Legacy Virtual Log Collector Installation in a VMware Environment

Updated Apr 3, 2024

This procedure is for Arctic Wolf® virtual appliance images that were downloaded before June 14, 2023. For appliance images that were downloaded on or after June 14, 2023, see Install a vLC on a standalone ESXi server.

Install a vLC using VMware vSphere

You can install and manage a Virtual Log Collector (vLC) by downloading the vLC as an OVA package and deploying it onto a VMware ESXi hypervisor.

Requirements

Note: Reducing and/or limiting resource allocations below the specified requirements impacts vLC performance.

Steps

  1. Deploy the vLC OVA using the vCenter Server.
  2. (Optional) Encrypt the vLC VM.
  3. Verify that the vLC deployed correctly.
  4. Connect the vLC to the Arctic Wolf Platform.
  5. Activate the vLC.

Notes:

  • Each vLC VM only supports a single network interface. If you need additional network interfaces, you must deploy additional vLC VMs.
  • If deploying multiple vLC instances, Arctic Wolf recommends reusing the OVA file. You must repeat the installation and activation process for each vLC.
  • Cloning a vLC instance is not supported because this method introduces operational errors in both the original vLC and the cloned instance.

Step 1: Deploy the vLC OVA using vCenter Server

  1. Open the Deploy OVF Template wizard.

  2. In the Select an OVF template section, select the virtual appliance OVA file, and then click Next.

  3. In the Select a name and folder section, enter a name for the virtual machine (VM) of the virtual appliance, for example <site_name>_Arctic-Wolf, select the VM folder that it will deploy to, and then click Next.

  4. In the Select a compute resource section, select the ESXi host or cluster that you want to deploy the virtual appliance to, and then click Next.

  5. In the Review details section, verify the VM template details that you set, and then click Next.

  6. In the Configuration section, select Virtual Log Collector (vLC).

  7. In the Select Storage section:

    1. Select the virtual disk format and the storage volume that you want to deploy the virtual appliance to.
    2. Click Next.
  8. Under Select networks:

    1. Choose the Destination Network to connect the vLC to. Log traffic is sent to the vLC over this network.

      Notes:

      • If your firewall performs SSL/TLS inspection, allowlist the sensor management IP address and verify that your firewall allows outbound access from that IP address over port 443 to all required IP addresses. To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click > Allowlist Requirements, and then view the IP addresses in the section for your product.

      • Check whether other applications or services might prevent the vLC from communicating with Arctic Wolf.

      • Make sure the Arctic Wolf endpoints have been added to allowlists for any IDS or Layer 7 inspection devices within your environment. Arctic Wolf uses OpenVPN to complete the secure connection to the Arctic Wolf infrastructure.

    2. Click Next.

  9. If you are configuring a proxy server, in the Customize template section, configure these settings:

    1. Select the Use Proxy checkbox.
    2. In the Proxy Server IP field, enter the proxy server IP address.
    3. In the Proxy server port field, enter the proxy server port number.
    4. Configure other fields as needed, and then click Next.
  10. In the Additional settings section:

    Tip: If needed, expand these fields to set the corresponding values.

    1. In the Identification field, enter a short name to identify the virtual appliance instance in the MDR Dashboard.

    2. In the Network Configuration field, select DHCP or enter a static IP address for the virtual appliance network interface configuration.

      Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors, or assign a static IP address.

    3. Click Next.

  11. In the Ready to complete section, review the summary of the virtual appliance deployment, and then click Finish to start the deployment.

    Note: The OVA image can take a while to upload. You can see the progress of the upload in the Recent Tasks tab in the vSphere Client.

  12. After the deployment is complete, turn the virtual appliance VM power on.

Step 2: (Optional) Encrypt the vLC VM

While optional, Arctic Wolf strongly recommends that you encrypt the virtual appliance. This provides one more layer of protection to all data that is stored on or moving through the appliance.

See the VMware vSphere product documentation for steps to encrypt an existing virtual machine or virtual disk.

Step 3: Verify that the vLC deployed correctly

  1. If the virtual appliance is off, power on the virtual appliance VM.
  2. In the vCenter Server or vSphere Client, make sure the virtual appliance VM is running.
  3. Verify that the VM IP address is reported in the VM summary.
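
The following PowerShell example is added here and is not part of the Arctic Wolf documentation. It checks a deployed vLC VM against the Step 3 checks, the single-interface note, the Step 2 encryption recommendation, and the vApp Options warning in the reconfiguration section. The function names and the sample VM are hypothetical, and treating a non-null Config.KeyId as "encrypted" assumes the VM home was encrypted through vSphere VM encryption.

```powershell
# Added example (not Arctic Wolf code). Function names are hypothetical.
# Test-VlcVmPosture takes plain values, so it also runs offline on the sample below.
function Test-VlcVmPosture {
    param(
        [string]   $Name,
        [string]   $PowerState,          # 'PoweredOn' when the VM is running
        [string[]] $IPAddress,           # addresses shown in the VM summary
        [int]      $NicCount,
        [bool]     $VAppOptionsEnabled,
        [bool]     $Encrypted
    )
    $findings = @()
    if ($PowerState -ne 'PoweredOn') { $findings += 'FAIL: VM is not running (Step 3)' }
    if (-not $IPAddress)             { $findings += 'FAIL: no IP address reported in the VM summary (Step 3)' }
    if ($NicCount -ne 1)             { $findings += "FAIL: $NicCount network interfaces; a vLC VM supports one" }
    if (-not $VAppOptionsEnabled)    { $findings += 'FAIL: vApp Options disabled; network properties are lost' }
    if (-not $Encrypted)             { $findings += 'WARN: VM is not encrypted (Step 2, recommended)' }
    [pscustomobject]@{
        Name     = $Name
        Pass     = @($findings -like 'FAIL*').Count -eq 0
        Findings = $findings
    }
}

# Reads the same values from vCenter with VMware PowerCLI.
# Assumes an existing Connect-VIServer session.
function Get-VlcVmFacts {
    param([Parameter(Mandatory)] $VM)
    $config = $VM.ExtensionData.Config
    @{
        Name               = $VM.Name
        PowerState         = [string]$VM.PowerState
        IPAddress          = @($VM.Guest.IPAddress | Where-Object { $_ })
        NicCount           = @(Get-NetworkAdapter -VM $VM).Count
        VAppOptionsEnabled = $null -ne $config.VAppConfig   # unset once vApp Options are disabled
        Encrypted          = $null -ne $config.KeyId        # set when the VM home is encrypted
    }
}

# Constructed sample: a running VM to which a second NIC was added, left unencrypted.
$sample = @{
    Name = 'HQ_Arctic-Wolf'; PowerState = 'PoweredOn'; IPAddress = @('192.0.2.10')
    NicCount = 2; VAppOptionsEnabled = $true; Encrypted = $false
}
Test-VlcVmPosture @sample | Format-List

# Live use:
#   $facts = Get-VlcVmFacts -VM (Get-VM -Name '<site_name>_Arctic-Wolf')
#   Test-VlcVmPosture @facts
```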

Step 4: Connect the vLC to the Arctic Wolf platform

  1. Select one of these options to open the newly deployed virtual appliance VM console:

    • Launch Web Console — Opens the VM console in a web browser window.
    • Launch Remote Console — Launches the VMware Remote Console application.
  2. Look for a QR code:

    • If a QR code appears — Continue to the next step.
    • If a QR code does not appear — The virtual appliance cannot access the services required to connect, likely because of internet connectivity.
  3. Connect the virtual appliance to the Arctic Wolf Platform using one of these methods:

    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.

      Tip: If needed, sign in to your Arctic Wolf account on your mobile device as part of this process.

    • In a web browser — Enter the URL that appears below the QR code. Or, go to https://auth.arcticwolf.com/activate, and then enter the eight-character device activation code displayed in the console window in this hyphenated format: AAAA-AAAA.

    Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to sign in to the MDR Dashboard, and then click Accounts > Arctic Wolf Appliance Management.

Step 5: Activate the vLC

Note: Only the user who completed Step 4 (Connect the vLC to the Arctic Wolf platform) can activate a deployed vLC.

  1. Sign in to the MDR Dashboard.

  2. Click Accounts > Arctic Wolf Appliance Management.

  3. Find the appliance that you want to activate.

  4. In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, the Arctic Wolf logo appears in the console. The logo can take up to 15 minutes to appear.

    If the logo does not appear after 15 minutes, contact your Concierge Security® Team (CST) at security@arcticwolf.com.

The activated vLC can now collect and forward security-relevant logs.

Reconfigure a vLC using VMware vSphere

You can change these network settings for a deployed Arctic Wolf :

To change these settings:

  1. Shut down the virtual appliance that you want to reconfigure.

  2. Wait for the VM to shut down.

  3. In vCenter Server or vSphere Client, select the Configure tab.

  4. Select vApp Options from the navigation pane.

    Note: Do not disable vApp Options for a deployed virtual appliance. Disabling this functionality removes all properties used to configure the network settings of the VM.

  5. For each network setting you want to configure, complete these steps:

    1. In the Properties section, select the virtual appliance item that you want to reconfigure.

      For example, select the option that lets you reconfigure the network interface.

    2. Above the table, click Set Value and enter the new value for the property.

      Note: Do not click Edit. The Edit option lets you edit the name of the property, not the value assigned to it.

  6. Restart the virtual appliance VM.

Uninstall a vLC using VMware vSphere

  1. Decommission the sensor:

    1. Sign in to the MDR Dashboard.
    2. Click Account > Arctic Wolf Appliance Management.
    3. Find the appliance that you want to decommission.
    4. In the Actions column, click Decommission Virtual Appliance, and then select Decommission Virtual Appliance when prompted.
  2. Power down the virtual appliance VM.

  3. In the vCenter Server or vSphere Client, select the virtual appliance deployment, and then select Delete from Disk.