# SIEM {% hint style="warning" %} Secure your data with our powerful SIEM: contact our experts at **** to get started as quickly as possible and get support with your installation! {% endhint %} ## Structure

## Preparation {% hint style="info" %} Please use the provided ISO for installation and select the Component Server option. This ensures that all components required for SIEM operation are included. {% endhint %} 1. You will need the following components to install the SIEM

Component	Requirement
1x SIEM Management Server	4CPU, 8GB RAM, 200GB Disk (SSD recommended)
1X SIEM Index Server	4CPU, 8GB RAM, 200GB Disk (SSD recommended)

{% hint style="danger" %} This setup is designed exclusively for a workload of 10 GB per day! If you have higher requirements, please contact us for individual advice. {% endhint %} 2. The following firewall rules must also be enabled: 1. NGS APP Server -> SIEM Management Server - TCP/Port 443 2. SIEM Management Server - TCP/Port 8983 ->SIEM Index Server 3. INDEX-Server -> SIEM-Management TCP/2181 3. Create a swap on all VMs if you do not already have one. ``` sudo fallocate -l 2G /swapfile sudo chmod 600 /swapfile sudo mkswap /swapfile sudo swapon /swapfile sudo cp /etc/fstab /etc/fstab.bak echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab echo 'vm.swappiness=10' | sudo tee -a /etc/sysctl.conf echo 'vm.vfs_cache_pressure=10' | sudo tee -a /etc/sysctl.conf ``` 4. Create a URL for your SIEM server, e.g. `ngs-siem.your-domain.com`. \ A certificate in PEM format must be available for this. If you use a self-signed certificate, please follow these [instructions](#self-signed-certificates). {% hint style="warning" %} Please do **not** change the Docker configurations provided below, as they are coordinated with each other. {% endhint %} ## Installation SIEM Management Server The SIEM Management Server receives the logs via the API and sends them to the SIEM Index Server, where they are processed. The following components are installed for this purpose: * nginx * docker-ce * docker-ce-cli * containerd.io * docker-buildx-plugin * docker-compose-plugin * Enginsight Loggernaut ### Install Docker ``` sudo apt-get update sudo apt-get install ca-certificates curl gnupg sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ``` 1. Regulate the memory requirements of the Docker logs by limiting them to 100 Mb as follows: ``` sudo nano /etc/docker/daemon.json ``` Insert the following: ``` { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "30" } } ``` Restart Docker service: ``` sudo systemctl restart docker ``` 2. Create a folder for Docker and navigate to it ``` sudo mkdir /opt/enginsight/enterprise -p cd /opt/enginsight/enterprise ``` 3. Customize the docker-compose.yml ``` sudo nano docker-compose.yml ``` 4. Add and complete the following configuration ``` version: '3' services: zoo: image: zookeeper: container_name: zookeeper restart: always volumes: - /var/zookeeper_data:/data - /var/zookeeper_logs:/logs - /var/zookeeper_datalog:/datalog ports: - :2181:2181 environment: ZOO_AUTOPURGE_PURGEINTERVAL: 24 ZOO_SERVERS: server.1=:2888:3888;2181 ZOO_4LW_COMMANDS_WHITELIST: mntr,conf,ruok ``` {% hint style="info" %} The \corresponds to the internal IP adress of the SIEM management server. This mus be accsesible from both the management server and the other SIEM index server(s). {% endhint %} 5. Create the directories that are defined in the docker-compose: ``` sudo mkdir /var/zookeeper_data sudo mkdir /var/zookeeper_datalog sudo mkdir /var/zookeeper_logs ``` 6. Start the Docker container ``` sudo docker compose up -d ``` 7. Check whether your Docker container is running ``` sudo docker ps ``` ### Install nginx 1. Install nginx ``` sudo apt install nginx -y ``` 2. Create a user name and password for authentication on the SIEM Management Server. ``` curl -sSL https://get.enginsight.com/siem/scripts/basicauth.sh | sudo -E bash -s ``` {% hint style="info" %} The user name and password are generated automatically (BasicAuth). {% endhint %} You will receive the following output: ``` { "siem": { "basicAuth": { "username":"", "password":"" }, ... } } ``` {% hint style="info" %} Save the code as you will need it later to [customize the App Server](#customization-app-server). {% endhint %} 3. Customize the nginx configuration: To do this, open the configuration:

sudo nano /etc/nginx/sites-available/default

