I Have a Corelight Sensor. What Do I Do to Make It Work with AC-Hunter?


1. Set the time zone on the sensor to UTC/GMT, or to Britain [UK]/London, depending upon your available options.

2. Configure the Corelight sensor to export its Zeek logs to your AC-Hunter box over SFTP.

a. When asked for a hostname to send the logs to, enter the IP address or hostname of your AC-Hunter box. (The sensor must be able to make outgoing SSH (TCP port 22) connections to this hostname/IP.)

b. The Username to use is “dataimport”.

c. Ask the Corelight sensor to send the logs to /opt/zeek/remotelogs/sensorname/ , where sensorname is the name of this Corelight sensor. The name must be 52 characters or fewer and made up only of the following characters: a-z A-Z 0-9 _ ^ + =

d. The Zeek log format to use is “Standard Zeek format (TSV)”.

e. The Rotation interval should be 1 hour.

f. The sensor will generate an SSH key to use; append the key to the file /home/dataimport/.ssh/authorized_keys on your AC-Hunter box.

g. Once your Corelight sensor has sent over one set of logs, find the directory that holds the logs on the AC-Hunter box. In the above example, where we ask for the files to be placed under /opt/zeek/remotelogs/sensorname/ , Corelight will actually place them under /home/dataimport/opt/zeek/remotelogs/sensorname/logs/ . To make them show up in the right directory, edit /etc/fstab as follows (substitute your favorite editor):

sudo vi /etc/fstab

Add the following line, replacing both instances of the sensorname and making sure the first directory matches where Corelight sends the logs:

/home/dataimport/opt/zeek/remotelogs/sensorname/logs/ /opt/zeek/remotelogs/sensorname/ none defaults,bind 0 0

Save the file and exit.

h. Run the following commands, substituting your actual sensor name for sensorname :

sudo mkdir -p /home/dataimport/opt/zeek/remotelogs/sensorname/logs/
sudo chown -R dataimport:dataimport /home/dataimport/opt/zeek/remotelogs/sensorname/logs/

i. Reboot – the reboot step is required here.

j. If you’re not able to do the above for some reason, contact [email protected] and ask them to connect the upload directory to the directory where the logs are being placed.
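The sensor-name rules from step c and the key, directory and fstab work from steps f through h, collected into one shell script. This is an added example, not Corelight's or AC-Hunter's own tooling; it assumes the dataimport user and the paths given above, and that it is run as root on the AC-Hunter box.

```shell
#!/bin/sh
# Added example, not Corelight or AC-Hunter project code. Assumes the
# dataimport user and the paths from the FAQ, run as root on the AC-Hunter box.
set -eu

DATAIMPORT_HOME=/home/dataimport
REMOTE_LOGS=/opt/zeek/remotelogs

# The sensor name ends up in filesystem paths and in /etc/fstab, so accept
# only the FAQ's character set (a-z A-Z 0-9 _ ^ + =) and at most 52 characters.
valid_sensor_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_^+=]{1,52}$'
}

# Where Corelight really drops the logs (step g).
corelight_dir() { printf '%s/opt/zeek/remotelogs/%s/logs/' "$DATAIMPORT_HOME" "$1"; }

# Where AC-Hunter expects to read them.
achunter_dir() { printf '%s/%s/' "$REMOTE_LOGS" "$1"; }

# The bind-mount line for /etc/fstab (step g).
fstab_line() {
    printf '%s %s none defaults,bind 0 0\n' "$(corelight_dir "$1")" "$(achunter_dir "$1")"
}

# Steps f to h for one sensor: $1 = sensor name, $2 = the sensor's public key line.
setup_sensor() {
    name=$1; pubkey=$2
    valid_sensor_name "$name" || { echo "rejected sensor name: $name" >&2; return 1; }

    # Step f: append the sensor's key once, keeping sshd's permission requirements.
    keys=$DATAIMPORT_HOME/.ssh/authorized_keys
    mkdir -p "$DATAIMPORT_HOME/.ssh" && chmod 700 "$DATAIMPORT_HOME/.ssh"
    grep -qxF -- "$pubkey" "$keys" 2>/dev/null || printf '%s\n' "$pubkey" >> "$keys"
    chmod 600 "$keys"
    chown -R dataimport:dataimport "$DATAIMPORT_HOME/.ssh"

    # Step h: the upload directory, owned by dataimport, plus the mount point.
    mkdir -p "$(corelight_dir "$name")" "$(achunter_dir "$name")"
    chown -R dataimport:dataimport "$(corelight_dir "$name")"

    # Step g: add the bind mount only if it is not already in /etc/fstab.
    grep -qxF -- "$(fstab_line "$name")" /etc/fstab || fstab_line "$name" >> /etc/fstab
    echo "configured $name; reboot the AC-Hunter box to activate the bind mount (step i)"
}

# Usage: setup_sensor corelight_01 "ssh-ed25519 AAAA...constructed-key... corelight_01"
if [ "$#" -ge 2 ]; then setup_sensor "$1" "$2"; fi
```

The name check rejects anything that could escape the remotelogs tree (slashes, dots) before it reaches mkdir or /etc/fstab.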


Category: Network Sensor Management