A USM Anywhere Sensor deployed in Amazon Web Services (AWS) to a virtual private cloud (VPC) automatically listens for syslog packets on UDP port 514, but you must enable access to it. This allows the other hosts in your network to send data to the sensor. You enable this access by opening this port using the AWS security groups that were created by the AWS CloudFormationCloudFormation templates define specific AWS resources (for example, Amazon EC2 instances and IAM permissions) that enable AWS to automate the provisioning and configuration of the service ("stack"). template that you used to deploy the sensor.
The AWS Security Groups
There are five AWS security groups that help control network connectivity between the instances:
USMConnectionSG: Accepts incoming HTTP, HTTPS, and SSHProgram to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). connections from the Classless Inter-Domain Routing (CIDRClassless Inter-Domain Routing, which provides a method for allocating IP addresses, routing Internet protocol packets, and subdividing networks. CIDR notation provides a syntax for specifying a range of IP addresses.) block you specified when you completed the AWS CloudFormation template parameters.
These connections are only required to enable remote sensor management, and to connect to the web user interface (UI) during deployment and setup.
- USMLogServicesSG: Accepts incoming UDP connections on port 514 from any virtual machine (VM) instance in the USMEnableLogServicesSG. It also enables syslog TCP on port 601, syslog Transport Layer Security (TLS) on port 6514, and Graylog UDP on port 12201.
USMEnableLogServicesSG: Does not have inbound or outbound rules, nor is it assigned to the sensor.
It exists solely as a convenience, so that you can assign it to VMs for connection to UDP over port 514 on the sensor as specified in the USMLogServicesSG. This also enables syslog TCP on port 601 and 602, syslog TLS on port 6514 and 6515, and Graylog UDP on port 12201 on that sensor.
- USMTrafficInterfacesSG: Enables USM traffic mirroring connectivity on your USM Sensor traffic network interface.
- USMEnableTrafficMirroringSG: Does not have inbound nor outbound rules, nor is it assigned to the sensor, but allows virtual extensible local area network (VXLAN) traffic over UDP port 4789.
It exists solely as a convenience, so that you can assign it to VMs for connection to UDP over port 514 on the sensor as specified in the USMEnableTrafficMirroringSG. This enables traffic mirroring traffic.
UDP Port 514
You can open UDP port 514 to receive syslog packet transmissions from the AWS console using any one of the following methods:
- Assign the USMBaseSG security group to the selected VMs by navigating to Networking > Change Security Groups action. (You can also do this through the AWS command-line interface [CLI].)
- Add the default security group from your VPC to the USMLogServicesSG. This allows all the VMs in that security group to send to port 514 UDP.
- Put the AWS Sensor in the default security group from your VPC. This gives all of the VMs in the local VPC full access to all ports on the sensor.