You want to install additional remote collectors on VMs to use with Snare for Windows log collection.
Or you are using an old Sensage AP 5.X system (RHEL 5/6) but want to install standalone collectors manually on new RHEL 7 or 8 systems.
Essentially you are seeking an alternative to collect Windows logs using Sensage AP 6.X/20XX.X remote collectors retrieving logs via Snare agents.
Sensage AP 6.X/20XX.X is currently supported only on RHEL 6 and 7, so the Sensage installation would need to be done on RHEL 7. See this article.
Installing Sensage AP 20XX.X standalone collectors by manual package installation is not supported, as the install is designed to be performed from the Ambari Deployment interface.
Installing Sensage AP 20XX.X requires a head node, where the full Sensage AP installation is done with the mandatory components. The head node can operate as a remote collector as well. From this head node, the centralized Ambari Deployment interface can be used to install many new remote collector servers.
Note: This installation process requires root access. For customers where SenSage Admins have a rootless environment, the SA (SysAdmin) team will perform tasks that require root-level access.
Install the Ambari agent in unattended mode after installing the Sensage AP Ambari server install interface.
The Ambari agent unattended install requires root:
The installation will install a small SLS instance in the Ambari host, so a Sensage AP license will be needed. After the installation ends, you will have the collector component successfully installed in the collector node:
And using the Ambari interface, you will be able to add more collectors by using the Add new Hosts option:
Once the remote collectors are installed, they can operate as standalone.
The Sensage AP 20XX.X remote collectors can be integrated with the Sensage 5.0.1 load collector via daisy chain, because files are transferred between the remote and load collectors over SFTP, which is a standard protocol. Setting up SSH trust between the load collector and the Sensage AP 20XX.X remote collectors will allow the daisy chain retrievers to work as expected.
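One way to keep that SSH trust limited to file transfer, as an added example that is not taken from the Sensage documentation: the function below turns the load collector's public key into an `authorized_keys` entry for a remote collector that permits SFTP only, from a single source address. It assumes the load collector is the SSH client, that the retriever needs nothing beyond the SFTP subsystem, and OpenSSH 7.2 or later on the remote collector; the function name, key, comment and address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sensage code). Assumption: the load collector connects to the
# remote collector as an SSH client and only ever needs SFTP.

# build_sftp_only_entry PUBKEY_LINE SOURCE_IPV4
# Prints an authorized_keys line that pins the key to one address and to SFTP.
build_sftp_only_entry() {
    pubkey_line=$1
    source_addr=$2
    nl='
'
    # A public key file is a single line: "type base64 [comment]".
    case $pubkey_line in
        *"$nl"*) echo "error: expected a single-line public key" >&2; return 1 ;;
    esac
    key_type=${pubkey_line%% *}
    rest=${pubkey_line#* }
    key_blob=${rest%% *}
    case $rest in
        *" "*) comment=${rest#* } ;;
        *)     comment= ;;
    esac
    # Reject input that already carries options (e.g. command="...") or an odd type.
    case $key_type in
        ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) echo "error: unexpected key type: $key_type" >&2; return 1 ;;
    esac
    # Character-set check only: the key material must look like base64.
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "error: key material is not base64" >&2; return 1 ;;
    esac
    # IPv4 literal characters only, so from= cannot hold a wildcard or hostname.
    case $source_addr in
        ''|*[!0-9.]*) echo "error: source must be an IPv4 literal" >&2; return 1 ;;
    esac
    # restrict: no pty, no port/agent/X11 forwarding (OpenSSH 7.2+).
    # command="internal-sftp": any session with this key is an SFTP session, never a shell.
    entry="restrict,from=\"$source_addr\",command=\"internal-sftp\" $key_type $key_blob"
    if [ -n "$comment" ]; then
        entry="$entry $comment"
    fi
    printf '%s\n' "$entry"
}

# Constructed key and documentation-range address, for illustration only.
build_sftp_only_entry \
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly retriever@loadcollector" \
    "192.0.2.10"
```

Append the printed line to the `~/.ssh/authorized_keys` file of the account the retriever logs in as on each remote collector, then confirm that an interactive `ssh` login with that key is refused while `sftp` still works.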