remote Log Collector, based on events per second (EPS).

Rate | Quantity of CPUs | RAM | Disk
30,000 EPS | 8 | 15 GB | 150 GB
15,000 EPS |  | 7.5 GB | 150 GB
2,500 EPS | 2 | 3.75 GB | 150 GB

Configure Instance Details

Complete the following steps to configure instance details. Refer to the table below for detailed descriptions.

Note: Consult your AWS Administrator for the appropriate Configure Instance selections.

  1. Select Number of Instances from the drop-down list.

    Note: You can launch more than one instance at a time.

  2. (Optional) For Purchasing option, select the Request Spot Instances checkbox.
  3. Select a Network from the drop-down list.
  4. Select an Availability Zone from the drop-down list. 

  5. Select an IAM role from the drop-down list.
    Note that the default is None.
  6. Select Shutdown behavior from the drop-down list.
  7. (Optional) For Enable termination protection, select the Protect against accidental termination checkbox.
  8. (Optional) For Monitoring, select the Enable CloudWatch detailed monitoring checkbox.
  9. Click Next: Add Storage.

The following table provides information pertaining to the various instance configuration options.

Number of Instances: Enter the number of instances you want to configure. Note that you can configure more than one instance at a time.
(Optional) Purchasing Option - Request Spot Instances: Spot instances enable you to bid on unused EC2 instances, which can lower your Amazon EC2 costs significantly. The hourly price for a Spot instance (of each instance type in each Availability Zone) is set by Amazon EC2, and fluctuates depending on the supply and demand for Spot instances. Your Spot instance runs whenever your bid exceeds the current market price. Select this purchasing option if you can be flexible about when your applications run and if your applications can be interrupted, such as batch jobs and background processing tasks.


Selecting a network enables you to launch your instance into an Amazon Virtual Private Cloud (VPC). You can create a VPC and select your own IP address range, create subnets, configure route tables, and configure network gateways.
Subnet: A range of IP addresses in your VPC that can be used to isolate different EC2 resources from each other or from the Internet. Each subnet resides in one Availability Zone.
Availability Zone (default is no preference): A distinct location within a region that's designed to be isolated from failures in other Availability Zones, and provides inexpensive, low-latency network connectivity to other Availability Zones in the same region.
Select an IAM role (default is none): An IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have any credentials (password or access keys) associated with it. If a user is assigned to a role, access keys are created dynamically and provided to the user.
Shutdown Behavior: Specify the instance behavior when an OS-level shutdown is performed. Instances can either be terminated or stopped.
Enable termination protection: You can protect instances from being accidentally terminated. Once enabled, you won't be able to terminate this instance via the API or the AWS Management Console until termination protection has been disabled.
(Optional) Monitoring - Enable CloudWatch Detailed Monitoring: Enables you to monitor, collect, and analyze metrics about your instances through Amazon CloudWatch. Additional charges apply if you enable this option.


You can choose to run your instances on physical servers fully dedicated for your use. The use of host tenancy requests you to launch instances onto Dedicated hosts, while the use of dedicated tenancy will launch instances as Dedicated instances. You can launch an instance with a tenancy of host or dedicated into a Dedicated Amazon Virtual Private Cloud (VPC).

Add Storage

Amazon EC2 enables you to assign flexible data storage options for your instances.

Complete the following steps to configure storage settings for your instance:

  1. Enter the storage size in the Size field.
    Volume size must be greater than zero or the size of the snapshot used. Provisioned IOPS (SSD) volumes must be at least 4 GB in size.
  2. Select Magnetic Volume Type from the drop-down list.
  3. Click Next: Tag Instance.

The following table describes the fields in the Add Storage screen.

Type: Amazon EBS is a block-level storage volume that persists independently from the lifetime of an EC2 instance, so you can stop and restart your instance at a later time. Ephemeral instance store volumes are physically attached to the host computer. The data on an instance store lasts only during the lifetime of the instance.
Device: The available device names for the volume. Depending on the block device driver of the selected AMI's kernel, the device may be attached with a different name than what you specify.
Snapshot: A snapshot is a backup of an EC2 volume that's stored in S3. You can create a new volume using data stored in a snapshot by entering the snapshot's ID. You can search for public snapshots by typing text in the Snapshot field. Descriptions are case-sensitive.
Size: Volume size must be greater than zero or the size of the snapshot used. Provisioned IOPS (SSD) volumes must be at least 4 GB in size.
Volume Type:
    • Magnetic Volumes deliver 100 IOPS on average, and can burst to hundreds of IOPS. This is a recommended low-cost option.
    • General Purpose (SSD) volumes can burst to 3,000 IOPS, and deliver a consistent baseline of 3 IOPS/GB.
    • Provisioned IOPS (SSD) volumes can deliver up to 20,000 IOPS, and are best for EBS-optimized instances.


Note: The requirements listed below are not required for the recommended Magnetic Volumes.

The requested number of I/O operations per second that the volume can support.

For Provisioned IOPS (SSD) volumes, you can provision up to 30 IOPS per GB.

For General Purpose (SSD) volumes under 1,000 GB, you get a baseline performance of 3 IOPS per GB with bursts up to 3,000 IOPS.

For General Purpose (SSD) volumes above 1,000 GB, you get a baseline performance of 3 IOPS per GB up to 10,000 IOPS.

Delete on Termination: EBS volumes persist independently from the running life of an EC2 instance. However, you can choose to automatically delete an EBS volume when the associated instance is terminated.
Encrypted: Volumes that are created from encrypted snapshots are automatically encrypted, and volumes that are created from unencrypted snapshots are automatically unencrypted. If no snapshot is selected, you can choose to encrypt the volume.

Configure Tag Instance

A tag helps you manage your instances and consists of a case-sensitive key-value pair. 

Complete the following steps to configure a tag instance.

  1. Enter a name and value, such as AWS-VLC1.

    The following restrictions apply to tags:

    • Tag keys and values are case sensitive.
    • Maximum number of tags per resource is 10.
    • Maximum key length is 127 Unicode characters in UTF-8.
    • Maximum value length is 255 Unicode characters in UTF-8.
    • Avoid using the aws: prefix in your tag names and values, because it is reserved for use by Amazon Web Services.
  2. Click Next: Configure Security Group.

Configure Security Group

You can configure a security group that acts as a virtual firewall that controls the traffic for one or more instances. You can add rules to your security group that allow traffic to and from its associated instances.

Type: The protocol to open to network traffic. You can choose a common protocol, such as SSH (for a Linux instance), RDP (for a Windows instance), and HTTP and HTTPS to allow Internet traffic to reach your instance. You can also manually enter a custom port or port ranges.
Protocol: The type of protocol, for example TCP or UDP. Provides an additional selection for ICMP.
Port Range: For custom rules and protocols, you can manually enter a port number or a port range. See the table below for a list of service ports.

Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example,

If connecting from behind a firewall, you need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region.

To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup.

Complete the following steps to create a security group.

  1. Select either Create a new security group or Select an existing security group.
  2. Select a protocol type from the drop-down list.
  3. Enter a protocol.
  4. Enter a port range.
  5. Click Review and Launch.

Note: You must configure both Inbound and Outbound ports in the AWS security group that is attached to the Remote Log Collector.

Category | Protocol | Port Number | Appliances | Direction
SSH | TCP | 22 | Remote Log Collector (AWS) | Inbound
RabbitMQ | TCP | 15671 | Remote Log Collector (AWS) | Inbound and Outbound
AMQP | TCP | 5671/5672 | Remote Log Collector (AWS) to and from Remote Log Collector (Corporate) | Inbound and Outbound
Puppet | TCP | 8140 | Remote Log Collector (AWS) to Security Analytics Server | Outbound
 | TCP | 61614 | Remote Log Collector | Inbound and Outbound
Log Collector | TCP | 50001/56001 | Remote Log Collector (AWS) to and from Security Analytics Server | Inbound and Outbound
 |  |  | Event Source to Remote Log Collector (AWS) |
Syslog | UDP | 514 | Event Source to Remote Log Collector (AWS) | Inbound
 |  |  | Event Source to Remote Log Collector (AWS) |
SNMP | UDP | 162 | Event Source to Remote Log Collector (AWS) | Inbound
 |  |  | Remote Log Collector (AWS) to Event Source |
ODBC | TCP | Various | Remote Log Collector (AWS) to Event Source | Outbound
 |  |  | Remote Log Collector (AWS) to Event Source |
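
The following Python code is an added example, not part of the RSA documentation. It audits one security group, in the shape returned by `aws ec2 describe-security-groups`, against the ports in the table above. The names `DOCUMENTED`, `SAMPLE_GROUP` and `audit` and the sample rules are assumptions of this example, and flagging inbound rules open to any source address is the example's own check, not a requirement stated on this page.

```python
# Added example: audit one security group against the port table on this page.
# Only rows with a concrete protocol and port are encoded; ODBC ("Various") is left out.
BOTH = {"in", "out"}
DOCUMENTED = {  # (protocol, port) -> directions listed in the table
    ("tcp", 22): {"in"}, ("tcp", 8140): {"out"},
    ("udp", 514): {"in"}, ("udp", 162): {"in"},
    ("tcp", 15671): BOTH, ("tcp", 5671): BOTH, ("tcp", 5672): BOTH,
    ("tcp", 61614): BOTH, ("tcp", 50001): BOTH, ("tcp", 56001): BOTH,
}

# Constructed sample, shaped like one group in `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 5671, "ToPort": 5672, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

def audit(group):
    """List undocumented ports, ingress open to any address, and documented ports not opened."""
    findings = []
    for key, direction in (("IpPermissions", "in"), ("IpPermissionsEgress", "out")):
        wanted = {k for k, dirs in DOCUMENTED.items() if direction in dirs}
        opened = set()
        for rule in group.get(key, []):
            proto, lo, hi = rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")
            label = proto if lo is None else f"{proto}/{lo}-{hi}"
            sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if direction == "in" and sources & {"0.0.0.0/0", "::/0"}:
                findings.append(f"in: {label} is open to any source address")
            if proto not in ("tcp", "udp"):  # "-1" means every protocol and port
                findings.append(f"{direction}: {label} is outside the documented list")
                opened |= wanted if proto == "-1" else set()
                continue
            covered = {(p, n) for (p, n) in wanted if p == proto and lo <= n <= hi}
            opened |= covered
            if len(covered) != hi - lo + 1:
                findings.append(f"{direction}: {label} opens ports outside the documented list")
        for proto, port in sorted(wanted - opened):
            findings.append(f"{direction}: documented {proto}/{port} is not opened")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_GROUP)))
```

For the constructed sample, the audit reports the SSH rule open to any address, the extra TCP 3306 rule, the documented inbound ports that are not opened, and the all-traffic outbound rule.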


Configure Firewall Permissions to Allow Communication

Configure your firewall(s) to allow communication between the Remote Log Collector and AWS, and the Security Analytics components listed in the table above.

Note: You need to open ports between your Remote Log Collector and your Security Analytics Server, and you also need to open ports between your Remote Log Collector and the Log Collector on your Log Decoder.

The following table lists the Security Analytics hosts and their respective service ports:

From Host | To Local Collector in AWS | To Ports (Protocol) | Comments
Security Analytics Server | Remote Log Collector | 56001 (TCP) or |
Security Analytics Server | Remote Log Collector | 50101 |
Security Analytics Server | Remote Log Collector | 5672 (TCP) | RabbitMQ
Security Analytics Server | Remote Log Collector | 50055 (TCP) | RSA-SMS
Security Analytics Server | Remote Log Collector | 50056 (TCP) | RSA-SMS
Remote Log Collector | Security Analytics Server | 8140 (TCP) | Puppet
Security Analytics Server | Remote Log Collector | 61614 (TCP) | MCollective
Remote Log Collector | Security Analytics Server | 61614 (TCP) |
Security Analytics Server | Remote Log Collector | 15671 (TCP) | RabbitMQ
Remote Log Collector | Security Analytics Server | 15671 (TCP) |
In Pull Mode: Log Collector (on Log Decoder) | Remote Log Collector | 5671 (TCP) |
In Push Mode: Remote Log Collector | Log Collector (on Log Decoder) | 5671 (TCP) |


Review Instance Launch

Before you complete the Launch Instance Process, you have an opportunity to review and edit your AMI. If you do not want to make any changes to your AMI, select Launch. If you select Edit AMI, you can make changes and select Launch after your changes are complete. 

After you select Launch, the following dialog is displayed on your screen.

When you launch an instance, you should specify the name of the key pair you plan to use to connect to the instance. If you don't specify the name of an existing key pair when you launch an instance, you won't be able to connect to the instance. When you connect to the instance, you must specify the private key that corresponds to the key pair you specified when you launched the instance.

Click Launch Instances to complete the Launch Instance Process.

See Step 3 - Deploy Remote Log Collector Service in AWS for detailed instructions on how to deploy a remote log collection service in an AWS environment.
