How to install Coralogix STA

Last Updated: Jan. 11, 2023

The Coralogix STA (Security Traffic Analyzer) is a tool by Coralogix for deep packet inspection, packet capturing, cloud configuration vulnerability scanning, and more.

The STA can be installed using the following methods:

  1. CloudFormation Template
  2. Terraform Template
  3. OVA image

Pre-requisites

Before you install the STA, make sure the following requirements are met:

  1. You have an empty S3 bucket for holding the configuration
  2. You have permissions to deploy EC2 instances, Spot Fleets, load balancers and security groups in the AWS account you plan to deploy the STA in
  3. The instances whose traffic you plan to mirror with the VPC traffic mirroring feature belong to one of the following types: C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1, X1e, A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d.
  4. If you want to monitor instances by using our Virtual Tap, make sure you can run privileged containers in that environment (for example, AWS Fargate does not allow this)

CloudFormation Template

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account
  2. From Coralogix UI, go to the Settings page and then to the Cloud Security tab
  3. Click “Deploy Security Service”
  4. From the top drop-down list named “Deployment method”, choose the option “CloudFormation” (should already be selected)
  5. Fill in the various fields on the form and click “Launch AWS CloudFormation”
    1. Set the CloudFormation’s stack name (The default is “CoralogixSecurity”)
    2. Optionally, fill in the name of an S3 bucket that will be used for storing the STA’s configuration
    3. Optionally, configure the STA to use an encrypted disk
    4. Select the SSH key pair that will be used to connect to the STA
    5. Select the security group that will be assigned to the management network interface.
    6. Optionally, fill in the name of an S3 bucket that will be used for storing the packets captured by the STA as compressed PCAP files
    7. If you chose to run the STA as a spot, you can set the maximum spot price here
    8. Select the subnet you’d like to run the STA in. Make sure that the security group you chose for the management interface belongs to this subnet. Otherwise the installation will fail.
    9. Select the VPC you’d like to run the STA in. Make sure that the subnet you selected belongs to this VPC.
    10. Tick the box below that says “I acknowledge that AWS CloudFormation might create IAM resources.” and click “Create stack”

Terraform Template

  1. Connect to your AWS account and, in another tab, log in to your Coralogix account
  2. From Coralogix UI, go to the Settings page and to the Cloud Security tab
  3. Click “Deploy Security Service”
  4. From the top drop-down list named “Deployment method”, choose the option “Terraform Template”
  5. Click “Launch tutorial”
  6. Create an empty folder somewhere on your computer
  7. Create the following file and save it as sta-ng.tf:
variable "CompanyID" {
  type        = string
}
variable "Subnet" {
  type        = string
}
variable "VpcId" {
  type        = string
}
variable "PrivateKey" {
  type        = string
}
variable "KeyName" {
  type        = string
}
variable "MgmtNicSecurityGroupID" {
  type        = string
}
variable "AppName" {
  type        = string
}
variable "ConfigS3Bucket" {
  type        = string
  default     = ""
}
variable "PacketsS3Bucket" {
  type        = string
  default     = ""
}
variable "WazuhRequired" {
  type        = number
  default     = 1
}
variable "ElasticIpRequired" {
  type        = number
  default     = 1
}
variable "STALifecycle" {
  type        = string
  default     = "ondemand"
}
variable "STASize" {
  type        = string
  default     = "medium"
}
variable "CoralogixApiEndpointHostname" {
  type        = string
  default     = "api.coralogix.com"
}
variable "CoralogixSyslogEndpointHostname" {
  type        = string
  default     = "syslogserver.coralogix.com"
}
variable "EncryptDisk" {
  type        = bool
  default     = false
}
variable "DiskSize" {
  type        = number
  default     = 250
}
variable "DiskType" {
  type        = string
  default     = "gp2"
}
variable "STAInstanceType" {
  type        = string
  default     = ""
}
variable "SpotPrice" {
  type        = number
  default     = 0.5
}
variable "tags" {
}
module "sta_ng" {
  source = "s3::https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/terraform/<target-aws-region>/sta_ng.template.tgz"

  CompanyID               = var.CompanyID
  Subnet                  = var.Subnet
  VpcId                   = var.VpcId
  PrivateKey              = var.PrivateKey
  KeyName                 = var.KeyName
  MgmtNicSecurityGroupID  = var.MgmtNicSecurityGroupID
  AppName                 = var.AppName
  ConfigS3Bucket          = var.ConfigS3Bucket
  CoralogixApiEndpointHostname = var.CoralogixApiEndpointHostname
  CoralogixSyslogEndpointHostname = var.CoralogixSyslogEndpointHostname
  PacketsS3Bucket         = var.PacketsS3Bucket
  EncryptDisk             = var.EncryptDisk
  DiskSize                = var.DiskSize
  STALifecycle            = var.STALifecycle
  STASize                 = var.STASize
  WazuhRequired           = var.WazuhRequired
  ElasticIpRequired       = var.ElasticIpRequired
  STAInstanceType         = var.STAInstanceType
  tags                    = var.tags 
}
  8. Create the following file and save it as values.auto.tfvars.json:
{
  "PrivateKey": "<coralogix-private-key>",
  "KeyName": "<ssh-key-to-use-for-connecting-to-the-sta>",
  "MgmtNicSecurityGroupID": "<security-group-id-to-assign-to-management-interface>",
  "VpcId": "<vpc-id-to-install-the-sta-in>",
  "AppName": "<coralogix-application-name-for-sta-data>",
  "ConfigS3Bucket": "<an-EMPTY-S3-bucket-for-configuration>",
  "CompanyID": "<coralogix-company-id>",
  "Subnet": "<aws-subnet-id-to-install-the-sta-in>",
  "STALifecycle": "<[ondemand|spotfleet]>",
  "STASize": "<[small|medium|large]>",
  "WazuhRequired": <[0|1]>,
  "ElasticIpRequired": <[0|1]>,
  "tags": {
    "<example-additional-tag-name>": "<example-additional-tag-value>"
  }
}
  9. Run the command terraform init from the same folder
  10. Run the command terraform plan and examine the changes that are going to be applied to your environment
  11. Run the command terraform apply from the same folder and approve the changes

OVA File

  1. Download the OVA file for the environment you want to run it in from one of the following links:
    1. VirtualBox: https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/sta-ng.virtualbox.ova
    2. VMware ESXi: https://coralogix-integrations.s3-eu-west-1.amazonaws.com/cloud-security/sta-ng.vmware.ova
  2. Once the file is downloaded, import the VM into the relevant environment and start it
  3. After the VM has finished loading, log in to the VM with the user ‘ubuntu’ and the password ‘Coralogix-STA!’
  4. Once you are logged in, a series of questions is presented automatically. Answer all of them with the relevant information
  5. Run the command passwd and change the default password of the ubuntu user

STA Deployment In Limited Internet Access Environments

The STA requires access to S3 for its config files. In some environments, outbound Internet access must be limited to specific IPs, which means public S3 is not reachable. To allow connectivity over the Amazon private network, set up a designated VPC gateway endpoint that connects your VPC directly to Amazon S3.

* Make sure your VPC’s route table contains Coralogix’s endpoints.

* In addition, in such environments the following enrichment services will not work: dns-rbls, unshorten-url, nist-cpe.
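
The gateway endpoint described above can be declared in Terraform next to sta-ng.tf. This is an added example, not part of the Coralogix template: it reuses the VpcId and MgmtNicSecurityGroupID variables from sta-ng.tf, and the StaRouteTableId variable and the resource names are hypothetical.

```hcl
# Added example, not part of the Coralogix template.
# Reuses var.VpcId and var.MgmtNicSecurityGroupID declared in sta-ng.tf.

# Hypothetical variable: the route table associated with the STA's subnet.
variable "StaRouteTableId" {
  type = string
}

# Look up the regional S3 gateway service name (com.amazonaws.<region>.s3).
data "aws_vpc_endpoint_service" "s3" {
  service      = "s3"
  service_type = "Gateway"
}

# Gateway endpoint: adds a route for the S3 prefix list to the given route
# table, so S3 traffic from the subnet stays on the Amazon network.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.VpcId
  service_name      = data.aws_vpc_endpoint_service.s3.service_name
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.StaRouteTableId]
}

# Allow HTTPS egress from the management interface to the S3 prefix list,
# so the security group does not need a 0.0.0.0/0 rule to reach S3.
resource "aws_security_group_rule" "sta_s3_egress" {
  type              = "egress"
  description       = "STA to S3 through the gateway endpoint"
  security_group_id = var.MgmtNicSecurityGroupID
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}

# Exposed so other rules (for example, network ACLs) can reference it.
output "s3_prefix_list_id" {
  value = aws_vpc_endpoint.s3.prefix_list_id
}
```

A gateway endpoint only serves buckets in the same region as the VPC, and the egress rule narrows access only if the security group has no broader outbound rule left in place.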

Next Steps

After installing the STA, you can move forward in one of the following ways (or all of them) to get the most out of your newly installed STA:

  1. Configure VPC traffic mirroring to allow the STA to analyze raw traffic. For this use the following tutorials: How to automate VPC Mirroring for Coralogix STA, Guide: Smarter AWS Traffic Mirroring for Stronger Cloud Security
  2. Deploy Wazuh agents in selected instances to get insights into the processes running inside them. For this use the following tutorial: How to connect a Wazuh agent to the STA
  3. Review alerts configured and modify them to be more accurate for your organization. You can find more about it in these tutorials: Security Traffic Analyzer (STA) Alerts, Alerts API
  4. Run the command sta-get-installation-id, copy the UUID that is displayed on the screen, and save it in a safe place. This key is required to log in to the STA with administrative privileges, which might be needed as part of a troubleshooting session.
  5. Once the installation ID is safely stored and properly backed up, run the command sta-acknowledge-installation-id and carefully follow the instructions on the screen to remove the installation ID from the STA

If you have any questions or need any additional help, please contact our support team via our 24/7 in-app chat!