and adjust them as follows: ``` upstream backend { server :8983; server :8983; } # only relevant with LetsEncrypt server { listen 80; location ~ /.well-known { allow all; } location / { return 302 https:///solr/; } root /var/www/; server_name ; } server { listen 443 ssl http2; server_name ; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; #$ mkdir /etc/nginx/ssl -p #$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_certificate /etc/letsencrypt/live//fullchain.pem; ssl_certificate_key /etc/letsencrypt/live//privkey.pem; client_max_body_size 1024m; auth_basic "Restricted Content"; auth_basic_user_file /etc/nginx/.htpasswd; location ~* "^/v1/" { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header X-Forwarded-Ssl "on"; } location / { proxy_pass http://backend; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto "https"; proxy_set_header X-Forwarded-Ssl "on"; } } ``` 4. Check the nginx configuration: ``` sudo nginx -t ``` 5. Restart the nginx to apply the configuration: ``` sudo systemctl restart nginx ``` ## Installation SIEM Index Server ### Install Docker ``` sudo apt-get update sudo apt-get install ca-certificates curl gnupg sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ``` 1. Regulate the memory requirements of the Docker logs by limiting them to 100 Mb as follows: ``` sudo nano /etc/docker/daemon.json ``` Insert the following: ``` { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "30" } } ``` Restart Docker service: ``` sudo systemctl restart docker ``` 2. Create a folder for Docker and navigate to it: ``` sudo mkdir /opt/enginsight/enterprise -p cd /opt/enginsight/enterprise ``` 3. Create the Docker configuration file `docker-compose.yml` as follows: ``` SOLR_VERSION="$(curl -s https://get.enginsight.com/siem/services/solr)" cat < docker-compose.yml version: '3' services: solr: restart: always image: solr:${SOLR_VERSION} ports: - ":8983:8983" volumes: - /var/solr:/var/solr/data environment: - ZK_HOST=:2181 - SOLR_HOST= - SOLR_OPTS=-XX:G1HeapRegionSize=32M -Dpkiauth.ttl=5000 -Dsolr.log.level=WARN - SOLR_JAVA_MEM=-Xms<40%_RAM_IN_GB>g -Xmx<50%_RAM_IN_GB>g command: solr -f -cloud EOF ``` {% hint style="info" %} * **\** \ corresponds to the IP of the SIEM Index Server * **\**\ corresponds to the IP of the SIEM Management Server * **<40%\_RAM\_IN\_GB>** (Initial heap size (-Xms)**)**\ enter 40% of your total RAM rounded to the nearest gigabyte as the initial memory value. * **<50%\_RAM\_IN\_GB>** (Maximum heap size (-Xmx))\ enter 40% of your total RAM rounded to the nearest gigabyte as the maximum memory value. {% endhint %} 4. Create directories and assign rights to access them: ``` sudo mkdir /var/solr sudo chown 8983:8983 -R /var/solr ``` {% hint style="info" %} The use of user 8983 from the Docker container is correct and important. You must perform this step in order to complete the installation successfully. {% endhint %} 5. Start the Docker container: ``` sudo docker compose up -d ``` 6. Check whether the port is only open for the internal address. Here you can install the `net-tools` (`sudo apt install net-tools`). ``` netstat -tulpen ``` The result should look like this: ``` Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 :8983 0.0.0.0:* LISTEN 0 ``` {% hint style="info" %} Make sure that the correct IP address appears under Host. {% endhint %} {% hint style="info" %} If you want to install an additional index server, please adjust the configuration as explained in step 3 under [Install nginx](#install-nginx). {% endhint %} ## Customization APP Server Customize the Enginsight APP Server configuration and access to communicate with your SIEM Management Server. 1. Switch to the configuration file: ``` sudo nano /opt/enginsight/enterprise/conf/services/config.json ``` 2. add the following section to the configuration ``` "siem": { "basicAuth": { "username": "", "password": "" }, "url": "", "numShards": 2, "replicationFactor": 1, "management": { "organisation": "YOUR_ORGANIZATIONAL_ID" } }, ``` {% hint style="info" %} Fill in "basicAuth" with the credentials you have stored in the proxy. For the URL, enter the URL of the SIEMs server or its IP address. **numShards** specifies the *absolute number of shards* and is responsible for parallel processing of requests. At least 2 should be specified here. For larger instances, it is recommended to select a value that is approximately half of the available CPU cores.\ For a server with 8 cores, this would be 4. The **replicationFactor** is responsible for replication. The data is distributed to several servers. The advantage is that the other index servers can intervene in the event of a failure. However, the consumption of memory increases. If desired, you can enter the number of your index servers for replication. Alternatively, leave this at 1. The organization corresponds to the organization ID that manages the SIEM clusters. Select an organization for this (we recommend your "main org"). {% endhint %} 3. In the configuration under “api,” add ‘url’: “YOUR\_API\_URL.” Your configuration should now look like this:\ So that your configuration looks like this: ``` "siem": { "basicAuth": { "username": "", "password": "" }, "url": "", "numShards": 2, "replicationFactor": 1, "management": { "organisation": "YOUR_ORGANIZATION" } }, "api": { "url": "", ... ``` 4. Change to the Enginsight directory and start setup.sh ``` cd /opt/enginsight/enterprise sudo ./setup.sh ``` 5. Regulate the memory requirements of the Docker logs by limiting them to 100 Mb as follows: ``` sudo nano /etc/docker/daemon.json ``` Insert the following: ``` { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "30" } } ``` Restart the Docker service: ``` sudo systemctl restart docker ``` 6. Create an access key for the SIEM Mangagement Server from

