Configure two vLCs in a high availability AWS environment

Two virtual log collectors can be configured in a high availability environment in AWS using a Network Load Balancer to reduce the risk of data loss. In this configuration, both log collector nodes are actively collecting data and are in the AWS environment.

Note: After you configure high availability, syslog still listens on both the log collector management IP address and the network load balancer IP address.

These resources are required:

Create a target group for the network load balancer

  1. Sign in to the EC2 management console.
  2. In the Load Balancing section, click Target Groups.
  3. Click Create target group.
  4. In the Basic configuration section, configure these settings:
    • Choose a target type — Select IP addresses.
    • Target group name — Enter the name of your vLC EC2 instance. For example, vlc.
    • Protocol — Select TCP_UDP.
    • Port — Enter 514.
    • IP address type — Select IPv4.
    • VPC — Select the VPC that your vLC is deployed in.
    • Health check protocol — Select TCP.
  5. In the Advanced health check settings section, configure these settings:
    • Health check port — Select Override, and then enter 514.
    • Healthy threshold — Enter 2.
    • Timeout — Enter 5.
    • Interval — Enter 5.
    • Keep the remaining settings as default.
  6. Click Next.
  7. In the IP addresses section, configure these settings:
    • Network — Select the VPC that the vLC is deployed in.
    • For each vLC, click Add IPv4 address.
      • IPv4 — Enter the IP address of both vLCs that you want to send log traffic to.
        Note: There should be two IPv4 addresses listed, one for each vLC.
    • Ports — Enter 514.
  8. Select Include as pending below.
  9. Verify that the information you entered is correct, and then click Create target group.
  10. Click on the newly created target group, go to the Attributes tab, and then click Edit.
  11. Enable the Stickiness checkbox, and then click Save changes.
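
To confirm that the target group ended up with the settings from this procedure, the following added example (not Arctic Wolf or AWS code) audits the JSON returned by `aws elbv2 describe-target-groups`, `describe-target-group-attributes` and `describe-target-health`. The function name, the sample data and the placeholder IP addresses are constructed for illustration.

```python
# Added example: audit an NLB target group against the settings in this procedure.
# Inputs are the parsed JSON from three AWS CLI calls:
#   aws elbv2 describe-target-groups            -> TargetGroups[0]
#   aws elbv2 describe-target-group-attributes  -> Attributes
#   aws elbv2 describe-target-health            -> TargetHealthDescriptions

EXPECTED = {
    "Protocol": "TCP_UDP",
    "Port": 514,
    "TargetType": "ip",
    "IpAddressType": "ipv4",
    "HealthCheckProtocol": "TCP",
    "HealthCheckPort": "514",  # the API returns a string; "traffic-port" means no override
    "HealthyThresholdCount": 2,
    "HealthCheckTimeoutSeconds": 5,
    "HealthCheckIntervalSeconds": 5,
}

def audit_target_group(group, attributes, target_health):
    """Return a list of findings; an empty list means the group matches the procedure."""
    findings = [f"{k}: expected {want!r}, found {group.get(k)!r}"
                for k, want in EXPECTED.items() if group.get(k) != want]
    attrs = {a["Key"]: a["Value"] for a in attributes}
    if attrs.get("stickiness.enabled") != "true":
        findings.append("stickiness.enabled: expected 'true'")
    ips = {d["Target"]["Id"] for d in target_health}
    if len(ips) != 2:
        findings.append(f"targets: expected 2 vLC IP addresses, found {len(ips)}")
    for d in target_health:
        ip, port = d["Target"]["Id"], d["Target"].get("Port")
        state = d["TargetHealth"]["State"]
        if port != 514:
            findings.append(f"target {ip}: port {port}, expected 514")
        if state != "healthy":
            findings.append(f"target {ip}: health state {state!r}")
    return findings

# Constructed sample data (placeholder IPs, not from a real account).
SAMPLE_GROUP = dict(EXPECTED, TargetGroupName="vlc")
SAMPLE_ATTRS = [{"Key": "stickiness.enabled", "Value": "true"},
                {"Key": "stickiness.type", "Value": "source_ip"}]
SAMPLE_HEALTH = [
    {"Target": {"Id": "10.0.1.10", "Port": 514}, "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.2.10", "Port": 514}, "TargetHealth": {"State": "healthy"}},
]

if __name__ == "__main__":
    for finding in audit_target_group(SAMPLE_GROUP, SAMPLE_ATTRS, SAMPLE_HEALTH) or ["OK"]:
        print(finding)
```

A target that stays in a state other than healthy means the TCP health check on port 514 is failing for that vLC, so log traffic is not being balanced across both collectors.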

Deploy a network load balancer

  1. In the Load Balancing section, click Load Balancers.
  2. Click Create load balancer.
  3. In the Network Load Balancer section, click Create.
  4. In the Basic configuration section, configure these settings:
    • Load balancer name — Enter a name for the load balancer.
    • Scheme — Select Internal.
    • IP address type — Select IPv4.
  5. In the Network mapping section, configure these settings:
    • VPC — Select the VPC that the vLC is deployed to.
    • Mappings — Select the availability zones of the networks you want to mirror.
  6. In the Security groups section, select the same security groups as the vLCs.
    Note: Remove any security group that was pre-populated.
  7. In the Listeners and routing section, configure these settings:
    • Protocol — Select TCP_UDP.
    • Port — Enter 514.
    • Default action — Select the target group created in Create a target group for the network load balancer.
    • Attribute (Optional) — If you have subnets in different zones, enable Cross-zone load balancing.
    • Keep the remaining fields as default.
  8. Click Create load balancer.

Configure log sources to send data to the NLB

  1. Sign in to the EC2 management console.
  2. Go to Load Balancing > Load Balancers.
  3. Under Network & Security, select Network Interfaces.
  4. Search for your recently created NLB.
  5. Locate the IP address for the NLB, which is listed under Primary private IPv4 address.
  6. Configure syslog forwarding from your log sources to send log data to the IP address of the AWS NLB.
    Note: If you use AD Sensor and NXLog, we recommend reconfiguring them to send log data to the IP address of the AWS NLB. Contact your CST for assistance.
    After you have completed the high availability configuration, contact your Arctic Wolf Concierge Security® Team (CST) to confirm that configuration was successful.