# Requirements

{% hint style="info" %}
Please note that we orchestrate our services using Docker. For this reason, it is important that only the Enginsight Docker instances run on the servers. Changes to the setup configuration in the docker-compose.yml file can lead to unpredictable side effects.
{% endhint %}

{% hint style="info" %}
We strongly recommend that you use the Linux image versions we have identified, as we are unfortunately unable to support special custom builds!

Furthermore, only Debian-based systems are supported. Any deviations from our documentation, such as unauthorized changes to the configuration, changes to the setup or the addition of further services on the server, cannot be supported by us.
{% endhint %}

{% hint style="danger" %}
Please note that AVX is required for the installation of MongoDB!
{% endhint %}

1. Virtual machines (VM)
   1. as an [Application Server](#application-server)
   2. as a [Database Server](#database-server)
   3. for the [Observer/Watchdog/Hacktor](#observer-watchdog-hacktor)
2. [Firewall rules](#firewall-rules)
3. [Docker Credentials](#docker-credentials)
4. [Licence File](#licence-file)
5. [Remote support](#remote-support) (in case of installation by Enginsight Support)
6. [SSL/TLS Certificate](#certificate)

## Capabilities

### Application Server

The application server is used to operate the central API, the user interface and other services of the platform.

#### Monitoring of up to 500 servers and clients with Pulsar Agent

| Operating System | Debian 12, 64bit                                                                                                                                                                             |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| CPU              | 4 Cores                                                                                                                                                                                      |
| RAM              | 8 GB                                                                                                                                                                                         |
| Mass storage     | <p>200 GB (SSD recommended)</p><p>Best Practice: Create a common partition for the entire system</p>                                                                                         |
| Connectivity     | <p>Inbound: Port 80 (Redirect to 443 + Let’s Encrypt) and Port 443</p><p>Outbound: Port 27017 to Database Server and Port 80 & 443 to the servers which are listed in the firewall rules</p> |

{% hint style="info" %}
In addition, we recommend setting up **at least 4 GB of swap-memory** to mitigate potential out-of-memory (OOM) problems. Especially during the generation of the user interface (UI) by Ember, the RAM consumption can increase significantly, which in combination with the processing of incoming data can lead to increased resource requirements.
{% endhint %}

#### Monitoring of more than 500 servers and clients with Pulsar Agent

If your on-premises instance monitors more than 300 servers and clients with the Pulsar agent, you should consider the possibilities of load balancing on multiple application servers. **If you have more than 500 Pulsar agents installed, load balancing across multiple application servers is necessary.**

| Maximum number of Pulsar agents  | Number of application servers |
| -------------------------------- | ----------------------------- |
| 500                              | 1 virtual machine             |
| 1000                             | 3 virtual machines            |
| 2500                             | 8 virtual machines            |
| 5000                             | 16 virtual machines           |
| 10000                            | 32 virtual machines           |

{% hint style="warning" %}
If you want to use the [Shield](https://docs.enginsight.com/docs/master/operation/platform/shield) module to block network attacks, you should have more performance reserves. The required performance depends on how many events occur. Therefore, you should introduce Shield in several steps and observe the performance in monitoring to be able to scale up in time if necessary.
{% endhint %}

{% hint style="info" %}
Please make sure that access via SSH is possible or VMware Tools are installed.
{% endhint %}

### Database Server

The database server stores all monitoring data and communicates exclusively with the application server.

|                  |                                                                                                                                               |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| Operating System | Debian 12 64bit                                                                                                                               |
| Software         | Current Version MongoDB                                                                                                                       |
| CPU              | 4 Cores                                                                                                                                       |
| RAM              | 4 GB                                                                                                                                          |
| Mass storage     | <p>100 GB (SSD recommended)</p><p>Best practice: Create a shared partition for the entire system</p>                                          |
| Connectivity     | <p>Inbound: Port 27017 for Enginsight Application-Server<br>Outbound: Port 80 & 443 to the servers which are listed in the firewall rules</p> |

{% hint style="info" %}
Please make sure that access via SSH is possible or VMware Tools are installed.
{% endhint %}

### Benchmark test for servers

Perform the following tests to evaluate the performance of your servers. The measurements allow a precise assessment of hard disk performance and CPU efficiency, so you can confirm that your IT infrastructure is functioning optimally and meets the requirements of your applications.

#### Measuring hard drive performance

To check hard disk performance, run the following script:

```
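# Install fio (run as root)
apt install fio

# 4k random read/write with direct I/O on a 1 GB test file, for at most 60 seconds
fio --name=random-readwrite --ioengine=libaio --iodepth=1 --rw=randrw --bs=4k --direct=1 --size=1G --numjobs=1 --runtime=60 --filename=/tmp/testfile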
```

**Expected performance: At least 10 MB/s for read and write operations.**

#### CPU measurement

To check CPU performance, run the following script:

```
# Install sysbench (run as root)
apt install sysbench

# CPU benchmark; the older --test=cpu form is deprecated in sysbench 1.0
sysbench cpu --cpu-max-prime=20000 run
```

**Expected performance: result of 1500.**

### Observer/Watchdog/Hacktor

For the software components Observer, Hacktor and Watchdog you may need additional VMs. The individual software components can be operated together on one system, but **separate operation is recommended**. In case of shared operation, the resources have to be doubled.

These are minimum requirements. Upgrade the instances with more power so that the software components have more performance reserves.

One observer with the specified resources can take over the monitoring of up to 50 endpoints. For endpoints, note the option to define [parallel processing](https://docs.enginsight.com/docs/master/operation/platform/endpunkte/observer#configure-observer) of endpoints. The default setting is "2". Depending on the performance reserves, you can adjust the setting down or up. You also have the option to [assign multiple observers to the same region](https://docs.enginsight.com/docs/master/operation/platform/endpunkte/observer#configure-observer), so that the observers share the monitoring of the endpoints among themselves.

Consider also the options for the [Configuration of the Hacktor software component](https://docs.enginsight.com/docs/master/operation/platform/penetration-testing/hacktor#configuring-the-hacktor), especially the possibility to increase the [Number of parallel scans](https://docs.enginsight.com/docs/master/operation/platform/penetration-testing/hacktor#number-of-targets-scanned-in-parallel).

| Operating System                        | <p>Linux: Debian 12, no Windows<br>AMD64, ARM64, ARMv7/ARMv8</p> |
| --------------------------------------- | ---------------------------------------------------------------- |
| CPU                                     | 2 Core / 4 Cores (for shared operation)                          |
| RAM                                     | 2 GB / 4 GB (for shared operation)                               |
| Mass Storage                            | 20 GB / 50 GB (for shared operation)                             |
| Connectivity                            | Outgoing: Port 80 resp. 443                                      |
| Number of maximum processes (`numproc`) | <p>Minimum: 20,000</p><p>Best practice: unlimited</p>            |

{% hint style="info" %}
Please make sure that access via SSH is possible or [VMware Tools](https://www.vmware.com/support/ws5/doc/new_guest_tools_ws.html) are installed.
{% endhint %}
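
The AVX, swap and process-limit requirements stated above can be checked on a candidate VM before installation. The script below is an added example, not part of the Enginsight tooling; it assumes a Linux `/proc` filesystem and that `numproc` refers to the per-user process limit shown as `Max processes` in `/proc/self/limits`, and its function names are illustrative.

```bash
#!/bin/bash
# Added example (not Enginsight code): preflight checks for the AVX, swap and
# process-limit requirements. Each check takes the file to read as an optional
# argument, so it can also be run against a saved copy from another host.

# AVX is required for MongoDB; on x86 it appears in the "flags" line.
# -w keeps "avx2" or "avx512f" from being counted as "avx".
has_avx() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw avx
}

# SwapTotal in KiB as reported by the kernel.
swap_kib() {
    awk '/^SwapTotal:/ {print $2}' "${1:-/proc/meminfo}"
}

# At least 4 GB of swap is recommended. A 4 GiB swap area reports slightly
# less (its header page is not usable), so allow 1 MiB of slack.
has_min_swap() {
    [ "$(swap_kib "$1")" -ge $((4 * 1024 * 1024 - 1024)) ] 2>/dev/null
}

# Soft process limit; assumed here to be what the table calls `numproc`.
# Minimum 20,000, best practice unlimited.
nproc_ok() {
    limit=$(awk '/^Max processes/ {print $3}' "${1:-/proc/self/limits}")
    [ "$limit" = "unlimited" ] || [ "$limit" -ge 20000 ] 2>/dev/null
}

preflight() {
    rc=0
    if has_avx; then echo "OK   AVX available"
    else echo "FAIL AVX missing (required for MongoDB)"; rc=1; fi
    if has_min_swap; then echo "OK   swap >= 4 GB"
    else echo "WARN swap below the recommended 4 GB ($(swap_kib) KiB)"; fi
    if nproc_ok; then echo "OK   process limit >= 20000"
    else echo "FAIL process limit below 20000"; rc=1; fi
    return "$rc"
}

# Run the checks against the local host only when asked to.
if [ "${1:-}" = "run" ]; then preflight; fi
```

Save it as `preflight.sh` and call `bash preflight.sh run`; the AVX check only matters on the database server and the process limit on the component servers.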

## Firewall rules

### OnPrem

**App Server**

| **Direction** | **Target**    | **Target-Port** | **Protocol** | **Usage**                                             |
| ------------- | ------------- | --------------- | ------------ | ----------------------------------------------------- |
| Outgoing      | Update Server | 443             | TCP          | Updates for operating system and platform             |
| Outgoing      | DB            | 6379            | TCP          | If Redis is installed on the DB (e.g., load balancer) |
| Incoming      | App Server    | 443             | TCP          |                                                       |
| Incoming      | App Server    | 80              | TCP          | If Let's Encrypt is used                              |
| Incoming      | App Server    | 8080            | TCP          | For unencrypted instances (not recommended!)          |

**Database Server**

| **Direction** | **Target/Source**                     | **Target-Port** | **Protocol** | **Usage**                                             |
| ------------- | ------------------------------------- | --------------- | ------------ | ----------------------------------------------------- |
| Outgoing      | Update Server                         | 80/443          | TCP          | Updates for operating system and platform             |
| Incoming      | App Server                            | 27017           |              |                                                       |
| Incoming      | SIEM Management Server                | 27017           |              |                                                       |
| Incoming      | App Server                            | 6379            | TCP          | If Redis is installed on the DB (e.g., load balancer) |

**Component Server**

| **Direction** | **Target/Source** | **Target-Port** | **Protocol** | **Usage**                                 |
| ------------- | ----------------- | --------------- | ------------ | ----------------------------------------- |
| Outgoing      | Update Server     | 80/443          |              | Updates for operating system and platform |

**Agents and sensors**

| **Component**                          | **Direction** | **Target** | **Target-Port** | **Protocol** |
| -------------------------------------- | ------------- | ---------- | --------------- | ------------ |
| Pulsar Agent                           | Outgoing      | App Server | 443             | TCP          |
| Enginsight Agent (Client/Server Agent) | Outgoing      | App Server | 443             | TCP          |
| Watchdog                               | Outgoing      | App Server | 443             | TCP          |
| Hacktor                                | Outgoing      | App Server | 443             | TCP          |
| Observer                               | Outgoing      | App Server | 443             | TCP          |

| **Where**             | **Rules**                                  |
| --------------------- | ------------------------------------------ |
| customer network      | Sensor → Enginsight App Server: 443/TCP    |
| customer network      | Sensor → DNS: 53/UDP                       |
| Enginsight App Server | No detailed rules required for each sensor |

{% hint style="danger" %}
If your instance is not encrypted, the APP server must also be accessible via 80 and 8080. \
**This is not recommended!**\
Please also ensure that all servers can reach your DNS.
{% endhint %}

Furthermore, the following domains must be accessible from the servers:

**All servers:**

* Debian mirror server selected during installation (default: deb.debian.org)
* security.debian.org
* debian.pool.ntp.org

**APP server**:

* registry.enginsight.com
* get.enginsight.com
* registry-auth.enginsight.com
* github.com
* download.docker.com
* raw.githubusercontent.com
* dls.enginsight.com
* registry-1.docker.io
* debian.pool.ntp.org
* auth.docker.io
* codeload.github.com
* production.cloudflare.docker.com
* security.debian.org
* packages.microsoft.com
* docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

**Database server**:

* repo.mongodb.org
* www.mongodb.org
* debian.pool.ntp.org
* pgp.mongodb.com

**SIEM**:

* download.docker.com
* registry-1.docker.io
* auth.docker.io
* docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
* get.enginsight.com
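
To confirm the outbound rules before installation, the domain lists above can be probed from each server. This is an added example, not Enginsight tooling: it assumes TCP port 443 for every host, leaves out debian.pool.ntp.org because NTP is not TCP, and its function names are illustrative. It reports DNS failures separately from blocked connections.

```bash
#!/bin/bash
# Added example (not Enginsight code): check outbound reachability of the
# domains listed above, per server role (app, db or siem).
# Assumption: every host is probed on TCP 443.
R2=docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

hosts_for() {
    case "$1" in
        app)  echo "registry.enginsight.com get.enginsight.com registry-auth.enginsight.com"
              echo "dls.enginsight.com github.com codeload.github.com raw.githubusercontent.com"
              echo "download.docker.com registry-1.docker.io auth.docker.io"
              echo "production.cloudflare.docker.com packages.microsoft.com $R2" ;;
        db)   echo "repo.mongodb.org www.mongodb.org pgp.mongodb.com" ;;
        siem) echo "download.docker.com registry-1.docker.io auth.docker.io get.enginsight.com $R2" ;;
        *)    return 1 ;;
    esac
    # "All servers" list; replace deb.debian.org if another mirror was selected.
    echo "deb.debian.org security.debian.org"
}

# Name resolution and TCP connect are separate steps so that a DNS problem
# is not mistaken for a firewall block.
resolve() { getent hosts "$1" >/dev/null 2>&1; }
probe()   { timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; }

# Prints one line per host; returns 0 if all are reachable, 1 if any host
# failed, 2 for an unknown role.
check_egress() {
    hosts=$(hosts_for "$1") || return 2
    failed=0
    for h in $hosts; do
        if ! resolve "$h"; then
            echo "DNS   $h"; failed=1
        elif ! probe "$h" 443; then
            echo "BLOCK $h:443"; failed=1
        else
            echo "OK    $h:443"
        fi
    done
    return "$failed"
}

# Usage: bash check_egress.sh app|db|siem
if [ $# -gt 0 ]; then check_egress "$1"; fi
```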

### SIEM

The SIEM consists of the following components:

* Pulsar
* Loggernaut
* Apache Zookeeper
* Apache Solr
* (Tracer)

**Loggernaut**

| **Direction** | **Target/Source**  | **Target-Port**         | **Protocol** |
| ------------- | ------------------ | ----------------------- | ------------ |
| Outgoing      | server-m2          | 443 or 80 without https | TCP          |
| Outgoing      | solr               | 8983                    | TCP          |
| Outgoing      | zookeeper          | 2181                    | TCP          |
| Outgoing      | sftp backup server | SSH-Port (configured)   | TCP          |
| Outgoing      | s3 backup server   | 443 / 80                | TCP          |
| Incoming      | server-m2          | 443 or 80 without https | TCP          |
| Incoming      | traicer            | 443 or 80 without https | TCP          |

**Solr**

| **Direction** | **Target/Source** | **Target-Port** | **Protocol** |
| ------------- | ----------------- | --------------- | ------------ |
| Outgoing      | solr              | 8983            | TCP          |
| Outgoing      | zookeeper         | 2181            | TCP          |
| Incoming      | loggernaut        | 8983            | TCP          |
| Incoming      | solr              | 8983            | TCP          |

**Zookeeper**

| **Direction** | **Source** | **Target-Port** | **Protocol** |
| ------------- | ---------- | --------------- | ------------ |
| Incoming      | loggernaut | 2181            | TCP          |
| Incoming      | solr       | 2181            | TCP          |

**Server-m2**

| **Direction** | **Target/Source** | **Target-Port**         | **Protocol** |
| ------------- | ----------------- | ----------------------- | ------------ |
| Outgoing      | loggernaut        | 443 or 80 without https | TCP          |
| Incoming      | loggernaut        | 443 or 80 without https | TCP          |

**Traicer**

| **Direction** | **Target** | **Target-Port**         | **Protocol** |
| ------------- | ---------- | ----------------------- | ------------ |
| Outgoing      | loggernaut | 443 or 80 without https | TCP          |

**SFTP Backup Server**

| **Direction** | **Source** | **Target**            | **Target-Port**              | **Protocol** |
| ------------- | ---------- | --------------------- | ---------------------------- | ------------ |
| Incoming      | loggernaut | SSH-Port (configured) | SSH Port (defined in config) | TCP          |

**S3 Backup Server**

| **Direction** | **Source** | **Target-Port** | **Protocol** | **Usage**          |
| ------------- | ---------- | --------------- | ------------ | ------------------ |
| Incoming      | loggernaut | 443 / 80        | TCP          | Receipt of backups |

## Certificate

To ensure that network traffic between the sensors (Pulsar Agent, Observer, Watchdog, Hacktor) and the Enginsight API is encrypted, you need an SSL/TLS certificate. As a best practice, we recommend a public certificate (e.g. from Let's Encrypt) that you resolve internally.

Use a reverse proxy (external or on the server itself) that forwards requests to port 80 (app) and port 8080 (API).

{% hint style="danger" %}
For smooth operation of the Enginsight application, access via HTTPS is mandatory.
{% endhint %}

For the operation of the standard installation we recommend two DNS names:

* ngs-api.your-domain.com
* ngs-app.your-domain.com

{% hint style="info" %}
Please make sure that the certificate is in PEM format.
{% endhint %}

## Docker Credentials

To run Enginsight on-premises, you need Docker credentials, which you can get from us.

Just contact us via email: <insidesales@enginsight.com>.

## Licence File

You can purchase the necessary license file directly from us.

Just contact us via email: <insidesales@enginsight.com>.

## Remote support

If you want to install Enginsight on-premises with assistance from our support, please make sure that a remote control option is available. In our experience, TeamViewer works the most reliably.
