Creating a Clone Template for Linux Server Sensor VMs

This topic describes how to create a clone template from a virtual machine with the Linux Server Sensor installed so that it can be duplicated and reused elsewhere in your virtual environment. The topic describes how to do this in AWS, but the same procedure can be used in other virtual environments, all of which provide tools to duplicate virtual machines.

The Challenge

Linux Server Sensors are uniquely identified by an Engine ID. No two Server Sensors can share the same Engine ID. Cloning a VM with the Linux Server Sensor installed results in two Server Sensors with the same Engine ID.

The Solution

You can get around this issue by resetting Engine IDs on individual VMs as you clone them. However, this can be tedious when you are creating multiple clones from a single VM.

As an improved solution, Stellar Cyber provides a clone template feature that temporarily removes the Engine ID from the Server Sensor so that it can be shut down, cloned, and then restarted. Both the source Server Sensor and each of the clones receive new, unique Engine IDs when they are restarted.

DP Settings Retained

Both the source Server Sensor and each of the clones retain the set cm/set aggregator settings from the source Server Sensor. Clones automatically add themselves to the same managing DP and must be authorized there. The source Server Sensor does not need to be reauthorized even though it will have a new Engine ID after it is restarted.

The Procedure

The following procedure describes how to use the clone template feature:

  1. Open an SSH connection to the Linux Server Sensor VM and start the sensor CLI with the following command:

    $ aella_cli

    Caution: The next step shuts down the Stellar Cyber services for the Server Sensor, temporarily taking it offline from the DP. Make sure you are ready to do this.

  2. Create a clone template from the VM with the following command:

    DataSensor> create sensor_clone_template

  3. Confirm your decision to create the template at the sensor's prompt.

    Once you confirm your decision, the following takes place:

    • The Stellar Cyber services for the Server Sensor are shut down. The host VM itself is not shut down.

    • The Engine ID is removed.

  4. Shut down the host Linux VM so that it can be cloned.

  5. Open the AWS Console and navigate to the EC2 | Instances list.

  6. Right-click the entry for the Linux Server Sensor VM and select Images and templates | Create image from the context menu that appears.

  7. Use the AWS documentation to complete creation of the image(s). When the new image(s) restart, they automatically generate new, unique Engine IDs and add themselves to the same DP as the source Server Sensor.

  8. Authorize the cloned Server Sensors.

  9. Restart the clone source Linux Server Sensor. It automatically generates a new Engine ID for itself and also must be reauthorized.
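
Steps 4 through 6 can also be scripted with the AWS CLI. The following is an added example, not Stellar Cyber code: the function name and its confirmation argument are hypothetical, and it assumes the clone template was already created on the sensor (steps 1 through 3), which the script cannot verify itself.

```shell
#!/usr/bin/env bash
# Added example: AWS CLI equivalent of steps 4-6 (stop the host VM, then image it).
# image_sensor_template is a hypothetical helper name, not a Stellar Cyber command.
#
# Usage: image_sensor_template INSTANCE_ID IMAGE_NAME yes
#   The third argument is the operator's assertion that
#   'create sensor_clone_template' was run and confirmed on the sensor.
# Prints the new AMI ID on success.
image_sensor_template() {
    local instance_id="$1"
    local image_name="$2"
    local confirmed="${3:-no}"
    local state ami_id

    # An image taken without the template step would carry the Engine ID
    # into every clone, so refuse to continue unless the operator confirms it.
    if [ "$confirmed" != "yes" ]; then
        echo "refusing: run 'create sensor_clone_template' on the sensor first" >&2
        return 2
    fi

    # Step 4: shut down the host VM and wait until EC2 reports it stopped.
    aws ec2 stop-instances --instance-ids "$instance_id" >/dev/null || return 1
    aws ec2 wait instance-stopped --instance-ids "$instance_id" || return 1

    # Re-check the state just before imaging. A sensor that has restarted
    # generates a new Engine ID, and imaging it would duplicate that ID.
    state=$(aws ec2 describe-instances --instance-ids "$instance_id" \
        --query 'Reservations[0].Instances[0].State.Name' --output text) || return 1
    if [ "$state" != "stopped" ]; then
        echo "refusing: instance state is '$state', expected 'stopped'" >&2
        return 3
    fi

    # Steps 5-6: create the image and wait until it is usable for launches.
    ami_id=$(aws ec2 create-image --instance-id "$instance_id" \
        --name "$image_name" --query 'ImageId' --output text) || return 1
    aws ec2 wait image-available --image-ids "$ami_id" || return 1
    printf '%s\n' "$ami_id"
}
```

Instances launched from the resulting image still have to be authorized on the DP, as described in step 8.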

Clone Templates for Linux Server Sensors Only

The clone template feature can only be used with Linux Server Sensors. If you need to create multiple virtual device sensors, simply redeploy the cloud-specific template for the device sensor multiple times using the instructions for your virtual environment: