Documentation Center
AlienVault® USM Anywhere™

AlienVault Agent Installation on Linux Hosts

Role Availability: Read-Only, Analyst, Manager

To install the AlienVault Agent, you must run a script that you access from your USM Anywhere environment. When you run the installation on the Linux host system, the script downloads a .deb or .rpm file directly from USM Anywhere and the agent automatically registers with your USM Anywhere environment. The installation process also configures a default set of paths to automatically support File Integrity Monitoring.

You can generate a script that is specific to a selected asset (an IP-addressable host, including but not limited to network devices, virtual servers, and physical servers) and your USM Anywhere environment, or generate a bulk deployment script that you can use to install the agent on multiple Linux host systems.

Note: At this time, AlienVault Agent support is limited to host systems running a 64-bit OS. Dependent libraries for 32-bit to support the AlienVault Agent are not currently available.

When you first deploy new AlienVault Agents on your host systems, you should install just a few so that you can assess the events that are collected by the agent and the impact to your data consumption.

Warning: AlienVault does not provide a script to uninstall the AlienVault Agent on a host system. If you need to uninstall an Agent deployed on a Linux host system, you can use the appropriate package manager to remove the alienvault-agent.

For example, apt-get remove alienvault-agent removes the Agent but leaves the configuration files and log files behind. The apt-get purge alienvault-agent command removes everything.

It could take up to an hour for the disconnected Agent to be reflected in the USM Anywhere web UI.
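The following helper is an added example, not an AlienVault script: it reports whether the alienvault-agent package is installed, removed with its configuration left behind (the state an apt-get remove leaves), or fully gone, and prints the matching uninstall command for the host's package manager. The state strings it classifies are the ones dpkg reports; on RPM-based hosts only an installed/absent answer is available.

```shell
#!/bin/sh
# Added helper (not AlienVault's own code). It distinguishes an agent that was
# merely removed (configuration and logs still on disk) from one that was purged,
# so that a half-finished uninstall is not mistaken for a clean one.

# Classify a dpkg Status string such as "install ok installed".
av_deb_state() {
    case "$1" in
        "install ok installed")       echo installed ;;
        "deinstall ok config-files")  echo config-files-left ;;  # after remove, before purge
        ""|"unknown ok not-installed") echo absent ;;            # never installed, or purged
        *)                            echo "other: $1" ;;
    esac
}

# Query the local package database for the agent and print its state.
av_agent_state() {
    if command -v dpkg-query >/dev/null 2>&1; then
        status=$(dpkg-query -W -f='${Status}' alienvault-agent 2>/dev/null)
        av_deb_state "$status"
    elif command -v rpm >/dev/null 2>&1; then
        # rpm keeps no separate "config-files" state; on erase it renames locally
        # modified config files with a .rpmsave suffix instead of deleting them.
        if rpm -q alienvault-agent >/dev/null 2>&1; then echo installed; else echo absent; fi
    else
        echo "no dpkg or rpm found"; return 1
    fi
}

# Print the uninstall command for this host. Pass "purge" to also drop the
# configuration and log files on dpkg-based hosts.
av_uninstall_cmd() {
    if command -v apt-get >/dev/null 2>&1; then
        if [ "${1:-}" = purge ]; then echo "sudo apt-get purge alienvault-agent"
        else echo "sudo apt-get remove alienvault-agent"; fi
    elif command -v rpm >/dev/null 2>&1; then
        echo "sudo rpm -e alienvault-agent"
    fi
}

# Usage: sh av-agent-state.sh
echo "agent package state: $(av_agent_state)"
echo "to remove completely: $(av_uninstall_cmd purge)"
```

Run it once after the uninstall command and once more an hour later, after the web UI has caught up, so the host-side state and the USM Anywhere view can be compared.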

Prerequisites

Before you install the AlienVault Agent on a Linux host system, make sure that you have the prerequisites in place for that system.

  • The 64-bit Linux host system is running a Red Hat or Debian-based distribution, such as Ubuntu or Mint

    Note: The AlienVault Agent installation has been tested on Ubuntu 14 and 16, a recent version of CentOS, Amazon Linux, and a handful of other Linux types. It is designed to work on any Linux version on 64-bit Intel that uses either APT or RPM to install packages.

  • rsyslog is installed on the host system (see https://www.rsyslog.com/).
  • cURL is installed on the host system (see https://curl.haxx.se/download.html).
  • You have login credentials for the host system with sudo privileges (sudo is a program for UNIX-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser).
  • Your firewall is configured to allow ongoing outbound connectivity from the host system using the HTTPS application protocol over port 443 to two USM Anywhere endpoints.

    prod-api.agent.alienvault.cloud

    <AWS region>-agent-entrypoint.alienvault.cloud

  • Important: For endpoints that rely on the AWS region, the endpoint to use will depend on the AWS region where your USM Anywhere instance is deployed. If you are unsure, consult your administrator who set up your USM Anywhere domain.

    Region                   Endpoint
    Asia Pacific (Tokyo)     ap-northeast-1-agent-entrypoint.alienvault.cloud
    Asia Pacific (Mumbai)    ap-south-1-agent-entrypoint.alienvault.cloud
    Asia Pacific (Sydney)    ap-southeast-2-agent-entrypoint.alienvault.cloud
    Canada (Central)         ca-central-1-agent-entrypoint.alienvault.cloud
    EU (Frankfurt)           eu-central-1-agent-entrypoint.alienvault.cloud
    EU (Ireland)             eu-west-1-agent-entrypoint.alienvault.cloud
    EU (London)              eu-west-2-agent-entrypoint.alienvault.cloud
    US East (N. Virginia)    us-east-1-agent-entrypoint.alienvault.cloud
    US West (Oregon)         us-west-2-agent-entrypoint.alienvault.cloud
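The pre-flight script below is an added example, not part of AlienVault's documentation or deployment script. It checks the prerequisites listed above on the Linux host itself (64-bit architecture, rsyslog, cURL, an APT or RPM package manager, and outbound HTTPS on port 443 to prod-api.agent.alienvault.cloud and the region entrypoint) before the generated script is pasted in. The AWS region code passed as its first argument (for example us-east-1) is an assumption; take it from the table above for your USM Anywhere instance.

```shell
#!/bin/sh
# Added pre-flight checker (not AlienVault's script). Run on the Linux host before
# deploying the agent: sh av-preflight.sh <aws-region>, e.g. us-east-1.

# Map an AWS region code to the agent entrypoint hostname from the table above.
# Returns 1 for a region that is not listed, so a typo fails early.
av_region_endpoint() {
    case "$1" in
        ap-northeast-1|ap-south-1|ap-southeast-2|ca-central-1|eu-central-1|eu-west-1|eu-west-2|us-east-1|us-west-2)
            printf '%s-agent-entrypoint.alienvault.cloud\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Report which package type to select in the Linux Deployment Script dialog.
av_pkg_manager() {
    if command -v apt-get >/dev/null 2>&1; then echo deb
    elif command -v rpm >/dev/null 2>&1; then echo rpm
    else echo none
    fi
}

# The agent needs a 64-bit host.
av_check_arch() { [ "$(uname -m)" = "x86_64" ]; }

# rsyslogd normally lives in /usr/sbin, which may not be on a non-root PATH.
av_check_rsyslog() { command -v rsyslogd >/dev/null 2>&1 || [ -x /usr/sbin/rsyslogd ]; }

av_check_curl() { command -v curl >/dev/null 2>&1; }

# Outbound HTTPS on 443: only the TCP/TLS handshake matters, so an HTTP error
# status from the endpoint still counts as reachable (hence no -f flag).
av_check_https() { curl -sS --connect-timeout 5 -o /dev/null "https://$1/" >/dev/null 2>&1; }

# Run every check for the given region, print one line per result and return
# the number of failures (0 means the host is ready for the deployment script).
av_preflight() {
    region="$1"; fails=0
    if ! ep=$(av_region_endpoint "$region"); then
        echo "FAIL unknown region '$region' (see the endpoint table)"; return 1
    fi
    for check in "arch:av_check_arch" "rsyslog:av_check_rsyslog" "curl:av_check_curl" \
                 "https prod-api:av_check_https prod-api.agent.alienvault.cloud" \
                 "https $ep:av_check_https $ep"; do
        name=${check%%:*}; cmd=${check#*:}
        if $cmd; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails+1)); fi
    done
    echo "INFO package type to select in the deployment dialog: $(av_pkg_manager)"
    return "$fails"
}

if [ -n "${1:-}" ]; then av_preflight "$1"; fi
```

A non-zero exit status means at least one prerequisite is missing; the FAIL lines name which, so the firewall or package gap can be fixed before a half-registered agent shows up as unassociated in USM Anywhere.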

Agent Installation on a Single Host System

For a Linux host system that is already identified as an asset in your USM Anywhere environment, you can install the agent using a generated bash script to run on that Linux host system. You can generate this script for the specific asset from the Agents page or from the Asset Details page for the asset.

Note: If a single host system is not in your Asset inventory through discovery by a deployed USM Anywhere Sensor, you can manually add the asset using its IP address or FQDN. For more information, see Adding Assets.

Alternatively, you can use a script for multiple assets and then use the information provided by the unassociated agent to create a new asset.

Agent Installation on Multiple Host Systems

If you have multiple Linux host systems that are not currently in your USM Anywhere asset inventory or you don't want to generate a separate script for each asset, you can install the agent using a generated bash script on any Linux host system that meets the prerequisite requirements and supports the package type for the script. You can generate this script from the Agents page.

Note: If you use a multiple asset installation script to execute bulk deployment across multiple host systems, the script does not carry a unique asset ID. In this case, USM Anywhere attempts to associate the agent with an existing asset if there is enough information for a definitive match. After a successful deployment of the agent on a host, it sends only heartbeat events until it has an asset association. These heartbeat events include basic information about the host system, including network interfaces and IP address, as well as a temporary asset ID.

When a deployed agent does not have an associated asset, you must make this association in USM Anywhere in order to enable queries and log collection for the host system. For more information, see Agent and Asset Associations.

You can generate this script from the Agents page. After you use the script to deploy the agent on your Linux host systems, you can view the list of unassigned agents and then associate each agent with an existing asset or add a new asset using the information provided by the agent.

To generate an agent deployment script for multiple host systems

  1. In USM Anywhere, go to DATA SOURCES > AGENTS.
  2. Click Linux Deployment Script.

    In the dialog, the Multiple Assets tab is selected by default.

  3. Select the Package Manager type for the Linux distribution.

    The deb type is selected by default. If the asset uses a Red Hat distribution, select the rpm type.

  4. Click Copy to clipboard.

    Click Copy to clipboard to copy the generated bash script

  5. Run the script on each Linux host system where you want to deploy the agent.

    • Use an SSH client to connect and log in to the asset host system.
    • Run the copied bash script.
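Step 5 is repeated once per host, so a small wrapper saves retyping. The one below is an added example, not AlienVault's code: it assumes the copied bash script was saved locally as deploy-agent.sh, that hosts.txt lists one hostname or IP per line (blank lines and '#' comments allowed), and that the SSH user on each host has the sudo privileges the prerequisites require.

```shell
#!/bin/sh
# Added deployment wrapper (not AlienVault's). Feeds the copied multiple-asset
# script to each host over SSH without first copying the file to the remote disk.
# Usage: sh av-deploy.sh hosts.txt deploy-agent.sh      (DRY_RUN=1 to only print)

# Read host names from a file, dropping blank lines and '#' comments.
av_hosts_from_file() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Run the deployment script on one host through sudo, piped over stdin.
# With DRY_RUN=1 only print what would run, which is a useful review step
# before touching production hosts.
av_deploy_host() {
    host="$1"; script="$2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: ssh $host 'sudo bash -s' < $script"
        return 0
    fi
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" 'sudo bash -s' < "$script"
}

# Deploy to every host, continuing past failures and returning their count so a
# CI job or shell prompt can tell at a glance whether every host succeeded.
av_deploy_all() {
    hosts_file="$1"; script="$2"; failed=0
    for h in $(av_hosts_from_file "$hosts_file"); do
        if av_deploy_host "$h" "$script"; then echo "OK   $h"
        else echo "FAIL $h"; failed=$((failed+1)); fi
    done
    return "$failed"
}

if [ -n "${2:-}" ]; then av_deploy_all "$1" "$2"; fi
```

BatchMode=yes makes ssh fail instead of prompting, so the loop needs key-based login and a sudo rule that does not ask for a password on the target hosts; otherwise drop BatchMode and add -t to run interactively. After the loop finishes, the new agents appear as unassigned on the Agents page, where each is associated with an existing asset or used to create a new one.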