Prerequisites
Below are the prerequisites for the Ubuntu machine that will host the forwarder.
- Ubuntu should have a static IP address
- Outbound network access to *.ubuntu.com (ports 80 and 443), *.opensuse.org (port 80), *.netenrich.com (port 443), *.threatlandscape.net (ports 443 and 8443) and the Google endpoints listed in the firewall table below
- Firewall configuration, if required, as per the table below.
If you have firewalls or authenticated proxies between the Chronicle forwarder container and the Internet, they need rules that allow access to the following hosts:

| Connection Type | Destination | Port |
|---|---|---|
| TCP | malachiteingestion-pa.googleapis.com | 443 |
| TCP | accounts.google.com | 443 |
| TCP | gcr.io | 443 |
| TCP | oauth2.googleapis.com | 443 |
| TCP | *.ubuntu.com | 443 and 80 |
| TCP | *.opensuse.org | 80 |
| TCP | *.netenrich.com | 443 |
| TCP | *.threatlandscape.net | 443 and 8443 |
| TCP | storage.googleapis.com | 443 |
- Ubuntu should accept inbound connections on port 514 (syslog) and port 2055 (NetFlow)
- Ubuntu VM creation: create the VM with at least the configuration below and install the Ubuntu version linked below.

| Characteristic | Recommendation |
|---|---|
| CPU | 2 cores |
| Memory | 4 GB |
| Storage | 100 GB (single disk) |
| Network | 100 Mbps |
- Provide username as “ubuntu” when prompted for username during Ubuntu installation.
- Link to download the Ubuntu 20.04 server image:
Ubuntu 20.04.5 LTS (Focal Fossa)
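The following script is added here as an example and is not part of the NetEnrich procedure. Run on the VM, it checks the prerequisites above in one pass: the minimum resources, that netplan no longer uses DHCP (so the address is static), that ports 514 and 2055 are free on the host, and that every destination/port in the firewall table accepts a TCP connection. Not stated on the page and assumed by the script: netplan as the network manager (the Ubuntu 20.04 server default), one representative host per wildcard table entry (replace these with the exact hosts your deployment is given), and a five-second timeout per probe.

```shell
#!/bin/sh
# Pre-flight checks for the forwarder host. Added example, not part of the NetEnrich
# procedure. Assumptions: netplan manages networking (Ubuntu 20.04 server default);
# wildcard firewall entries are probed through one representative host each (replace
# with the exact hosts your deployment is given); TIMEOUT seconds per connection probe.
TIMEOUT=${TIMEOUT:-5}

# Destination/port pairs from the firewall table, one "host port" per line.
egress_rules() {
  cat <<'EOF'
malachiteingestion-pa.googleapis.com 443
accounts.google.com 443
gcr.io 443
oauth2.googleapis.com 443
storage.googleapis.com 443
archive.ubuntu.com 443
archive.ubuntu.com 80
download.opensuse.org 80
www.netenrich.com 443
www.threatlandscape.net 443
www.threatlandscape.net 8443
EOF
}

# 0 if a TCP connection to $1:$2 opens within TIMEOUT seconds. Uses nc when installed,
# otherwise bash's /dev/tcp. No root needed.
check_tcp() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
  else
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Probe every rule, print one line per target, return the number of failures.
check_egress() {
  failures=0
  while read -r host port; do
    if check_tcp "$host" "$port"; then
      printf 'OK   %s:%s\n' "$host" "$port"
    else
      printf 'FAIL %s:%s (missing firewall or proxy rule?)\n' "$host" "$port"
      failures=$((failures + 1))
    fi
  done <<EOF
$(egress_rules)
EOF
  return "$failures"
}

# "Static IP" heuristic: a netplan file under $1 that still enables DHCPv4 means the
# address can change, and the devices sending syslog/NetFlow to it would lose it.
netplan_uses_dhcp() {
  grep -rqsE '^[[:space:]]*dhcp4:[[:space:]]*(true|yes)' "$1"
}

# 0 if something already listens on TCP or UDP port $1. The forwarder runs with
# --net=host and binds 514 and 2055 on the host itself, so they must be free.
port_in_use() {
  ss -lnut 2>/dev/null | awk 'NR > 1 {print $5}' | grep -qE "[:.]$1\$"
}

# Compare detected resources with the minimum spec (2 cores, 4 GB RAM, 100 GB disk).
# RAM is checked in MB and disk in GiB with about 5% slack, because the kernel
# reserves part of a nominal 4 GB and disk vendors count in decimal GB.
# Pure function: takes the numbers as arguments so it can be tested off-host.
meets_minimum() {
  rc=0
  [ "$1" -ge 2 ]    || { echo "CPU: $1 core(s), need 2" >&2; rc=1; }
  [ "$2" -ge 3900 ] || { echo "RAM: $2 MB, need about 4096" >&2; rc=1; }
  [ "$3" -ge 95 ]   || { echo "Disk: $3 GiB, need 100" >&2; rc=1; }
  return "$rc"
}

detect_cores()   { nproc; }
detect_mem_mb()  { awk '/^MemTotal/ {print int($2 / 1024)}' /proc/meminfo; }
detect_disk_gb() { lsblk -dbno SIZE,TYPE | awk '$2 == "disk" {s += $1} END {print int(s / 1073741824)}'; }

main() {
  status=0
  meets_minimum "$(detect_cores)" "$(detect_mem_mb)" "$(detect_disk_gb)" || status=1
  if netplan_uses_dhcp /etc/netplan; then
    echo "WARN: DHCP still enabled in /etc/netplan; set a static address" >&2; status=1
  fi
  for p in 514 2055; do
    if port_in_use "$p"; then echo "WARN: port $p is already in use on this host" >&2; status=1; fi
  done
  check_egress || status=1
  [ "$status" -eq 0 ] && echo "all prerequisite checks passed"
  return "$status"
}

# Run the checks with "sh precheck.sh run"; without the argument only the functions are defined.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh precheck.sh run` on the VM after the static IP is configured. A FAIL line for one of the Google endpoints means the forwarder will not be able to authenticate or ship logs once started; a WARN for port 514 usually means another syslog daemon on the host is already listening there and must be stopped or moved before the container is started.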
Ubuntu Installation
- Boot the VM, created with the prerequisites above, from the Ubuntu ISO
- When the installer starts, work through the following screens:
- Choose the preferred language
- Update to the new installer when offered
- The installer updates are downloaded
- Configure the keyboard
- Configure the static IP for Ubuntu as described in the prerequisites
- Select the network interface (named enp0s3 or similar, depending on the VM platform) and choose "Edit IPv4" from the drop-down
- Select "Manual" as the IPv4 method
- Enter the subnet, address, gateway and name servers in the inline fields, then select Save
Note – Search domains value is not mandatory.
- (Optional) Configure the proxy address if required
- Do not change the default mirror settings, Click Done.
- Next, Click Ok
- Configure the storage on the 100 GB disk as per the prerequisites
- Configure the file system and click Done
- Set up the profile as per the prerequisites
- Provide the username "ubuntu" when prompted for a username during the Ubuntu installation
- Install the OpenSSH server
- Leave "Import SSH identity" set to No and click Done
- Do not select any Snaps and Click Done.
- The installation starts.
- Once the security updates are installed, the installer offers to reboot. Installation generally takes around 15 to 20 minutes.
- Select Reboot; the machine then restarts.
Install Docker Engine
Update the apt package index and install the Docker package from the Ubuntu repositories (the # prompt indicates commands run as root; prefix them with sudo otherwise):
# apt-get update
# apt-get install docker.io
Docker is now installed.
Forwarder Installation
Step 1: Download and transfer the forwarder configuration file (Config) that NetEnrich provides.
- Connect to your Linux forwarder host via a terminal.
- Change to the home directory of the user that will run the Docker container.
- Create a new directory to store the Chronicle forwarder configuration files:
# mkdir ~/config
- Move the configuration file (Config) into that directory:
~/config
Note: The config file is provided by NetEnrich.
Feature release: the config file can also be downloaded from Resolution Intelligence Cloud.
- If you are unable to transfer the file into that directory, create it there and paste in the contents instead (nfr1_fwdr.conf is the file name used in this example):
# cd ~/config
# vi nfr1_fwdr.conf
- Save the file with ":wq!".
Step 2: After saving the file, run the following commands.
Obtain the latest Docker image from Google Cloud:
# docker pull gcr.io/chronicle-container/cf_production_stable
Start the Chronicle forwarder from the Docker container (cfps is an example container name; replace it with your own):
# docker run --detach --name cfps --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable
Because of --restart=always, the Docker container (and the Chronicle forwarder inside it) comes back automatically after a system reboot. Because of --net=host, the forwarder listens on the host's own addresses, which is why ports 514 and 2055 must be reachable on the host itself.
Step 3: Monitor and manage the forwarder
The following Docker commands help you monitor and manage the Chronicle forwarder:
- Check that the Docker container is running:
# docker ps
- Display the logs from the container (replace cfps with the container name you chose in Step 2). This can generate a substantial volume of output, but is useful for debugging:
# docker logs cfps
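The script below is an added example, not NetEnrich's or Google's code, that wraps Steps 1 to 3 into a repeatable start/status helper: it refuses to start the container unless the config directory holds exactly one .conf (a policy of this script, not a documented requirement, chosen so a missing or stale copy is never mounted), tightens the file's permissions because the forwarder configuration typically carries the forwarder's credentials, starts the container with the same flags as Step 2, and reports state, restart count and recent logs. Assumed names match the page's examples: container cfps, directory ~/config, file nfr1_fwdr.conf. Setting DRY_RUN=1 prints the docker commands instead of executing them.

```shell
#!/bin/sh
# Stage the config, start the forwarder and check on it, wrapping the docker commands
# from Steps 1 to 3. Added example, not NetEnrich's or Google's script. Assumed names,
# matching the page's examples: container "cfps", config directory ~/config, config
# file nfr1_fwdr.conf. DRY_RUN=1 prints the docker commands instead of running them.
IMAGE=gcr.io/chronicle-container/cf_production_stable
NAME=${FWD_NAME:-cfps}
CONFIG_DIR=${FWD_CONFIG_DIR:-$HOME/config}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Refuse to start unless the mounted directory holds exactly one .conf (this script's
# own policy, not a documented requirement: it stops a missing or stale copy from being
# picked up). The file typically carries the forwarder's credentials, so it is made
# readable only by its owner before the container mounts it.
ensure_config() {
  dir=$1
  [ -d "$dir" ] || { echo "config directory $dir does not exist" >&2; return 1; }
  n=$(find "$dir" -maxdepth 1 -type f -name '*.conf' | wc -l | tr -d ' ')
  [ "$n" -eq 1 ] || { echo "expected exactly one .conf in $dir, found $n" >&2; return 1; }
  chmod 700 "$dir" && chmod 600 "$dir"/*.conf
}

# True when a container of that name exists and is running.
is_running() { [ "$(docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null)" = "true" ]; }

# Step 2 with the same flags: --net=host so syslog 514 and NetFlow 2055 arrive on the
# host address, --restart=always so it comes back after a reboot, and capped log files
# so container output cannot fill the disk.
start_forwarder() {
  ensure_config "$CONFIG_DIR" || return 1
  if is_running "$NAME"; then echo "container $NAME is already running" >&2; return 0; fi
  run docker pull "$IMAGE"
  run docker run --detach --name "$NAME" --restart=always \
    --log-opt max-size=100m --log-opt max-file=10 --net=host \
    -v "$CONFIG_DIR:/opt/chronicle/external" "$IMAGE"
}

# Step 3 in one call: state, restart count and the last $1 log lines. A restart count
# that keeps climbing means the forwarder is crash-looping, usually on its config.
forwarder_status() {
  run docker ps --filter "name=$NAME"
  run docker inspect -f 'status={{.State.Status}} restarts={{.RestartCount}} started={{.State.StartedAt}}' "$NAME"
  run docker logs --tail "${1:-50}" "$NAME"
}

case "${1:-}" in
  start)  start_forwarder ;;
  status) forwarder_status "${2:-50}" ;;
  "")     ;;   # no verb: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 {start|status [lines]}" >&2; exit 2 ;;
esac
```

Run `sh forwarder.sh start` once the .conf is in place and `sh forwarder.sh status` afterwards, as root or as a member of the docker group, matching the # prompts used in the steps above. Because the container uses host networking, a failure to bind 514 or 2055 shows up in the `status` output as a rising restart count rather than as an error from `docker run`.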