Deployment Assets: Hosts

The Hosts page lists the hosts and appliances in the selected deployment to which you provisioned agents. The Hosts page allows you to ensure your provisioned hosts and appliances always have the latest agent installed, and create both log sources and protected hosts.

Hosts appear in the table, sorted by host name. To narrow the list of hosts, you can use the search field to search for a specific host name or tag, or you can use the filters to list hosts with the following characteristics:

  • OS Type
    • Windows
    • UNIX
  • Host Status
    • Online
    • Offline
  • Host Type
    • Host
    • Host (Auto Scaling)
    • Appliance
  • Tags

The host status indicates if a host is online or offline. If a host is offline, you cannot add it as a log source or a protected host.

Edit an updates policy for a host

An updates policy schedules hosts to update to the latest version of the agent software at the agent's specified check-in. By default, Alert Logic assigns the Default Update Policy, which sends software updates, as they become available, to your hosts. If the maintenance strategy for your organization requires a scheduled maintenance window, you can specify the time frame in Updates.

Updating detection or policy configurations affects all interconnected configurations.

To edit an updates policy for a host:

  1. In the Actions column, click the pencil icon.
  2. In the Host Name field, enter a descriptive name.
  3. Select or create an updates policy as follows:
  4. In the Tags field, type a tag to use in filters. Press the Enter key to save each tag.
  5. Click Save.

Add log sources and protected hosts

From the Hosts page, you can add any online host as a log source from which Alert Logic collects log messages, or as a protected host.

Add a host as a protected host

When you create a protected host, you assign an assignment policy and a protected host policy to the appliance. Policies dictate how Network IDS interacts with its environment.

An assignment policy is a set of rules that indicates the traffic that appliances should either accept or ignore. An assignment policy directs protected hosts to encrypt traffic and send traffic to specific appliances. In a dynamic environment where IP addresses often change, an assignment policy ensures that hosts always correspond to their appliances.

To create a protected host:

  1. On the left navigation menu of the selected deployment, click Hosts.
  2. Click the Add icon for the host you want to add as a protected host.
  3. In the New Protected Host slideout panel, provide the appropriate values. Use the table below for guidance.
    | Field/Option | Description | Sample Value | Visible |
    |---|---|---|---|
    | Source Name | Name of this source. It will show on the display list and other areas of this product. | Server-tmdocs | Always |
    | Use an existing Assignment Policy | Select this option to choose a policy from the existing Assignment Policy list. | Not applicable | Always |
    | Create a new Assignment Policy | Select this option to open the Create a new Assignment Policy section. | Not applicable | Always |
    | Existing Assignment Policy list | Select a policy from this list to assign it to the protected host. | cali-ngtm-01 Assignment | Visible when Use an existing Assignment Policy is selected. |

    Create new Assignment Policy mini-form

    Visible when you select Create new Assignment Policy

    | Field/Option | Description | Sample Value | Visible |
    |---|---|---|---|
    | Appliance Assignment Policy Name | Policy name. This name will be added to the Existing Assignment Policy list. | cali-ngtm-01 Assignment | Visible when Create a new Assignment Policy is selected. |
    | Appliances/Secondary Appliances | An appliance on your network. | i-27273bcb | Visible when Create a new Assignment Policy is selected. |
    | Restrict Network | Select this option if you want to include a netmask. | Not applicable | Visible when Create a new Assignment Policy is selected. |
    | Netmask | One CIDR address. | 10.0.0.0/16; partial address specifications are not acceptable. | Visible when Create a new Assignment Policy is selected. |
    | Use existing Whitelist Policies | Select this option to choose a policy from the Existing Whitelist Policy list. | Not applicable | Visible when Create a new Assignment Policy is selected. |
    | Create a new Whitelist Policy | Select this option to open the Create a new Whitelist Policy section. | Not applicable | Visible when Create a new Assignment Policy is selected. |
    | Existing Whitelist Policy list | Select a policy from this list to assign it to the protected host. | SF01183529 Pentest | Visible when Create a new Assignment Policy and Use existing Whitelist Policies is selected. |

    Create new Whitelist Policy mini-form

    Visible when you select Create new Assignment Policy and Create a new Whitelist Policy

    | Field/Option | Description | Sample Value | Visible |
    |---|---|---|---|
    | Name | Policy name. This name will be added to the Existing Whitelist Policy list. | SF01183529 Pentest | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
    | Enabled | Select this option to activate the policy. | Not applicable | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
    | Rules | Click to add rules to the Whitelist Policy. This includes Protocol, CIDR, and Port. | Not applicable | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
    | Protocol | Select the internet protocol for the current rule. | tcp | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
    | CIDR | Type the Classless Inter-Domain Routing address for the current rule. | 10.0.0.0/16 | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |
    | Port | Type the port for the current rule. | 22 | Visible when you select Create new Assignment Policy and Create a new Whitelist Policy. |

    | Field/Option | Description | Sample Value | Visible |
    |---|---|---|---|
    | Use existing Host Policies | Select this option to choose a policy from the Existing Host Policy list. | Not applicable | Always |
    | Create new Host Policy | Select this option to open the Create a new Host Policy section. | Not applicable | Always |
    | Existing Host Policy list | Select a policy from this list to assign it to the protected host. | Default-test | Visible when Use existing Host Policies is selected. |

    Create new Host Policy mini-form

    Visible when you select Create new Host Policy

    | Field/Option | Description | Sample Value | Visible |
    |---|---|---|---|
    | Name | Policy name. This name will be added to the Existing Host Policy list. | Default-test | Visible when you select Create new Host Policy. |
    | Encrypt | Select this option to encrypt traffic from the agent to the appliance. | Not applicable | Visible when you select Create new Host Policy. |
    | Tags | A tag is a customer-defined identifier that can be assigned to one or more sources. A customer can use tags to organize or search for specific types of sources. | High usage | Always |

  4. Click SAVE.
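
A pre-check for the Netmask and whitelist rule values (Protocol, CIDR, Port) described in the table above, written as an added example and not Alert Logic code. The allowed protocol set and the rejection of CIDR values with host bits set are assumptions of this example; the page itself only gives tcp, 10.0.0.0/16 and 22 as sample values.

```python
import ipaddress

# Assumption: the page shows only "tcp" as a sample protocol; "udp" is
# added here for illustration and is not taken from the product.
ASSUMED_PROTOCOLS = {"tcp", "udp"}

def check_cidr(value):
    """Return a list of problems with one CIDR string (empty list = OK)."""
    if "/" not in value:
        return [f"{value!r}: missing /prefix length"]
    try:
        # Rejects partial addresses such as 10.0/16; strict=True also rejects
        # host bits set below the prefix (a conservative choice of this example).
        ipaddress.ip_network(value.strip(), strict=True)
    except ValueError as exc:
        return [f"{value!r}: {exc}"]
    return []

def check_rule(rule):
    """Validate one whitelist rule dict with Protocol, CIDR and Port keys."""
    problems = []
    if str(rule.get("Protocol", "")).lower() not in ASSUMED_PROTOCOLS:
        problems.append(f"unknown protocol {rule.get('Protocol')!r}")
    problems += check_cidr(str(rule.get("CIDR", "")))
    port = str(rule.get("Port", ""))
    if not (port.isdecimal() and 1 <= int(port) <= 65535):
        problems.append(f"port {port!r} is not in 1-65535")
    return problems

def check_policy(netmask, rules):
    """Map each failing input (Netmask or rule number) to its problems."""
    report = {"Netmask": check_cidr(netmask)}
    for i, rule in enumerate(rules, start=1):
        report[f"rule {i}"] = check_rule(rule)
    return {where: found for where, found in report.items() if found}

# Constructed sample input; rule 1 mirrors the sample values in the table.
SAMPLE_RULES = [
    {"Protocol": "tcp", "CIDR": "10.0.0.0/16", "Port": "22"},
    {"Protocol": "tcp", "CIDR": "10.0/16", "Port": "22"},     # partial address
    {"Protocol": "tcp", "CIDR": "10.0.0.5/16", "Port": "0"},  # host bits, bad port
]

if __name__ == "__main__":
    for where, found in check_policy("10.0.0.0/16", SAMPLE_RULES).items():
        print(where, "->", "; ".join(found))
```
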

Add a host as a log source

If you want to collect log messages from a host, you must add it as a log source and configure a log collection policy. When you configure a log source, you instruct the agent to collect logs based on the definitions within the policy.

Many log sources can belong to a given host or role; each log message originates from exactly one log source.

Available log source types are:

For all deployments:

  • Flat file logs—A collection of text-based files from the host file system
  • Syslog—A way for network devices to send event messages to a logging server
  • Windows event logs—A Windows log file that tracks significant events, like user logins or program errors, on a Windows server

For AWS deployments:

  • AWS CloudTrail logs—Log files that record AWS API calls for your account
  • AWS S3 logs—Access log records that provide details about a single access request, such as the requester, bucket name, request time, request action, response status, and any error codes

For Azure deployments:

  • Azure Activity logs—Logs that provide insight into the operations performed on resources in your subscription
  • Azure App Service web server logs—Logs that provide detailed error information for HTTP failure status codes, failed requests, or HTTP transactions using the W3C extended log file format
  • Azure SQL auditing logs—Logs that provide information on database events

Additional options

You can also mass edit hosts, archive hosts, or export a list of hosts. To access these options, click the gear icon.

Mass edit hosts

Mass edit provides the option to edit updates policies, edit tags, and archive multiple hosts at once.

To mass edit hosts:

  1. Click the gear icon in the top right corner of the page.
  2. Select Mass Edit.
  3. Under Apply changes to, select from:
    • All Hosts
    • Only Filtered Hosts
  4. Under Tags, select a tag option, and then in the Tags field, enter the applicable tag(s).
  5. Under Archive Hosts, select an option.
  6. Click Apply.

Archive or unarchive a host

Archive a host to visibly remove the entry from the Alert Logic console. After you archive it, you can bring it back with the unarchive feature.

To archive a host:

  1. Find the desired host in the Hosts list.
  2. Click the archive icon.
  3. Click ARCHIVE.

To restore an archived host:

  1. Above the Hosts list, click the Show Archive slider.
  2. In the Hosts list, find the host you want to restore, and then click the archive icon.
  3. Click UNARCHIVE.

Export hosts

You can export your hosts to a file you can save locally.

To export hosts:

  1. Click the gear icon in the top right corner of the page.
  2. Select Export.
  3. Under Export, select to export one of the following:
    • All Hosts
    • Only Filtered Hosts
  4. Select a file format from the following list of formats:
    • CSV
    • TXT
    • XLS
    • XLSX
  5. Click EXPORT.