AlienVault. Unified Security Management (USM) 4.8-5.x Initial Setup Guide




Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks, or service marks are the property of their respective owners.

Contents

- Introduction
- Audience
- Related Documentation
- Preparing for Initial Setup
- Before You Start
- DHCP or Manual Network Configuration Requirements
- Task Overview by USM Solution
- Managing USM with a Virtual Appliance
- Managing USM with a Hardware Appliance
- Local and Remote Appliance Management Requirements
- Local and Remote Appliance Management Best Practices
- Managing the USM Hardware Appliance Locally
- Managing the USM Hardware Appliance Remotely
- Recommendations Prior to Configuring IPMI
- Cabling an Appliance and Configuring Remote Management
- Cabling a USM Remote Sensor and Configuring Remote Management
- Configuring IPMI with Your Browser
- Configuring a VLAN for IPMI Access
- Configuring the Management Interface
- Configuring the Network Interface Manually
- Configuring the Network Interface to Use a DHCP Server
- Appliance Setup
- Accessing the AlienVault Setup Menu
- Changing the Root Password
- Registering the Appliance
- Registering the Appliance Online Through the AlienVault Console
- Registering Your Appliance Off Line
- Registering the Appliance with the Web UI
- Configuring the Appliance Hostname
- Changing the Default Time Zone
- Configuring the Appliance to Synchronize with an NTP Server
- Configuring USM to Recognize Your Local Keyboard
- Configuring a USM Sensor
- Configuring a USM Enterprise Server and Enterprise Database
- Configuring a Logger

Introduction

- Audience
- Related Documentation

Audience

This guide is for use by AlienVault Unified Security Management (USM) v4.8-5.x customers who must set up the All-in-One or Standard/Enterprise versions of the product using either a USM Hardware Appliance or a USM Virtual Appliance.

Related Documentation

Refer to the following related information on the AlienVault Documentation Center for the USM release you have purchased:

- USM Release Notes for the version you are deploying
- System Requirements for USM Virtual Appliances for the version you are deploying
- USM Deployment Planning Guide for the version you are deploying
- AlienVault Offline Key Action
- Running the Getting Started Wizard
- Asset management documentation area for final configuration of Standard and Enterprise components

For relevant third-party documentation, see the IPMI user documentation, available from the Supermicro website.

Preparing for Initial Setup

- Before You Start
- Task Overview

Before You Start

Review the following prerequisites to ensure an efficient setup and configuration of all USM solutions:

- You should have already planned and implemented your USM network topology, including failover appliances. See the USM Deployment Planning Guide on the AlienVault Documentation Center for the version you are deploying.
- If your network accesses the Internet, you must first open the ports on all the appliances you plan to deploy. For port requirements, see the USM Deployment Planning Guide on the AlienVault Documentation Center for the version you are deploying.
  Note: If your network is an intranet that may not access the Internet, you may disregard the port information.
- If you have a USM virtual client, review release-specific information in the System Requirements for USM Virtual Appliances documentation on the AlienVault Documentation Center.

DHCP or Manual Network Configuration Requirements

You may configure the network connection either manually or through DHCP (Table 1).

Table 1. USM network connection requirements.

DHCP Network Configuration:
- A DHCP server running on the same network as the AlienVault appliance.

Manual Network Configuration:
- A dedicated IP address for every USM instance.
- Network gateway and subnet mask.
- IP addresses for the DNS server, or servers, used by the network.

Task Overview by USM Solution

USM All-in-One and USM Standard deployments can be configured either on virtual servers, using VMware, or on one or more USM Hardware Appliances, while USM Enterprise deployment is only available on hardware appliances.

Deployment of a single USM All-in-One instance takes the least time, because one deployment instance contains all required components.

You initialize the appliances through the AlienVault Setup menu and complete final configuration through your browser, using the USM Getting Started Wizard if you are a USM All-in-One customer or, if you are a USM Standard or Enterprise customer, manually.

If you deploy more than one instance of the USM All-in-One solution, or if you deploy either the USM Standard or USM Enterprise solutions, you must repeat the basic tasks described in Table 2 for each instance.

Example: If you have multiple All-in-One instances, you must repeat steps 2-10 and step 11.

Important: If you have purchased either the USM Standard or the USM Enterprise solution, you must set up and configure the USM Server first and the Sensors second. Otherwise, you cannot configure the USM Sensor.

Table 2. Task overview for setup of all USM 4.8-5.x solutions. Each entry gives the task number, the solution type or component it applies to, and the task description.

Task 1 (All): Review the network and individual solution prerequisites. See the USM Release Notes for the version you want to deploy. See also the USM Deployment Planning Guide.

Task 2 (USM VMware Virtual Appliance): Deploy the USM Virtual Appliance. See Managing USM with a Virtual Appliance. When done, go to task 3 then 4.

Task 2 (USM Hardware Appliance): Decide if you will manage appliances locally or remotely. See Managing USM with a Hardware Appliance. When done, go to task 3 then 3 #.

AlienVault Setup Menu

Task 3 (All): Configure the network interface settings you prefer:
- Manually: See Configuring the Network Interface Manually.
- DHCP: See Configuring the Network Interface to Use a DHCP Server.

Task 3 # (USM Enterprise Server): Configure the USM Enterprise Server Hardware Appliance. See Configuring a USM Enterprise Server and Enterprise Database.

Task 4 (All): Change the default root password. See Changing the Root Password.

Task 5 (All): Register the product in one of three ways:
- Through the Setup menu via ssh.
- Offline.
- Through the Web browser.
See Registering the Appliance.

Task 6 (All): Configure appliance hostname. See Configuring the Appliance Hostname.

Task 7 (All): (Optional) Change default time zone. See Changing the Default Time Zone.

Task 8 (All): (Recommended) Configure the appliance to synchronize time with an NTP server. See Configuring the Appliance to Synchronize with an NTP Server.

Task 9 (All): (Non-U.S. keyboard users only) Configure USM to recognize your local keyboard. See Configuring USM to Recognize Your Local Keyboard.

- Deploying a single USM All-in-One instance? You are done with the Setup menu. Go to task 10.
- Deploying multiple USM All-in-One instances? Repeat tasks 2-9. When done, go to task 10.
- Just completed setup of the first USM Std./Enterprise Server? This completes your USM Server setup. Repeat tasks 2 through 9 for your first USM Sensor. When done, go to task 11. Repeat for each sensor.
- Completed setup and configuration of all USM Sensors? Repeat tasks 2 through 9 for the USM Std./Enterprise Logger, if applicable. Go to task 12.

Task 10 (All-in-One): Launch the USM web UI in a browser window; place all components into service by running the Getting Started wizard. For information, see the guide Running the Getting Started Wizard on the AlienVault Documentation Center.

Task 11 (USM Sensor): If you are a USM Standard, Enterprise, or Remote Sensor user, configure the USM Sensor on the AlienVault Setup menu. Repeat tasks 2 through 9, and then the current task. See Configuring a USM Sensor. When finished, if you have a separate USM Logger appliance, go to task 12.

Task 12 (USM Logger): Configure the USM Logger, using the USM web UI. See Configuring a Logger.

Managing USM with a Virtual Appliance

This procedure is valid for deployment of both free AlienVault USM trials and licensed versions.

Note: This procedure is specifically for the vSphere client. For instructions specific to a different VMware client, consult the vendor documentation.

To load the OVF template containing the USM image on a VMware ESXi instance

1. In VMware Manager, under File, choose Deploy OVF Template. VMware Manager displays the Deploy OVF Template screen.
2. In the Deploy OVF Template screen, browse to the USM virtual image file; click Next. VMware Manager displays the OVF Template Details screen.
3. On each of the following screens, click Next:
   - OVF Template Details
   - Name and Location
   - Storage
   - Disk Format
   - Network Mapping
4. On the Ready to Complete screen, select Power on after deployment, located below the list of deployment settings, and click Finish. Deployment of the virtual image requires several minutes. After deployment is finished, VMware Manager displays: Deployment Completed Successfully.
5. Click Close.
6. Connect to the console of the USM Virtual Appliance in one of the following ways:
   - On the Inventory screen, click Virtual Machine and, in its submenu, click Open Console.
   - In the console toolbar, click the console icon.
   The monitor should now display the AlienVault Setup management interface configuration menu.

Next: Proceed to Configuring the Management Interface.

Managing USM with a Hardware Appliance

- Local and Remote Appliance Management Requirements
- Local and Remote Appliance Management Best Practices
- Managing the USM Hardware Appliance Locally
- Managing the USM Hardware Appliance Remotely

Local and Remote Appliance Management Requirements

Hardware and power requirements are identical, whether you are managing your appliances locally or remotely (Table 3).

Table 3. USM Hardware Appliance requirements for both local and remote management.

Cables:
- 2 AC power cables
- 1 Ethernet cable

AC Power Source:
- Standard systems require either two 2A circuits @ 120V or two 1A circuits @ 220V. Heat output = 641.31 BTU/hr
- Enterprise systems require either two 3A circuits @ 120V or two 2A circuits @ 220V. Heat output = 942.88 BTU/hr

Peripherals (USB or PS2 cx.):
- Keyboard
- Mouse
- Monitor

Local and Remote Appliance Management Best Practices

Review the following best practices for secure management of your appliances.

- Even if you intend to manage your appliances locally, it is a good idea to set up remote (IPMI) management ahead of time for an emergency situation. See Managing the USM Hardware Appliance Remotely.
- The default behavior of the IPMI LAN mode in the appliances is to fail over from the IPMI port to LAN0 (eth0) or LAN1 (eth1). If you want the IPMI port to be dedicated, you must explicitly configure it to be so. For instructions, see the IPMI vendor documentation from Supermicro.

Managing the USM Hardware Appliance Locally

This method of appliance management requires you to connect a monitor, mouse, and keyboard to the appliance. For hardware and power requirements, see Table 3.

To manage the USM Hardware Appliance locally

1. Make sure that the appliance is powered off. (The power switch is located on the opposite side of the appliance from the cable ports.)
2. On the rear of the appliance, connect the monitor cable to the VGA port, as applicable (Figure 1).
   Figure 1. All-in-One Hardware Appliance ports.
3. Connect the keyboard and mouse to either of the following port types:
   - PS2 connector: Keyboard connects to the purple port; mouse connects to the green port.
   - USB connector: Keyboard and mouse connect to either of the USB ports.
4. Connect one end of an Ethernet cable to the Eth0 port, which is reserved for administrative setup, and the other to the network switch.
5. Connect the two power cables to the power ports on the left-rear side of the appliance and plug the other ends into a power strip.
6. Power on the appliance and turn on the monitor. The monitor should now display the AlienVault Setup management interface configuration menu.

Managing the USM Hardware Appliance Remotely

This topic describes how to configure management of your appliance from a remote location, using Intelligent Platform Management Interface (IPMI). Appliance management through IPMI can be very useful if your system must recover from a disruption in service, excluding power outages.

The appliance has an IPMI port in addition to its two Ethernet ports (Figure 1). This port is also compatible with Gigabit Ethernet switches and wiring. For hardware and power requirements, see Table 3.

Recommendations Prior to Configuring IPMI

- It is a good idea to configure IPMI when you first set up the product, so that it is ready to use when and if you have an emergency.
- For complete information on IPMI configuration, review the relevant IPMI vendor documentation, available from the Supermicro website.
- AlienVault recommends that you deploy IPMI on an isolated network segment or virtual LAN (VLAN). See Configuring a VLAN for IPMI Access.
- If the IPMI port must be accessed outside of the network security perimeter, set up a VPN server to provide that access.
- Stay abreast of all IPMI firmware upgrades, particularly those connected to security updates.

Cabling an Appliance and Configuring Remote Management

Follow these steps to cable and configure network settings for remote management through IPMI of each USM Hardware Appliance except the Remote Sensor.

Note: For cabling and network configuration for remote management of the Remote Sensor, see Cabling a USM Remote Sensor and Configuring Remote Management.

To cable and configure remote management of the USM Hardware Appliance

1. Ask the person responsible for network management to give you an IP address, netmask IP, and Gateway IP for each appliance you plan to manage remotely.
2. Make sure that the appliance is powered off.
3. Connect a keyboard, mouse, and monitor to the appliance.
   - PS2 connector: Keyboard connects to the purple port; mouse connects to the green port.
   - USB connector: Keyboard and mouse connect to either of the USB ports.
4. Connect one end of an Ethernet cable to the IPMI port on the rear of the appliance (Figure 1) and the other connector to an already operational switch.
5. Connect the two power cables to the power ports on the left-rear side of the appliance and plug the other ends into a power strip.
6. Power on the appliance. The appliance should begin startup.
7. During startup, press and continuously hold Delete on the keyboard. The BIOS SETUP UTILITY screen appears on the monitor.
8. Use the Tab or the Up/Down and Right/Left Arrow keys to navigate to the Advanced tab.
9. Navigate to IPMI Configuration (Figure 2); press Enter/Return.
   Figure 2. Advanced Settings menu of the BIOS SETUP UTILITY.
   The IPMI Configuration panel appears (Figure 3).
   Figure 3. Set LAN Configuration selection on the IPMI Configuration panel.
10. Choose Set LAN Configuration and press Enter. The IPMI Configuration Set LAN Configuration panel appears (Figure 4).
    Figure 4. Set LAN Configuration panel with Static selected.
11. Choose a method of assigning an IP address to the appliance:
    - If you have a DHCP server in the same segment of the network as the USM Hardware Appliance, use the Arrow keys to select IP Address Source; then use the plus (+) or minus (-) key to change the label IP Address Source to DHCP.
    - If you do not have a DHCP server, use the Arrow keys to select Static.
12. (Static IP address users only) Use the Arrow keys to access the IP Address, Subnet Mask, and Gateway Address fields and type the appropriate values in each for your device.
    Note: Each appliance comes with a default IP address; you may either use this IP address or configure a new one.
13. Save the changes by pressing F10, then exit the BIOS SETUP UTILITY by pressing Esc.
14. You must restart the appliance for your changes to take effect.

Next: Proceed to Configuring IPMI with Your Browser. If applicable, see Cabling a USM Remote Sensor and Configuring Remote Management.

Cabling a USM Remote Sensor and Configuring Remote Management

Like other appliances you want to manage remotely, the USM Remote Sensor requires its own IP address, netmask, and gateway IP addresses.

Figure 5. Remote Sensor rear panel, showing IPMI port location.

To cable and configure remote management of a USM Remote Sensor

1. Ask the person responsible for network management to give you an IP address, netmask IP, and Gateway IP for each appliance you plan to manage remotely.
2. Make sure that the appliance is powered off.
3. Connect a keyboard, mouse, and monitor to the appliance.
   - PS2 connector: Keyboard connects to the purple port; mouse connects to the green port.
   - USB connector: Keyboard and mouse connect to either of the USB ports.
4. Connect one end of an Ethernet cable to the IPMI port on the rear of the appliance (Figure 5) and the other connector to an already operational switch.
5. Insert the power cable connector into the power port on the left-rear side of the appliance, then plug the other end into a power strip.
6. Power on the appliance. The appliance should begin startup.
7. During startup, press and continuously hold Delete on the keyboard. The Aptio Setup Utility appears on the monitor.
8. Using the Tab or Arrow keys, select the IPMI tab (Figure 6).
   Figure 6. IPMI tab for configuration of Remote Sensor network settings.
9. Select BMC network configuration; press Enter.
   Figure 7. Update IPMI LAN configuration on the BMC network configuration panel.
10. Use the Down Arrow to go to Update IPMI LAN configuration and press Enter (Figure 7).
11. Use the Tab or Right Arrow key to go to the column labeled [No]; toggle it to [Yes] by using the plus (+)/minus (-) keys and press Enter.
12. Choose a method of assigning an IP address to the appliance:
    - If you have a DHCP server in the same segment of the network as the USM Remote Sensor:
      a. Use the Tab key to go to the Configuration IP Address source row, then to Static in the right-hand column of that row.
      b. Toggle Static to DHCP, using the plus (+) or minus (-) key, and press Enter.
    - If you do not have a DHCP server, use the Tab or Arrow keys to go to Static; press Enter.
13. (Static IP address users only) Use the Tab key to access the Station IP address, Subnet mask, and Gateway IP address fields, and type the values applicable to your device in each; press Enter.
    Note: Each appliance comes with a default IP address; you may either use this IP address or configure a new one.
15. Commit the changes by pressing F4; exit by pressing Esc.
16. Restart the appliance so that your changes take effect.

Next: Proceed to Configuring IPMI with Your Browser.

Configuring IPMI with Your Browser

IPMI browser configuration requires the following:

- An Ethernet cable connected to the IPMI port on the appliance.
- IP address of the USM appliance to which you want to connect remotely.
- The USM appliance should be connected to a power supply, but does not need to be powered on at this time.
- You should be able to reach the appliance that you want to manage remotely over the Internet.
- The Java version recommended by Supermicro, the IPMI vendor. See the vendor website for up-to-date information.

To configure IPMI through your browser

1. Open a browser on the computer that can access USM and type the IP address of the USM appliance that you want to manage remotely. After a connection is made, the Supermicro Login screen appears.
2. Type the default factory username ADMIN and type the password AlienVault gave you in your Welcome letter; click Login. The main IPMI screen appears.
3. After you have successfully logged in, change the default password for security purposes. You must then log in with the new password. For information about how to change the password, see the Embedded BMC IPMI User's Guide, available from the Supermicro website.
4. After logging in again, enable display of the remote USM appliance console and configure redirection:
   a. On the top menu bar, click Remote Control.
   b. In the navigation pane at left, select Console Redirection.
   c. On the Console Redirection screen, click Launch Console.
   Note: If the browser blocks it, click the top of the menu bar and select Download File. Then open it from your Downloads folder.
5. When you receive the Java prompt asking whether you want to run the application, click Run.
   Note: If you receive a warning that the application is untrusted and asking if you want to make an exception, click Continue.

Next: (Recommended) Configuring a VLAN for IPMI Access.

Configuring a VLAN for IPMI Access

We recommend that you deploy IPMI as part of a VLAN. This procedure describes how to set it up for access by IPMI.

To configure VPN VLAN IPMI network settings

1. Log into the appliance through the browser and enter the IPMI IP address previously configured.
2. Go to Configuration > Network.
3. Within the VLAN section of the page, click enable.
4. In the VLAN ID field, type a value between 1 and 4095 to identify the VLAN.
5. (Optional) In the LAN interface list, select Dedicate. By selecting Dedicate, you configure IPMI to connect only over the IPMI port at all times. Otherwise, it fails over automatically to the two LAN ports (eth0 and eth1).
6. Click Save.

Next: Proceed to Configuring the Management Interface.

Configuring the Management Interface

The Management Interface provides the means for communication between the web UI and the AlienVault Server.

The AlienVault Setup Management Interface panel appears automatically when the following occurs:

- Local Hardware Appliance users: When you switch on a local appliance for the first time, the panel shown in Figure 8 appears on your monitor.
- Virtual Hardware Appliance users: At the completion of Managing USM with a Virtual Appliance for any one appliance, the panel shown in Figure 8 appears.
- Remote Hardware Management (IPMI): When you access an appliance for the first time after completion of Configuring IPMI with Your Browser, the panel shown in Figure 8 appears.

Figure 8. Initial Management Interface configuration menu.

Note: After you complete this configuration, this menu never appears again.

You must configure the interface in one of two ways:

- Manually: See Configuring the Network Interface Manually.
- Using the settings of your DHCP server, if you have one: See Configuring the Network Interface to Use a DHCP Server.

For specific manual and DHCP configuration prerequisites, see Table 1.

Configuring the Network Interface Manually Configuring the Network Interface Manually This task describes how to complete the network interface configuration manually. To configure the network interface manually 1. Select the default menu item, Manual Configuration, by pressing Enter (Figure 8). 2. Type the IP address of the appliance and press Enter. Note: Write down the IP address for each appliance; you must use it later on in the configuration process. It is also useful to have on hand for technical support or service. 3. Type the Netmask IP address for the network and press Enter. 4. Type the Gateway address for the network and press Enter. 5. Type the IP address of the DNS server and press Enter. Note: If you have multiple DNS servers, type each of their IP addresses, separated by a comma. 6. Verify the values you entered previously. If the values look correct, press Enter. If you discover that you made an error, return to the previous screens to correct the value by pressing No. If you need to reach an earlier screen, press Cancel until you reach the one you need to update. Then re-enter the data and press Enter until you reach the verification panel again. Note: If your appliance has sensor capacity and multiple Ethernet ports to support multiple subnets, you may now connect those ports to the network. Next Proceed to Appliance Setup. Configuring the Network Interface to Use a DHCP Server This task describes how to complete the network interface configuration by using your DHCP server network settings. USM v4.8-5.x Initial Setup Guide Page 25 of 42

To configure the network interface to use DHCP

1. Press the Tab key to move to the DHCP selection on the menu and press Enter (Figure 8).
   The next panel displays the network settings assigned by your DHCP server.
2. Confirm or reject the values displayed:
   To accept the values displayed, press Enter to select the default (Yes). The appliance accepts these settings and the
   If the settings displayed need correction, use the Tab key to move to No and press Enter.

Next: Proceed to Appliance Setup.
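A pre-flight check for the values typed in the manual procedure (IP address, netmask, gateway, comma-separated DNS servers) and for the values the DHCP panel displays for confirmation. This is an added example in Python, not part of the AlienVault guide or product; the function name check_network_settings and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def _parse(label, text, problems):
    """Return an IPv4Address, or None after recording why the text is unusable."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError as exc:
        problems.append(f"{label}: not an IPv4 address ({exc})")
        return None


def _prefix_length(mask):
    """Prefix length of a netmask, or None if it is all-zero or non-contiguous."""
    value = int(mask)
    inverted = ~value & 0xFFFFFFFF
    if value == 0 or inverted & (inverted + 1):
        return None
    return bin(value).count("1")


def check_network_settings(ip, netmask, gateway, dns):
    """Return a list of problems; an empty list means the values are consistent.

    dns is the single comma-separated string typed at the DNS prompt.
    """
    problems = []
    addr = _parse("IP address", ip, problems)
    mask = _parse("Netmask", netmask, problems)
    gw = _parse("Gateway", gateway, problems)

    network = None
    if mask is not None:
        prefix = _prefix_length(mask)
        if prefix is None:
            problems.append(
                f"Netmask: {mask} is not a usable netmask (all-zero or non-contiguous)")
        elif addr is not None:
            network = ipaddress.IPv4Network((addr, prefix), strict=False)

    if addr is not None and (addr.is_loopback or addr.is_multicast
                             or addr.is_unspecified or addr.is_link_local):
        problems.append(f"IP address: {addr} is not a usable host address")

    if network is not None:
        # In subnets larger than /31 the first and last addresses are reserved.
        if network.prefixlen < 31:
            reserved = {network.network_address: "network",
                        network.broadcast_address: "broadcast"}
            for label, value in (("IP address", addr), ("Gateway", gw)):
                if value in reserved:
                    problems.append(
                        f"{label}: {value} is the {reserved[value]} address of {network}")
        if gw is not None and gw not in network:
            problems.append(f"Gateway: {gw} is outside {network}")
        elif gw is not None and gw == addr:
            problems.append("Gateway: same as the appliance IP address")

    seen = set()
    for position, entry in enumerate(dns.split(","), start=1):
        if not entry.strip():
            problems.append(f"DNS entry {position}: empty (stray comma?)")
            continue
        server = _parse(f"DNS entry {position}", entry, problems)
        if server is not None:
            if server in seen:
                problems.append(f"DNS entry {position}: {server} is listed twice")
            seen.add(server)
    return problems


if __name__ == "__main__":
    # Constructed sample values (private address space), not taken from the guide.
    samples = [
        ("192.168.10.20", "255.255.255.0", "192.168.10.1", "192.168.10.2,192.168.10.3"),
        ("192.168.10.20", "255.255.255.0", "192.168.1.1", "192.168.10.2 192.168.10.3"),
    ]
    for sample in samples:
        print(sample, "->", check_network_settings(*sample) or "OK")
```

The second sample fails twice: the gateway is outside the appliance's subnet, and the DNS servers are separated by a space rather than the comma the DNS prompt expects.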

Appliance Setup

This topic describes required appliance setup configuration using the AlienVault Setup menu. You must use this menu to perform initial configuration for every USM appliance, regardless of how you manage it.

Important: If you have purchased either the USM Standard or the USM Enterprise solution, you must set up and configure the USM Server first, the Sensors second. Otherwise, you cannot configure the USM Sensor.

You perform these initialization procedures following successful configuration of appliance management and network interface management.

Accessing the AlienVault Setup Menu
Changing the Root Password
Registering the Appliance
Configuring the Appliance Hostname
Changing the Default Time Zone
Configuring the Appliance to Synchronize with an NTP Server
Configuring USM to Recognize Your Local Keyboard
Configuring a USM Sensor
Configuring a USM Enterprise Server and Enterprise Database

Accessing the AlienVault Setup Menu

You access the AlienVault Setup menu in one of the following ways:

Local Management: By using a monitor, keyboard, and mouse connected directly to the USM Hardware Appliance.
Virtual Management: Virtual Appliance users access the console as a vSphere client or through an ssh-enabled telnet utility such as PuTTY.
IPMI Remote Management: After IPMI remote configuration, with the IPMI port cabled to a router, you can access the console by any computer connected to the same subnet in which the appliance runs, through the IPMI connection.

For procedural simplicity, the following task steps reference the user interface (UI) of the telnet utility PuTTY as a means to explain how to access the AlienVault console.

To access the AlienVault console

1. Launch PuTTY or any other telnet utility, and in the Host Name (or IP address) field, type the IP address of the appliance.
2. Make sure that ssh is selected. This is usually the default setting.
3. Click Open.
4. Enter the user credentials you use to log into the telnet utility.
   The AlienVault splash screen for USM appears and displays the root username and a randomly generated password for you to enter (Figure 9).

   Figure 9. Sample initial AlienVault login screen, showing the default username and password.

5. In the login: field, enter root.
6. In the password field, enter the displayed randomly generated password, then press Enter.
7. When prompted whether you would like to change your password, click Yes.

Important: If your AlienVault USM is on version 4.13 or earlier, the password is alienvault instead. We recommend that you change your password immediately. See Changing the Root Password.

Next: Proceed to Changing the Root Password.

Changing the Root Password

After initial login using the default username and randomly generated password, AlienVault prompts you to change the password.

To change the root password

1. On the first Change Root Password panel, type your new password in the New root password field and press Enter.
   Note: The cursor is not visible on the field. To verify that your cursor is in the right location, look for a black left border at the start of the field. This tells you that your cursor is where it should be.
2. On the second Change Root Password panel, confirm the password you just entered by retyping it; press Enter.
3. On the third, and final, Change Root Password panel, a confirmation message appears, showing that you successfully updated the password.
   The system verifies that you are connected to the Internet, because you need a connection to register the product online, which is the next procedure.
   The application now prompts you to log in again, using the newly created password.

Next: Proceed to Registering the Appliance.

Registering the Appliance

You can register the product in one of three ways:

Online. See Registering the Appliance Online Through the AlienVault Console.

Offline. See Registering Your Appliance Off Line.
Online through a Web browser. See Registering the Appliance with the Web UI.

Registering the Appliance Online Through the AlienVault Console

Prerequisites

The appliance license key that you received from AlienVault.

To register the appliance through the AlienVault console

1. Log into the AlienVault console.
   The AlienVault Setup menu appears. Register this Appliance is now the default selection.
2. To register the appliance, press Enter since OK is the default.
3. On the Online Registration screen, tab to Online registration and press Enter.
4. Type the license key, then press Enter.
   The registration process can take several seconds. A status message shows you a registration progress bar.
5. When registration has completed, a message box displays: AlienVault USM activated successfully.
6. To continue, press Enter.
   The AlienVault Setup menu appears again, but this time without the Register this Appliance menu option.

Registering Your Appliance Off Line

Prerequisites

A license key file called alienvault-license.deb, obtained from AlienVault Support for a specific appliance. See About the license key.
A USB flash drive formatted as FAT32, onto which you must copy the license file. (For instructions on how to format the USB flash drive for Windows, Mac, and Linux, see the AlienVault Offline Key Activation document, available on the AlienVault Documentation Center.)

About the license key file

Before AlienVault Support can generate and send you a .deb license key file that can be used on a FAT32 USB flash drive, you must first send AlienVault Support the system_id of each USM appliance. The system_id is available from the AlienVault Setup menu under About this Installation.

Note: Make sure that you associate each license key file with the correct appliance in your deployment.

To register the appliance offline

1. Save the license file alienvault-license.deb you received from AlienVault to a computer desktop or other location where you can easily retrieve it.
2. Insert a FAT32-formatted USB flash drive into the same computer.
3. Copy the license file alienvault-license.deb to the root directory of the formatted USB flash drive.
4. Open an ssh-enabled shell on Linux or a telnet window on MS Windows and enter the username root and the IP address of the USM appliance.
   The AlienVault Setup menu appears with Register this Appliance as the default selection.
5. To register the appliance, press Enter since OK is the default.
6. Tab to Offline registration and press Enter.
7. Connect the flash drive to the USB port of the appliance and press Enter (OK).

Registering the Appliance with the Web UI

All USM appliances may be registered through the web UI with the exception of the USM Sensor. USM Sensor registration must occur through the AlienVault console.

To register your appliance through the web UI

1. Open a web browser from the appliance connected to the Internet and type the appliance IP address into the address bar.
   The AlienVault Free Trial Activation screen appears.
2. Click on click here to enter your product license key.
3. On the Welcome to AlienVault Unified Security Management <version> screen, type the license key in the Product License Key field and click Send.
   AlienVault displays an information box telling you that AlienVault USM activated successfully.
4. Click Finish.

The Welcome screen appears and contains a form that you must fill out to create the administrator account for the web UI.
5. Fill out the form and, when done, click Start Using AlienVault.
   The AlienVault User Login screen appears.
6. Type the username admin and the password you created on the previous screen, then click Login.

Next: Proceed to Configuring the Appliance Hostname.

Configuring the Appliance Hostname

After registering a USM appliance, you should always configure a hostname for it. This helps you to identify each one uniquely, which is particularly important if you need to make an AlienVault Support call. For guidelines on how to create good hostnames, see RFC 1178.

To configure a hostname for an appliance

1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. From System Preferences, use the Tab key to select Configure Hostname; press Enter (OK).
3. From Configure Hostname, enter the name for this host in the Hostname field; press Enter (OK).
   The Setup menu displays the information that you must apply these changes on the main Setup menu and reboot the appliance.
4. Press OK.
   The System Preferences menu reappears.
5. Use the Tab key to move from OK to Back and press Enter.
   This returns you to the AlienVault Setup main menu.
6. On the AlienVault Setup menu, scroll down and select Apply all Changes; select OK.
   The application prompts you to confirm your choice.
7. Confirm by selecting Yes.
   The services restart.
8. On the Apply all Changes screen, press Enter (OK).
9. Return to the AlienVault Setup main menu and select Reboot Appliance.

Next: Proceed to Changing the Default Time Zone.

Changing the Default Time Zone

The default time zone for AlienVault appliances is Pacific Time (UTC -7h). If you are not operating the appliance in that time zone, you must change it. Otherwise USM cannot, for example, timestamp events accurately.

To change the default time zone

1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Select Date and Time; press Enter (OK).
4. Select Configure Time Zone; press Enter (OK).
   An information panel advises you that the time zone will be changed and that your profile and the mysql services will be changed.
5. Press Enter (Yes) or return to the previous panel by selecting No and pressing Enter.
   The Package Configuration panel appears, where America is the default setting. This includes all time zones in both North and South America.
   Note: If you want to set another time zone within the United States and its possessions, you can also scroll down using the Down Arrow key until you reach U.S. All menu entries are alphabetical.
6. Locate the applicable region or continent for the appliance:
   a. Use the Up or Down Arrow key to scroll up or down until you locate the appropriate continent or region. Select OK.
   b. If you selected a country or continent with multiple time zones, expose those by clicking OK.
   c. Make a selection by pressing Enter or use the Side Arrow key to select OK.
   After you make your selection, the application returns you to the Date and Time menu; press Enter (OK).
   The application prompts you to confirm your choice.

7. Press Enter (Yes), which returns you to the Package Configuration menu.
8. Select Cancel.
9. Select Back and press Enter until you progress back to the AlienVault Setup menu.
10. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
    The application prompts you to confirm your choice.
11. Confirm by selecting Yes.
    The services restart.
12. On the Apply all Changes screen, press Enter (OK).

Next: Proceed to Configuring the Appliance to Synchronize with an NTP Server.

Configuring the Appliance to Synchronize with an NTP Server

Use of an NTP server in your network helps ensure that all system components are correctly synchronized. This is particularly important for timestamp accuracy and auditability in your efforts to comply with certain regulatory standards.

Note: The NTP server requires use of port 123 over UDP.

To enable or disable synchronization with an NTP server

1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Tab to select Date and Time; press Enter (OK).
4. Tab to select Configure NTP Server; press Enter (OK).
5. Enable the NTP Server by selecting Enable with your cursor.
   After successful selection, an asterisk appears.
6. Confirm the selection by pressing Enter (OK). (To disable synchronization, select Disable instead.)

7. Type the hostname or the IP address of the NTP Server; press Enter (OK).
   The application returns you to the Date and Time menu.
8. Select Back and press Enter until you progress back to the AlienVault Setup menu.
9. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
   The application prompts you to confirm your choice.
10. Confirm by selecting Yes.
    A progress screen appears showing you that the services are restarting and the percentage of job completion.
11. On the Apply all Changes screen, press Enter (OK).

Next:

If you do not use a U.S. keyboard, proceed to Configuring USM to Recognize Your Local Keyboard.
If you are a USM All-in-One user, see the document Running the Getting Started Wizard on the AlienVault Documentation Center.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Server, complete all of the applicable foregoing tasks for the USM Sensor. Then, proceed to Configuring a USM Sensor.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Logger, proceed to Configuring a Logger.

Configuring USM to Recognize Your Local Keyboard

Follow this procedure if you use a keyboard that does not use U.S. key layout.

To change the default U.S. keyboard to another layout

1. Launch the console and AlienVault Setup menu and select System Preferences by pressing Enter (OK).
2. Use the Tab key to select Change Location; press Enter (OK).
3. Accept the default setting (Change Keyboard) on the Change Location menu by pressing Enter (OK).
4. On the Package configuration panel, scroll the list of keyboards using the Down or Up Arrow keys until you identify yours, then select it by pressing Enter (OK).
5. If a secondary Package configuration panel appears based on your selection, find your model and press Enter (OK).

A new Package configuration information panel appears and prompts you to select which key should serve as the AltGr key.
6. Accept the default key or select another from the list and press Enter (OK).
   A new Package configuration information panel appears and prompts you to select which key should serve as the Compose key.
7. Accept the default key or select another from the list and press Enter (OK).
8. Select Back and press Enter until you progress back to the AlienVault Setup menu.
9. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
   The application prompts you to confirm your choice.
10. Confirm by selecting Yes.
    A progress screen appears showing you that the services are restarting and the percentage of job completion.
11. On the Apply all Changes screen, press Enter (OK).

Next:

If you are a USM All-in-One user, see the document Running the Getting Started Wizard on the AlienVault Documentation Center.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Server, complete all of the applicable foregoing tasks for the USM Sensor. Proceed to Configuring a USM Sensor.
If you are a USM Standard, Enterprise, or Remote Sensor user and you have just completed setup for a USM Logger, proceed to Configuring a Logger.

Configuring a USM Sensor

If your company purchased USM Standard, Enterprise, or Remote Sensors, you must configure the sensor by providing the USM Server IP address and Framework IP address through the AlienVault Setup menu. After that you must complete some final configuration steps on the web UI.

Prerequisites

If you are a USM All-in-One solution customer and want to configure a Remote Sensor, you must have already configured the USM All-in-One appliance before you can complete Remote Sensor configuration.

If you are a USM Standard or Enterprise solution customer, you must have already configured your USM Server and have its IP address available.

To configure a USM Sensor

1. Launch the console and the AlienVault Setup menu and use the Tab key to go to Configure Sensor; press Enter (OK).
2. On the Configure Sensor menu, use the Tab key to select Configure AlienVault Server IP; press Enter (OK).
3. In the Enter Server IP field, type the IP address of the USM Server this sensor should contact; press Enter (OK).
   The Configure Sensor menu appears again.
4. Use the Tab key to select Configure Framework IP; press Enter (OK).
5. In the Enter Framework IP Address field, type the same IP address you did for the server in step 2; press Enter (OK).
   The application returns you to the Configure Sensor menu.
6. Select Back and press Enter until you progress back to the AlienVault Setup menu.
7. On the AlienVault Setup menu, scroll down the menu and select Apply all Changes; select OK.
   The application prompts you to confirm your choice.
8. Confirm by selecting Yes.
   A progress screen appears showing you that the services are restarting and the percentage of job completion.
8. On the Apply all Changes screen, press Enter (OK).
9. Launch the web UI through a browser and log into USM as administrator.
10. Navigate to Configuration > Deployment > Sensors.
    A warning message appears stating: Warning: The following sensors are being reported by as enabled by the server, but aren't configured.
    The warning message contains the sensor IP address and two links labeled Insert and Discard.
11. Click Insert.
    A new screen containing a form appears.
12. Fill out the form and click Save.
13. Repeat all of the foregoing procedures for every sensor you plan to deploy.

Next:

If you are deploying a USM Standard or Enterprise solution, proceed to Configuring a Logger.
If you have configured a USM All-in-One appliance using the Getting Started Wizard, and just completed Remote Sensor configuration, you are done!

Configuring a USM Enterprise Server and Enterprise Database

The AlienVault USM Enterprise Server component is hardware only. It ships with two devices, an Enterprise Server and an Enterprise Database. The Enterprise Server needs to know the IP address and password of the Enterprise Database, and the Enterprise Database needs to know the IP address of the Enterprise Server, so that the two devices can communicate with each other. Both are done through the AlienVault Setup menu.

To start the USM Enterprise Server configuration

4. Follow the steps in Configuring the Management Interface to assign an IP address to the Enterprise Server.
5. When the AlienVault MySQL Setup menu appears, put it on hold and proceed with configuring the USM Enterprise Database.

To configure the USM Enterprise Database

1. Follow the steps in Configuring the Management Interface to assign an IP address to the Enterprise Database.
2. On the AlienVault Setup menu, use the Tab key to go to Configure Database; press Enter (OK).
3. On the Configure Database menu, use the Tab key to select Configure AlienVault Server IP; press Enter (OK).
4. In the Enter Server IP Address field, type the IP address of the USM Enterprise Server; press Enter (OK).
   The Configure Database menu appears again.
5. Use the Tab key to select Configure AlienVault Framework IP; press Enter (OK).
6. In the Enter Framework IP Address field, type the same IP address you did for the server in step 4; press Enter (OK).
   The application returns you to the Configure Database menu.
7. Select Back and press Enter until you progress back to the AlienVault Setup menu.
8. On the AlienVault Setup menu, use the Tab key to select Apply all Changes; select OK.
   The application prompts you to confirm your choice.
9. Confirm by selecting Yes.

A progress screen appears showing you that the services are restarting and the percentage of job completion.
10. On the Apply all Changes screen, press Enter (OK).
11. On the AlienVault Setup menu, use the Tab key to select Jailbreak System; press Enter (OK).
    The application prompts you to confirm your choice.
12. Type the following command:

    grep ^pass /etc/ossim/ossim_setup.conf

13. Write down the password to be entered on the Enterprise Server.
14. Type exit to return to the AlienVault Setup menu.

To continue the USM Enterprise Server configuration

1. On the AlienVault MySQL Setup menu, in the Enter MySQL Server IP address field, type the IP address of the USM Enterprise Database; press Enter (OK).
2. In the Enter MySQL Server password field, enter the password recorded from step 13 above.
   Note: You will not see any character when typing the password.
3. Press Enter (OK) to finish the configuration.
4. On the AlienVault Setup menu, use the Tab key to select Jailbreak System; press Enter (OK).
   The application prompts you to confirm your choice.
5. Type the following command:

    alienvault-api add_system --system-ip=<ip-of-enterprise-database> --password=<root-password-of-enterprise-database>

6. Type exit to return to the AlienVault Setup menu.

Next: Complete all of the applicable foregoing tasks for the USM Sensor. Proceed to Configuring a USM Sensor.

Configuring a Logger

This configuration procedure is for customers who are deploying one of the following:

USM Standard or Enterprise solution and must configure each appliance separately.
USM All-in-One Appliance, but who are deploying a remote Logger, as an addition to the All-in-One.

Note: Unlike the Standard/Enterprise USM Server and Sensors, the USM Logger can only be configured for operation with the USM web UI.

Prerequisites

You must have completed all of the tasks associated with appliance initialization for the USM Server and USM Sensors. (See Table 2.)
You must have completed all of the tasks associated with appliance initialization for the USM Logger before completing this procedure. (See Table 2.)

Recommended! Because you will be working with two USM instances, it is helpful for this configuration procedure (although not a prerequisite) if you have first given the USM Logger a hostname with the word Logger in its hostname on the AlienVault Setup menu. (See Configuring the Appliance Hostname.)

About Logger Configuration

Because the USM Server forwards events to the USM Logger, the USM Logger is considered the parent server. For this reason, you must add the USM Server as a child server on the USM Logger, and then configure event forwarding on the USM Server.

To configure a USM Logger

1. Open a browser, enter the IP address for the USM Logger, and log in.
2. Navigate to Configuration > Deployment > Servers and click Add Server (Figure 10).