Forwarder Installation & Configuration in Ubuntu

  • Updated
In this article:

    Prerequisites

    Below are the prerequisites to install ubuntu (Ubuntu Machine). 

    • Ubuntu should have static IP  
    • Outbound network access to: *.ubuntu.com, *.opensuse.org Port 80, *.netenrich.com and to *.threatlandscape.net on port 443 and 8443  
    • Firewall Configuration if required as per the below table.
      If you have firewalls or authenticated proxies in between the Chronicle forwarder container and the Internet, they require rules to open access to the following hosts:   
    Connection Type  Destination  Port 
    TCP  malachiteingestion-pa.googleapis.com  443 
    TCP  accounts.google.com  443 
    TCP  gcr.io  443 
    TCP  oauth2.googleapis.com  443 
    TCP  *.ubuntu.com  443 & 80 
    TCP  *.opensuse.org  80 
    TCP  *.netenrich.com  443 
    TCP  *.threatlandscape.net  443 & 8443 
    TCP  storage.googleapis.com  443 
    • Ubuntu should have inbound access on port 514 (syslog),2055 (net flow)  
    • Ubuntu VM creation: Create VM with minimum below configuration (Install Ubuntu with latest version). 
    Characteristic   Recommendation  
    CPU   2 Core  
    Memory   4 GB  
    Storage   100 GB (Single Disk)  
    Network   100 Mbps  

    Ubuntu Installation  

    • Install Ubuntu ISO on the VM with the above prerequisites  
    • You will be prompted with below screen when the installation starts:  

    Picture1.jpg

    • Choose the preferred language  

    Picture3.jpg

    • Update to the New Installer  

    Picture4.jpg

    • Updates will be downloaded  

    Picture5.jpg

    • Configure the keyboard 

    Picture6.jpg

    • Configure the Static IP to the Ubuntu as mentioned in prerequisites

    Picture7.jpg

    • Select “enpos3” and then from the drop down select “Edit IPv4”  

    Picture8.jpg

    • Select Manual from the inline table  

    Picture9.jpg

    • Enter all the required details in the inline fields and then select Save 
      Note – Search domains value is not mandatory. 

    Picture10.jpg          

    • (Optional) Configure the proxy address if required

    Picture11.jpg

    • Do not change the default mirror settings, Click Done.  

    Picture12.png

    • Next, Click Ok 

    Picture13.jpg

    • Configure the Storage to 100 GB as per the prerequisites  

    Picture14.jpg

    • Configure the file system and Click Done.  

    Picture15.jpg

    • Setup the profile as per the prerequisites. 
    • Provide username as “ubuntu” when prompted for username during Ubuntu installation.  

    Picture16.jpg

    • Install the OpenSSH server  

    Picture17.jpg

    • Keep the SSH identity as ‘NO’ and Click Done.  

    Picture19.jpg

    • Do not select any Snaps and Click Done.  

    Picture19.jpg

    • Installation will be started.  

    Picture20.jpg

    • Once the Security updates are installed, system will be rebooted. Generally, it will take around  15 to 20 minutes for installation to be complete.  

    Picture21.jpg

    • Select Reboot and then the machine will start rebooting  

    Picture22.jpg

    Install Docker Engine 

    Update the apt package index, and install the latest version of Docker Engine and container, or go to the next step to install a specific version:

    • #apt-get update
    • #apt-get install docker.io

    Picture23.jpg

    Docker is successfully installed.

    Forwarder Installation

    Step1: Download, transfer the forwarder configuration file (Config) which NetEnrich provides.

    • Connect to your Linux forwarder via terminal.

    Change directory to the home directory of the new user that will run Docker Container.

    • Create a new directory to store the Chronicle forwarder configuration files: 
      # mkdir ~/config
    • Navigate to config#

    Move the respective file “Config” under the directory

    ~/config# 

     Note – The config file will be provided by NetEnrich.

    Feature Release – We can download the config file from Resolution Intelligence Cloud as well.

    • If you are unable to move to the particular folder, follow below steps.
      Config# vi nfr1_fwdr.conf
    • Save the file using command -  “:wq!”

    Step2: After saving the file, execute the below commands.

    Obtain the latest Docker image from Google Cloud

    • #docker pull gcr.io/chronicle-container/cf_production_stable

    Picture24.jpg

    Start Chronicle forwarder from the Docker container:

    • # docker run --detach --name <example cfps> --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chroniclecontainer/cf_production_stable\

    The Docker container (and Chronicle forwarder) persist after system reboots

    Step3: Monitor and manage the forwarder

    The following Docker commands help you to monitor and manage Chronicle forwarder:

    • Check if the Docker container is running:

    #docker ps

    • Display the logs from the container. Note that this can generate a substantial volume of output, but is useful for debugging:

    #docker logs (Container name which provided in above step)

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.