Prerequisites
Below are the prerequisites for the Ubuntu machine that will host the Chronicle forwarder.
- Ubuntu should have static IP
- Outbound network access to: *.ubuntu.com, *.opensuse.org on port 80, and *.netenrich.com on port 443
- Firewall configuration, if required, as per the below table.
If you have firewalls or authenticated proxies between the Chronicle forwarder container and the Internet, they need rules that allow access to the following hosts:

| Connection Type | Destination | Port |
| --- | --- | --- |
| TCP | malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
| TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
| TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | accounts.google.com | 443 |
| TCP | gcr.io | 443 |
| TCP | oauth2.googleapis.com | 443 |
| TCP | storage.googleapis.com | 443 |
- Ubuntu should allow inbound access on ports 514 (syslog) and 2055 (NetFlow)
- Ubuntu VM creation: Create a VM with the minimum configuration below (install Ubuntu with the latest version).
| Characteristic | Recommendation |
| --- | --- |
| CPU | 2 Core |
| Memory | 4 GB |
| Storage | 100 GB (Single Disk) |
| Network | 100 Mbps |
- Provide the username as “ubuntu” when prompted for a username during Ubuntu installation.
- Download link for the Ubuntu 20.04 server image:
Ubuntu 20.04.5 LTS (Focal Fossa)
Ubuntu Installation
- Boot the VM, sized per the prerequisites above, from the Ubuntu ISO
- The installer's first screen appears when the installation starts
- Choose the preferred language
- Update to the New Installer
- Updates will be downloaded
- Configure the keyboard
- Configure the static IP for Ubuntu as noted in the prerequisites
- Select the network interface (“enp0s3” in this example; the name may differ on your VM) and then choose “Edit IPv4” from the drop-down
- Select Manual from the inline table
- Enter all the required details in the inline fields and then select Save
Note: the Search domains value is not mandatory.
- (Optional) Configure the proxy address if required
- Do not change the default mirror settings; click Done.
- Next, click OK
- Configure the Storage to 100 GB as per the prerequisites
- Configure the file system and Click Done.
- Set up the profile as per the prerequisites.
- Provide the username “ubuntu” when prompted for a username during Ubuntu installation.
- Install the OpenSSH server
- Keep the SSH identity option set to ‘No’ and click Done.
- Do not select any Snaps and Click Done.
- The installation starts.
- Once the security updates are installed, the system reboots. Installation generally takes around 15 to 20 minutes to complete.
- Select Reboot and then the machine will start rebooting
Install Docker Engine
- Log in to Ubuntu and switch to the root user (the prompts below show a root shell),
- Update the apt package index and install the Docker Engine:

```console
root@ricfwds:/home/ricfwdsc# apt-get update
root@ricfwds:/home/ricfwdsc# apt install docker.io
```
Forwarder Installation
- Create a config directory under /opt/chronicle to store the Chronicle Forwarder configuration files:

```console
root@ricfwds:/home/ricfwdsc# mkdir /opt/chronicle
root@ricfwds:/home/ricfwdsc# cd /opt/chronicle
root@ricfwds:/opt/chronicle# mkdir config
root@ricfwds:/opt/chronicle# cd config
root@ricfwds:/opt/chronicle/config#
```

- Create the .conf file in the config directory:

```console
root@ricfwds:/opt/chronicle/config# vi fwd.conf
```

- Paste the Chronicle Forwarder configuration into fwd.conf.
- Save the file and quit vi with the command “:wq!”
Obtain the latest Docker image from Google Cloud
- Change from the config directory back to the home directory,
- Pull the latest Docker image from Google with the command below:

```console
root@ricfwds:/home/ricfwdsc# docker pull gcr.io/chronicle-container/cf_production_stable:latest
```

Once the Docker image has been pulled, create and start the named container with the command below:

```console
root@ricfwds:/home/ricfwdsc# docker run --detach --name fwd --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v /opt/chronicle/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable
```

fwd is the Docker container name; you can specify any unique name.

- Check the container's name and status with the command below:

```console
root@ricfwds:/home/ricfwdsc# docker ps
```
Troubleshooting
- List open, listening ports on the forwarder (Ubuntu CLI syntax):
  - sudo netstat -an | more
  - sudo netstat -an | grep "port number"
  - If netstat is unavailable, install it with sudo apt install net-tools
- List the last 100 lines of the container's Docker logs (fwd is the container name used above):
  - sudo docker logs -n 100 fwd
- To validate that batches of log data have been uploaded to Chronicle successfully, use the following command:
  - sudo docker logs fwd --since 5m 2>&1 | grep upload
- Use tcpdump to validate that log source traffic is reaching the forwarder, in case a firewall is filtering it:
  - Find the proper interface for tcpdump with ip a or ifconfig. Do not choose the docker interface; choose the Ethernet interface.
  - Capture traffic filtered on the source IP of the log source (interface and source IP are examples): sudo tcpdump -i ens33 src 10.10.10.3
  - Capture traffic filtered on the source IP and port of the log source (interface, source IP and port are examples): sudo tcpdump -i ens33 src 10.10.10.3 and port 11156
- Use tcpdump to validate that the forwarder is sending TLS/SSL traffic to Google Chronicle IPs, in case a firewall is blocking outbound traffic:
  - sudo tcpdump -i ens33 src <ip of forwarder> and port 443
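The following pre-flight script ties the firewall table from the prerequisites to the checks in this troubleshooting section. It is an example added to this guide, not Chronicle's or the guide author's tooling, and assumes bash, the coreutils `timeout` command, `ss`, and a container named fwd as in the docker run step above; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Pre-flight check for a Chronicle forwarder host (example added to this guide, not
# Chronicle's tooling). Hosts and ports come from the prerequisites table, the
# container name "fwd" from the docker run step; function names are our own.

# Destinations from the firewall table (all TCP/443).
CHRONICLE_HOSTS="malachiteingestion-pa.googleapis.com
asia-northeast1-malachiteingestion-pa.googleapis.com
asia-south1-malachiteingestion-pa.googleapis.com
asia-southeast1-malachiteingestion-pa.googleapis.com
australia-southeast1-malachiteingestion-pa.googleapis.com
europe-malachiteingestion-pa.googleapis.com
europe-west2-malachiteingestion-pa.googleapis.com
europe-west3-malachiteingestion-pa.googleapis.com
europe-west6-malachiteingestion-pa.googleapis.com
me-central2-malachiteingestion-pa.googleapis.com
me-west1-malachiteingestion-pa.googleapis.com
accounts.google.com gcr.io oauth2.googleapis.com storage.googleapis.com"

# Succeeds if a TCP connection to $1:$2 opens within $3 seconds (default 5).
# Uses bash's /dev/tcp, so no nc/netcat is needed on the forwarder.
tcp_open() {
  timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Succeeds if a local TCP or UDP socket is listening on port $1 (ss column 5 is Local Address:Port).
listening() {
  ss -lntu 2>/dev/null | awk 'NR>1 {print $5}' | grep -Eq "[:.]$1\$"
}

# Succeeds if the container named $1 (default fwd) is in the Up state.
container_up() {
  docker ps --filter "name=^${1:-fwd}\$" --format '{{.Status}}' 2>/dev/null | grep -q '^Up'
}

# Runs every check, prints one line per item and returns the number of failures.
preflight() {
  local fails=0 h p
  for h in $CHRONICLE_HOSTS; do
    tcp_open "$h" 443 && echo "OK   egress $h:443" || { echo "FAIL egress $h:443 (firewall/proxy rule?)"; fails=$((fails+1)); }
  done
  for p in 514 2055; do  # syslog and NetFlow inbound ports from the prerequisites
    listening "$p" && echo "OK   listening on $p" || { echo "FAIL nothing listening on $p"; fails=$((fails+1)); }
  done
  container_up fwd && echo "OK   container fwd is Up" || { echo "FAIL container fwd not Up (try: docker logs fwd)"; fails=$((fails+1)); }
  return "$fails"
}

# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sudo bash preflight.sh --run` on the forwarder; the exit status is the number of failed checks, so it drops into a cron job or monitoring hook unchanged.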