Virtual Log Collector Deployment on a Standalone ESXi Server
Updated Sep 13, 2023
Deploy a vLC on a standalone ESXi server
The Arctic Wolf® Virtual Log Collector (vLC) is a virtualized log collector for syslog. Arctic Wolf Managed Detection and Response (MDR) uses one or more vLC deployments to monitor events in your network and identify potential threats. You can use a vLC independently or with Arctic Wolf network sensors. Arctic Wolf supports vLC installation in a standalone ESXi server environment.
Requirements
- ESXi version 6.5 or higher
- The appropriate Arctic Wolf permissions to complete the vLC deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.
- These system resources:
  Note: Reducing or limiting resource allocations below the specified requirements impacts vLC performance.
  - 8 vCPUs
  - 16 GB RAM
  - 40 GB storage
Before you begin
- Make sure you have the appropriate Arctic Wolf permissions to complete the vLC deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.
- Add all necessary IP addresses, ports, and services to your allowlist for full vLC functionality.
Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.
- If you rate-limit the vLC with Quality of Service (QoS), remove this for best performance.
- If your firewall provides SSL/TLS inspection, do not perform this inspection on the vLC management IP address.
- If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the vLC management IP address.
Steps
- Download the virtual appliance image.
- Deploy the virtual appliance.
- Configure the virtual appliance.
- Activate the vLC.
Step 1: Download the virtual appliance image
Note: The virtual appliance image file must be downloaded on or after June 14, 2023. For appliance images downloaded prior to June 14, 2023, see Legacy vLC Installation.
- Sign in to the Arctic Wolf Portal.
- Click Account > Downloads.
- In the Virtual Network Appliances section, click Download Virtual Network Appliance to start the OVA file download.
Tip: If your browser downloads the OVA file in .ovf format, rename the file to change the file extension to .ova.
Step 2: Deploy the virtual appliance
- Log in to your ESXi web UI.
- Click Create / Register VM.
- On the Select creation type page, select Deploy a virtual machine from an OVF or OVA file, and then click Next.
- On the Select OVF and VMDK files page, in the Enter a name for the virtual machine field, enter a name for the virtual machine.
Note: You must provide a unique name for the virtual machine. Re-using a current or past name may prevent activation in the management portal.
- Click Click to select files or drag/drop.
- Select the .ova file you downloaded, and then click Open.
- Click Next.
- On the Deployment options page, in Deployment type, select Virtual Log Collector (vLC).
- Click Next.
- On the Additional setting page, click Next.
- On the Ready to complete page, click Finish.
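The Requirements section and the unique-name note in this step can be checked before you click Finish. The following POSIX shell script is an added example, not Arctic Wolf tooling or part of this document: it assumes an SSH shell on the ESXi host (where `esxcli system version get` and `vim-cmd vmsvc/getallvms` are available), and it takes the host's core count, RAM and free datastore space as arguments because those are read from the host summary page. The command output embedded in the script is constructed so the checks also run offline.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a vLC host. Not Arctic Wolf code.
# Sample command output below is constructed; on a real ESXi host the live
# commands named in run_preflight are used instead.

# Minimum figures from the Requirements section.
MIN_ESXI_MAJOR=6
MIN_ESXI_MINOR=5
VLC_VCPUS=8
VLC_RAM_GB=16
VLC_DISK_GB=40

# Constructed sample of `esxcli system version get` output.
SAMPLE_VERSION_OUTPUT='   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-17700523
   Update: 3
   Patch: 0'

# Constructed sample of `vim-cmd vmsvc/getallvms` output (two existing VMs).
SAMPLE_VM_LIST='Vmid   Name         File                                  Guest OS                Version   Annotation
1      aw-vlc-01    [datastore1] aw-vlc-01/aw-vlc-01.vmx   otherGuest64            vmx-14
2      fileserver   [datastore1] fileserver/fileserver.vmx windows9Server64Guest   vmx-14'

# check_esxi_version VERSION_OUTPUT -> 0 when the ESXi version is 6.5 or higher.
check_esxi_version() {
    ver=$(printf '%s\n' "$1" | awk -F': *' '/^ *Version:/ {print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$MIN_ESXI_MAJOR" ] ||
        { [ "$major" -eq "$MIN_ESXI_MAJOR" ] && [ "$minor" -ge "$MIN_ESXI_MINOR" ]; }
}

# vm_name_is_unique VM_LIST_OUTPUT NAME -> 0 when NAME is not already registered.
# Re-using a current name may prevent activation; past names cannot be seen here,
# so keep your own record of previously used names as well.
vm_name_is_unique() {
    ! printf '%s\n' "$1" | awk 'NR > 1 {print $2}' | grep -qxF -- "$2"
}

# check_host_resources CORES MEM_GB FREE_GB -> 0 when the host can back the
# vLC allocation one-to-one (a conservative reading of the requirements).
check_host_resources() {
    [ "$1" -ge "$VLC_VCPUS" ] && [ "$2" -ge "$VLC_RAM_GB" ] && [ "$3" -ge "$VLC_DISK_GB" ]
}

# run_preflight NAME CORES MEM_GB FREE_GB -> 0 only when every check passes.
run_preflight() {
    if command -v esxcli >/dev/null 2>&1; then
        version_output=$(esxcli system version get)
        vm_list=$(vim-cmd vmsvc/getallvms)
    else
        version_output=$SAMPLE_VERSION_OUTPUT   # offline fallback (constructed)
        vm_list=$SAMPLE_VM_LIST
    fi
    status=0
    check_esxi_version "$version_output" && echo "OK   ESXi version meets the 6.5 minimum" ||
        { echo "FAIL ESXi version is below 6.5"; status=1; }
    vm_name_is_unique "$vm_list" "$1" && echo "OK   VM name '$1' is not in use" ||
        { echo "FAIL VM name '$1' already exists; a re-used name may block activation"; status=1; }
    check_host_resources "$2" "$3" "$4" &&
        echo "OK   host has at least ${VLC_VCPUS} cores, ${VLC_RAM_GB} GB RAM, ${VLC_DISK_GB} GB free" ||
        { echo "FAIL host resources are below the vLC minimum"; status=1; }
    return $status
}

# Usage on the host: run_preflight aw-vlc-02 16 64 500
```

Run `run_preflight` with the VM name you intend to enter on the Select OVF and VMDK files page; a non-zero exit means at least one check failed and the reason was printed.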
Step 3: Configure the virtual appliance
- In the ESXi web UI, right-click your virtual machine, and then click Power > Power On.
- Right-click your virtual machine, and then click Console > Open Console.
- When prompted, press Enter three times to initiate the serial console session.
- At the Select an option to configure your management interface with prompt, select DHCP or enter a static IP address for the vLC management interface.
  Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors.
- Click Next.
- At the Use a proxy? prompt, do one of these actions:
  - If your vLC traffic needs to go through a proxy server, select Yes, and then configure these fields:
    - Server IP address — Enter the proxy server IP address for your appliance.
    - Server port — Enter the proxy server port.
  - If your vLC traffic does not need to go through a proxy server, select No.
- Click Next.
- At the Do you want to verify your network connection? prompt, select one of these options:
  - Yes — A series of connectivity tests run.
  - No
- Click Next.
- At the Tell us about the application you are configuring prompt, configure these settings:
  - In the Shorthand field, enter the shorthand name for the vLC.
  - Select VLC.
- Click Next.
- When prompted, do one of these actions to connect the vLC to the Arctic Wolf Platform:
  - Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
  - Using a web browser — Enter the displayed URL into a web browser, and then follow the on-screen prompts.
  Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
  After the vLC successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to go to Arctic Wolf Appliance Management.
Step 4: Activate the virtual appliance
- In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.
- Locate the name or the serial number of the vLC you want to activate.
- In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.
  The console displays Appliance activation in progress, please wait.
- When prompted, press Enter three times to activate the console.
Remove a virtual appliance
- Decommission the virtual appliance:
  - In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.
    A list of deployed virtual appliances appears on this page.
  - Locate the name or serial number of the virtual appliance that you want to decommission.
  - Under Actions, select the Trash icon, and then click Decommission Virtual Appliance when prompted.
- In the ESXi web UI, shut down the virtual appliance.
- Delete the virtual appliance:
  - In the ESXi web UI, select the virtual appliance.
  - Click Actions, and then select Delete.
  - Click Delete.
Reconfigure a virtual appliance
- In the ESXi web UI, select the virtual appliance.
- Open the virtual console.
- When prompted, press Enter three times to initiate the serial console session.
- Change the required settings.