Loggernaut-Configurations

SFTP Backup Server

The backup function automates the transfer of all raw logs, which were previously stored exclusively on the management server, to an SFTP server. It is configured in the Loggernaut config.json and gives you an efficient way to back up your data.

Configuration of the SFTP backup server

  1. Add the code to your /opt/enginsight/loggernaut/config.json as follows.

{
    "api": {...},
    "siem": {...},
    ...,
    "backup": {
        "strategy": "sftp",
        "sftp": {
            "permissions": "0666",
            "remoteDirectory": "/logs",
            "keepLocalCopy": false,
            "ssh": {
                "username": "siem",
                "password": "****",
                "ip": "****",
                "port": 22,
                "privateKeyPath": "/opt/enginsight/loggernaut/ssh/id_ed25519",
                "privateKeyPassphrase": "*****",
                "knownHostsPath": "/root/.ssh/known_hosts"
            }
        }
    }
}
  2. Adjust the default settings as follows:

Individual customizations:

  • strategy

    • local: The logs are kept locally on the Loggernaut.

    • remove: All logs outside the TTL are deleted.

    • sftp: Transfer to an SFTP server (the sftp object must be configured accordingly in this case).

sftp.permissions: Enter the file permissions in Unix octal notation. The example value "0666" gives every user on the SFTP server read and write access to all backup files; for log archives a restrictive mode such as "0640" (owner read/write, group read) or "0600" is the safer choice.

sftp.remoteDirectory: Specify the directory path where the logs should be stored.

Be careful with SFTP chroot! The path is interpreted relative to the chroot directory. If the target directory on the server is '/user/siem/logs' and the user is chrooted to '/user', remoteDirectory must be set to '/siem/logs' to avoid problems.

sftp.keepLocalCopy: If set to 'false', all logs on the Loggernaut that are outside the TTL are deleted as soon as they have been transferred to the SFTP server.

sftp.ssh.username: Specify the username for the SFTP SSH user.

sftp.ssh.password: Specify the SSH password of the SFTP user.

You can leave this field empty if a key is used.

sftp.ssh.ip: Enter the IP address of the SFTP/SSH server here.

sftp.ssh.port: Enter the port on which the SFTP/SSH server is running here.

If you leave this field empty, the default port 22 will be used.

sftp.ssh.privateKeyPath: Enter the path to the private SSH key here.

If you authenticate with a password, no adjustment is needed here.

sftp.ssh.privateKeyPassphrase: Enter the password for the private key here (if available).

sftp.ssh.knownHostsPath: Enter the path to a known_hosts file that is used to verify that the SFTP server you connect to is the intended one.

If you leave this entry blank, no host key check is performed and whichever server answers is trusted. Anyone who can redirect the connection could then receive your logs (and, with password authentication, the password), so set this path in production. The file does not have to be the known_hosts file maintained by SSH; if only this one host is to be permitted, a file containing just its entry is sufficient, but the format must match that of the "original" file.

  3. Finally, restart the Loggernaut to apply the configuration.
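Before restarting, it is worth checking the backup section for the pitfalls described above: a world-writable permission mode, an empty knownHostsPath (no host key verification), a chroot-relative remoteDirectory, and password and key both configured. The following Python script is an added example and not part of the Loggernaut project. It uses the documented key names of config.json; the checks themselves, the sample values (IP address, paths, credentials) and the hardened variant are constructed for illustration.

```python
"""Pre-restart lint for the "backup" section of a Loggernaut config.json.

Added example, not part of the Loggernaut project. Key names follow the
documented config.json; which settings are flagged is this example's choice,
based on the caveats in the documentation.
"""
from __future__ import annotations

import json
import posixpath

# Constructed sample: the documented example filled with weak values.
WEAK_CONFIG = json.loads(r'''
{
  "backup": {
    "strategy": "sftp",
    "sftp": {
      "permissions": "0666",
      "remoteDirectory": "/logs",
      "keepLocalCopy": false,
      "ssh": {
        "username": "siem",
        "password": "hunter2",
        "ip": "192.0.2.10",
        "port": 22,
        "privateKeyPath": "/opt/enginsight/loggernaut/ssh/id_ed25519",
        "privateKeyPassphrase": "",
        "knownHostsPath": ""
      }
    }
  }
}
''')

# Constructed sample: same backup, hardened (restrictive mode, key only, pinned host key).
HARDENED_CONFIG = json.loads(r'''
{
  "backup": {
    "strategy": "sftp",
    "sftp": {
      "permissions": "0640",
      "remoteDirectory": "/siem/logs",
      "keepLocalCopy": false,
      "ssh": {
        "username": "siem",
        "password": "",
        "ip": "192.0.2.10",
        "port": 22,
        "privateKeyPath": "/opt/enginsight/loggernaut/ssh/id_ed25519",
        "privateKeyPassphrase": "correct horse battery staple",
        "knownHostsPath": "/opt/enginsight/loggernaut/ssh/known_hosts"
      }
    }
  }
}
''')


def path_inside_chroot(target: str, chroot: str) -> str:
    """Path a chrooted SFTP user must use for an absolute server path.

    Documentation example: /user/siem/logs under chroot /user -> /siem/logs.
    """
    target = posixpath.normpath(target)
    chroot = posixpath.normpath(chroot)
    if chroot == "/":
        return target
    if target != chroot and not target.startswith(chroot + "/"):
        raise ValueError(f"{target} lies outside the chroot {chroot}")
    return target[len(chroot):] or "/"


def lint_sftp_backup(config: dict) -> list[str]:
    """Return a list of findings; an empty list means no objection."""
    findings: list[str] = []
    backup = config.get("backup", {})
    if backup.get("strategy") != "sftp":
        return findings  # local/remove: nothing SFTP-specific to check
    sftp = backup.get("sftp")
    if not isinstance(sftp, dict):
        return ['backup.strategy is "sftp" but the backup.sftp object is missing']

    # permissions is an octal mode string; 0666 makes every backup world-writable
    perms = sftp.get("permissions")
    try:
        mode = int(perms, 8)
    except (TypeError, ValueError):
        findings.append(f"sftp.permissions {perms!r} is not an octal mode string")
    else:
        if mode & 0o002:
            findings.append(f"sftp.permissions {perms} is world-writable; use 0640 or 0600")
        elif mode & 0o004:
            findings.append(f"sftp.permissions {perms} is world-readable; consider 0640 or 0600")

    # remoteDirectory must be absolute as seen from inside the SFTP chroot
    if not str(sftp.get("remoteDirectory", "")).startswith("/"):
        findings.append("sftp.remoteDirectory must be an absolute path inside the SFTP chroot")

    ssh = sftp.get("ssh", {})
    if not ssh.get("knownHostsPath"):  # blank => no host key verification
        findings.append("sftp.ssh.knownHostsPath is empty: host key verification is disabled")
    has_password = bool(ssh.get("password"))
    has_key = bool(ssh.get("privateKeyPath"))
    if not (has_password or has_key):
        findings.append("neither sftp.ssh.password nor sftp.ssh.privateKeyPath is set")
    if has_password and has_key:
        findings.append("both password and privateKeyPath are set; clear the password when a key is used")
    port = ssh.get("port", 22)  # 22 is the documented default
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"sftp.ssh.port {port!r} is not a valid TCP port")
    for field in ("username", "ip"):
        if not ssh.get(field):
            findings.append(f"sftp.ssh.{field} is empty")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_sftp_backup(cfg) or "OK")
    print(path_inside_chroot("/user/siem/logs", "/user"))
```

Run it against your own file with `lint_sftp_backup(json.load(open("/opt/enginsight/loggernaut/config.json")))`; the weak sample produces three findings (world-writable mode, disabled host key check, password and key both set), the hardened sample none.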

Full-Text Search Datalake

The Full-Text Search allows you to search for any text in your logs to find relevant information even faster. You can search logs for content without having to name the relevant fields, which also makes it possible to return results that span several fields.

Please bear in mind that enabling the Full-Text Search can greatly increase the size of the index! Be aware of this beforehand and provide sufficient resources.

Activation for existing accounts

As an existing Enginsight user, open the file /opt/enginsight/loggernaut/config.json and add the entry "fullTextSearch": true at the root level of the JSON.

Then restart the Loggernaut to apply the changes.

Please note that only logs sent to the SIEM after activation can be found with the full-text search. Older logs are not searchable!

Deactivation after reinstallation

If you want to deactivate the full-text search, proceed as follows:

  • set the entry "fullTextSearch": false in the config.json and restart the Loggernaut.

Backup-Log TTL

The backup log time-to-live (TTL) can be configured separately to control the lifetime of backup logs. Use the following JSON configuration to set the TTL for your organization:

{
    "backup": {
        "strategy": "remove",
        "ttl": {
            "<org>": <ttlInDays>
        }
    }
}

Replace <org> with the name of your organisation and <ttlInDays> with the desired duration in days after which the backup logs are automatically removed.

This configuration enables precise management of the backup log lifetime according to your requirements.

Sample configuration


Below you will find a corresponding sample configuration for the TTL log files:

Please make sure that you adjust the configuration accordingly!

{
    // Mandatory fields in the configuration (irrelevant for TTL)
    "api": {
        "url": "",
        "accessKeySecret": "",
        "accessKeyId": ""
    },
    "siem": {
        "indecees": [
            ""
        ],
        "basicAuth": {
            "username": "",
            "password": ""
        }
    },
    // TTL for raw backup logs on the management server
    "backup": {
        "strategy": "<remove|sftp>",
        "ttl": {
            "<orgid>": 90 // Specification in days
        }
    },
    // TTL of searchable logs in the Solr cluster
    "ttl": {
        "<orgid>": 30 // Specification in days
    }
}

Please note that the TTL (Time to Live) only affects the logs on the management server. Logs that have already been transferred to the SFTP server are no longer processed by the Loggernaut and therefore remain unchanged. Furthermore, the setting applies only to the respective organisation and must be made for each organisation.

Geosplitting

Geosplitting allows an on-premises SIEM installation to use several SIEM clusters, so that data sovereignty and performance can be ensured per customer instead of all organisations sharing one cluster.

Geosplitting allows you to move several sub-organizations into a new cluster if required. You also have the option of creating multiple clusters.

  1. Configure the Loggernaut as usual.

  2. Add the "alternatives" array to the "siem" section of your configuration, as in the following example:

"siem": {
    "management": {
      "organisation": "organisation"
    },
    "alternatives": [{
      "organisations": ["organisation1", "organisation2"],
      "basicAuth": {
        "username": "****",
        "password": "****"
      },
      "url": "url",
      "numShards": 2,
      "replicationFactor": 1,
      "management": {
        "organisation": "organisation1"
      }
    }],
    "basicAuth": {
      "username": "*****",
      "password": "*****"
    },
    "url": "url"
  },
  3. Enter the relevant information under the points below:

  • "organisations": All organisations that belong to the new cluster.

  • "management": The management organisation within the new cluster can view the status of the other organisations in that cluster. It must be one of the organisations listed under "organisations" of the same alternative. Otherwise, everything corresponds to the normal SIEM setup.

It is mandatory that no organisation appears twice, i.e. exists in two clusters at the same time. All organisations that have not been moved into an alternative remain in the management cluster.
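The two rules in this section, that an alternative's management organisation must be one of its own organisations and that no organisation may be placed in two clusters, are easy to violate when several "alternatives" entries are edited by hand. The following Python script is an added example, not Loggernaut code: it resolves which cluster url each organisation ends up on and rejects configurations that break either rule. The organisation names and urls are constructed, and the key names follow the "siem" fragment above.

```python
"""Resolve and validate Loggernaut geosplitting ("siem.alternatives").

Added example, not part of the Loggernaut project. Key names follow the
documented "siem" fragment; organisation names and urls are constructed.
"""
from __future__ import annotations

# Constructed sample: one alternative cluster for two organisations.
SIEM_CONFIG = {
    "management": {"organisation": "acme-hq"},
    "alternatives": [
        {
            "organisations": ["acme-de", "acme-at"],
            "basicAuth": {"username": "siem-eu", "password": "****"},
            "url": "https://siem-eu.example.internal",
            "numShards": 2,
            "replicationFactor": 1,
            "management": {"organisation": "acme-de"},
        }
    ],
    "basicAuth": {"username": "siem", "password": "****"},
    "url": "https://siem.example.internal",
}

# Constructed invalid sample: "acme-de" placed in two alternatives.
DUPLICATE_ORG_CONFIG = {
    "management": {"organisation": "acme-hq"},
    "alternatives": [
        {"organisations": ["acme-de"], "url": "https://a.example.internal",
         "management": {"organisation": "acme-de"}},
        {"organisations": ["acme-de", "acme-ch"], "url": "https://b.example.internal",
         "management": {"organisation": "acme-ch"}},
    ],
    "url": "https://siem.example.internal",
}

# Constructed invalid sample: management organisation not part of its cluster.
BAD_MANAGEMENT_CONFIG = {
    "management": {"organisation": "acme-hq"},
    "alternatives": [
        {"organisations": ["acme-de"], "url": "https://a.example.internal",
         "management": {"organisation": "acme-fr"}},
    ],
    "url": "https://siem.example.internal",
}


def validate_geosplit(siem: dict) -> dict[str, str]:
    """Map every organisation named in an alternative to that cluster's url.

    Raises ValueError if an alternative's management organisation is not in its
    own organisations list, or if an organisation appears in two clusters.
    """
    owner: dict[str, int] = {}      # organisation -> index of the alternative
    routing: dict[str, str] = {}
    for idx, alt in enumerate(siem.get("alternatives", [])):
        orgs = alt.get("organisations", [])
        if not orgs:
            raise ValueError(f"alternatives[{idx}] lists no organisations")
        mgmt = alt.get("management", {}).get("organisation")
        if mgmt not in orgs:
            raise ValueError(
                f"alternatives[{idx}].management.organisation {mgmt!r} "
                f"is not in its organisations list {orgs}")
        for org in orgs:
            if org in owner:
                raise ValueError(
                    f"{org!r} appears in alternatives[{owner[org]}] and alternatives[{idx}]")
            owner[org] = idx
            routing[org] = alt["url"]
    return routing


def cluster_url_for(siem: dict, organisation: str) -> str:
    """Url of the cluster that stores logs for `organisation`.

    Organisations not moved into an alternative stay on the management cluster.
    """
    return validate_geosplit(siem).get(organisation, siem["url"])


def is_valid_geosplit(siem: dict) -> bool:
    try:
        validate_geosplit(siem)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(validate_geosplit(SIEM_CONFIG))
    for cfg in (DUPLICATE_ORG_CONFIG, BAD_MANAGEMENT_CONFIG):
        try:
            validate_geosplit(cfg)
        except ValueError as exc:
            print("rejected:", exc)
```

Point `validate_geosplit` at the "siem" object of your config.json before restarting; it returns the routing table for a valid configuration and names the offending alternative index otherwise.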
