Install Cloud Link Service

The administrators can perform the following tasks to install the Cloud Link Service successfully:

Step 1. Install Cloud Link Service
Step 2. Download the Activation Package
Step 3. Register the Cloud Link Service
Step 4. Verify if the Cloud Link Service is working
Step 5. Transfer UEBA (Cloud) data to NetWitness Platform

You can install the Cloud Link Service on the following host types:

  • Log Decoder
  • Log Hybrid
  • Endpoint Log Hybrid
  • Log Hybrid Retention

Prerequisites

Ensure that the NetWitness Platform and the host (Decoder) are on version 11.5.2.0 or later.

Note

Data will be fetched from only the host (For Example: Log Decoder) on which the Cloud Link Service is installed.

To install the Cloud Link Service

  1. Log in to the NetWitness Platform as an administrator and go to admin icon Admin > Hosts.

    The Hosts view is displayed.

  2. Select a host (Example: Log Decoder) and click install button.

    A dialog listing all the services already installed on this host is displayed and seeks your confirmation if you want to install a new service.

  3. Click Yes.

    The Install Services dialog is displayed.

  4. Select the Cloud Link Service from the Category drop-down menu, and click Install.

    How to install cloud link service

  5. Go to admin icon Admin > Services to verify successful Cloud Link Service installation.

Step 2: Download the Activation Package

You need the activation package to register Cloud Link Service with the NetWitness UEBA. The activation package can be used on all hosts containing Cloud Link Service, which you want to register and you can download it from the NetWitness Cloud Portal.

To download the activation package

  1. Log in to the NetWitness Cloud Portal.

  2. Go to admin icon Admin > Sensors > Downloads.

  3. Click the Cloud Link tab.

    How to access the activation package

  4. Under Activation Package, click generate icon to generate the activation package.

  5. Click download icon to download the activation package.

Registration of Cloud Link Service requires copying the activation package to the Cloud Link Service directory, and setting up the required permissions. Once this is completed, the Cloud Link Service will be registered automatically.

Note

  • The same activation package can be used for multiple registrations.
  • Ensure you use the most recently downloaded activation package.

Prerequisites

Ensure that the system clock is accurate. To fix the system clock, configure the NTP server on Admin server. For more information on how to configure NTP Sever, see Configure NTP Servers.

To register the Cloud Link Service

  1. SSH to the host on which the Cloud Link Service is installed.

  2. Copy the device-activation-package.json file downloaded from the NetWitness Cloud Portal to the /root or /temp directory on the Cloud Link Service host.

  3. Change the user and group of the device-activation-package.json file to netwitness by executing the following command:

    chown netwitness:netwitness device-activation-package.json

Important

Avoid using cp command to add files under /var/lib/netwitness/cloud-link-server directory. The cp command changes the user and group to root, which can result in the Cloud Link Service registration failure.

  1. Move the device-activation-package.json file to the Cloud Link Service directory by executing the following command:

    mv device-activation-package.json /var/lib/netwitness/cloud-link-server/

  2. To verify if Cloud Link Service is registered successfully, log in to the NetWitness Cloud Portal, and check the status of the Cloud Link Service. For more information, see Verify if the Cloud Link Service is working.

Note

If you want to re-register a Cloud Link Service with a different activation package, first remove the Cloud Link Service from the NetWitness Cloud Portal, and then uninstall Cloud Link Service on the NetWitness Platform. For more information about uninstalling the Cloud Link Service, see Uninstall the Cloud Link Service.

You can check the status on NetWitness Cloud Portal Sensor List to verify the successful registration of Cloud Link Service. The status must reflect as Connected for the Cloud Link Service to start transferring data. You can use this status to monitor the Cloud Link Service and troubleshoot registration failures.

To verify the status of the Cloud Link Service

  1. Log in to the NetWitness Cloud Portal.
  2. Go to admin icon Admin > Sensors > Sensor List.
    The following information is displayed for every Cloud Link Service registered in your deployment:
Detail Description
Hostname The host on which the Cloud Link Service is installed. Example: Endpoint Log Hybrid.
Status Status of the Cloud Link Service:
- Registered: The Cloud Link Service is registered successfully.
- Connected: The Cloud Link Service is connected and operating normally.
- Disconnected: The Cloud Link Service is not connected.
- Disabled: The Cloud Link Service is stopped temporarily and data transfer is paused.
- Enabled: The Cloud Link Service reconnects and resumes data transfer.
Sensor Version The installed version of the sensor. Example: 12.5.0.0.
Sensor Type Type of sensor that is installed and registered. Example: Cloud Link.
Uptime and Downtime Displays the sensor’s uptime and downtime.

Step 5: Transfer UEBA (Cloud) data to NetWitness Platform

If you want to view the UEBA data on your NetWitness Platform user interface you must configure the data transfer from the cloud to the Admin server. Perform the following steps:

Important

This step should be performed only once after you register the Cloud Link Service for the first time.

  1. SSH to the Admin server.

  2. Execute the following command:

    nw-manage --enable-cba

See also