Accenture MDR Quick Start Guide for Amazon Web Service (AWS) Linux
This quick start guide will help Accenture MDR customers configure AWS Linux to collect logs to the Log collection Platform (LCP).
This document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
LCP | CloudWatch | 443 (TCP) | Default Port |
Configuring AWS Linux
Pre-requisites:
An AWS account that you can sign in to.
A user who's a Global Administrator or AWS EC2, System Manager, CloudWatch, IAM Administrator.
Device Configuration Steps
These steps are specifically for EC2 Instance-based Linux Deployments
Configure Unified CloudWatch Agent to fetch logs from the EC2 Linux instances.
Setup IAM Roles
Create IAM Role
b. Attach all the policies displayed in below image and save the Role.
c. Attach the Role created to Linux EC2 server.
2. To install Cloud Watch Agent on Linux server,
a. Navigate to AWS Systems Manager > Run Command
b. Select AWS-ConfigureAWSPackage
c. Add AmazonCloudWatchAgent as a Name in Command Parameter.
d. Select target Linux machine(s) where you want to install AWS CloudWatch Agent.
e. Scroll down and click Run.
f. Once the command executed. Select the instance id and view the output. There should not be any error in output.
3. Create Configurations file and save it to AWS Systems Parameter Store
a. Login to the Instance which has been selected as the target for CloudWatchAgent installation in the previous step.
b. Start terminal and launch "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard"
c. Provide the response to every query asked on the config_wizard. (Based on the requirements)
Only select “YES” for CollectD if it is installed otherwise the configuration file will fail.
d. In case of Linux, MxDR supports /var/log/secure and /var/log/messages
files so provide Log file path twice and provide appropriate Log group name as well
e. In case of SUSE, MxDR supports /var/log/messages
only.
4. Once it is done, the Systems Manager Parameter store can be checked for the newly created configuration file with the parameters provided as an input.
a. Navigate to AWS Systems Manager > Parameter Store
b. Copy the newly created Parameter Store name.
5. Start the Agent while pointing to the configuration file using AWS Systems Manager
a. In order to start the newly configured Cloud Watch Agents on the instances, we need to use Run Command.
b. Navigate to AWS Systems Manager > Run Command
c. Navigate to next page and search for the specific command using the search box.
d. Search for "AmazonCloudWatch-ManageAgent"
e. Specify the name of newly created Parameter Store Configuration file
f. Select target (Linux Machine) where you want run the command. Scroll down and click Run.
g. Use default Values for Other parameters i.e., timeout time is kept 600 Seconds
h. Keep default Rate control
i. We are not sending any events to S3 bucket for now. Keep it unchecked.
j. SNS Notifications are not enabled and once enabled can be configured with the details of the SNS. Keep it unchecked.
k. AWS command line interface (CLI) command has not been altered as utilized the default value.
l. Once complete with all the above configurations, click RUN > Systems manager will start the CloudWatch Agent on the instance and the log Flow will start.
6. Navigate to CloudWatch > Logs to see the logs getting collected. The newly created Log Groups will automatically be created once the logs are getting shipped through the instance by the agents.
In case of SUSE, we need to enable RSYSLOG traditional file format which gives timestamp in the expected format.
Please open "
/etc/rsyslog.con
f"Comment out this one line: "
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
"
Please refer below page to check required IAM user policies.
Accenture MDR Quick Start Guide in Configuring IAM User and KMS Key Policies
Below are the URL details which we need to allow for connectivity (Please identify URLs by referring AWS document according to your services and regions):
IAM: For any logging source IAM URL should be allowed
https://docs.aws.amazon.com/general/latest/gr/iam-service.html
Cloudwatch: For cloudwatch logging source, cloudwatch URL should be allowed.
https://docs.aws.amazon.com/general/latest/gr/cwl_region.html
Please note that if the LCP is installed on AWS, please select “Application running on an AWS compute service” while creating access key.
LCP Configuration Parameters:
MxDR supports log collection using role based access control (RBAC) or access key ID and secret method.
To create access key ID and secret please refer
To support log collection using RBAC please refer
Table 1-2: AWS Linux event collector (API - 3905) properties to be configured by MDR are given in the table.
Property | Access Key and Secret | RBAC |
---|---|---|
Region | Enter region (Eg: us-west-2) | Enter region (Eg: us-west-2) |
AWS Access Key ID Or Role ARN | Enter Access Key | Provide Role ARN |
AWS Secret Access Key Or External ID | Enter Secret | Enter external ID |
Logging Source | Cloudwatch | Cloudwatch |
S3 Bucket/Log Group(s)/SQS Queue URL | Provide cloudwatch log group | Provide cloudwatch log group |
Bucket Prefix Path(s) | Leave Empty | Leave Empty |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.