SIEM
Use our SIEM to collect and analyze information about the security posture of your IT network.
Last updated
Use our SIEM to collect and analyze information about the security posture of your IT network.
Last updated
Secure your data with our powerful SIEM: contact our experts at sales@enginsight.com to get started as quickly as possible and get support with your installation!
You will need the following components to install the SIEM
1x SIEM Management Server
4CPU, 8GB RAM, 200GB Disk
1X SIEM Index Server
4CPU, 8GB RAM, 200GB Disk
This setup is designed exclusively for a workload of 10 GB per day! If you have higher requirements, please contact us for individual advice.
The following firewall rules must also be enabled:
NGS APP Server -> SIEM Management Server - Port 443
SIEM Index Server <- SIEM Management Server - Port 8983
Create a swap on all VMs if you do not already have one.
Create a URL for your SIEM server, e.g. ngs-siem.your-domain.com. A certificate in PEM format must be available for this. If you use a self-signed certificate, please follow these instructions.
Please do not change the Docker configurations provided below, as they are coordinated with each other.
The SIEM Management Server receives the logs via the API and sends them to the SIEM Index Server, where they are processed.
The following components are installed for this purpose:
nginx
docker-ce
docker-ce-cli
containerd.io
docker-buildx-plugin
docker-compose-plugin
Enginsight Loggernaut
Create a folder for Docker and navigate to it
Customize the docker-compose.yml
Add and complete the following configuration
The corresponds to the internal IP address of the SIEM management server. This must be accessible both from the management server and from the other SIEM index server(s).
Create the directories that are defined in the docker-compose:
Start the Docker container
Check whether your Docker container is running
Install nginx
Create a user name and password for authentication on the SIEM Management Server.
The user name and password are generated automatically (BasicAuth).
You will receive the following output:
Save the code as you will need it later to customize the App Server.
Customize the nginx configuration:
To do this, open the configuration:
and adjust them as follows:
Check the nginx configuration:
Restart the nginx to apply the configuration:
Create a folder for Docker and navigate to it:
Customize the docker-compose.yml:
Add and complete the following configuration:
<IPfromSIEMIndexServer> corresponds to the IP of the SIEM Index Server
<IPfromSIEMManagementServer> corresponds to the IP of the SIEM Management Server
The RAM for the container must be set for SOLR_JAVA_MEM. The recommendation is to always allocate at least 1/4 of the total RAM.
Create directories and assign rights to access them:
Start the Docker container:
Check whether the port is only open for the internal address. Here you can install dienet-tools (sudo apt install net-tools
).
The result should look like this:
Make sure that the correct IP address appears under Host.
If you want to install an additional index server, please adjust the configuration as explained in step 3 under Install nginx.
To be able to use the functionalities in the SIEM AI, some configurations are required.
This is a beta functionality. Please note that errors may occasionally occur when predicting the metrics and the resulting anomaly detection.
Update affected components.
The current versions of the individual components can always be found here: https://github.com/enginsight/enterprise/blob/master/docker-compose.yml
Activate experimental ML mode in Loggernaut.
To do this, customize the configuration file under:
by adding the following line at root level:
Then restart the Loggernaut to apply the configuration.
Install Docker.
Create Docker Compose.
The following must be included in docker-compose.yml
:
If the machine learning runs on the same machine as the Loggernaut and generates too much CPU load so that the Loggernaut can no longer handle the log throughput, we recommend reducing the CPU shares of the container so that other processes have a higher priority. This adjustment to docker-compose.yml is necessary for this:
Adjustments to Nginx Config from the Management Server for Websocket Support.
Modify the following file: /etc/nginx/sites-available/default
Check the config for errors:
Restart nginx to apply the config:
Make sure that you have root rights. If this is not the case, log in as superuser.
Make sure that the latest version of Docker and Docker Compose is installed. You can find the current version numbers here: Docker Engine, Docker Compose.
Do not install Docker via Snap or when installing the operating system, but only install Docker from the package sources in the official instructions.
Log in to Docker.
You will receive the access data from us.
If there are problems with authentication, check whether a current gpg2 key is available and generate it automatically if necessary:
apt install gnupg2
gpg2 --gen-key
Start the container with the adjustments you have just made.
Customize the Enginsight APP Server configuration and access to communicate with your SIEM Management Server.
Switch to the configuration file:
add the following section to the configuration
Fill in "basicAuth" with the credentials you have stored in the proxy. For the URL, enter the URL of the SIEMs server or its IP address.
numShards are responsible for the parallel processing of requests. At least 2 should be entered here. For larger instances, half of the cores should be entered. For a server with 8 cores, correspondingly 4.
The replicationFactor is responsible for replication. The data is distributed to several servers. The advantage is that the other index servers can intervene in the event of a failure. However, the consumption of memory increases. If desired, you can enter the number of your index servers for replication. Alternatively, leave this at 1. The organization corresponds to the organization ID that manages the SIEM clusters. Select an organization for this (we recommend your "main org").
In the configuration under "api", add:
So that your configuration looks like this:
Change to the Enginsight directory and start setup.sh
Regulate the memory requirements of the Docker logs by limiting them to 100 Mb as follows:
Insert the following:
Restart the Docker service:
Create an access key for the SIEM Mangagement Server from
The Loggernaut is used to receive and process the logs.
Log in to your SIEM management server
Install the Loggernaut as follows:
Login with username and password via Basic Authentica
Switch to the Enginsight instance and click on the "SIEM" tab. The interface establishes a connection to the servers, which may take a few seconds.
If the platform indicates that it was unable to establish a connection, please check the following points:
Can the APP server reach the SIEM management server? Test this using curl. Status code 200 must be returned.
Can the SIEM server reach the APP server?
Have all firewall permissions from the Preparation section been set?
If you use a self-signed certificate or a Windows PKI for your SIEM URL, you must first trust the root certificate on the SIEM management and on the app server. It also requires an adjustment in the docker-compose.yml of the App Server.
Trust certificate:
Copy your root certificate on the SIEM Managemt to /usr/local/share/ca-certificates/
and update the CA Store
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
sudo update-ca-certificates
Repeat this for the App Server
customize docker-compose.yml on the App Server:
Navigate to the /opt/enginsight/enterprise
folder on the app server and open the file using :
Add the following under enviroment:
Please replace ca.crt with the name of your root certificate.
You will notice at the beginning that the SIEM is already filled with logs. These come from the IDS, IPS, FIM, etc. as standard. You can view the sources under SIEM -> Data Lake -> ngs.source.
To receive the logs, such as Syslog (Linux), EventLog (Windows) and Unified Logs (MacOs), you must first allow this in the Policy Manager. To do this, navigate to Hosts -> Policy Manager and create a new policy called SIEM.
Use tags to determine which host is allowed to send logs and activate "Allow evaluation of system logs" under Advanced settings.
Now navigate back to the SIEM tab. You will find the individual operating systems under Integrated collectors. Here you can add a new collector in the top right-hand corner.
Assign a name for the respective operating system that is to be logged. Activate logging and assign it to a tag. You can then select the channels via which the logs are to be collected.
You can also connect devices to the SIEM that do not have an agent installed. To do this, define an agent to collect the logs. To do this, navigate to SIEM -> Event relay.
Select a name with which you can clearly identify your collector. Activate logging again and define a client or server under Host which is to receive the logs from the device (e.g. firewall). Also select the format and decide via which port and which protocol the data should be sent.
It is possible to configure multiple collectors. This is particularly useful for multiple networks so that no new firewall rules need to be configured, as one collector can be used per network.