## Install Loggernaut The Loggernaut is used to receive and process the logs. 1. Log in to your SIEM management server 2. Install the Loggernaut as follows: ``` curl -sSL https://get.enginsight.com/loggernaut/latest/setup.sh | sudo -E bash -s \ api=https:// \ accessKeyId= \ accessKeySecret= \ indices=http://:8983 \ username= \ password= ``` {% hint style="info" %} Login with username and password via Basic Authentica {% endhint %} 3. Switch to the Enginsight instance and click on the "SIEM" tab. The interface establishes a connection to the servers, which may take a few seconds. ## BETA-Installation SIEM KI To be able to use the functionalities in the SIEM AI, some configurations are required. {% hint style="warning" %} This is a beta functionality. Please note that errors may occasionally occur when predicting the metrics and the resulting anomaly detection. {% endhint %} 1. **Update affected components.**
``` - ui-m1 - server-m2 - loggernaut-m47 ``` {% hint style="info" %} The current versions of the individual components can always be found here:\ [ \ https://github.com/enginsight/enterprise/blob/master/docker-compose.yml ](https://github.com/enginsight/enterprise/blob/master/docker-compose.yml) {% endhint %} 2. **Activate experimental ML mode in Loggernaut.**
To do this, customize the configuration file under: ``` /opt/enginsight/loggernaut/config.json ``` \ by adding the following line at root level: ``` "experimental": ["traicer"] ``` \ Then restart the Loggernaut to apply the configuration. ``` sudo systemctl restart ngs-loggernaut.service ``` 3. **Install Docker** ``` sudo apt-get update sudo apt-get install ca-certificates curl gnupg sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin ``` 4. **Regulate the memory requirements of the Docker logs**\ Limiting them to 100 Mb as follows: ``` sudo nano /etc/docker/daemon.json ``` Insert the following: ``` { "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "30" } } ``` Restart Docker service: ``` sudo systemctl restart docker ``` 5. **Create Docker Compose.** The following must be included in `docker-compose.yml`: ``` version: '3' services: traicer: image: registry.enginsight.com/enginsight/traicer-m50:0.0.3 restart: always volumes: - /var/traicer/data:/traicer/data environment: ADDRESS: 'wss:///v1/traicer' BASIC_AUTH_USER: '' BASIC_AUTH_PASSWORD: '' ``` {% hint style="info" %} If the machine learning runs on the same machine as the Loggernaut and generates too much CPU load so that the Loggernaut can no longer handle the log throughput, we recommend reducing the CPU shares of the container so that other processes have a higher priority. \ This adjustment to docker-compose.yml is necessary for this: ``` version: '3' services: traicer: cpu_shares: 512 ``` {% endhint %} 6. **Adjustments to Nginx Config from the Management Server for Websocket Support.**\ Modify the following file: `/etc/nginx/sites-available/default` ``` map $http_upgrade $connection_upgrade { default upgrade; '' close; } ... server { ... proxy_http_version 1.1; ... location ~* "^/v1/" { ... proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; ... } } ``` \ Check the config for errors: ``` sudo nginx -t ``` \ Restart nginx to apply the config: ``` sudo systemctl restart nginx ``` 7. **Make sure that you have root rights.** \ If this is not the case, log in as superuser. ``` su - root ``` 8. **Make sure that the latest version of Docker and Docker Compose is installed.** \ You can find the current version numbers here: [Docker Engine](https://docs.docker.com/engine/install/debian/), [Docker Compose](https://docs.docker.com/compose/release-notes/).\ Depending on the installation used, the command for Docker Compose may vary: ``` docker version ``` or ``` docker-compose -v ``` {% hint style="warning" %} Do not install Docker via Snap or when installing the operating system, but only install Docker from the package sources in the official instructions. {% endhint %} 9. **Log in to Docker.** ``` docker login registry.enginsight.com ``` {% hint style="warning" %} You will receive the access data from us. {% endhint %} {% hint style="info" %} If there are problems with authentication, check whether a current gpg2 key is available and generate it automatically if necessary: `apt install gnupg2` `gpg2 --gen-key` {% endhint %} 10. **Start the container with the adjustments you have just made.** ``` sudo docker compose up -d ``` 11. **Finally, run `update.sh` to rule out configuration errors.