In-house Relay installation using the software package

Installing and configuring the relay

The following procedure describes how to install and configure the In-house Relay software package on an Ubuntu host.

  1. Add the Devo repository to the system repository list. This only needs to be done once.
    • First, import the Devo repository public key. The key is fetched over plain HTTP, so before adding it compare its fingerprint (gpg --with-fingerprint PublicKey) with a value obtained from Devo through another channel:

      wget http://repository.logtrust.net/PublicKey
      sudo apt-key add PublicKey
      sudo gpg --import PublicKey
    • Create the logtrust.list file:

      /etc/apt/sources.list.d/logtrust.list
    • Next, add the following line to the newly created logtrust.list file:

      deb http://repository.logtrust.net/ precise main
    • Finally, run the install command that is specific to your Devo region:
      • If you are a USA user:

        sudo apt-get update
        sudo apt-get install logtrust-relay-aws-usa
      • If you are an EU user:

        sudo apt-get update
        sudo apt-get install logtrust-relay
      • If you are a VDC (Spain) user:

        sudo apt-get update
        sudo apt-get install logtrust-relay-vdc

  2. Enter the API key provided for your Devo account into the configuration script. Open Devo and go to Administration → Credentials, then click Show to display the API key and copy it to your clipboard. To paste the API key into the configuration script window, use SHIFT+INS.

  3. Now you can start the relay. In Devo, go to Administration → Relays, select the newly created relay, and change its status to Active. Within a few minutes, the relay will begin to forward logs to Devo.

Once the relay is running, the next step is to set up the In-house Relay rules.

Specific scenarios

Suppose you are using a virtual machine with a previously installed EU relay, but you need to install a USA relay.

  1. First, you must uninstall the EU relay:

    # apt-get purge logtrust-relay
  2. Now you can install the USA relay:

    # apt-get update
    # apt-get install logtrust-relay-aws-usa

Suppose you are using a virtual machine with an EU relay, but you need to install a VDC relay.

  1. First, you must uninstall the EU relay:

    # apt-get purge logtrust-relay
  2. Now you can install the VDC relay:

    # apt-get update
    # apt-get install logtrust-relay-vdc
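The install procedure and the two region-switch scenarios above, as one script. This is an added example, not Devo's own tooling: the repository URL, the suite, the package names and the purge-before-install order come from this page; the script name relay-region.sh, the function names, the DRY_RUN and SOURCES_DIR variables and the EXPECTED_KEY_FPR check are assumptions (the page prints no key fingerprint, so that value has to come from Devo through another channel).

```shell
#!/bin/sh
# relay-region.sh: install the Devo In-house Relay package for a region, or
# switch a host from one region package to another.
# Added example, not Devo's own tooling. Repository URL, suite and package
# names are taken from the procedure above; the script name, function names,
# DRY_RUN/SOURCES_DIR and the fingerprint variable are assumptions.
#
#   ./relay-region.sh install usa              # dry run: prints the commands
#   DRY_RUN=0 sudo ./relay-region.sh install eu
#   DRY_RUN=0 sudo ./relay-region.sh switch eu usa

REPO_URL="http://repository.logtrust.net/"
REPO_LINE="deb ${REPO_URL} precise main"
SOURCES_DIR="${SOURCES_DIR:-/etc/apt/sources.list.d}"
DRY_RUN="${DRY_RUN:-1}"
# Fingerprint of the Devo repository key obtained through another channel
# (assumed: the page does not print one). Empty disables the check.
EXPECTED_KEY_FPR="${EXPECTED_KEY_FPR:-}"

# Execute a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Region -> package, exactly as listed in the procedure above.
relay_package_for_region() {
  case "$1" in
    usa) echo logtrust-relay-aws-usa ;;
    eu)  echo logtrust-relay ;;
    vdc) echo logtrust-relay-vdc ;;
    *)   echo "unknown region: $1" >&2; return 1 ;;
  esac
}

# Compare two fingerprints ignoring the spacing and case they are usually
# displayed with; an empty expected value never matches.
fingerprint_matches() {
  a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$b" ] && [ "$a" = "$b" ]
}

# The key is fetched over plain HTTP, so check it before apt trusts it.
import_repo_key() {
  key=$(mktemp)
  run wget -q -O "$key" "${REPO_URL}PublicKey"
  if [ "$DRY_RUN" != 1 ] && [ -n "$EXPECTED_KEY_FPR" ]; then
    got=$(gpg --with-colons --with-fingerprint "$key" | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fingerprint_matches "$got" "$EXPECTED_KEY_FPR"; then
      echo "repository key fingerprint mismatch: got '$got'" >&2
      rm -f "$key"; return 1
    fi
  fi
  run apt-key add "$key"
  rm -f "$key"
}

# Add the apt source once; re-running the script must not duplicate the line.
ensure_repo_source() {
  f="$SOURCES_DIR/logtrust.list"
  if [ -f "$f" ] && grep -qxF "$REPO_LINE" "$f"; then return 0; fi
  if [ "$DRY_RUN" = 1 ]; then printf '+ echo "%s" >> %s\n' "$REPO_LINE" "$f"
  else printf '%s\n' "$REPO_LINE" >> "$f"; fi
}

install_relay() {
  pkg=$(relay_package_for_region "$1") || return 1
  import_repo_key || return 1
  ensure_repo_source || return 1
  run apt-get update
  run apt-get install -y "$pkg"
}

# Only one region package belongs on a host: purge the old one first, as in
# the scenarios above.
switch_relay() {
  old=$(relay_package_for_region "$1") || return 1
  new=$(relay_package_for_region "$2") || return 1
  if [ "$old" = "$new" ]; then echo "already on region $2"; return 0; fi
  run apt-get purge -y "$old"
  run apt-get update
  run apt-get install -y "$new"
}

case "${1:-}" in
  install) install_relay "$2" ;;
  switch)  switch_relay "$2" "$3" ;;
  "")      ;;   # no arguments: only define the functions
  *)       echo "usage: $0 install REGION | switch OLD_REGION NEW_REGION" >&2; exit 2 ;;
esac
```

The dry run is the default so that the commands can be reviewed before anything touches the host; the fingerprint check is skipped in dry-run mode because nothing has been downloaded yet.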

Starting and stopping the relay

To start or stop the relay, run the relay starter script with the command start, stop, or restart:

sudo /etc/init.d/logtrust-relay start|stop|restart

Troubleshooting the relay

If the relay or its event forwarding process is not working properly, the following steps help identify and fix the problem.

Check that the relay processes are running

# ps ax | grep scoja
 2940 pts/1    S      0:00 sh /opt/logtrust/scoja/scoja.sh -r 5s -G /etc/logtrust/scoja/current/all-me.conf -j /etc/logtrust/scoja/current/all-var.conf
 2942 pts/1    Sl     0:32 /opt/java/bin/java -server -XX:+UseConcMarkSweepGC -classpath :/opt/logtrust/scoja/scoja.jar:/opt/logtrust/scoja/scoja-cc.jar:/opt/logtrust/scoja/scoja-compression.jar:/opt/logtrust/scoja/scoja-rpc.jar:/opt/logtrust/scoja/scoja-beep.jar:/opt/logtrust/scoja/jython.jar -Djava.library.path=/opt/logtrust/scoja -Dscoja.home=/opt/logtrust/scoja -Xms500M -Xmx500M org.scoja.server.Scoja -r 5s -G /etc/logtrust/scoja/current/all-me.conf -j /etc/logtrust/scoja/current/all-var.conf
  • Use ps ax rather than ps a: the relay started from the init script has no controlling terminal, and ps a would not list it.
  • If the Java process is not running, restart it using the relay starter script:

    sudo /etc/init.d/logtrust-relay start
  • If the Java process still does not appear after restarting the relay, consult the log /var/log/scoja.log. It will show why the relay cannot start. If the system is unable to find the Java interpreter, /var/log/scoja.log will show an error like this:

    /opt/logtrust/scoja/scoja.sh: 60: java: not found
  • On an Ubuntu system, Java is usually installed under /usr/lib/jvm/. You can use one of the following solutions:

    Symbolic link: ln -s /usr/lib/jvm/java-6-openjdk/bin/java /usr/bin/java
    Environment variable: define export JAVA_HOME="/usr/lib/jvm/java-6-openjdk" in /etc/profile.d/java.sh
  • Alternatively, replace the installed version of Java with java-6-openjdk.
  • Note that /etc/profile.d is only read by login shells, so a JAVA_HOME exported there is not seen by the init script at boot. On Ubuntu the symbolic link, or sudo update-alternatives --config java (which manages /usr/bin/java for the packaged JDKs), is the more reliable fix.

Ensure that the default rules are active 

# netstat -atun --program | grep "$(pgrep -f org.scoja.server.Scoja)"
tcp6       0      0 :::13000                :::*                    LISTEN      2942/java      
tcp6       0      0 :::13001                :::*                    LISTEN      2942/java      
tcp6       0      0 :::13002                :::*                    LISTEN      2942/java      
udp6       0      0 :::12999                :::*                                2942/java      
udp6       0      0 :::13000                :::*                                2942/java      
udp6       0      0 :::13001                :::*                                2942/java      
udp6       0      0 :::13002                :::*                                2942/java
  • If the ports above are not listening, check whether the relay process is running (above) or whether the configuration has not been deployed properly (next section). Note also that the listeners are bound to all interfaces (:::), so use a host or network firewall to restrict them to the hosts that are meant to send logs to the relay.

Ensure that the relay has downloaded the configuration from Devo's server 

  • Check the log file /var/log/lt-relay.log. If the configuration has been downloaded and deployed correctly the log will look like this: 

    2013-01-11 18:39:19.428100 [SUCCESS] Relay is active, deploying new configuration set
    2013-01-11 18:40:01.909000 [SUCCESS] No changes in the Relay Configuration
  • If there was a problem with the download and deployment process, there will be an error message in the log such as:

    2013-01-11 16:49:01.574114 [ERROR] Property 'api.key' not found in conf file
    2013-01-11 16:49:32.698116 [ERROR] calling relayServices
  • In the case of an error, check the following:
    • Make sure the API key and API secret are correct, either by re-running the configuration script or by editing the file /etc/logtrust/relay/logtrust.conf directly.
    • Make sure that the system can reach Devo's server over the internet.
    • Make sure that the relay has downloaded the user certificate that allows it to forward events securely to Devo (see below).

Make sure the relay has a user certificate

  • The relay requires a user certificate to forward events securely to Devo's server. Make sure that the following file exists: 

    ls -al /etc/logtrust/scoja/current/keys/client.jks
  • If the file does not exist, there was an error in the deployment of the initial configuration and you will need to deploy it again. To do so, open Devo and: 
    1. Go to Administration → Relays, find the problematic relay, and select the tool icon found in the Actions column.
    2. Select the Force Generate New Certificate check box.
    3. Click Apply Configuration. 
  • After applying the configuration, the new policy application should appear in /var/log/lt-relay.log:

    2013-01-11 19:06:02.403493 [SUCCESS] No changes in the Relay Configuration
    2013-01-11 19:07:02.215951 [SUCCESS] Relay is active, deploying new configuration set
  • The certificate should now exist in /etc/logtrust/scoja/current/keys/. 
