Prerequisites
Below are the prerequisites to install ubuntu (Ubuntu Machine).
- Ubuntu should have static IP
- Outbound network access to: *.ubuntu.com, *.opensuse.org on port 80, and *.netenrich.com on port 443
- Firewall configuration, if required, as per the below table.
| If you have firewalls or authenticated proxies in between the Chronicle forwarder container and the Internet, they require rules to open access to the following hosts: | ||
| Connection Type | Destination | Port |
| TCP | malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
| TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
| TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
| TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
| TCP | accounts.google.com | 443 |
| TCP | gcr.io | 443 |
| TCP | oauth2.googleapis.com | 443 |
| TCP | storage.googleapis.com | 443 |
- Ubuntu should have inbound access on port 514 (syslog),2055 (net flow)
- Ubuntu VM creation: Create a VM with the minimum configuration below (install Ubuntu with the latest version).
| Characteristic | Recommendation |
| CPU | 2 Core |
| Memory | 4 GB |
| Storage | 100 GB (Single Disk) |
| Network | 100 Mbps |
- Provide the username as “ubuntu” when prompted for a username during Ubuntu installation.
- Link to download ubuntu 20.04 server image
Ubuntu 20.04.5 LTS (Focal Fossa)
Ubuntu Installation
- Install Ubuntu ISO on the VM with the above prerequisites
- You will be prompted with the below screen when the installation starts
- Choose the preferred language
- Update to the New Installer
- Updates will be downloaded
- Configure the keyboard
- Configure the Static IP to the Ubuntu as mentioned in prerequisites
- Select “enpos3” and then from the drop down select “Edit IPv4”
- Select Manual from the inline table
- Enter all the required details in the inline fields and then select Save
Note – Search domains value is not mandatory.
- (Optional) Configure the proxy address if required
- Do not change the default mirror settings, Click Done.
- Next, Click Ok
- Configure the Storage to 100 GB as per the prerequisites
- Configure the file system and Click Done.
- Setup the profile as per the prerequisites.
- Provide username as “ubuntu” when prompted for username during Ubuntu installation.
- Install the OpenSSH server
- Keep the SSH identity as ‘NO’ and Click Done.
- Do not select any Snaps and Click Done.
- Installation will be started.
- Once the Security updates are installed, system will be rebooted. Generally, it will take around 15 to 20 minutes for installation to be complete.
- Select Reboot and then the machine will start rebooting
Install Docker Engine
- First login into the Ubuntu and go to ‘root’ directory,
- Update the apt package index, and install the Docker Engine,
root@ricfwds:/home/ricfwdsc# apt-get update
root@ricfwds:/home/ricfwdsc# apt install docker.io
Forwarder Installation
1. Change directory to Config to store the Chronicle Forwarder configuration files:
root@ricfwds:/home/ricfwdsc# mkdir /opt/chronicle
root@ricfwds:/home/ricfwdsc# cd /opt/chronicle
root@ricfwds:/opt/chronicle# mkdir config
root@ricfwds:/opt/chronicle# cd config
root@ricfwds:/opt/chronicle/config#
- Now need to create .conf file under config directory:
root@ricfwds:/opt/chronicle/config# vi fwd.conf
- Paste the Chronicle Forwarder Configuration file in fwd.conf.
- Now Save the file using the command “:wq!”
Obtain the latest Docker image from Google Cloud
- Change directory to home user directory from Config,
- Using below command to install latest Docker image from Google,
root@ricfwds:/home/ricfwdsc# docker pull gcr.io/chronicle-container/cf_production_stable:latest
Once Docker image is installed, now Create Name for the Docker Container using below command,
root@ricfwds:/home/ricfwdsc# docker run --detach --name fwd --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v /opt/chronicle/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable
fwd is the Docker Container name. You can specify any Unique name.
- Using below command we can check the Docker Container, Name & Status,
root@ricfwds:/home/ricfwdsc# docker ps
Troubleshooting
- List open, listening ports on the forwarder, make sure they're relevant to Ubuntu cli syntax:
- sudo netstat -an | more
- sudo netstat -an | grep "port number"
- If netstat is unavailable, please use sudo apt install net-tools
- List last 100 lines in the docker logs
- sudo docker logs -n 100 cfps
- To validate batches of log data has been successfully uploaded to Chronicle, use the following command
- sudo docker logs cfps --since 5m 2>&1 | grep upload
- tcpdump to validate log source traffic is making it to the forwarder in case a firewall is filtering
- Find the proper interface for tcpdump = ip a, or ifconfig. Do not choose the docker interface, choose the ethernet interface
- execute tcpdump filtering on the source IP of the log source (interface and source IP are examples) = sudo tcpdump -i ens33 src 10.10.10.3
- execute tcpdump filtering on the source IP of the log source and the port (interface, source IP and port are examples) = sudo tcpdump -i ens33 src 10.10.10.3 and port 11156
- tcpdump to validate forwarder is sending TLS/SSL traffic to google chronicle IP's in case a firewall is blocking outbound traffic
- sudo tcpdump -i ens33 src "ip of forwarder" and port 443
Comments
0 comments
Please sign in to leave a comment.