This article serves as guidance for the installation of your Linux collector which will be used to ship logs to the Defense.com SIEM.

A Deployment Pack is provided and contains all necessary installation files, scripts, and certificates required to configure the SIEM solution.

Firewall rules are required between all logging agents and the collector, and between the collector and Defense.com infrastructure.

The collector is the central location which collates logs from all agents and forwards them to the Defense.com SIEM platform. At least one collector is required, however, multiple can be installed for resiliency or separate geographical sites. Defense.com will provide a script to install the collector. The script, collector-install.sh is found in the linux/collector folder and will install and configure the required software.

An Ubuntu 22.04 LTS machine should be prepared for the collector installation in-line with the system requirements above. During the installation, the collector will require outbound internet access to run package updates and install the required software. A new user with Sudo access should be created, as the hardening script will disable remote root login.

Multiple collectors can be installed for resiliency or multi-environment systems. To configure agents to send logs to multiple hosts, edit the host definition in filebeat.yml/winlogbeat.yml:

hosts: ["192.168.0.1:9550", "192.168.0.2:9550"]

A host from the list will be selected during start-up. If there is a failure, the other host will be used. To load balance across multiple hosts at the same time, use the following configuration:

hosts: ["192.168.0.1:9550", "192.168.0.2:9550"]

loadbalance: true

Unfortunately, at this time it is not possible to select a preferred collector.

Beats agents are lightweight applications which forward logs to the collector. No processing or sorting is done on the host or within your environment. This is all done in the Bulletproof SIEM platform. This keeps the footprint of the agents minimal and should not affect the performance of your hosts. If however any performance hits are noticed, contact Defense.com via a support ticket as steps can be taken to reduce the priority of the beats agents.

What are the next steps?

The next steps involve completing the customer profile questionnaire. This questionnaire was developed as a way of making sure that the SOC team have all the information they need to help reduce the number of false positives that are raised. Detailing information such as service accounts and maintenance windows can help the SOC team to identify potential false positives and tune the data they are working with accordingly. Once the customer profile is completed, the service is ready to go live. For the first month of the service we typically look to use the default runbooks and make sure these are tuned effectively. Once these have been in operation for a period of time, Defense.com will work with you to create any custom runbooks for your environment.