Setting Up CTERA Sentinel


The following requirements are needed for CTERA Sentinel:

  • CTERA Edge Filer 7.8.x or higher and CTERA Portal 8.2.x.
  • A Syslog server with Azure Arc and Azure Monitoring Agent installed.
  • A resource group in Microsoft Azure.
  • A log analytics workspace in Microsoft Sentinel.

Setting Up Microsoft Sentinel for CTERA Sentinel

To set up Microsoft Sentinel for CTERA Sentinel, you need a resource group and a Log Analytics Workspace in Microsoft Sentinel.

To create a resource group in Microsoft Azure:

  1. In Microsoft Azure, access the Resource groups service.
  2. Click Create and complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – A unique name for the resource group.
    Region – Select a region to host the resource group.
  3. Click Review + create, and after the group is validated, click Create.
    The Resource group is created.

To create and add a Log Analytics Workspace in Microsoft Sentinel:

  1. In Microsoft Azure, access the Microsoft Sentinel service.
    The Microsoft Sentinel screen is displayed.
  2. Click Create.
    The Add Microsoft Sentinel to a workspace screen is displayed.
  3. Click Create a new workspace.
    The Create Log Analytics workspace screen is displayed.
  4. Complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Name – A unique name for the workspace.
    Region – The region to host the workspace.
  5. Click Review + create, and after the workspace is validated, click Create.
  6. When the deployment is complete, re-access Microsoft Sentinel.
  7. Click Create.
  8. Select the newly created workspace and click Add.

You’ve now set up the Microsoft Sentinel environment for CTERA Sentinel.

Installing CTERA Sentinel

Before installing CTERA Sentinel, you must connect the Syslog server to Azure Arc and install and connect the Azure Monitor Agent (AMA).

To connect the Syslog server to Azure Arc:

  1. In Microsoft Azure, access the Azure Arc service.
  2. Under Azure Arc resources, click Machines, then Add/Create.
  3. Select Add a Machine.
    Add Servers with Azure Arc is displayed.
  4. Select Add a single server and then click Generate Script.
  5. Complete the fields as follows:
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Region – Select the region.
  6. Click Download and run script.
    A script is generated.
  7. Copy this script to the Syslog server.
  8. Run the script on the Syslog server, which will automatically connect the server to Azure Arc.
  9. Download and install Azure Monitor Agent (AMA) on the Syslog server.
    Note
    Once installed, AMA is automatically connected to the Azure Arc-enabled Syslog server.

Before CTERA Sentinel can be used, create a Data Collection Rule to collect platform metrics.

To create a Data collection rule:

  1. In Microsoft Azure, navigate to Data collection rules.
  2. Click Create.
    A Create Data Collection Rule screen is displayed.
  3. Complete the fields as follows:
    Rule name – Create a unique rule name.
    Subscription – The Microsoft Azure subscription.
    Resource group – Select the resource group.
    Region – Select the region.
    Platform Type – Select Linux.
    Data Collection Endpoint – Keep the default (none).
  4. Click Next: Resources.
    The screen displayed enables you to pick a set of resources to collect data from.
  5. Click Add resources.
    The Select a scope blade is displayed.
  6. Complete the fields as follows:
    Resource group – Select the resource group from the Scope drop-down list and expand the arrow to the left of the resource group's name. The resource type is displayed.
    Resource type – Select Machine - Azure Arc.
    Location – Use the default region.
  7. Click Apply.
    The Add data source blade is displayed.
  8. Click Add data source.
  9. Check the Facility box to select all facilities.
  10. Click Next: destination.
    The Add destination blade is displayed.
  11. Click Add destination and complete the fields as follows:
    Destination type – Select Azure Monitor Logs from the drop-down menu.
    Subscription – The Microsoft Azure subscription.
    Destination Details – Select the workspace.
  12. Click Add data source.
    Note
    Adding Tags is optional.

  13. Click Review + create.
    Once validated, the Data Collection Rule is ready to be created.
  14. Click Create.
    Once deployment is complete, the Data Collection Rule is created.

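For anyone scripting this step instead of clicking through it, here is the Data Collection Rule body that the steps above assemble (Linux platform, all syslog facilities, one Azure Monitor Logs destination) together with a consistency check. This is an added example, not CTERA's or Microsoft's code; the workspace resource id and the rule's internal names are constructed placeholders, and the facility list is assumed to be the set the Facility checkbox selects.

```python
# Added example: the Linux syslog Data Collection Rule (DCR) body that the
# portal steps above build by hand. Resource ids are constructed placeholders;
# the facility list is assumed to match what the portal's "Facility" box covers.
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
LEVELS = ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]


def build_syslog_dcr(location, workspace_id, facilities=FACILITIES):
    """Return a DCR resource body: Linux platform, one syslog source, one
    Azure Monitor Logs destination (the Log Analytics workspace)."""
    return {
        "location": location,
        "kind": "Linux",                              # Platform Type: Linux
        "properties": {
            "dataSources": {"syslog": [{
                "name": "cteraSyslog",                # constructed name
                "streams": ["Microsoft-Syslog"],
                "facilityNames": list(facilities),    # "Facility" box checked
                "logLevels": LEVELS,
            }]},
            "destinations": {"logAnalytics": [{
                "name": "cteraWorkspace",             # constructed name
                "workspaceResourceId": workspace_id,  # Destination Details
            }]},
            "dataFlows": [{"streams": ["Microsoft-Syslog"],
                           "destinations": ["cteraWorkspace"]}],
        },
    }


def check_dcr(dcr):
    """List problems that would leave the workspace without CTERA logs:
    a data flow pointing at an undeclared destination, or a syslog
    source that omits facilities."""
    props = dcr["properties"]
    declared = {d["name"] for d in props["destinations"].get("logAnalytics", [])}
    problems = []
    for flow in props["dataFlows"]:
        problems += [f"unknown destination {d}" for d in flow["destinations"]
                     if d not in declared]
    for src in props["dataSources"].get("syslog", []):
        missing = sorted(set(FACILITIES) - set(src["facilityNames"]))
        if missing:
            problems.append("missing facilities: " + ", ".join(missing))
    return problems
```

An empty list from check_dcr means the body is internally consistent; it does not verify that the workspace id exists in your subscription.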
CTERA Sentinel is ready to be installed.

To install CTERA Sentinel:

  1. In Microsoft Azure, access the Microsoft Sentinel service.
  2. Select the required Log Analytics Workspace.
  3. Select Content Hub under Content management in the menu.
  4. Search for CTERA Sentinel and select it from the Content title list.
  5. Click Install/Update.

CTERA Sentinel is now installed in the Microsoft Sentinel Content hub.

Note

It takes time for the logs from the CTERA Edge Filer and CTERA Portal to be fed into the system. Once connected, the data connector symbol turns green.

The Syslog data connectors are added automatically.