Red Hat Enterprise Linux (RHEL) is an enterprise Linux operating system (OS) developed by Red Hat for the business market. RHEL, formerly known as Red Hat Linux Advanced Server, is certified with thousands of vendors and across hundreds of clouds.
RHEL provides users with a reliable, consistent foundation across environments. It is equipped with all the necessary tools to rapidly deliver application services and workloads. RHEL is based on a free, open-source model like any Linux distribution.
This documentation walks through installing RHEL and Chronicle Forwarder with the configuration required to forward events to Chronicle.
The following are the prerequisites for installing the RHEL machine:
- RHEL should have a static IP
- A Personal/Corporate/Developer account on redhat.com
The link to register the free developer account is below:
- An installation disk (ISO) for RHEL 9.1
The link to download the RHEL 9.1 server image is below:
The following are the prerequisites for installing Chronicle Forwarder:
- Outbound network access to *.redhat.com, *.opensuse.org (port 80), *.netenrich.com, and *.threatlandscape.net (ports 443 and 8443)

Firewall configuration (if required)
If you have firewalls or authenticated proxies between the Chronicle forwarder container and the Internet, they require rules to open access to the following hosts:

| Protocol | Host | Ports |
|---|---|---|
| TCP | *.redhat.com | 443 & 80 |
| TCP | *.docker.com | 80 & 443 |

This configuration can sustain an environment with up to 15000 endpoints. CPU and network usage increase proportionally with the number of endpoints.
Installation of RHEL 9.1
The following steps are required to install RHEL 9.1:
1. Create an RHEL VM with at least the following configuration:

| Resource | Minimum |
|---|---|
| Storage | 200 GB (single disk) |
| Network | 100 Mbps or 1 Gbps |
2. Attach the downloaded RHEL 9.1 ISO to the RHEL VM and start the VM.
3. When the installation starts, you will be prompted with the screen below.
Select "Install Red Hat Enterprise Linux 9.1" and press Enter to start the installation.
4. Choose your preferred language and keyboard layout and press Continue.
5. Click on Installation Destination to select the storage.
6. Select the Local Standard Disk and press Done.
7. Click on Software Selection to select the RHEL environment.
8. By default, Server with GUI is selected. Please change it to Server and also select Container Management under Additional software for selected environment.
9. Click on Network & Host Name to configure static IP details.
10. Click the Configure button at the bottom, go to IPv4 Settings, add the static IP details along with the DNS server details, and click Save.
11. Review the network configuration and Click on Done.
12. Click on Time & Date to configure time zone.
13. Select the Region and City for configuring time zone and click on Done.
14. Click on Connect to Red Hat for updates and upgrades.
15. You need to register your RHEL 9.1 system to receive free updates.
On the subscription page shown below, enter your redhat.com credentials (username and password) and click Register to subscribe to free RHEL updates and upgrades.
16. Once registered, the below screen will be shown. Click Done.
17. Under User Settings, Click on Root Password to set the root credentials.
18. Specify and confirm the password for the root user and click Done.
Note: If you are setting up a weak password, the installer requires you to click Done twice.
19. Once you have configured the required options, click Begin Installation to start installing RHEL 9.1.
20. Once your installation is complete, the below screen will be shown. Click Reboot System to complete the installation.
21. Finally, your RHEL 9.1 installation is completed and ready to use.
The following steps install Docker Engine, which Chronicle Forwarder requires:
1. Install the yum-utils package (which provides the yum-config-manager utility).
yum-utils is a collection of tools and programs for managing yum repositories, installing debug packages, source packages, extended information from repositories, and administration.
$ yum install -y yum-utils
2. Set up the Docker repository using yum-config-manager.
$ yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
3. Install the latest version of Docker Engine, containerd, and Docker Compose.
$ yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
4. Start the Docker service and verify that it is running.
$ systemctl start docker
$ systemctl status docker
Configure Chronicle Forwarder
The following steps are required to configure Chronicle Forwarder:
1. Create the user on RHEL that will be used for managing the Docker container.
$ adduser USERNAME
$ passwd USERNAME
$ usermod -aG wheel USERNAME
2. Switch to the newly created user and create a directory to store the Chronicle forwarder configuration files.
$ su USERNAME
$ mkdir ~/config
$ cd ~/config
3. Transfer the Chronicle config files to RHEL and move them into that directory.
Note: the config file will be provided by NetEnrich.
Feature release: the config file can also be downloaded from RI.
4. Clean up any previous Docker runs. A leftover container named cfps would otherwise block the docker run in step 6, which reuses that name, so stop and remove it:
$ sudo docker stop cfps
$ sudo docker rm cfps
5. Obtain the latest Docker image from Google Cloud
$ sudo docker pull gcr.io/chronicle-container/cf_production_stable
6. Start Chronicle forwarder from the Docker container (the examples below use cfps as the container name):
$ sudo docker run --detach --name cfps --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable
Monitor and manage the forwarder
The following Docker commands help you to monitor and manage Chronicle forwarder:
6.1) Check if the Docker container is running:
$ sudo docker ps
6.2) Display the logs from the container (use the container name given in step 6).
Note that this can generate a substantial volume of output, but it is useful for debugging:
$ sudo docker logs cfps
6.3) Restart the Docker container to refresh the Chronicle Forwarder configuration:
$ sudo docker stop <container name>
$ sudo docker start <container name>
$ sudo docker logs <container name>
- List open, listening ports on the forwarder (the commands below are in Ubuntu CLI syntax; make sure they are relevant on RHEL):
  - sudo netstat -an | more
  - sudo netstat -an | grep "port number"
  - If netstat is unavailable, install it with sudo apt install net-tools (on RHEL: sudo yum install -y net-tools)
- List the last 100 lines of the Docker logs:
  - sudo docker logs -n 100 cfps
- Use tcpdump to validate that log source traffic is reaching the forwarder, in case a firewall is filtering it:
  - Find the proper interface for tcpdump with ip a or ifconfig. Do not choose the Docker interface; choose the Ethernet interface.
  - Capture traffic filtered on the source IP of the log source (interface and source IP are examples): sudo tcpdump -i ens33 src 10.10.10.3
  - Capture traffic filtered on the source IP of the log source and the port (interface, source IP and port are examples): sudo tcpdump -i ens33 src 10.10.10.3 and port 11156
- Use tcpdump to validate that the forwarder is sending TLS/SSL traffic to Google Chronicle IPs, in case a firewall is blocking outbound traffic:
  - sudo tcpdump -i ens33 src "ip of forwarder" and port 443
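A post-deployment health check that ties the monitoring commands above to the egress requirements from the firewall table, as an added example that is not part of this runbook or of the Chronicle/NetEnrich tooling. It assumes the container name cfps from the docker run step, uses ss rather than netstat (ss ships with RHEL), and checks only the concrete hosts this runbook pulls from (download.docker.com, gcr.io); the remaining wildcard hosts from the table must be added with the names your environment uses.

```shell
#!/usr/bin/env bash
# Health check for a Chronicle forwarder host. Added example, not vendor code.
# Assumes the container name "cfps" from the docker run step.
CONTAINER="${CONTAINER:-cfps}"

# host:port pairs that must be reachable for the image pull and repo access.
# Extend with the *.redhat.com / *.netenrich.com / *.threatlandscape.net
# hostnames your environment actually contacts.
required_egress() {
  printf '%s ' download.docker.com:443 gcr.io:443
}

# Return 0 if a TCP connection to host ($1) port ($2) opens within 5 seconds.
# Uses bash's /dev/tcp so it works without nc or curl installed.
tcp_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Pure decision: healthy when the container is running and still carries the
# --restart=always policy from the run command (so it survives reboots).
assess_container() {
  [ "$1" = "running" ] && [ "$2" = "always" ]
}

# Query Docker for state and restart policy, then decide with assess_container.
container_healthy() {
  state=$(docker inspect -f '{{.State.Status}}' "$1" 2>/dev/null) || return 1
  policy=$(docker inspect -f '{{.HostConfig.RestartPolicy.Name}}' "$1" 2>/dev/null)
  assess_container "$state" "$policy"
}

# Listening TCP sockets on the host (ss is present on RHEL, netstat is not).
listening_ports() {
  ss -Hltn 2>/dev/null | awk '{print $4}'
}

main() {
  rc=0
  if container_healthy "$CONTAINER"; then echo "OK   container $CONTAINER running with restart=always"
  else echo "FAIL container $CONTAINER missing, stopped, or restart policy is not always"; rc=1; fi
  for ep in $(required_egress); do
    if tcp_reachable "${ep%%:*}" "${ep##*:}"; then echo "OK   egress $ep"
    else echo "FAIL egress $ep blocked (check firewall/proxy rules)"; rc=1; fi
  done
  echo "Listening TCP sockets (compare with the ports your log sources send to):"
  listening_ports
  return $rc
}

# Run the checks only when executed as a script saved as forwarder_check.sh.
if [ "${0##*/}" = "forwarder_check.sh" ]; then main "$@"; fi
```

A non-zero exit from main means at least one check failed, so the script can be dropped into cron or a monitoring agent as-is.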