You will need to configure the USM Appliance Logger if you are deploying one of the following:
- USM Appliance Standard or Enterprise solution
- Using USM Appliance All-in-One, but deploying one or more additional USM Appliance Loggers to the one that comes with the All-in-One
Unlike the Standard/Enterprise USM Appliance Server and Sensors, the USM Appliance Logger can only be configured through the USM Appliance web UI.
Note: If you want to configure high availabilityTerm describing the practice of protecting from single points of failure, which will take mission critical systems offline, by using technology to ensure resources are always available. See also “HA”. in a USM Appliance Standard or Enterprise deployment, do not complete this logger configuration task until after you have completed HA configuration of your two USM Appliance Logger nodes. See Configuring High Availability for USM Appliance Standard Loggers .
- You must have already deployed the USM Appliance Server and USM Appliance Logger, and completed the initial setup tasks.
- If using USM Appliance version 5.5.1 or later, you must set a remote key on the USM Appliance Server for the USM Appliance Logger to authenticate the system. To set the key, go to Configuration > Administration > Main > Login Methods/Options > Remote login key. While there is no constraint on the key, AlienVault recommends that you use something difficult to break, such as a GUID (Globally Unique Identifier).
- If you intend to configure VPN in your USM Appliance deployment, you must set up the VPN tunnel beforehand. This provides you with a VPN IP address that you use in this configuration task. For details, see About Configuring a Virtual Private Network.
- If you do not plan to use a VPN, be aware that USM Appliance Logger receives events through TCP/40001. Make sure traffic can go through that port on your network.
Add USM Appliance Server to USM Appliance Logger
After deploying the USM Appliance Logger and finishing the initial setup tasks, you need to establish the connection between the USM Appliance Logger and the USM Appliance Server or the USM Appliance All-in-One.
Important: Because the USM Appliance Server forwards events to the USM Appliance Logger, the logger is considered the parent server. For this reason, you must add the USM Appliance Server as a child to the USM Appliance Logger, and then configure event forwarding on the USM Appliance Server.
To add the USM Appliance Server to the USM Appliance Logger
- Log into the USM Appliance Logger web UI.
Navigate to Configuration > Deployment > Servers and click Add Server.
Type the IP address and root password of the USM Appliance Server; click Save.
Important: If this USM Appliance deployment uses VPN, substitute the VPN IP for the physical IP address.
- Return to the Servers screen, and select the USM Appliance Logger; click Modify.
- On the next page, click No for all the options on the form except Log; click Yes there.
Configure Log Forwarding
Next, you need to configure log forwarding on the USM Appliance Server or USM Appliance All-in-One.
To configure log forwarding
- Log into the USM Appliance Server web UI.
Go to Configuration > Deployment > Servers.
You should now see both the USM Appliance Server and the USM Appliance Logger listed.
- Select the USM Appliance Logger and click Modify.
On the next page, type the credentials for the Remote Admin User and the Remote Password.
These are the admin user credentials to log into the Logger.
- To populate the remote URL field automatically, click anywhere within the field.
Click Set Remote Key.
Warning: Starting from version 5.5.1, the remote key cannot be empty. You need to use the same key on every USM Appliance Server connecting to the USM Appliance Logger. A warning displays if the key is not set. See Prerequisites for more details.
- Return to the Servers page, select the USM Appliance Server and click Modify.
- Set the option for Log to No.
In the Forward Servers section of the page, click Add Server.
This extends the form and displays a list labeled Server.
Select the USM Appliance Logger and click Add New.
The Logger and its IP address appears in the Server field.
- Click Save.
- Return to the Servers page, click Apply Changes.
To verify that you added the USM Appliance Logger successfully, click Server Hierarchy.
You should now see that there is an arrow extending from the USM Appliance Server to the USM Appliance Logger, where previously they were each floating freely in the graph.
The Logger becomes active immediately. To view logger activity on the USM Appliance Server or USM Appliance All-in-One, go to Analysis > Raw Logs.
Note: The Server column displays the name of the USM Appliance Logger, indicating these events are not stored locally.
Checking System Status of the USM Appliance Logger
After the USM Appliance Logger starts receiving raw logs, it will fill up if left unattended. Therefore, AlienVault recommends that you check the system status of the USM Appliance Logger frequently. To determine how many events your USM Appliance Logger stores every day and how often you should check, refer to Establishing Baseline Network Behavior.
To check system details of the USM Appliance Logger
- Log into the USM Appliance Logger using the web UI.
- Go to Configuration > Deployment > AlienVault Center.
Double click the logger for which you want to check the status.
The System Details page of the logger displays, where you can find disk usage, as well as RAM, Swap, and CPU usage:
In addition to checking the System Details page, USM Appliance issues a warning when the system has less than 25% or 10% of the total disk space available. You can find these warnings in the Message CenterInbox in the USM Appliance web UI which lists messages publicizing availability of various AlienVault product updates plus other messages such as system errors and warnings. on the USM Appliance Logger.