Arctic Wolf Appliances


vLC Installation in an AWS Environment

Updated Apr 4, 2024

Install a vLC in an AWS environment

Notes:

  • vLCs do not support all Amazon Web Services (AWS)® service logs, including AWS Directory Service logs. Generally, if the structure of a log is not a single line of text, it is not supported.
  • vLCs do not support auto-scaling in AWS.

You can install an Arctic Wolf® Virtual Log Collector (vLC) in an AWS environment.

Before you begin

Steps

  1. Provide your AWS account IDs to Arctic Wolf.
  2. Create a vLC instance.
  3. Configure network settings for the vLC instance.
  4. Configure security group rules for the vLC instance.
  5. Launch and verify the EC2 instance.
  6. Configure the vLC.
  7. Activate the vLC.

Step 1: Provide your AWS account IDs to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.

  2. Click Telemetry Management > Connected Accounts.

  3. Click Add Account +.

  4. On the Add Account page, in the Account Type list, select Cloud Detection and Response.

  5. In the Search Services field, enter appliance.

  6. Click vSensor AMI.

  7. On the Add Account page, configure these settings:

    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the AWS account number.
  8. Click Test and Submit Credentials.

Step 2: Create a vLC instance

  1. Sign in to the AWS console.

  2. In the Amazon Machine Images (AMI) section, click Arctic Wolf Appliance-<version>.

  3. Click Launch Instance from AMI.

  4. In the Name and tags section, enter a name for the instance.

  5. In the Application and OS Images (Amazon Machine Image) section, keep the default settings.

  6. In the Key pair (login) section, click Proceed without a key pair.

  7. In the Configure storage section, keep the default settings, unless you require more storage.

  8. In the Advanced details section, for Termination Protection, select the Enable checkbox.

  9. Click Save.

  10. In the Instance Type section, select t3.large.

Step 3: Configure network settings for the vLC instance

  1. In the AWS console, in the Network settings section, click Edit.
  2. Configure these settings:
    • VPC — The VPC to deploy the instance on.

    • Subnet — The subnet to deploy the instance on.

      Notes:

      • The private or public subnet option depends on your network. Arctic Wolf recommends that you use a private subnet.
      • Do not select No preference.
    • Auto-assign public IP — Select one of these options:

      • Enable
      • Disable — If you use a private subnet or if your environment requires you to enter a specific IP address.

Step 4: Configure security group rules for the vLC instance

  1. Find the Firewall (security groups) section.

  2. Do one of these actions:

    • To use an existing security group — Click Select an existing security group, select the appropriate security group, and then continue to Step 5: Launch and verify the EC2 instance.
    • To create a new security group — Click Create a new security group.
  3. Remove default security rules.

  4. In the Security group name section, enter a name for the security group.

  5. In the Description section, enter a description for the security group.

  6. Add rules to enable:

    • All outgoing traffic

      Note: There could be a rule allowing all outgoing traffic by default.

    • Incoming traffic from the addresses or subnets of the log sources to be ingested by the vLC on these network ports, as applicable for the environment:

      • UDP port 514 for plaintext syslogs over UDP
      • TCP port 514 for plaintext syslogs over TCP
      • TCP port 6514 for TLS-encrypted syslogs
      • TCP port 9081 for logs in the Bluecoat SG format
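
Added example (not part of the Arctic Wolf procedure or tooling): a Python check that takes the IpPermissions list of a security group, in the shape returned by `aws ec2 describe-security-groups`, and reports inbound rules that go beyond the ports and log-source subnets listed in this step. The function name, the sample rules, and the 10.20.0.0/24 log-source subnet are constructed for illustration.

```python
import ipaddress

# Inbound (protocol, port) pairs listed in Step 4 for log ingestion.
VLC_PORTS = {
    ("udp", 514): "plaintext syslog over UDP",
    ("tcp", 514): "plaintext syslog over TCP",
    ("tcp", 6514): "TLS-encrypted syslog",
    ("tcp", 9081): "Bluecoat SG format logs",
}

def audit_ingress(ip_permissions, log_source_cidrs):
    """Return findings for inbound rules wider than Step 4 describes.

    Only CIDR sources are evaluated; rules that reference other security
    groups or prefix lists need a manual review.
    """
    allowed = [ipaddress.ip_network(c) for c in log_source_cidrs]
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None:      # "-1" means every protocol and port
            label, port_ok = "all traffic", False
        else:
            label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            port_ok = lo == hi and (proto, lo) in VLC_PORTS
        if not port_ok:
            findings.append(f"{label}: not a vLC ingestion port")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            # The source must sit entirely inside a known log-source subnet.
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{label}: source {net} is not a listed log source")
    return findings

# Constructed sample: one correct rule, one open to the internet, one extra port.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 6514, "ToPort": 6514,
     "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
    {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.15/32"}]},
]
SAMPLE_LOG_SOURCES = ["10.20.0.0/24"]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_PERMISSIONS, SAMPLE_LOG_SOURCES):
        print(finding)
```

An empty result means every inbound rule matches a listed ingestion port and a known log-source subnet.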

Step 5: Launch and verify the EC2 instance

  1. Click Launch Instance.

  2. Click the instance ID, where the ID value is i-<hexadecimals>.

  3. Click the instance ID to view details.

    Note: If the instance ID does not appear, refresh the page.

  4. Verify that the Instance state is Running.

Step 6: Configure the vLC

Tip: During this procedure, see the Serial Console User Guide for more information.

  1. If you have not used the serial console before, complete these steps to configure serial console access:

    1. Click Actions > Account Attributes.
    2. In the Account Attributes section, select EC2 Serial Console.
    3. In the EC2 Serial Console section, select the Allow checkbox.
    4. Click Update.
  2. In the EC2 management console, select Instances, and then enter the vLC instance ID.

  3. Click Actions > Monitor and Troubleshoot > EC2 Serial Console > Connect.

  4. When prompted, or if the screen is blank, press the Enter key three times.

    Note: If you selected an unsupported EC2 instance type, an error message displays. To continue, terminate the vSensor and create a new one with a supported EC2 instance type.

  5. Click Next.

    A series of connectivity checks begins.

  6. If a connectivity check fails, edit the VPC, subnet, or security group as needed, and then complete the connectivity checks again.

  7. When the connectivity check passes, click Next.

  8. In the Shorthand section, enter a name for the vLC in the MDR Dashboard.

  9. Select the VLC deployment type.

  10. Click Next.

  11. When prompted, do one of these actions to connect the virtual appliance to the Arctic Wolf Platform:

    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.

      Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    • In a web browser — Enter the displayed URL into the URL field, and then follow the on-screen prompts.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to sign in to the MDR Dashboard, and then click Accounts > Arctic Wolf Appliance Management.

Step 7: Activate the vLC

Note: Only the user who completed Step 6: Configure the vLC can activate the vLC.

  1. Sign in to the MDR Dashboard.

  2. Click Account > Arctic Wolf Appliance Management.

  3. Find the appliance that you want to activate.

  4. In the Actions column, click Activate <appliance>, and then click Activate <appliance> when prompted.

    The console displays Appliance activation in progress, please wait.

  5. When prompted, press Enter three times to activate the console.
