Install a vLC using the Azure portal

The Arctic Wolf® Virtual Log Collector (vLC) is a virtualized log collector for syslog. You can use the vLC independently or with Arctic Wolf Sensors.

Note:
  • These steps only apply if you have a plan other than a Cloud Solution Provider (CSP) plan. If you have a CSP plan, see Install a vLC using the Azure portal with a CSP plan.
  • During connectivity tests, appliances may communicate with external IP addresses behind a cloud service that Arctic Wolf hosts.

These actions are required:

  • Make sure you have the appropriate Arctic Wolf permissions to install the appliance. Contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
  • Add all necessary IP addresses, ports, and services to your allowlist for full appliance functionality.
    Tip: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
  • If you rate-limit the appliance with Quality of Service (QoS), remove this for best performance.
  • If your firewall provides SSL/TLS inspection, do not do this inspection on the appliance management IP address.
  • If you use an application proxy or layer 7 filter on your firewall, allow outbound traffic for the appliance management IP address.

Provide your Azure account information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Arctic Wolf Azure Appliance VM.
  5. On the Add Account page, configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Subscription ID — Enter your Subscription ID. This can be found in your Azure account in the Subscriptions section.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.

    See Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings - Microsoft 365 Enterprise for more information.

  6. Click Test and Submit Credentials.

    A message appears, indicating that the subscription confirmation was requested.

  7. After your Concierge Security® Team (CST) enables security monitoring for this account, make sure that the Azure account is listed on the Cloud Sensors page:
    1. In the navigation menu, click Data Collection > Cloud Sensors.
    2. Find the Azure account in the Cloud Sensors table.

    It can take up to 24 hours for the virtual appliance to become visible. Contact your CST if the account is unlisted after 24 hours.

Create a vLC instance

  1. Sign in to Microsoft Azure portal.
  2. In the My Marketplace section, click Private plans.
  3. Click AWN - Virtual Appliance.
  4. In the Plan list, select Arctic Wolf - Virtual Appliance.
  5. Click Create.
  6. In the Basics section, configure these settings:
    • Subscription — Create a new resource group or assign an existing resource group.
    • Instance details — For Virtual machine name, enter the virtual machine (VM) name.
    • Security type — Select Standard.
    • Size — Select Standard_D2as_v5 - 2 vcpus, 8 GiB memory.
      Note: Make sure to select the exact size. You cannot configure the vLC if you do not select the correct size.
  7. Click Next: Disks.
  8. In the Disks section, in the OS options > OS disk type section, select Standard SSD.
  9. Click Next: Networking.
  10. In the Networking section, configure these settings:
    • Virtual network — Select the virtual network.
    • Subnet — Select the subnet.
    • Public IP — Select None.
    • Public inbound ports — Select None.
  11. Click Review + create.
  12. Click Create.
  13. In the Generate a new key pair box, click Download private key and create resource.
    Note: The private key is not used by Arctic Wolf. You can delete it.
    After the private key is downloaded, Deployment is in progress displays.
  14. Click Go to resource.

Connect to the serial console

In the left navigation, click Serial console.

Configure the vLC

Use the serial console to configure the vLC. For more information on using the serial console, see Serial console.

  1. When prompted, press Enter three times to initiate the serial console session.
  2. Select Next.
  3. At the Use a proxy? prompt, do one of these actions:
    Note: Only management interface traffic over OpenVPN is sent to the proxy server.
    • If your virtual appliance management traffic goes through a proxy server, select Yes, and then configure these settings:
      • Server IP address — Enter the proxy server IP address for your appliance.
      • Server port — Enter the proxy server port.
    • If your virtual appliance management traffic does not go through a proxy server, select No.
  4. Select Next.
  5. At the Do you want to verify your network connection? prompt, select one of these options:
    • Yes

      A series of connectivity tests run. If a connectivity check fails, edit your network settings as needed, and then complete the connectivity checks again.

    • No
  6. Select Next.
  7. At the Tell us about the application you are configuring prompt, configure these settings:
    1. In the Shorthand field, enter a shorthand name for the virtual appliance.
    2. Select VLC.
  8. Select Next.
  9. When prompted, do one of these actions to connect the virtual appliance to Arctic Wolf:
    Note: Make sure you have the appropriate Arctic Wolf permissions to install the vLC. You can view the permissions in the Contacts page of the Unified Portal or contact your Concierge Security® Team (CST) at security@arcticwolf.com to identify who in your organization has these permissions.
    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
      Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
    • In a web browser — Enter the displayed URL into the URL field, and then follow the on-screen prompts.

    After the virtual appliance successfully connects to Arctic Wolf, a prompt replaces the QR code.

Activate the vLC

Note: Only the user who configured the vLC can activate the vLC.
  1. Sign in to the Arctic Wolf Unified Portal.
  2. If you are a Managed Service Provider (MSP), verify that you are viewing the correct customer organization.
  3. In the navigation menu, click Data Collection > Sensors.
  4. Find the virtual appliance that you want to activate, and then click View Sensor.
    Tip: Virtual appliances that are not activated have the Awaiting Activation status.
  5. Click Activate.
    The console displays Appliance activation in progress, please wait.
  6. If you are an MSP, select the same customer organization that you are currently viewing in the Unified Portal, and then Activate Virtual Appliance.
    Note: To activate the virtual appliance for a different customer, switch to that customer organization before completing this step.
    The serial console displays Appliance activation in progress, please wait.
  7. In the serial console, when prompted, press Enter three times to activate the console.