Deploying Server Sensors

Stellar Cyber uses a wide variety of sensors to collect data to ingest into its security database. One type of sensor is a Server Sensor. Server Sensors are installed on a host as a system daemon process. The System | Agents screen helps you deploy both Linux and Windows Server Sensors, with a separate tab for each.

For more information regarding sensors that are currently installed, see the Sensor Overview page.

Linux Deployment

The Linux deployment option appears by default when the System | Agents screen first appears.

The Linux deployment leverages the widely-used Ansible system. The user must provide a playbook file (which contains the instructions on how to install the agent software) and an inventory file (which contains a list of target systems). See the following section for sample files.

The controls on this screen include:

  • Select Playbook File – This is a browser file-select tool to select the file on the local system that contains the Ansible playbook.

  • Select Inventory File – This is a browser file-select tool used to select the file on the local system that contains the Ansible inventory file.

  • Upload – Select to upload the files selected above.

  • Deploy – Select to initiate execution of the Ansible playbook.

The right-hand side of the screen shows the current status log. It updates once a deployment is in progress.

Sample Ansible Files

The following files are provided to illustrate how the Ansible files might appear. Some modification of these files to accommodate the local installation will be required.

These files may be used via the user interface as described above or run from an Ansible administrator system.

Playbook file

The playbook file is a YAML-format file similar to the following:

---
- hosts: target
  become_method: sudo
  become: yes
  gather_facts: true
  vars:
    # cm_ip is the address of the data processor that the sensor sends data to
    cm_ip: 192.168.1.223
    cloud_url: acps.stellarcyber.ai
    version: 3.8.0
  tasks:
    # Note: curl -k skips TLS certificate verification for the installer download
    - name: Installing Data Sensor Agent - CentOS/Redhat - Please wait...
      when: (ansible_distribution == "CentOS" or ansible_distribution == "Red Hat Enterprise Linux") and (cloud_url == "acps.stellarcyber.ai")
      shell: |
        curl -k -u user310:HMTe3dJ3cmAPK https://{{cloud_url}}/release/{{version}}/datasensor/ds_centos_install.sh -o /tmp/ds_centos_install.sh --fail
        bash /tmp/ds_centos_install.sh -v {{version}} --cm {{cm_ip}}
      args:
        warn: off
    - name: Installing Data Sensor Agent - Ubuntu/Debian - Please wait...
      when: (ansible_distribution == "Ubuntu" or ansible_distribution == "Debian") and (cloud_url == "acps.stellarcyber.ai")
      shell: |
        curl -k -u user310:HMTe3dJ3cmAPK https://{{cloud_url}}/release/{{version}}/datasensor/ds_ubuntu_install.sh -o /tmp/ds_ubuntu_install.sh --fail
        bash /tmp/ds_ubuntu_install.sh -v {{version}} --cm {{cm_ip}}
      args:
        warn: off
    - name: Display post install message
      debug:
        msg:
          - 'Aella Agent Data Sensor Installation Done'
    - name: wait for config received from CM in case network slow
      pause: seconds=60
    - name: get hostname coming back from CM
      shell: egrep 'cm_assigned_name =' /etc/aella/aos.yaml | awk '{print $4}'
      register: device
    - name: Display Agent Assigned Name from CM
      debug: var=device.stdout
    - name: get engid
      shell: egrep 'engid =' /etc/aella/aos.yaml | awk '{print $4}'
      register: engid
    - name: Display engid
      debug: var=engid.stdout

The required modifications to this file include:

  1. In the vars: section change the cm_ip value to the IP address that is assigned to the data processor. This is the address that the installed sensor will use to send data.

The file can then be used as described above.

To download the sample Ansible install file, use the following command:

curl -k -u AellaMeta:WroTQfm/W6x10 -o aella-agent-install.yml https://acps.stellarcyber.ai/release/4.3.7/datasensor/aella-agent-install.yml

Inventory File

A sample Ansible inventory is shown as follows:

[hosts_centos]
192.168.1.113

[hosts_centos:vars]
ansible_connection=ssh
ansible_port=22
ansible_user=aella
ansible_ssh_pass=aella
ansible_become_pass=aella
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

[target:children]
hosts_centos

The modifications to this file include:

  1. Update the [hosts_centos] section to include the IP addresses of all target systems.
  2. Change the ansible_ssh_pass value.
  3. Change the ansible_become_pass value.

The file may then be used as described above.
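
As a pre-deployment check on the inventory modifications listed above, the following added example (not part of the Stellar Cyber documentation or product) scans an INI-style inventory for the unchanged sample password, plaintext secrets, and disabled SSH host key checking. The function name audit_inventory and the finding messages are assumptions; the embedded inventory is this page's sample, reproduced as constructed input.

```python
import re

# Constructed input: the sample inventory from this page, unmodified.
SAMPLE_INVENTORY = """\
[hosts_centos]
192.168.1.113

[hosts_centos:vars]
ansible_connection=ssh
ansible_port=22
ansible_user=aella
ansible_ssh_pass=aella
ansible_become_pass=aella
ansible_ssh_common_args='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

[target:children]
hosts_centos
"""

SAMPLE_DEFAULTS = {"aella"}  # password value shipped in the sample file
SECRET_KEYS = ("ansible_ssh_pass", "ansible_password", "ansible_become_pass")


def audit_inventory(text):
    """Return (line_no, finding) tuples for risky settings in an INI inventory."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue  # skip blanks, comments, section headers, bare host lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if key in SECRET_KEYS:
            if value in SAMPLE_DEFAULTS:
                findings.append((no, f"{key} still has the sample value"))
            else:
                findings.append((no, f"{key} stored in plaintext; consider ansible-vault"))
        if re.search(r"StrictHostKeyChecking\s*=\s*no", value, re.I):
            findings.append((no, "SSH host key checking disabled"))
        if re.search(r"UserKnownHostsFile\s*=\s*/dev/null", value, re.I):
            findings.append((no, "known_hosts discarded; host keys are never pinned"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"line {no}: {finding}")
```

An inventory that authenticates with ansible_ssh_private_key_file and leaves host key checking at its default produces no findings.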

To download the sample Ansible inventory file, use the following command:

curl -k -u AellaMeta:WroTQfm/W6x10 -o aella-agent-inventory https://acps.stellarcyber.ai/release/5.5.0/datasensor/aella-agent-inventory

For more information on installing Linux Agent sensors, see the Linux Agent install page.

Windows Deployment

Click the Windows tab to deploy Windows Server sensors.

There are two independent functions on this page.

  • Agent – This section configures an MSI image and downloads it to the local browser environment as an MSI file.
  • GPO - Bulk Installations – This section downloads an MST image to the local browser environment which can be used in a Windows Active Directory installation.

Agent

Supply the following information to download a customized Agent installer:

  • Architecture – Only 64-bit is supported.
  • Tenant Name – The Tenant to which the sensor will be assigned. If there is no particular tenant, use the Root Tenant option.
  • CM Address – This field accepts either an IP address or a DNS address of the Data Processor. The installed sensor will connect to this address.
  • Primary Aggregator (optional) – Select an optional primary aggregator to be used for this Server Sensor, if any. The dropdown list includes all configured aggregators.
  • Secondary Aggregator (optional) – This field appears if you select a primary aggregator. You use it to select an optional secondary aggregator to be used for this Server Sensor, if any. The dropdown list includes all configured aggregators except for the one selected as the primary aggregator.

When the form values are set, you can select the Agent Installer button. The MSI installation file will be downloaded into the download directory in the browser environment.

The form values Tenant Name and CM Address update the instructions that appear on the screen in the section. Specifically, the Tenant ID number is provided, which is needed when the agent is installed.

The downloaded file can then be transferred to a target system and either executed by double-clicking it in the File Explorer or from a command line such as the one that follows.

msiexec /i <full_path_name_of_msi_file> /quiet /norestart CM_HOST=myportal.mydomain.com TENANT_ID=62802740 TENANT_NAME=CompanyABCD

See the Windows Agent installation page for more information on working with these files.

Arguments for Command Line Installations Using msiexec

You can use the following arguments when installing the Windows Server Sensor using msiexec. As indicated in the table below, all supplied values must be enclosed in quotation marks.

| Argument (Short) | Description |
|---|---|
| CM_HOST= | Optional. You can use this argument to specify the IP address of the managing Stellar Cyber DP for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Configuring the Server Sensor in the CLI. |
| TENANT_ID= | Optional. You can use this argument to specify the tenant ID for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Configuring the Server Sensor in the CLI. |
| AGG_HOST1= and AGG_HOST2= | Optional. You can use these arguments to specify the primary and secondary aggregators for this server sensor. Alternatively, you can do it after sensor installation using the instructions in Configuring the Server Sensor in the CLI. |
| HTTP_PROXY="" | Optional. You can use this argument to specify the HTTP proxy used by the server sensor's host system, if any. If you do not specify a value for this option, the installation script attempts to determine if the host is using an HTTP proxy and automatically uses the IP address it locates, if successful. |

GPO - Bulk Installations

This section provides no options. You can click the Configuration(MST) button to download the MST file into the browser environment's local download folder.

Refer to the Microsoft Active Directory Administrator's manual for further information on working with MST files.