Cloning Windows Server Sensor VMs

This topic describes how clone a virtual machine with the Windows Server Sensor installed so that it can be reused elsewhere in your virtual environment.

The Challenge

Windows Server Sensors are uniquely identified by an Engine ID. No two Server Sensors can share the same Engine ID. Cloning a VM with the Windows Server Sensor installed results in two Server Sensors with the same Engine ID.

The Solution

You can get around this issue by resetting Engine IDs on individual VMs as you clone them. However, this can be tedious when you are creating multiple clones from a single VM.

As an improved solution, you can create a VM that can be used as a clone template by deleting the Windows Registry keys that contain the Engine ID. Then you can shut down the VM, clone it multiple times, and restart both the source and the clones. Both the source Server Sensor and each of the clones receive new, unique Engine IDs when they are restarted.

DP Settings Retained

You will have to reapply a token used to authorize and configure the Server Sensors. Once you have done so, the clones will automatically register themselves with the DP from which you obtained the token.

The Procedure

The following procedure describes how to clone a VM with the Windows Server Sensor installed:

  1. Open the Registry Editor on the VM where the Windows Server Sensor is installed.

  2. Delete the following Registry Keys depending on whether you installed a 32-bit or 64-bit server sensor:

    32-Bit (x86) Server Sensors:

    Copy 
    HKEY_LOCAL_MACHINE\\SOFTWARE\\StellarCyber\\engid_method
    HKEY_LOCAL_MACHINE\\SOFTWARE\\StellarCyber\\engid_val
    HKEY_LOCAL_MACHINE\\SOFTWARE\\StellarCyber\\internal_engid_val

    64-Bit (x64) Server Sensors:

    Copy 
    HKEY_LOCAL_MACHINE\\SOFTWARE\WOW6432Node\engid_method
    HKEY_LOCAL_MACHINE\\SOFTWARE\WOW6432Node\engid_val
    HKEY_LOCAL_MACHINE\\SOFTWARE\WOW6432Node\internal_engid_val

  3. Shut down the host VM so that it can be cloned.

  4. Clone the VM.

  5. Start the cloned and source VMs

  6. Reapply the token used to authorize and configure the cloned Server Sensors.