Sending Zeek Logs to a New/Second AC-Hunter Server

If you’d like your sensors to connect to a new instance of AC-Hunter (either in addition to the old server or as a replacement for it), here are the steps.

On each Zeek server, perform the following steps:

(1) Edit /etc/cron.d/zeek_log_transport

    • If you’re sending logs to a second server: copy the existing line and, in the copy, replace the old hostname/IP with the new hostname/IP. Leave the original line in place so logs keep flowing to the old server.
    • If you’re sending logs to a new AC-Hunter server and no longer want to send logs to the old server: edit the existing line and replace the old hostname/IP with the new hostname/IP.
    • Note the user the transfer runs as. In a /etc/cron.d file it is the sixth field, immediately after the five time fields (jparker in “5 * * * * jparker ……”); the steps below must be run as that user.

(2) Under that user, ssh to the new AC-Hunter server, like:

jparker$ ssh dataimport@new_achunter_hostname

and accept the ssh key.

If you get an error message saying the “host key has changed”, stop and make sure you really did replace or reinstall the server. ssh raises this error because your new server has the same IP address or the same hostname as the old one, so the key ssh stored for it in ~/.ssh/known_hosts no longer matches. The same error on a server you did not change is the classic sign of a man-in-the-middle, and the old key should not be removed until that has been ruled out. Once you are sure the server is new, note the known_hosts line number the error message reports (“Offending … key in …/.ssh/known_hosts:N”), open ~/.ssh/known_hosts in your preferred editor, delete that line, and save the file.

Now retry the ssh command; the “host key has changed” error should be gone and you should instead be asked to accept the new ssh host key. Please do so.

If your new server has both a different hostname and a different IP address from the old server, you will not see that error; accept the new host key when asked and continue with step 3.

(3) As that same user, install the dataimport public key on the new server with the following two commands. Each command (one starting with “cat”, the other with “ssh”) must be entered on a single line, even though it may wrap in this FAQ. The first command asks for the dataimport user’s password on the remote system; the second does not, because it tests that key-only login works. Replace “newserver” with the name/IP of the new server. Note that the file piped to the new server is the public half of the key pair (id_rsa_dataimport.pub); the private key id_rsa_dataimport must never leave the sensor and is only named by -i in the second command so ssh knows which identity to test.

# 1. append the sensor's public key to dataimport's authorized_keys on the new server and lock down the permissions ssh requires
cat ~/.ssh/id_rsa_dataimport.pub 2>/dev/null | ssh "dataimport@newserver" 'mkdir -p .ssh ; cat >>.ssh/authorized_keys ; chmod go-rwx ./ .ssh/ .ssh/authorized_keys'
# 2. prove that the key alone (no password) logs in
ssh -i "$HOME/.ssh/id_rsa_dataimport" -o 'PasswordAuthentication=no' -o 'PreferredAuthentications=publickey' "dataimport@newserver" 'true' && echo "Key appears to be successfully installed"

If you get back “Key appears to be successfully installed”, you’re done with this sensor. If the second command fails, the most common cause is that ~/.ssh/id_rsa_dataimport.pub does not exist on this sensor (the 2>/dev/null on the first command hides that error, so nothing was sent); in that case use the automated script mentioned at the end of this FAQ.

(4) If you have more than one Zeek sensor that you wish to feed to this new server, log in to the next sensor and repeat from step 1.
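The four steps above collected into one script, as an added example and not the project’s own code (AC-Hunter ships its own connection script, referenced under the automated instructions). It assumes the cron file path and line shape shown in this FAQ, the key name ~/.ssh/id_rsa_dataimport from step 3, sudo for writing /etc/cron.d, and the placeholder hostnames oldserver/newserver; the sample cron line and ssh error text are constructed so the helpers can be tried offline, and only main contacts a server.

```bash
#!/usr/bin/env bash
# Added example, not the AC-Hunter project's own code: the per-sensor
# procedure above as shell functions. Assumptions: the cron file and line
# format from the FAQ ("5 * * * * jparker ..."), the key name
# ~/.ssh/id_rsa_dataimport used in step 3, sudo for writing the cron file,
# and the hostnames oldserver/newserver. No server is contacted unless main runs.

CRON_FILE="${CRON_FILE:-/etc/cron.d/zeek_log_transport}"
KEY="${KEY:-$HOME/.ssh/id_rsa_dataimport}"

# Constructed sample inputs for trying the helpers offline.
SAMPLE_CRON='# zeek log transport (constructed sample)
5 * * * * jparker /usr/local/bin/zeek_log_transport.sh oldserver'
SAMPLE_SSH_ERR='@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
Offending ECDSA key in /home/jparker/.ssh/known_hosts:7
Host key verification failed.'

# Step 1: read the cron file on stdin, print the new contents. mode=replace
# swaps old for new on the transport line; mode=add keeps that line and adds a
# copy of it that points at the new server. Comment lines are left alone.
rewrite_cron() {
  awk -v mode="$1" -v old="$2" -v new="$3" '
    /^#/ || index($0, old) == 0 { print; next }
    {
      i = index($0, old)
      line = substr($0, 1, i - 1) new substr($0, i + length(old))
      if (mode == "add") print
      print line
    }'
}

# Step 1, last bullet: the user the transfer runs as is the sixth field of the
# transport line (five time fields, then the user name).
cron_user() {
  awk -v host="$1" '$0 !~ /^#/ && index($0, host) > 0 { print $6; exit }'
}

# Step 2: pull the known_hosts line number out of a "host key has changed"
# error; OpenSSH reports it as "Offending <type> key in <file>:<line>".
known_hosts_line() {
  sed -n 's/^Offending .* key in .*known_hosts:\([0-9][0-9]*\).*$/\1/p'
}

# Step 2 caveat: drop the stored host key only after confirming the server
# really was replaced; a changed key on a server you did not touch is what a
# man-in-the-middle looks like. ssh-keygen -R removes every known_hosts entry
# for the host, so the next ssh asks you to accept the new key.
forget_old_hostkey() {
  printf 'Was %s really reinstalled or replaced? [y/N] ' "$1"
  read -r ans
  [ "$ans" = y ] || return 1
  ssh-keygen -R "$1"
}

# Step 3: install the public half of the key pair (the private key never
# leaves the sensor) and then prove that key-only login works.
install_key() {
  cat "$KEY.pub" | ssh "dataimport@$1" \
    'mkdir -p .ssh ; cat >>.ssh/authorized_keys ; chmod go-rwx ./ .ssh/ .ssh/authorized_keys'
}
verify_key() {
  ssh -i "$KEY" -o PasswordAuthentication=no -o PreferredAuthentications=publickey \
    "dataimport@$1" true
}

# Whole procedure for one sensor:  ./connect_sensor.sh replace|add oldserver newserver
main() {
  mode="$1"; old="$2"; new="$3"
  user=$(cron_user "$old" <"$CRON_FILE")
  [ -n "$user" ] || { echo "no transport line for $old in $CRON_FILE" >&2; return 1; }
  [ "$(id -un)" = "$user" ] || { echo "run this as $user, the user on the cron line" >&2; return 1; }
  tmp=$(mktemp)
  rewrite_cron "$mode" "$old" "$new" <"$CRON_FILE" >"$tmp" && sudo install -m 644 "$tmp" "$CRON_FILE"
  rm -f "$tmp"
  # Unknown host: ssh asks you to accept the key. Changed host key: ssh refuses,
  # so show the offending line and clear it only with your confirmation.
  if err=$(verify_key "$new" 2>&1); then
    echo "Key appears to be successfully installed"; return 0
  fi
  n=$(printf '%s\n' "$err" | known_hosts_line)
  if [ -n "$n" ]; then
    echo "stale host key at $HOME/.ssh/known_hosts:$n" >&2
    forget_old_hostkey "$new" || return 1
  fi
  install_key "$new" && verify_key "$new" && echo "Key appears to be successfully installed"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it on each sensor as the cron user, for example jparker$ ./connect_sensor.sh add oldserver newserver to keep feeding the old server as well, or replace to cut over. The host-key check is deliberately not automated away: the script clears a stale known_hosts entry with ssh-keygen -R only after you confirm the server was really rebuilt, and it sends only the .pub file to the new server.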

 

If the steps above do not work, you can always rerun the script that connects a Zeek sensor to AC-Hunter. Follow the commands under “Automated instructions” at https://portal.activecountermeasures.com/support/faq/?Display_FAQ=863 .

If you continue to have problems, please feel free to contact us at [email protected] .

Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=4947

Category: Logs, Databases & Storage Management