Amazon Web Services (AWS) Setup

From MetaFlows User Manual

Using the MetaFlows AMI

A pre-built AMI image for Amazon EC2 is available in the marketplace and can be downloaded from https://aws.amazon.com/marketplace/pp/B008MAO9SE

The default username for the Amazon Marketplace AMI is 'metaflows' and you can access the AMI once it is launched by using the ssh command:

ssh -i <your_private_key>.pem metaflows@<your instance address>


Once you have logged in as the MetaFlows user, you can start the sensor by running the command:

sudo /nsm/etc/mss.sh start

Note that while there is a separate command to start the collector, it should be started automatically with the sensor.


If this is the first time you have run the sensor, you will be presented with two options:

  1. Register my account with MetaFlows and add my first instance - Use this option if you do not already have an account on nsm.metaflows.com
  2. Add this ec2 instance to my existing account - Use this option if you have already registered an account on nsm.metaflows.com


Adding a Larger Disk for Log Storage

If your AMI has a small default disk, or you just want additional log storage capacity, follow these steps to add an EBS volume and re-map the log directories to it.

Adding the EBS Volume

  1. From the AWS console add a new EBS volume to the region in which you are running the sensor. If you are not sure how big of a disk you need, 500GB is probably a good minimum.
  2. Attach the EBS volume to the MetaFlows sensor instance.
  3. Verify the name of the drive on your MetaFlows sensor by checking dmesg.

Preparing the Disk

1. Manually create one partition on the disk using fdisk, or run the command:

echo -e "o\nn\np\n1\n\n\nw" | fdisk /dev/xvdk

2. Add a file system to the disk with the command:

mkfs.ext4 /dev/xvdk1

Mounting the New Disk as Your Log Storage

1. Run the command:

/nsm/etc/mss.sh stop

2. Create a new directory for the logs:

mkdir /var/log/metaflows

3. Mount the new disk:

mount /dev/xvdk1 /var/log/metaflows

4. Move the old logs to the new disk:

mv /mnt/hgfs/logs /var/log/metaflows/; ln -s /var/log/metaflows/logs /mnt/hgfs/logs

5. Start the sensor:

/nsm/etc/mss.sh start

Making the New Disk Persistent on Boot

  1. Add a new line to /etc/fstab like the one below to make sure the disk is re-mounted automatically:
/dev/xvdk1 /var/log/metaflows ext4 defaults 0 0
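
A variant of the fstab step, as an added example that is not part of the MetaFlows manual: it references the volume by filesystem UUID and adds nofail, so a renamed or detached EBS device does not stop the instance from booting. The function name, the sample UUID and the scratch file are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: write a UUID-based fstab entry for the log volume.
# On the sensor, obtain the UUID with: blkid -s UUID -o value /dev/xvdk1

# add_fstab_uuid FSTAB UUID MOUNTPOINT
# Returns 0 if an entry was added, 1 if MOUNTPOINT already has one,
# 2 if UUID does not look like a filesystem UUID.
add_fstab_uuid() {
  fstab=$1; uuid=$2; mnt=$3

  # Reject device paths or empty values passed by mistake.
  case $uuid in
    ''|*[!0-9a-fA-F-]*) echo "refusing: '$uuid' is not a UUID" >&2; return 2 ;;
  esac
  if [ "${#uuid}" -ne 36 ]; then
    echo "refusing: '$uuid' is not a UUID" >&2; return 2
  fi

  # Skip if a non-comment line already uses this mount point (field 2),
  # so running the step twice never produces duplicate entries.
  if awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$fstab"; then
    echo "skip: $mnt already present in $fstab" >&2; return 1
  fi

  cp -p "$fstab" "$fstab.bak"   # keep a copy to restore from
  # Same options as the manual's line, plus nofail.
  printf 'UUID=%s %s ext4 defaults,nofail 0 0\n' "$uuid" "$mnt" >> "$fstab"
}

# Demonstration on a scratch file with constructed content, not /etc/fstab.
demo=$(mktemp)
printf '/dev/xvda1 / ext4 defaults 0 0\n' > "$demo"
add_fstab_uuid "$demo" 0f3a9c2e-5b7d-4e1a-9c64-2d8b1a7e5f10 /var/log/metaflows
cat "$demo"
rm -f "$demo" "$demo.bak"
```

After editing the real /etc/fstab, run mount -a before rebooting to confirm the entry parses and mounts.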

MetaFlows Security Gateway on Amazon EC2

This deployment model requires considerable network administration expertise and it is not recommended in most cases.

Architecture

A MetaFlows EC2 instance set up as a VPC security gateway can monitor and protect your cloud assets. The MetaFlows EC2 security gateway routes IP traffic between the VPC and the internet, so it has complete visibility of the full-duplex traffic to and from your protected instances. The MetaFlows Security System (MSS) running on the MetaFlows EC2 instance then allows you to identify and shut down threats through a standard web browser.

Setup Instructions

1. Launch a VPC

- Create a VPC and give it a network range (ex. 10.0.0.0/8).

2. Create Subnets

- Create a private subnet (ex. 10.1.1.0/24) and a public subnet (ex. 10.1.100.0/24).

3. Set Up the NAT Gateway

- Set up the NAT Gateway.
- Launch an EC2 MetaFlows instance on the public subnet.
- Configure the MetaFlows Security Software:

  - Execute the command /nsm/etc/mss.sh start.
  - Register the instance with an existing MetaFlows account or create a new account.
  - Read and agree to the license agreement.
  - Specify the name of the gateway instance, and its domain.
  - Assign an EIP address to the instance. This will be your externally routable address.

- Make sure to modify the network adapter to DISABLE src/dst checking.
- Configure this instance as a normal NAT device for the private subnet:

  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

4. Add Additional IP Addresses

Add additional IP addresses on the public subnet (if needed).

- EC2 will automatically assign a public subnet address to your instance once it is launched. Each instance can have additional IP addresses on the public subnet assigned to it in Step 2.
- For each of these IP addresses, you can assign an EIP. Limits may apply depending on the type of instance you choose.

5. Set Up the Routing Tables

- The public subnet should have a default route for 0.0.0.0/0 to an Amazon IGW device.
- The private subnet should have a default route for 0.0.0.0/0 to the instance id of the MetaFlows EC2 instance.

6. Launch the EC2 Instances

- Launch the EC2 instances to be monitored in the private subnet.

7. Add Port Forwarding Rules

Add port forwarding rules to iptables for publicly accessible services.

- You can follow the instructions at https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html to do that.
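
A check for the gateway built in steps 3 and 7, added here as an example and not part of the MetaFlows manual: it reads iptables-save output, confirms that masquerading is limited to the private subnet, and lists every DNAT rule so the publicly exposed ports can be reviewed. The function names and the sample ruleset are constructed for the illustration.

```sh
#!/bin/sh
# Added example: audit the gateway's nat table from iptables-save output.

# Print the source (-s) of every MASQUERADE rule, or "any" if it has none.
masquerade_sources() {
  awk '$1 == "-A" && $2 == "POSTROUTING" {
    src = "any"; jump = ""
    for (i = 3; i < NF; i++) {
      if ($i == "-s") src = $(i + 1)
      if ($i == "-j") jump = $(i + 1)
    }
    if (jump == "MASQUERADE") print src
  }'
}

# Print "proto dport -> target" for every DNAT (port forwarding) rule.
dnat_exposures() {
  awk '$1 == "-A" && $2 == "PREROUTING" {
    proto = "all"; dport = "any"; to = ""; jump = ""
    for (i = 3; i < NF; i++) {
      if ($i == "-p") proto = $(i + 1)
      if ($i == "--dport") dport = $(i + 1)
      if ($i == "--to-destination") to = $(i + 1)
      if ($i == "-j") jump = $(i + 1)
    }
    if (jump == "DNAT") print proto, dport, "->", to
  }'
}

# audit_gateway PRIVATE_CIDR < rules: fail if masquerading is missing or
# applies to anything other than the private subnet; list DNAT exposures.
audit_gateway() {
  cidr=$1; status=0; rules=$(cat)
  srcs=$(printf '%s\n' "$rules" | masquerade_sources)
  if [ -z "$srcs" ]; then echo "FAIL: no MASQUERADE rule"; status=1; fi
  for s in $srcs; do
    if [ "$s" != "$cidr" ]; then
      echo "FAIL: MASQUERADE applies to $s, expected $cidr"; status=1
    fi
  done
  printf '%s\n' "$rules" | dnat_exposures | sed 's/^/EXPOSED: /'
  return "$status"
}

# Constructed sample ruleset in iptables-save format.
sample_rules() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
    '-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.1.20:443' \
    '-A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE' 'COMMIT'
}
sample_rules | audit_gateway 10.1.1.0/24
```

On the gateway, run `iptables-save -t nat | audit_gateway 10.1.1.0/24` as root. The ip_forward setting and the iptables rules from step 3 are lost on reboot unless they are also saved persistently.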
