Build a Sensor on Ubuntu

The Blumira sensor provides a way to connect your environment to the Blumira service and also acts as a honeypot to detect lateral movement. Customers can configure multiple sensors as needed.

The sensor integrates with third-party products such as firewalls, identity services, endpoint detection tools and cloud infrastructure and collects logs as part of the Blumira service.

Configuration Instructions

How to Build a Sensor Environment on Ubuntu

To install a Blumira sensor on Ubuntu, you will need:

  • At least 4GB RAM
  • At least 4 CPUs (or a dual-core physical CPU, if physical)
  • At least 100GB of disk. The exact amount of disk space depends on log volume. A general rule of thumb would be 100GB + space needed for 7 days of logs (uncompressed syslog). If you have the room to spare, 200GB is likely a good target to hit.
  • If you do not have the resources for 4GB RAM and 4 CPUs, you can use 2GB RAM and 2 CPUs, but it may result in a slowing of log delivery and increased disk usage.
  • You should use Ubuntu 18 LTS; it works with almost no additional effort on your part. If you instead use CentOS/RHEL or another *nix flavor, you will run into issues that take time to troubleshoot. If you have a special use case, Blumira is happy to work through the issues with you, but we strongly recommend using only Ubuntu 18 LTS at this point.

Installing Ubuntu

1. Download the latest Ubuntu Server 18.04.x ISO from this link: Ubuntu 18.04.05 LTS Downloads. Download the Server and LTS version.

Note: Blumira does not recommend using Ubuntu 20 LTS at this point, as its kernel has a tendency to be unstable. We recommend Ubuntu 18 LTS, which is supported until 2026 and has been shown to be much more stable. When Ubuntu 20 LTS is stable, we will provide upgrade directions for organizations that would like to move to 20 LTS.

2. Boot your machine from the ISO.

3. Wait until the installer finishes loading and displays the language selection page. Use the up and down arrow keys to select your language, then press Enter.

4. On the keyboard selection page, in most cases, you can simply press Enter to accept the default.

5. On the Install selection page, press Enter to accept the default (Install Ubuntu).

6. On the network configuration page, we’ll have to make some edits. Use the up arrow key to select eth0. Press Enter to get a submenu. Use the down arrow key to select “Edit IPv4”. Press Enter to edit the settings.

7. In the settings dialog, press Enter again to show a pull-down menu. Select Manual and press Enter.

8. In the manual settings dialog, the Subnet field should be in CIDR format (xx.xx.xx.xx/yy, where yy is the number of bits in the net mask and xx.xx.xx.xx is the network address formed by the first yy bits of your IP address). The other fields should be self-explanatory. Move down to [Save] and press Enter.

9. You should now be back at the main network configuration page. Use the down arrow key to move down to [Done] and press Enter.

10. Next is the proxy configuration page. HTTP Proxies are pretty rare these days, so you can most likely just press Enter to accept the default (no proxy).

11. On the Ubuntu archive mirror configuration page, press Enter to accept the default mirror.

12. On the filesystem configuration page, we’ll have to make some edits. Use the down arrow key to select “Use An Entire Disk And Set Up LVM” and press Enter.

13. Choose the disk to install onto. Usually, you can just press Enter to select the default.

14. On the partition configuration page, we need to make some edits. The default configuration gives us a 4GB ubuntu-lv and leaves the rest as free (inaccessible) space. We want to maximize the size of ubuntu-lv so that no free space remains. Use the up arrow to move to ubuntu-lv. Press Enter to open a submenu. Move down to “Edit”. Press Enter.

15. In the Partition edit dialog, change the size to be exactly equal to the maximum. Move down to [Save] and press Enter.

16. Now you should be back at the partition configuration page. The free space should have disappeared now. Use the down arrow to move down to [Done] and press Enter.

17. A confirmation box should appear. Move down to [Continue] and press Enter.

18. While it is installing, it will continue to ask a few more questions. The next page mostly concerns the username and password you will use to login with. This is a privileged user who has the ability to escalate to root. Enter the information, move down to [Done], and press Enter.

19. Lastly, there is a list of featured snaps (additional features that you may want to install). The only one we need is “docker”. Move down to “docker” and press SPACE. Move all the way down to [Done] and press Enter.

20. Wait until the installation of Ubuntu is complete. Press Enter to reboot the Ubuntu machine.

21. It will ask you to remove the installation media and press Enter. In Hyper-V, the installation ISO is disconnected automatically so you can just press Enter immediately. If you’re using VMWare, you may need to manually disconnect the ISO mount depending on the version. If it boots back into the installer, remove the mounted ISO and reboot.

Post-Installation Configuration

  1. Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password set up during the installation.
  2. Update your dependencies so that Docker and Snap are both up to date by running sudo apt update && sudo apt upgrade -y. The latest 18.04.03 releases do not seem to ship with the most up-to-date dependencies.
  3. Configure the NTP servers by entering the following 3 commands into PuTTY, changing the first line to contain your company’s NTP server(s). If you do not have any internal NTP servers for syncing time, you can use NTP="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" instead of internal IPs as seen below.
    NTP="10.1.123.1 10.1.123.2"
    sudo sed -i -e "s/^#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
    sudo systemctl restart systemd-timesyncd

    (The sed command uses -i -e rather than -ie: GNU sed reads -ie as "edit in place with backup suffix e" and would leave a stray timesyncd.confe behind. The ^ anchor keeps the commented FallbackNTP= line untouched.)

    If you want to paste these into PuTTY, do so one line at a time, using Shift-Insert to paste.
  4. Install the sensor by following the guide – “How to Create a Blumira Sensor.” Copy the command from the email you received when you created a sensor, and paste it into PuTTY.
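
The sizing minimums listed above and the NTP step can be checked and applied with a small script. The following is an added example, not Blumira's sensor tooling; it assumes a Linux host with /proc/meminfo, GNU df and sed (as on Ubuntu 18.04), and takes the timesyncd.conf path as an argument so the rewrite can be tried on a copy before touching /etc.

```shell
#!/bin/sh
# Added example (not Blumira's own tooling): preflight the sizing minimums from
# this guide and set the NTP= line in a systemd-timesyncd.conf.
# Assumes Linux /proc, GNU df and sed (as on Ubuntu 18.04).

# check_resources RAM_MB CPUS DISK_GB -> 0 if every value meets the guide's
# minimums (4GB RAM, 4 CPUs, 100GB disk), 1 otherwise, one warning per shortfall.
check_resources() {
    ram_mb=$1; cpus=$2; disk_gb=$3; rc=0
    # MemTotal reports a little under the nominal 4096MB, so allow ~5% slack.
    [ "$ram_mb" -ge 3890 ] || { echo "WARN: ${ram_mb}MB RAM < 4GB: slower log delivery, more disk use"; rc=1; }
    [ "$cpus" -ge 4 ]      || { echo "WARN: ${cpus} CPUs < 4"; rc=1; }
    [ "$disk_gb" -ge 100 ] || { echo "WARN: ${disk_gb}GB disk < 100GB (size for 7 days of syslog)"; rc=1; }
    return $rc
}

# Read the live values from this host and run the check.
host_resources() {
    ram_mb=$(( $(awk '/^MemTotal:/ {print $2}' /proc/meminfo) / 1024 ))
    cpus=$(nproc)
    disk_gb=$(df -BG --output=size / | tail -n 1 | tr -dc '0-9')
    check_resources "$ram_mb" "$cpus" "$disk_gb"
}

# set_ntp_servers CONF "server1 server2 ..." -> rewrites (or uncomments) the
# NTP= line, anchored at line start so #FallbackNTP= is left alone, and prints it.
# Uses -i -e, not -ie: GNU sed reads -ie as "-i with backup suffix e" and
# would leave a stray timesyncd.confe behind.
set_ntp_servers() {
    conf=$1; servers=$2
    if grep -q '^#*NTP=' "$conf"; then
        sed -i -e "s/^#*NTP=.*/NTP=$servers/" "$conf"
    else
        printf 'NTP=%s\n' "$servers" >> "$conf"   # no NTP= line at all: append one
    fi
    grep '^NTP=' "$conf"
}

# Typical use on the sensor (root is needed for the real file):
#   host_resources
#   set_ntp_servers /etc/systemd/timesyncd.conf "10.1.123.1 10.1.123.2"
#   systemctl restart systemd-timesyncd
```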

Ongoing Maintenance

It is the customer’s responsibility to keep this Ubuntu server secure and running properly. You should treat it as any other asset in your organization’s infrastructure.

The Ubuntu system will automatically install security patches on a daily basis, but if updates require the machine to be rebooted, it will not do this automatically. You should periodically check that security updates are being successfully installed, and reboot it if the login banner informs you that a reboot is required.
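
The periodic check described above can be scripted. The following is an added example, not part of this guide or Blumira's tooling: it reads the unattended-upgrades log for the date of the last successful run and looks for the reboot-required flag that drives the login banner. It assumes Ubuntu's standard paths, GNU date, and the log wording "All upgrades installed".

```shell
#!/bin/sh
# Added example (not Blumira's tooling): is the sensor host getting its daily
# security patches, and is it waiting on a reboot? Assumes Ubuntu's standard
# paths, GNU date, and unattended-upgrades' usual "All upgrades installed" line.

# last_upgrade_date LOG -> YYYY-MM-DD of the last successful run, or empty
last_upgrade_date() {
    grep 'All upgrades installed' "$1" 2>/dev/null | tail -n 1 | cut -c1-10
}

# days_since YYYY-MM-DD -> whole days from that date to now (GNU date -d)
days_since() {
    echo $(( ($(date +%s) - $(date -d "$1" +%s)) / 86400 ))
}

# sensor_patch_status REBOOT_FLAG LOG MAX_AGE_DAYS; returns
#   0: patched within MAX_AGE_DAYS, no reboot pending
#   1: reboot pending (the login banner will say "System restart required")
#   2: no successful unattended-upgrades run within MAX_AGE_DAYS
sensor_patch_status() {
    flag=$1; log=$2; max_age=$3
    last=$(last_upgrade_date "$log")
    if [ -z "$last" ] || [ "$(days_since "$last")" -gt "$max_age" ]; then
        echo "WARN: no successful unattended upgrade in the last $max_age days (see $log)"
        return 2
    fi
    if [ -f "$flag" ]; then
        pkgs=$(cat "$flag.pkgs" 2>/dev/null | tr '\n' ' ')
        echo "WARN: reboot required after upgrade on $last; packages: ${pkgs:-unknown}"
        return 1
    fi
    echo "OK: last successful upgrade $last, no reboot pending"
}

# Offline demo on constructed files; on a real sensor pass
# /var/run/reboot-required and /var/log/unattended-upgrades/unattended-upgrades.log.
demo() {
    d=$(mktemp -d); today=$(date +%F)
    printf '%s 06:25:12,345 INFO Packages that will be upgraded: libssl1.1\n' "$today" > "$d/uu.log"
    printf '%s 06:25:40,001 INFO All upgrades installed\n' "$today" >> "$d/uu.log"
    sensor_patch_status "$d/reboot-required" "$d/uu.log" 2 || echo "status $?"
    touch "$d/reboot-required"; echo libssl1.1 > "$d/reboot-required.pkgs"
    sensor_patch_status "$d/reboot-required" "$d/uu.log" 2 || echo "status $?"
    rm -rf "$d"
}
demo
```

A non-zero exit from sensor_patch_status is a natural hook for a cron job or monitoring check so a sensor that silently stops patching, or sits unrebooted for weeks, gets noticed.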