Before You Begin

To install a Blumira sensor on Ubuntu, you will need:

  • at least 4GB RAM
  • at least 4 CPUs (or a dual-core CPU, if the machine is physical)
    Note: If you do not have the resources for 4GB RAM and 4 CPUs, you can use 2GB RAM and 2 CPUs, but your log delivery may become slow and your disk usage may increase.
  • at least 100GB of disk space
    Note: The exact amount of disk space depends on your log volume, but we recommend 100GB, plus the space needed for 7 days’ worth of logs (uncompressed syslog). In general, 200GB is a good target.
  • Ubuntu 18 LTS
    Important: If you have a special reason to not use Ubuntu, please contact Blumira Security Operations below for help.

Installing Ubuntu

To install Ubuntu:

  1. Download the latest Ubuntu Server 18.04.x ISO.
    Tip: Chrome does not always successfully open this link to download Ubuntu Server. If you have trouble, you can either use a different browser or you can copy the link, open a new Chrome tab, and then paste the link in the new tab.
    Note: Blumira strongly recommends using Ubuntu Server 18 LTS, because it is much more stable than newer versions and will be supported until 2026. If the following steps or screenshots differ from what you see, verify that you are using ubuntu-18.04.6-live-server-amd64.iso.
  2. Boot your machine from the ISO.
  3. After the installer finishes loading and the Welcome page appears, use the UP and DOWN keys to select your language, and then press Enter.
  4. On the Keyboard Configuration page, press Enter to accept the default selections.
  5. On the Ubuntu 18.04 page, press Enter to select Install Ubuntu.
  6. On the Network Connections page, press UP to select eth0, and then press Enter.
  7. In the menu that appears, press DOWN to select Edit IPv4, and then press Enter to edit the settings.
  8. In the configuration window that appears, press Enter to access a list.
  9. Select Manual, and then press Enter again.
  10. In the Manual settings that appear, type the following:
      • the subnet where you want to install the sensor
        Note: Type the subnet in CIDR format (xx.xx.xx.xx/yy, where yy is the number of bits in the net mask and xx.xx.xx.xx is the network address, i.e., your IP address with all bits after the first yy set to zero).
      • the sensor’s IP address
      • the gateway
      • name servers
      • search domains
  11. Press DOWN to select Save, and then press Enter.
  12. On the Configure proxy page, enter an HTTP proxy if you have one. Otherwise, press Enter to accept the default.
  13. Do one of the following, based on whether you use Geo IP blocking on your firewall and/or restrict access to U.S. sites only:
      • If you use Geo IP blocking or restrict access to U.S. sites only, then type in the Mirror address box, and then press Enter.
      • If you do not use Geo IP blocking or restrict access to U.S. sites only, then press Enter to accept the default setting.
  14. On the Filesystem setup page, press DOWN to select Use An Entire Disk And Set Up LVM, and then press Enter.
  15. Select the disk that you want to install to, and then press Enter.
  16. Under Available Devices, press UP to select ubuntu-lv, and then press Enter.
    The default configuration creates a 4GB ubuntu-lv and leaves the rest as free (i.e., inaccessible) space. Instead of accepting the default, maximize the size of ubuntu-lv so that no free space remains.
  17. In the menu that appears, press DOWN to select Edit, and then press Enter.
  18. In the Edit window, change the size to be exactly equal to the maximum, press DOWN to select Save, and then press Enter.
  19. Under Available Devices on the Filesystem setup page, the free space is now gone. Press DOWN to select Done, and then press Enter.
  20. In the confirmation window that appears, press DOWN to select Continue, and then press Enter.
  21. As Ubuntu installs, it continues to ask questions. On the Profile setup page, type the username and password you will use to log in with, press DOWN to select Done, and then press Enter.
    Note: These login credentials are for a privileged user who has the ability to escalate to root.
  22. On the SSH Setup page, select the Install OpenSSH server checkbox, press DOWN to select Done, and then press Enter.
  23. On the Featured Server Snaps page, press DOWN to navigate to docker, and then press SPACE to enable the docker feature.
  24. Press DOWN to select Done, and then press Enter.
  25. After Ubuntu installs, press Enter to reboot the Ubuntu machine.
  26. When the system prompts you to remove the installation media, press Enter.
    Note: In Hyper-V, the installation ISO disconnects automatically, so you can press Enter immediately. If you are using VMware, depending on the version, you might need to manually disconnect the ISO mount. If the system boots back into the installer, remove the mounted ISO and reboot.

Configuring the sensor

To configure the sensor:

  1. Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password that you created during the installation.
  2. Update your dependencies to ensure that Docker and Snap are both up to date, because the latest 18.04.03 releases do not seem to ship the most recent dependencies. Run the following:
    sudo apt update && sudo apt upgrade -y
  3. Configure the NTP servers by entering the commands below into PuTTY, changing the first line to contain your company’s NTP server(s). If you do not have any internal NTP servers for syncing time, you can use NTP="" instead of internal IPs (as seen below):
    NTP=""
    sudo sed -i -e "s/^#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
    sudo systemctl restart systemd-timesyncd

    Tip: If you want to paste these commands into PuTTY, paste them one line at a time, using Shift-Insert to paste.

  4. Install the sensor using the information in Adding a Sensor in the Blumira App.
  5. Copy the command from the email that we sent when you created a sensor, and then paste it into PuTTY.
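The NTP edit in step 3 is easy to get subtly wrong (an unanchored pattern also matches the commented FallbackNTP line, and "sed -ie" silently leaves a backup file named timesyncd.confe). The following is an added example, not Blumira's own script: it applies the same setting to a timesyncd.conf file and reads it back, so you can rehearse it on a constructed copy before running it as root on the sensor. The server addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Blumira's script): apply step 3's NTP setting to a
# timesyncd.conf file and read it back, so the edit can be checked on a copy
# before it is run with sudo against /etc/systemd/timesyncd.conf.

# Rewrite (or append) the NTP= line. An empty server list produces a bare
# "NTP=", which makes timesyncd use its built-in defaults, matching the page's
# NTP="" option. The pattern is anchored with ^ so it cannot touch the
# commented "#FallbackNTP=" line, and "-i -e" is written separately because
# "sed -ie" would read the "e" as a backup-file suffix, not an expression.
set_ntp_servers() {
    conf="$1"
    ntp="$2"
    if grep -q '^#*NTP=' "$conf"; then
        sed -i -e "s|^#*NTP=.*|NTP=$ntp|" "$conf"
    else
        # Stock file always has a [Time] section, so appending is valid.
        printf 'NTP=%s\n' "$ntp" >> "$conf"
    fi
}

# Print the active (uncommented) NTP server list, or nothing if it is unset.
get_ntp_servers() {
    sed -n 's/^NTP=//p' "$1" | head -n 1
}

# Constructed copy of the stock Ubuntu 18.04 file, so this runs without root.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[Time]
#NTP=
#FallbackNTP=ntp.ubuntu.com
EOF

set_ntp_servers "$sample" "10.0.0.5 10.0.0.6"   # constructed internal NTP addresses
echo "configured NTP servers: $(get_ntp_servers "$sample")"

# On the sensor itself, run set_ntp_servers as root against
# /etc/systemd/timesyncd.conf, then confirm the sync state with:
#   sudo systemctl restart systemd-timesyncd && timedatectl status
```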

Maintaining the Ubuntu server

Keeping this Ubuntu server secure and operating properly is critical to your success with Blumira, and you should monitor and treat it as any other asset in your organization’s infrastructure.

The Ubuntu system automatically installs security patches on a daily basis, but if updates require the machine to reboot, it will not do this automatically. We recommend that you periodically check to ensure that security updates are successfully installed and reboot the machine if the login banner informs you that a reboot is required.
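The advice above can be turned into a check you run (or schedule) instead of waiting to notice the login banner. The following is an added example, not part of Blumira's documentation: it reads the reboot marker file that Ubuntu writes at /var/run/reboot-required and the unattended-upgrades log, and assumes the log's "All upgrades installed" success line; the sample log, package names and dates are constructed.

```shell
#!/bin/sh
# Added example (not Blumira's tooling): a patch-state check for the sensor host.
# Ubuntu leaves two pieces of evidence: the marker file /var/run/reboot-required,
# written when an installed update needs a restart, and the unattended-upgrades
# log, which records "All upgrades installed" after a successful run (assumed format).
# On the sensor:
#   patch_status /var/run/reboot-required /var/log/unattended-upgrades/unattended-upgrades.log

# Print reboot-required or ok depending on whether the marker file exists.
reboot_status() {
    if [ -f "$1" ]; then echo reboot-required; else echo ok; fi
}

# Whole days since the last successful unattended-upgrades run in the log.
# Prints 9999 when the log has no such entry. $2 overrides "now" (epoch seconds)
# so the result is reproducible; dates are interpreted in UTC.
days_since_last_upgrade() {
    last="$(grep 'All upgrades installed' "$1" 2>/dev/null | tail -n 1 | cut -d' ' -f1)"
    [ -n "$last" ] || { echo 9999; return; }
    now="${2:-$(date +%s)}"
    last_epoch="$(TZ=UTC date -d "$last" +%s)"
    echo $(( (now - last_epoch) / 86400 ))
}

# Succeed only when no reboot is pending and patches landed within 7 days;
# print a one-line summary either way so it can feed a monitoring job.
patch_status() {
    r="$(reboot_status "$1")"
    d="$(days_since_last_upgrade "$2" "$3")"
    echo "reboot: $r, last successful upgrade: $d day(s) ago"
    [ "$r" = ok ] && [ "$d" -le 7 ]
}

# Constructed sample log and marker file, so the check runs on any machine.
log="$(mktemp)"
cat > "$log" <<'EOF'
2021-06-01 06:17:02,415 INFO Starting unattended upgrades script
2021-06-01 06:17:40,902 INFO Packages that will be upgraded: libssl1.1 openssl
2021-06-01 06:18:11,337 INFO All upgrades installed
EOF
marker="$(mktemp)"   # exists, so it stands in for /var/run/reboot-required

patch_status "$marker" "$log" "$(TZ=UTC date -d 2021-06-05 +%s)" || echo "action needed"
```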