AlienVault: Adding a logger to a distributed deployment

There has been some confusion about how exactly to add a dedicated logger appliance to an AlienVault distributed deployment, that is, a setup where server roles (SIEM server, database, loggers, sensors, etc) are hosted on separate servers. It’s not very well documented so here goes (with many thanks to AlienVault Support for providing the information):

The configuration of alarm/event forwarding was changed in v4.8 (June 2014). Users now need to add the child server in the parent server and then configure the event forwarding on the child server.

Since the USM Server forwards events to the remote USM Logger, the remote USM Logger is considered the “parent server”. Therefore, you’ll need to add the USM Server as a “child server” on the remote USM Logger, then configure event forwarding on the USM Server. All configurations are done via the web UI.

> Login to the remote USM Logger (Parent Server). Go to Configuration -> Deployment -> Servers.
> Select ‘New’ and add the USM Server
> Choose ‘No’ for all the options except Log. Choose ‘Yes’ next to Log and save it.
> Login to the USM Server (Child Server). Go to Configuration -> Deployment -> Servers. You should see both servers (USM Server and the remote USM Logger) listed.
> Choose the remote USM Logger and click ‘Modify’.
> Enter the credentials for Remote Admin User, Remote Password, and Remote URL. (This is the admin user login to the remote logger’s web UI).

> Click the ‘Set Remote Key’ button to save it.
> Choose the USM Server and click ‘Modify’.
> Set the option for Log to ‘No’.
> Under the Forward Servers section, choose ‘Add Server’ and add the remote USM Logger. Click ‘Save’ to save it.

Notes:
1. If you go to Configuration -> Deployment -> Alienvault Center on the USM Server, you should NOT see the remote USM Logger listed. However, if you go to Configuration -> Deployment -> Alienvault Center on the remote USM Logger, you should see the USM Server listed.
2. You can check if the configuration was successful in the Server UI by going to Analysis -> Raw Logs. If you see a new column named ‘Server’ on the table layout with ‘Remote Logger’ listed in that column, then the configuration was successful.