When creating virtual machines on a host hypervisor (such as VMware ESX), the final step is usually to configure the startup sequence for the guest VMs.
Startup sequences matter when the VM host itself must be restarted: they specify which guest VMs should be started once the host has rebooted, in order to restore the services and systems it hosts.
AlienVault USM Appliance supports multi-host configurations — those where there are separate USM Appliance Servers, USM Appliance Loggers and USM Appliance Sensors. With these configurations, there is an optimum startup order for the individual hosts, in order to minimize loss of visibility and have the systems back to full functionality in the smallest window of time.
That order is:
The top-tier or parent AlienVault USM Appliance hosts (normally the USM Appliance Logger and/or Federated Server) receive alarms and events from appliances at the lower tier. For this reason they should always be the first hosts to start up, to avoid a backlog and/or data loss. Therefore, if an AlienVault USM Appliance Logger and/or an AlienVault USM Appliance Federated Server is part of this deployment, it should be started before any child servers or sensors.
Additional USM Appliance Servers (normally found in more complex deployments) should be started only after their parent server is operational.
The USM Appliance Sensors require a connection to the USM Appliance Server, and can be started (and restarted) at any time once the USM Appliance Server is running. However, sensors provide almost all visibility for USM Appliance, and a sensor that is offline means logs and packets are not being collected from the systems that the sensor covers.
USM Appliance Sensors that start up without an available USM Appliance Server to connect to will eventually reconnect to the Server once it becomes available and forward any cached data. However, this is not optimal, as it could lead to a sensor running out of disk space if the USM Appliance Server is offline for an extended period of time.
Note: When shutting down systems, reverse this order to ensure no loss of data.
Configuring Startup Sequence on VMware ESX
The VMware ESX platform is a common choice for deploying AlienVault OSSIM®/USM Appliance virtual machines. The following is a quick guide to configuring startup and shutdown ordering of AlienVault OSSIM VMs in the vSphere management client for ESX hypervisors.
In the vSphere client
- Open the Hypervisor Configuration Tab.
- Open “Virtual Machine Startup/Shutdown” from the left-hand menu block.
- Open the Properties box from the startup/shutdown config screen:
Your VMs will be in the “Manual Startup” section at first.
- Select the VMs and use the “Move Up” button to relocate them into the “Automatic Startup” section.
By default, the “Default Startup Delay” is 120 seconds – each machine listed will be launched 2 minutes (120 seconds) after the prior one has been started. Order them according to the information given previously.
If the virtual appliances have the appropriate VMware guest tools installed, it is highly recommended to switch the shutdown action to “Guest Shutdown” – this signals the guest VM to perform a proper system shutdown. The default is to power off the machine, which presents a risk of filesystem corruption and lost data.
Note: Appropriate changes must be made to the Startup Delays in order to avoid data loss.
If your USM Appliance Sensor virtual machine takes a little longer than this to start up completely, you may wish to select the USM Appliance Server and increase the startup delay to more than 120 seconds.
Similarly, if complete shutdown of a USM Appliance Sensor takes longer than 120 seconds, it may be advisable to increase the delay before shutting down the USM Appliance Server to ensure that all remaining data from the Sensor has been recorded to the server first.
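The ordering rules and the guest-shutdown recommendation above can be checked against a planned autostart list before it is entered in vSphere. The following is an added example, not AlienVault or VMware code; the VM names, role labels and stop-action strings are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Start tiers from the order above: Logger / Federated Server, then Server, then Sensor.
TIER = {"logger": 0, "federated": 0, "server": 1, "sensor": 2}

@dataclass
class VM:
    name: str                       # constructed VM name
    role: str                       # a key of TIER
    parent: Optional[str] = None    # VM this one forwards to
    stop_action: str = "PowerOff"   # this example's label for the power-off default

def startup_order(vms):
    """Names in a valid start order: by tier, then parents before children."""
    by_name = {v.name: v for v in vms}

    def depth(v, seen=()):
        if v.name in seen:
            raise ValueError(f"parent loop at {v.name}")
        return 0 if v.parent is None else 1 + depth(by_name[v.parent], seen + (v.name,))

    return [v.name for v in sorted(vms, key=lambda v: (TIER[v.role], depth(v), v.name))]

def shutdown_order(order):
    """Shutdown is the startup order reversed."""
    return list(reversed(order))

def audit(order, vms):
    """Findings for a planned autostart list (first entry starts first)."""
    pos = {name: i for i, name in enumerate(order)}
    first_lower = min((pos[v.name] for v in vms if TIER[v.role] > 0), default=len(order))
    findings = []
    for v in vms:
        if v.parent and pos[v.name] < pos[v.parent]:
            findings.append(f"{v.name} starts before its parent {v.parent}")
        if TIER[v.role] == 0 and pos[v.name] > first_lower:
            findings.append(f"{v.name} ({v.role}) starts after a server or sensor")
        if v.stop_action != "GuestShutdown":
            findings.append(f"{v.name} stop action is {v.stop_action}, not GuestShutdown")
    return findings

# Constructed inventory, not taken from a real deployment.
VMS = [
    VM("usm-sensor-a", "sensor", "usm-server-1", "GuestShutdown"),
    VM("usm-server-2", "server", "usm-server-1", "GuestShutdown"),
    VM("usm-logger", "logger", None, "GuestShutdown"),
    VM("usm-server-1", "server", "usm-logger"),  # still on the power-off default
    VM("usm-sensor-b", "sensor", "usm-server-2", "GuestShutdown"),
]
PLAN = startup_order(VMS)
```

An empty result from `audit` means the list respects the parent-first order and every VM uses a guest shutdown; startup and shutdown delays still have to be tuned by hand as described above.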