Skip to main content
All CollectionsSIEMCollectorsLinux
How to configure your Linux log collector for Defense.com SIEM
How to configure your Linux log collector for Defense.com SIEM
Alan Butcher avatar
Written by Alan Butcher
Updated over 2 months ago

1. Introduction

1.1 Overview

This article serves as guidance for the installation of your Linux collector which will be used to ship logs to the Defense.com SIEM.


1.2 Deployment Pack

A Deployment Pack is provided and contains all necessary installation files, scripts, and certificates required to configure the SIEM solution.


2. Firewall Rules

Firewall rules are required between all logging agents and the collector, and between the collector and Defense.com infrastructure.

Source

Destination

Protocol

Port

Notes

Windows Agents

Collector IP

TCP

5044

Allow Winlogbeat agents to send logs to the collector over TCP.

Linux Agents

Collector IP

TCP

5044

Allow Filebeat agents to send logs to the collector over TCP.

Syslog Devices

Collector IP

UDP

5514

In order for the logs to be encrypted, they will have to be sent to the collector before sending over to the Defense.com SIEM platform.

Collector

31.28.93.148/32

TCP

443

Allow the collector to send logs to Defense.com SIEM platform.


3. Collector installation

The collector is the central location which collates logs from all agents and forwards them to the Defense.com SIEM platform. At least one collector is required, however, multiple can be installed for resiliency or separate geographical sites. Defense.com will provide a script to install the collector. The script, collector-install.sh is found in the linux/collector folder and will install and configure the required software.

3.1 System requirements

Resources

Requirement

Operating System

Ubuntu 22.04

CPU Cores

2

Memory

8 GB

Disk Space

50 GB

3.2 Preparation

An Ubuntu 22.04 LTS machine should be prepared for the collector installation in-line with the system requirements above. During the installation, the collector will require outbound internet access to run package updates and install the required software. A new user with Sudo access should be created, as the hardening script will disable remote root login.

3.3 Installation

  • Copy all files from the collector folder in the install pack to the user’s home directory on the server

  • Become root:

    sudo su

  • Make the script executable:

    chmod +x collector-install.sh

  • Once logged back in, run the install script. Note this may take some time to complete:

    ./collector-install.sh

  • Contact Defense.com via a support ticket to verify collector installation and log flow. We will also need the public IP address of the collector(s) for our firewall.


4. FAQ

How do I configure multiple collectors?

Multiple collectors can be installed for resiliency or multi-environment systems. To configure agents to send logs to multiple hosts, edit the host definition in filebeat.yml/winlogbeat.yml:

hosts: ["192.168.0.1:5044", "192.168.0.2:5044"]

A host from the list will be selected during start-up. If there is a failure, the other host will be used. To load balance across multiple hosts at the same time, use the following configuration:

hosts: ["192.168.0.1:5044", "192.168.0.2:5044"]

loadbalance: true

Unfortunately, at this time it is not possible to select a preferred collector.

Will the beats agents affect the performance of my hosts?

Beats agents are lightweight applications which forward logs to the collector. No processing or sorting is done on the host or within your environment. This is all done in the Bulletproof SIEM platform. This keeps the footprint of the agents minimal and should not affect the performance of your hosts. If however any performance hits are noticed, contact Defense.com via a support ticket as steps can be taken to reduce the priority of the beats agents.

What are the next steps?

The next steps involve completing the customer profile questionnaire. This questionnaire was developed as a way of making sure that the SOC team have all the information they need to help reduce the number of false positives that are raised. Detailing information such as service accounts and maintenance windows can help the SOC team to identify potential false positives and tune the data they are working with accordingly. Once the customer profile is completed, the service is ready to go live. For the first month of the service we typically look to use the default runbooks and make sure these are tuned effectively. Once these have been in operation for a period of time, Defense.com will work with you to create any custom runbooks for your environment.

Did this answer your question?