1. Introduction
1.1 Overview
This article serves as guidance for the installation of your Linux collector which will be used to ship logs to the Defense.com SIEM.
1.2 Deployment Pack
A Deployment Pack is provided and contains all necessary installation files, scripts, and certificates required to configure the SIEM solution.
2. Firewall Rules
Firewall rules are required between all logging agents and the collector, and between the collector and Defense.com infrastructure.
Source | Destination | Protocol | Port | Notes |
Windows Agents | Collector IP | TCP | 5044 | Allow Winlogbeat agents to send logs to the collector over TCP. |
Linux Agents | Collector IP | TCP | 5044 | Allow Filebeat agents to send logs to the collector over TCP. |
Syslog Devices | Collector IP | UDP | 5514 | Syslog devices must send logs to the collector first so that the logs are encrypted before being forwarded to the Defense.com SIEM platform. |
Collector | 31.28.93.148/32 | TCP | 443 | Allow the collector to send logs to Defense.com SIEM platform. |
3. Collector installation
The collector is the central location which collates logs from all agents and forwards them to the Defense.com SIEM platform. At least one collector is required; multiple collectors can be installed for resiliency or for separate geographical sites. Defense.com will provide a script to install the collector. The script, collector-install.sh, is found in the linux/collector folder and will install and configure the required software.
3.1 System requirements
Resources | Requirement |
Operating System | Ubuntu 22.04 |
CPU Cores | 2 |
Memory | 8 GB |
Disk Space | 50 GB |
3.2 Preparation
An Ubuntu 22.04 LTS machine should be prepared for the collector installation in line with the system requirements above. During the installation, the collector will require outbound internet access to run package updates and install the required software. A new user with sudo access should be created, as the hardening script will disable remote root login.
3.3 Installation
Copy all files from the collector folder in the install pack to the user’s home directory on the server.
Become root:
sudo su
Make the script executable:
chmod +x collector-install.sh
Once logged back in, run the install script. Note this may take some time to complete:
./collector-install.sh
Contact Defense.com via a support ticket to verify collector installation and log flow. We will also need the public IP address of the collector(s) for our firewall.
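Before raising the ticket, the collector's side of the firewall table in section 2 can be checked locally. The script below is an added example, not part of the Deployment Pack: it assumes the collector listens on the table's ports (TCP 5044, UDP 5514), that ss, awk, timeout and bash are available, and its function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: post-install check of the collector's ports from the firewall table.
# Required listeners (from the table): TCP 5044 (Beats agents), UDP 5514 (syslog).

# Reads `ss -H -tuln` output on stdin; prints each required proto/port that has
# no listening socket. Prints nothing when both listeners are present.
missing_listeners() {
  awk '
    { n = split($5, a, ":"); seen[$1 "/" a[n]] = 1 }   # $1 = netid, $5 = local addr:port
    END {
      if (!("tcp/5044" in seen)) print "tcp/5044"
      if (!("udp/5514" in seen)) print "udp/5514"
    }'
}

# Returns 0 if a TCP connection to the SIEM platform address from the table
# (31.28.93.148:443) opens within 5 seconds. Needs bash (/dev/tcp) and coreutils timeout.
outbound_ok() {
  timeout 5 bash -c 'exec 3<>/dev/tcp/31.28.93.148/443' 2>/dev/null
}

# Constructed sample: syslog listener is up, Beats listener is absent.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:5514 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

if [ "${1:-}" = "--live" ]; then
  # Run on the collector itself.
  missing=$(ss -H -tuln | missing_listeners)
  [ -z "$missing" ] && echo "listeners: ok" || echo "listeners missing: $missing"
  outbound_ok && echo "outbound 443: ok" || echo "outbound 443: blocked or unreachable"
else
  echo "sample run, missing: $(printf '%s\n' "$SAMPLE_SS" | missing_listeners)"
fi
```

Run it with --live on the collector; without arguments it only evaluates the constructed sample.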
4. FAQ
How do I configure multiple collectors?
Multiple collectors can be installed for resiliency or multi-environment systems. To configure agents to send logs to multiple hosts, edit the host definition in filebeat.yml/winlogbeat.yml:
hosts: ["192.168.0.1:5044", "192.168.0.2:5044"]
A host from the list will be selected during start-up. If there is a failure, the other host will be used. To load balance across multiple hosts at the same time, use the following configuration:
hosts: ["192.168.0.1:5044", "192.168.0.2:5044"]
loadbalance: true
Unfortunately, at this time it is not possible to select a preferred collector.
Will the beats agents affect the performance of my hosts?
Beats agents are lightweight applications which forward logs to the collector. No processing or sorting is done on the host or within your environment. This is all done in the Bulletproof SIEM platform. This keeps the footprint of the agents minimal and should not affect the performance of your hosts. If, however, any performance impact is noticed, contact Defense.com via a support ticket, as steps can be taken to reduce the priority of the beats agents.
What are the next steps?
The next steps involve completing the customer profile questionnaire. This questionnaire was developed as a way of making sure that the SOC team have all the information they need to help reduce the number of false positives that are raised. Detailing information such as service accounts and maintenance windows can help the SOC team to identify potential false positives and tune the data they are working with accordingly. Once the customer profile is completed, the service is ready to go live. For the first month of the service we typically look to use the default runbooks and make sure these are tuned effectively. Once these have been in operation for a period of time, Defense.com will work with you to create any custom runbooks for your environment.