Install AutoDiscovery sensors

By default, each AutoDiscovery server installation comes pre-installed with a single sensor, used to capture data from across your network.

You may need additional sensors if you want to use direct traffic collection, full traffic capture, or if you want to separate your AutoDiscovery server and sensor machines. For more details, see Traffic collection options.

This topic describes how to install additional sensors as needed, either directly on a Windows or Linux machine, or as a VMWare OVF.

Sensor installation options

The following table describes the supported configurations for installing additional sensors, and the high-level steps required for each configuration:

ESX with port mirroring

Do the following:

Deploy an AutoDiscovery sensor to each ESX server.
Configure each sensor to view traffic in promiscuous mode.

Physical server with port mirroring

Do the following:

Prepare a separate server for the AutoDiscovery sensor. The server can be physical or virtual, and Windows or Linux.
Direct mirrored traffic to the sensor.

Local mode with direct capture

Install a sensor on any server from which you want to capture traffic.

For more details, see Install additional AutoDiscovery sensors.

Note: To configure statistical traffic collection with NetFlow/SFlow, we recommend using the sensor installed together with the AutoDiscovery server.

For more details, see Install AutoDiscovery.

AutoDiscovery sensor system requirements

Additional AutoDiscovery sensors must be installed on a Linux or Windows server with the following minimum specifications:

CPU	4-core CPU, if expected traffic load has a maximum of 2 Gbps 8-core CPU if expected traffic load is more than 2 Gbps
Memory	8 GB
Disk space	1 GB free disk space
Network adapters	At least 2 network adapters: 1 adapter connected to each source mirror port or LAN 1 adapter connected to the LAN, for communication with the AutoDiscovery server
Software (Windows only)	When installing a Windows sensor, make sure you have the following software installed on the AutoDiscovery sensor machine: OpenSSL, version 1.0.2. Download and install this from slproweb.com. Visual C++ Redistributable Packages for Visual Studio 2013. Download and install these from https://www.microsoft.com/.

When deploying on a virtual machine, network cards must be physically connected to the switch / router.

Install additional AutoDiscovery sensors

This procedure describes how to install additional AutoDiscovery sensors.

Do the following:

Verify that your AutoDiscovery sensor machine complies with the system requirements. For details, see AutoDiscovery sensor system requirements.

Note: If you are installing additional sensors, you must do so using different machines than the ones you are using for the AutoDiscovery server and the ASMS installation. Each additional sensor must be installed on its own machine.
On the AlgoSec portal, navigate to Downloads > Software > AlgoSec AutoDiscovery.

Do one of the following:

Upgrade

Deploy the downloaded file on your sensor machine, depending on your OS type. For example:

Run an AutoDiscovery sensor installation on VMWare

Deploy your downloaded OVF file to a virtual machine with the required specifications.
Close ⌃
Run an AutoDiscovery sensor installation on Linux
This procedure describes how to run an AutoDiscovery sensor installation on Linux.

Do the following:
1. Extract the contents of the AutoDiscoverySensor-3000.10.0-40-Linux.zip file.
2. Run in installation:
  
  ./AutoDiscovery-Linux-x64.run
3. Create a directory for the AAD sensor service files. Run:
  
  mkdir /opt/autodiscovery
  
  Note: If the /opt/autodiscovery directory already exists, delete the networksensor sub-directory. Run:
  
  rm -rf /opt/autodiscovery /networksensor
4. If the networksensor directory does not yet exist, create it for the network sensor logs. Run:
  
  mkdir /var/log/autodiscovery
5. Place the AAD sensor files in the correct directory. Run:
  
  mv AutoDiscovery-Linux-x64/networksensor /opt/autodiscovery
6. Enable the AAD sensor service. Run:
  
  systemctl enable /opt/autodiscovery/networksensor/networksensor.service
  
  If an error occurs, run:
  
  systemctl link /opt/autodiscovery/networksensor/networksensor.service
7. Stop the firewalld service to open the sensor up to Netflow, SFlow and AAD server communication. Run:
  
  systemctl stop firewalld
8. Start the networksensor service. Run:
  
  systemctl start networksensor
9. Verify that the networksensor is alive by tailing its log and seeing that new lines are added. Run:
  
  tail -f /var/log/autodiscovery/networksensor.log
10. Exit by pressing CTRL+C.
Your sensor is installed and ready to use with AutoDiscovery.
Close ⌃
Run an AutoDiscovery sensor installation on Windows
Do the following:
1. Extract the contents of the downloaded AutoDiscoverySensor-3000.10.0-40-Windows-x64.zip file.
2. Run the extracted AutoDiscoverySensor-Windows-x64.msi file.
3. Click Next to start the wizard.
  
  Accept the EULA, and continue through the wizard as instructed.
4. The installation notifies you that a reboot will be required after the installation is complete.
  
  Verify that all other files are saved and that your system can be rebooted safely when ready, and click OK.
  
  The wizard confirms when the installation is complete.
Your sensor is installed and ready to use with AutoDiscovery.
Close ⌃

AutoDiscovery sensor system requirements

This section describes system requirements for AutoDiscovery sensors installed in addition to the one provided by the AutoDiscovery installation. Additional sensors are most often configured for full traffic capture.

Note: The number of sensors to install and where to install them depends on your network's load and topology.

For example, if you have packet brokers or standalone sniffers already collecting traffic on your network, you can send the traffic they collect to a single sensor. This avoids the need to thoroughly cover your network with sensors.

Configure one of the following:

Full capture with port mirroring or TAP specifications

AutoDiscovery Upgrade for Sensor for Windows x64	Upgrades your separate Windows sensor installation
AutoDiscovery Upgrade for Linux Sensor	Upgrades your separate Linux sensor installation. Note: This option does not upgrade the local sensor installed on your AutoDiscovery server.

Collection rates	Supported collection rates are 250,000 packets(s) for an AlgoSec 2062 appliance-based collector and 1,000,000 packet(s) for an AlgoSec 2322 appliance. These are recommended collection rates, since AlgoSec AutoDiscovery is statistical in nature and a loss of a few packets has no adverse effect.
ESX infrastructure	In order to enable port mirroring for a Sensor is installed on an ESX server, the server must be configured in promiscuous mode and the traffic must be mirrored to a port group. Adding a Sensor to that port group will enable the Sensor to capture all of the traffic.
Log formats	From version 2.4.3, the Sensor can optionally receive traffic in the following log formats: ERSPAN (type 2 and 3) GRE (IP 800 and Transparent Ethernet Bridging 6558) Encapsulated Remote Mirroring in VMware environments (on VDS from VSphere 3.5.1 and up)
Port mirroring hardware requirements	When installed in port mirroring mode, memory and CPU requirements depend on the amount of traffic monitored. Estimated minimum requirements include: Dual CPU/dual core 2GB RAM 10MB free disk space 2 Network Adapters - one connected to the mirror port, the other connected to the LAN.

Install AutoDiscovery sensors

Sensor installation options

AutoDiscovery sensor system requirements

Install additional AutoDiscovery sensors

AutoDiscovery sensor system requirements

Sorry about that

Want to tell us more?

Great!