Cloning Windows Server Sensor VMs

This topic describes how to clone a virtual machine with the Windows Server Sensor installed so that it can be reused elsewhere in your virtual environment.

The Challenge

Windows Server Sensors are uniquely identified by an Engine ID. No two Server Sensors can share the same Engine ID. Cloning a VM with the Windows Server Sensor installed results in two Server Sensors with the same Engine ID.

The Solution

You can get around this issue by resetting Engine IDs on individual VMs as you clone them. However, this can be tedious when you are creating multiple clones from a single VM.

As an improved solution, you can create a VM that can be used as a clone template by deleting the Windows Registry keys that contain the Engine ID. Then you can shut down the VM, clone it multiple times, and restart both the source and the clones. Both the source Server Sensor and each of the clones receive new, unique Engine IDs when they are restarted.

DP Settings Retained

Both the source Server Sensor and each of the clones retain the set cm/set aggregator settings from the source Server Sensor. Clones automatically add themselves to the same managing DP. Because the Engine IDs have changed, both the source Server Sensor and the clones must be authorized on the managing DP.

The Procedure

The following procedure describes how to clone a VM with the Windows Server Sensor installed:

  1. Open the Registry Editor on the VM where the Windows Server Sensor is installed.

  2. Delete the following Registry Keys depending on whether you installed a 32-bit or 64-bit server sensor:

    32-Bit (x86) Server Sensors:

    HKEY_LOCAL_MACHINE\SOFTWARE\StellarCyber\engid_method
    HKEY_LOCAL_MACHINE\SOFTWARE\StellarCyber\engid_val
    HKEY_LOCAL_MACHINE\SOFTWARE\StellarCyber\internal_engid_val

    64-Bit (x64) Server Sensors:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\engid_method
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\engid_val
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\internal_engid_val

  3. Shut down the host VM so that it can be cloned.

  4. Clone the VM.

  5. Start the cloned and source VMs.

  6. Authorize the cloned and source Server Sensors.
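
Steps 2 and 3 can be scripted when preparing a clone template. The following PowerShell script is an added example, not vendor-supplied code: the `SensorBitness` and `Shutdown` parameters and the `Get-EntryKind` helper are hypothetical names, and the registry locations are copied from step 2. It removes each entry whether it exists as a key or as a named value, and refuses to shut down if any entry is still present.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Parameter and function names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('x86', 'x64')][string]$SensorBitness = 'x64',
    [switch]$Shutdown   # also perform step 3 once the entries are gone
)

# Registry locations copied verbatim from step 2 of the procedure.
$targets = @{
    x86 = 'HKLM:\SOFTWARE\StellarCyber\engid_method',
          'HKLM:\SOFTWARE\StellarCyber\engid_val',
          'HKLM:\SOFTWARE\StellarCyber\internal_engid_val'
    x64 = 'HKLM:\SOFTWARE\WOW6432Node\engid_method',
          'HKLM:\SOFTWARE\WOW6432Node\engid_val',
          'HKLM:\SOFTWARE\WOW6432Node\internal_engid_val'
}

# Report whether a listed entry exists as a registry key, a named value, or not at all.
function Get-EntryKind([string]$Path) {
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    if (Test-Path -LiteralPath $Path) { return 'Key' }
    if ((Test-Path -LiteralPath $parent) -and
        (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue)) {
        return 'Value'
    }
    return 'None'
}

foreach ($path in $targets[$SensorBitness]) {
    $kind = Get-EntryKind $path
    if ($kind -eq 'None') { Write-Verbose "Not present: $path"; continue }
    if (-not $PSCmdlet.ShouldProcess($path, "Remove registry $kind")) { continue }
    if ($kind -eq 'Key') {
        Remove-Item -LiteralPath $path -Recurse -Force
    } else {
        Remove-ItemProperty -LiteralPath (Split-Path $path -Parent) -Name (Split-Path $path -Leaf) -Force
    }
}

# A template that still carries an Engine ID would produce duplicate sensors, so verify first.
$left = @($targets[$SensorBitness] | Where-Object { (Get-EntryKind $_) -ne 'None' })
if ($left.Count -gt 0 -and -not $WhatIfPreference) {
    throw "Engine ID entries still present: $($left -join ', ')"
}
if ($Shutdown -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Shut down for cloning')) {
    Stop-Computer -Force
}
```

Run it with `-WhatIf` first to list what would be removed without changing the registry.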