I Have a Corelight Sensor. What Do I Do to Make It Work with AC-Hunter?
1. Set the time zone on the sensor to UTC/GMT, or to Britain [UK]/London if that is the closest option the sensor offers. Prefer UTC where it is available: Europe/London observes British Summer Time, so for part of the year its timestamps sit one hour off UTC.
2. Configure the Corelight sensor to export its Zeek logs to your AC-Hunter box over SFTP.
a. When asked for a hostname to send the logs to, enter the IP address or hostname of your AC-Hunter box. (The sensor must be able to make outgoing SSH connections, TCP port 22, to that hostname/IP.)
b. The Username to use is “dataimport”.
c. Ask the Corelight sensor to send the logs to /opt/zeek/remotelogs/sensorname/ , where sensorname is the name of this Corelight sensor: 52 characters or fewer, drawn only from a-z A-Z 0-9 _ ^ + =
d. The Zeek log format to use is “Standard Zeek format (TSV)”.
e. The Rotation interval should be 1 hour.
f. The sensor will generate an SSH key to use; append the public key to the file /home/dataimport/.ssh/authorized_keys on your AC-Hunter box. sshd will silently ignore the key if the permissions are loose, so check that /home/dataimport/.ssh is mode 700 and authorized_keys is mode 600, both owned by dataimport.
g. Once your Corelight sensor has sent over one set of logs, find the directory that actually holds them on the AC-Hunter box. In the example above, where we asked for the files to be placed under /opt/zeek/remotelogs/sensorname/ , Corelight actually places them under /home/dataimport/opt/zeek/remotelogs/sensorname/logs/ . To make them show up in the directory AC-Hunter reads, bind-mount the real location onto the expected one by editing /etc/fstab (substitute your favorite editor):
sudo vi /etc/fstab
Add the following line, replacing both instances of sensorname and making sure the first path matches the directory where Corelight actually puts the logs:
/home/dataimport/opt/zeek/remotelogs/sensorname/logs/ /opt/zeek/remotelogs/sensorname/ none defaults,bind 0 0
Save the file and exit.
h. Run the following commands, substituting your actual sensor name for sensorname. Both the source directory and the mount point must exist before the bind mount in /etc/fstab can be applied:
sudo mkdir -p /home/dataimport/opt/zeek/remotelogs/sensorname/logs/
sudo mkdir -p /opt/zeek/remotelogs/sensorname/
sudo chown -R dataimport:dataimport /home/dataimport/opt/zeek/remotelogs/sensorname/logs/
i. Reboot the AC-Hunter box. The reboot step is required here.
j. If you’re not able to do the above for some reason, contact [email protected] and ask them to connect the upload directory to the directory where the logs are being placed.
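The following script is an added example, not Active Countermeasures' or Corelight's own tooling, that carries out steps 2.f through 2.h for one sensor in a single, repeatable run. It takes the paths, the dataimport user and the sensorname rules from the FAQ above; the function names, the optional public-key file argument and the idempotency checks (so running it twice does not add a second fstab line or a second key) are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not AC-Hunter or Corelight code): automates the AC-Hunter
# side of a Corelight log export. Paths, user and name rules come from the
# FAQ; everything else here is this example's own convention.
set -eu

DATAIMPORT_HOME=/home/dataimport
REMOTE_BASE=/opt/zeek/remotelogs

# Returns 0 if NAME follows the FAQ rule: 1..52 characters drawn from
# a-z A-Z 0-9 _ ^ + =   (inside the bracket expression ^ + = are literal).
valid_sensorname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_^+=]{1,52}$'
}

# Where the sensor really drops the logs, and where AC-Hunter expects them.
source_dir() { printf '%s%s/%s/logs/\n' "$DATAIMPORT_HOME" "$REMOTE_BASE" "$1"; }
target_dir() { printf '%s/%s/\n' "$REMOTE_BASE" "$1"; }

# The /etc/fstab bind-mount line from step 2.g, built from the sensor name.
fstab_line() {
    printf '%s %s none defaults,bind 0 0\n' "$(source_dir "$1")" "$(target_dir "$1")"
}

# Step 2.f: append the sensor's public key once and set the permissions sshd
# requires (~/.ssh 700, authorized_keys 600, both owned by dataimport).
install_sensor_key() {
    pubkey_file=$1
    ssh_dir=$DATAIMPORT_HOME/.ssh
    install -d -m 700 -o dataimport -g dataimport "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    if ! grep -qF "$(cat "$pubkey_file")" "$ssh_dir/authorized_keys"; then
        cat "$pubkey_file" >>"$ssh_dir/authorized_keys"
    fi
    chmod 600 "$ssh_dir/authorized_keys"
    chown dataimport:dataimport "$ssh_dir/authorized_keys"
}

# Steps 2.g and 2.h: create the real log directory and the mount point,
# hand the real one to dataimport, and add the bind mount exactly once.
setup_sensor() {
    name=$1
    if ! valid_sensorname "$name"; then
        echo "invalid sensor name '$name': use 1-52 chars from a-z A-Z 0-9 _ ^ + =" >&2
        return 1
    fi
    src=$(source_dir "$name")
    dst=$(target_dir "$name")
    mkdir -p "$src" "$dst"
    chown -R dataimport:dataimport "$src"
    line=$(fstab_line "$name")
    if ! grep -qF "$line" /etc/fstab; then
        printf '%s\n' "$line" >>/etc/fstab
    fi
    echo "fstab entry present for $name; reboot the AC-Hunter box now (step 2.i)."
}

# After the reboot: returns 0 only if the bind mount is active.
verify_sensor() {
    mountpoint -q "$(target_dir "$1")"
}

# Usage (as root): sh setup_sensor.sh SENSORNAME [/path/to/sensor.pub]
if [ "$#" -ge 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    setup_sensor "$1"
    if [ "$#" -ge 2 ]; then
        install_sensor_key "$2"
    fi
fi
```

The name check and the fstab line builder are pure functions, so they can be exercised without root; only setup_sensor and install_sensor_key touch the system. Run verify_sensor after the reboot to confirm the mount came up before expecting logs to appear in AC-Hunter.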
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=2031