Why this guide exists
Police CyberAlarm helps you see who is probing your network and how. It is a free service, available to all UK businesses, provided by UK Police and the Home Office. This guide shows any UK organisation how to deploy the collector on its own estate, configure firewall logging, and enable external vulnerability scans - without fuss. Follow the steps, then sleep easier knowing what is hitting you. If you prefer us to host, monitor and tune it for you, see our hosted Police CyberAlarm service.
What you will get by the end
• A working Police CyberAlarm collector running on your network.
• Firewall logs flowing to the collector and out to the police securely.
• External vulnerability scans set for your IPs and websites.
• Clear next steps to read your reports and act on them.
• An option to hand ongoing care to a calm UK team if you want it.
Deployment choices
All-in-one
Deploy the official virtual appliance in VMware. Fastest route for most. Light resources, minimal decisions, low risk.
Distributed
Install the collector on your own Linux VM (for Hyper-V, KVM, or bare metal). More flexible, same outcome. Keep it dedicated to PCA only.
Prerequisites
• A perimeter firewall capable of sending syslog.
• Outbound internet from the collector on HTTPS (443). No inbound ports required.
• Modest resources: 2 vCPU, 2 GB RAM, 25 GB disk.
• Your ICO registration number to complete signup.
• Your public IPs and website URLs for scanning.
• 30–60 minutes of quiet time to do it right.
Install / Core setup
1) Register: Go to the Police CyberAlarm website and register your organisation for free. You will receive a Unique Access Code by email.
2) Activate: Use your code on the site to unlock the member area. Confirm organisation details, reporting contact, ICO number, public IPs, and websites.
3) Choose your path: Decide VMware OVA (quickest) or Linux install (for Hyper-V or physical).
4) Download details: From the member area, copy the OVA URL or the Linux install instructions.
[Screenshot: Member area showing Unique Access Code redeemed and appliance download link]
Immutable mindset
Why it matters
PCA does not sit inline. It listens, filters, and sends encrypted metadata only. Keep it simple and dedicated so it stays trustworthy and low maintenance.
Deploy the collector: VMware OVA
Steps
1) In vSphere or ESXi, select “Deploy OVF/OVA Template”. Paste the OVA URL from your member area.
2) Name the VM, choose datastore and network. Allocate 2 vCPU, 2 GB RAM, 25 GB disk if not pre-set.
3) Place it on a network that can receive syslog from your firewall and reach the internet outbound.
4) Power on. Let it initialise. Note its IP (DHCP by default) from the console or DHCP leases.
5) If prompted, open the collector’s local web page and enter your Unique Access Code to register it to your organisation.
Deploy the collector: Linux VM (Hyper-V or physical)
Steps
1) Create a new VM with 2 vCPU, 2 GB RAM, 25 GB disk. Connect to a DMZ or trusted monitoring VLAN.
2) Install AlmaLinux Minimal 9.x. Set hostname (for example pca-collector) and IP (DHCP or static).
3) Follow the Police CyberAlarm installation instructions from your member area to install the collector software.
4) When prompted, enter your Unique Access Code to register the collector.
5) Ensure the VM can reach outbound HTTPS and is reachable from your firewall on syslog ports.
Point your firewall logs at the collector
What to send
• Firewall deny/drop events and intrusion alerts.
• IDS/IPS alerts, web filter and malware gateway alerts where available.
• Optional: repeated VPN or auth failures.
Firewall setup
1) Find the PCA IP (COLLECTOR_IP).
2) In your firewall, enable remote syslog and set destination = COLLECTOR_IP on UDP 514 (or your chosen syslog port).
3) Select security-related facilities. Include blocked inbound, scans, known exploits, and IPS events.
4) Save. Generate a quick test (for example a harmless external port scan against your public IP) to confirm logs flow.
[Screenshot: Firewall syslog screen with COLLECTOR_IP and UDP 514 configured]
Tip: If you run firewalld on the Linux collector, allow UDP 514 from your firewall's IP address only, or disable the local firewall if this is a dedicated DMZ monitor.
Enable external vulnerability scans
Set once, benefit monthly
1) Confirm your public IPs and website URLs in the member area or collector interface.
2) Opt in to scanning. Monthly is common and sensible for most SMEs.
3) Scans are performed from the Police CyberAlarm service, not from your local collector.
4) You will receive a vulnerabilities report with clear, fix-first guidance.
Prove it works
Quick validation
• Check your firewall shows syslog events sent to COLLECTOR_IP.
• Confirm the collector shows connected status or recent activity.
• Expect your first monthly report after the first full cycle. If nothing arrives, review syslog settings or ask support to confirm receipt.
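A quick way to exercise the syslog path from step 4 of the firewall setup and the validation checks above, as an added example that is not part of Police CyberAlarm or this guide: it builds an RFC 3164 event shaped like a firewall drop log, proves send and receive on loopback first, then fires one datagram at the collector address you pass on the command line. The collector IP, the hostname "edge-fw" and the log text are constructed placeholders.

```python
# Added example: build an RFC 3164 syslog event, prove the UDP path on loopback,
# then send one test datagram to the PCA collector (not PCA's own code).
import re
import socket
import sys
from datetime import datetime

FACILITY_LOCAL0 = 16      # many perimeter firewalls log to local0..local7
SEVERITY_WARNING = 4      # deny/drop events are commonly logged at 'warning'
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def build_syslog(facility, severity, hostname, tag, msg, ts=None):
    """Return an RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag: msg."""
    pri = facility * 8 + severity
    ts = ts or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day of month is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def parse_syslog(line):
    """Split a line back into facility/severity/host/tag/msg; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def send_udp(line, collector_ip, port=514):
    """Send one datagram; UDP gives no receipt, so check the collector status page too."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (collector_ip, port))


def loopback_check(line):
    """Stand in for the collector on 127.0.0.1 and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))            # ephemeral port, no root needed
        rx.settimeout(2)
        send_udp(line, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
    return data.decode()


# Constructed test event in the style of a perimeter-firewall drop log (not a real address).
TEST_EVENT = build_syslog(FACILITY_LOCAL0, SEVERITY_WARNING, "edge-fw", "kernel",
                          "DROP IN=wan SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=3389",
                          ts=datetime(2024, 5, 1, 9, 30, 0))

if __name__ == "__main__":
    print("loopback ok:", loopback_check(TEST_EVENT) == TEST_EVENT)
    if len(sys.argv) > 1:                     # usage: python pca_syslog_test.py COLLECTOR_IP
        print("sent bytes:", send_udp(TEST_EVENT, sys.argv[1]))
```

If the loopback check passes but the collector shows no activity, the fault is on the path (firewall rule, VLAN, or the collector's local firewall) rather than in the message format.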
Recovery mindset
PCA turns noise into decisions: block these IPs, patch those services, close that port. Put a short monthly slot in the diary to review reports and implement the top three actions. If you want a managed pathway from alert to action, we can host and run PCA for you.
Frequently solved problems
• No data visible: confirm firewall syslog points to COLLECTOR_IP on UDP 514 and the collector can reach the internet on 443.
• Proxy breaks outbound: exempt the collector from SSL inspection and outbound proxies.
• Too much log volume: start with deny/IPS events only, then add modules once stable.
• Multiple sites: point each site’s firewall at the same collector if bandwidth allows, or deploy an additional collector per site.
• Website scans flag issues: treat as a punch list. Patch, reconfigure, or disable weak services, then re-scan next cycle.
Quick reference checklists
Sizing
• Collector: 2 vCPU, 2 GB RAM, 25 GB disk. One VM handles most SMEs.
• Network: modest outbound bandwidth; logs are filtered and encrypted.
Job design
• Send only security-relevant logs first. Add extras later.
• Review monthly. Action the top three items. Track improvements.
Security
• Outbound HTTPS only. No inbound rules. Dedicated VM. Least access.
• Keep the collector patched via its automatic updates.