** ``` sudo /opt/enginsight/traicer/update.sh ``` ## Potential problems If the platform indicates that it was unable to establish a connection, please check the following points: 1. Can the APP server reach the SIEM management server? Test this using curl. Status code 200 must be returned. ``` curl -v -u ":" /v1/collections ``` 2. Can the SIEM server reach the APP server? 3. Have all firewall permissions from the Preparation section been set? ## Self-signed certificates If you use a self-signed certificate or a Windows PKI for your SIEM URL, you must first trust the root certificate on the SIEM management and on the app server. It also requires an adjustment in the docker-compose.yml of the App Server. 1. **Trust certificate**\ Copy your root certificate on the SIEM Managemt to `/usr/local/share/ca-certificates/` and update the CA Store `sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt` `sudo update-ca-certificates` {% hint style="info" %} Please replace ca.crt with the name of your root certificate. {% endhint %} 2. **Repeat this for the App Server** 3. **Customize docker-compose.yml on the App Server** Navigate to the `/opt/enginsight/enterprise` folder on the app server and open the file using : ``` sudo nano docker-compose.yml ``` Add the following under `enviroment:` and `volumes:`. ``` environment: - NODE_EXTRA_CA_CERTS=/etc/ssl/cert.pem volumes: - "./conf/services/config.json.production:/etc/enginsight/server-m2/config.json" - "/usr/local/share/ca-certificates/foo.crt:/etc/ssl/cert.pem" ``` {% hint style="info" %} The path /etc/nginx/cert.pem:/etc/ssl/cert.pem is divided as follows: Left: Path of the chain on the server\ Right: Path in the Docker container {% endhint %} ### Tracer Troubleshooting If you use self-signed certificates or an error such as the following occurs in the Tracer log: ``` manager.py:468: failed connecting to wss:///v1/traicer due to [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000). Retrying in 0:00:12 ``` To do this, follow these steps: 1. **Customization of the docker-compose.yml** Add the `docker-compose.yml` to mount the certificate in the container and set the necessary environment variable. An example of the configuration of the Tracer service: ``` traicer: image: registry.enginsight.com/enginsight/traicer-m50:0.0.3 restart: always volumes: - /var/traicer/data:/traicer/data - :/etc/ssl/cert.pem environment: ADDRESS: 'wss:///v1/traicer' BASIC_AUTH_USER: '' BASIC_AUTH_PASSWORD: '' EXTRA_CA_CERTS: /etc/ssl/cert.pem ``` Explanation: * ``: Replace this with the path to your certificate. * **EXTRA\_CA\_CERTS**: \ This environment variable specifies where the additional certificates are located in the container. * **ADDRESS without double `https://`**: \ Make sure that the value is correct. \ A common error is: \ **False**: `wss://https:///v1/traicer` \ **Right**: `wss:///v1/traicer` 2. **Restart container** After customization, execute the following command to apply the changes: ``` sudo docker-compose up -d ``` ## Add the first logs You will notice at the beginning that the SIEM is already filled with logs. These come from the IDS, IPS, FIM, etc. as standard. You can view the sources under **SIEM -> Data Lake -> ngs.source.**

### Agent logs To receive the logs, such as Syslog (Linux), EventLog (Windows) and Unified Logs (MacOs), you must first allow this in the Policy Manager. To do this, navigate to **Hosts -> Policy Manager** and create a new policy called SIEM.

Use **tags** to determine which host is allowed to send logs and activate "**Allow evaluation of system logs**" under **Advanced settings**.

Now navigate back to the SIEM tab. You will find the individual operating systems under **Integrated collectors**. Here you can add a new collector in the top right-hand corner.

Assign a name for the respective operating system that is to be logged. Activate logging and assign it to a tag. You can then select the channels via which the logs are to be collected. ### Connection of devices without agent (e.g. firewall) You can also connect devices to the SIEM that do not have an agent installed. To do this, define an agent to collect the logs. \ To do this, navigate to **SIEM -> Event relay**.

Select a name with which you can clearly identify your collector. Activate logging again and define a client or server under Host which is to receive the logs from the device (e.g. firewall). Also select the format and decide via which port and which protocol the data should be sent. {% hint style="info" %} It is possible to configure multiple collectors. This is particularly useful for multiple networks so that no new firewall rules need to be configured, as one collector can be used per network. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.enginsight.com/docs/master/on-premises/installation/siem.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.