This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.
Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.
Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.
Description
This article describes how to install a Linux server sensor in a supported operating system.
A Linux server sensor is a managed background daemon that works as a modular sensor. It does not forward logs; instead it monitors:
The server sensor converts that information to metadata and forwards it to the DP as Interflow. The DP can then correlate traffic, processes, users, and commands for security, DDoS, and breach attempt detections.
The server sensor launches the following processes:
Stellar Cyber provides two different installation scripts for the Linux Server Sensor in the 5.1.1 release:
To support dark site installation, the ds_linux_install.sh script can also point to a local copy of the image with the -p/--package parameter. However, it is generally simpler to use ds_linux_install_all_in_one.sh for dark site installations because it contains everything you need in a single package.
The table below provides you with details on the two scripts:
Name | Type/Size | Usage | Dark Site Support | Pros | Cons |
ds_linux_install.sh | Small installer; does not include images and is roughly 10 KB. Used without the -p/--package parameter, it pulls the single image for the target OS (roughly 200 MB) from Stellar Cyber production servers. | Obtain credentials from Customer Support, download the script, and execute it with the -v/--version argument plus any optional arguments. | Yes, but only if the installation image is downloaded separately, copied to the target machine, and pointed to with the -p/--package parameter at run time. | Script is small and only downloads the one image required for installation. | Internet access required in most use cases. |
ds_linux_install_all_in_one.sh | Large installer; includes images for all supported target environments and is roughly 700 MB. | Mostly identical: obtain credentials from Customer Support, download the script, and execute it with optional arguments. | Yes, with no further download. | Supports dark site installation with no further downloads. | Script is large. |
The Installation Matrix summarizes the operating systems supported for Linux Server Sensor installation in the 5.1.1 release. For all of them, you can choose either the small (ds_linux_install.sh) or large (ds_linux_install_all_in_one.sh) script.
Target OS | 5.1.1 Installers |
Alma Linux 9 | Small or large script |
Amazon Linux 2 | Small or large script |
CentOS 7, 8 | Small or large script |
Debian 8, 9, 10, 11 | Small or large script |
Linux Mint 18, 19, 20, 21 | Small or large script |
Red Hat 7, 8, 9 | Small or large script |
Rocky Linux 8 | Small or large script |
SUSE 12 SP3 or SP4 | Small or large script |
Ubuntu 16.04, 18.04, 20.04, 21.04, and 22.04 | Small or large script |
Oracle Linux 7 | Small or large script |
Oracle Linux 8.5 | Small or large script |
About the ds_linux_install.sh Script in Previous Releases
The 4.3.7 release included a self-contained installation script called ds_linux_install.sh. The 5.1.1 release replaces that installer with the new ds_linux_install_all_in_one.sh script and reverts the ds_linux_install.sh script back to its pre-4.3.7 behavior, downloading images from Stellar Cyber instead of bundling them with the installer.
Note that support for CentOS 7/8, Debian 8-11, Linux Mint 18-21, and Rocky Linux 8 is new in the 5.1.1 release.
The Linux Server Sensor is limited to 5% of the host server's resources, including 5% of each CPU core, and the host or VM must have at least:
Component | Specification |
Host CPU | 2 virtual cores (Xeon class, 2.0 GHz or more) |
Host RAM (GB) | 12 |
Host SSD (GB) | 128 |
All the procedures that follow require that you are logged in to an account with sufficient system storage and sudo access.
Both installation scripts require the curl, ntp, and zip packages on the target machine. The installer checks for the presence of curl before installing and returns an error if it is not found.
In contrast to previous releases, 5.1.1 does not require or use Python 2 in any of the supported environments listed in the table above. Python 3 is used in all supported Linux server sensor environments.
For some CentOS 8 environments you must change the repository source from mirror.centos.org to vault.centos.org so that dependent packages can be installed. CentOS 8 reached end of life on 31 December 2021 and its packages were moved from the mirrors to the vault, so the stock mirrorlist no longer resolves.
The issue was observed on CentOS 8.5.2111 but may also exist in other CentOS 8 versions. The typical symptom is a series of "No URLs in mirrorlist" errors when installing on CentOS 8.
The following commands make the necessary changes for most environments. Run the second sed command as a single line. Leave gpgcheck=1 in the repository files so that package signatures are still verified even though the baseurl is plain HTTP (vault.centos.org also serves HTTPS if you prefer to change the scheme as well):
cd /etc/yum.repos.d/
sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
sudo yum update -y
CentOS 7.9.2009 does not install pip by default because it is not available in the core CentOS 7 repositories. To ensure that pip is installed, you must enable the Extra Packages for Enterprise Linux (EPEL) repository. This repository provides additional packages (including pip) that aren't included in the standard CentOS and Red Hat repositories.
Perform the following steps to enable the EPEL repository and install pip:
Add the EPEL repository with the following command:
sudo yum install epel-release
Install pip with the following command:
sudo yum install python-pip
Verify pip installation with the following command:
pip --version
When running Red Hat 7.x in the AWS environment, you must perform the following steps before downloading and installing the Server Sensor:
Use the following commands to enable the required repository access:
sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y yum-utils
sudo yum-config-manager --enable epel
The current libssh library must be manually downloaded from the following URL. A Red Hat login is required.
https://access.redhat.com/downloads/content/libssh/0.7.1-3.el7/x86_64/fd431d51/package
Before installing, confirm that the downloaded RPM is signed by Red Hat (rpm -K reports the digests and signature as OK when the signing key is in the RPM database), then install it:
rpm -K <downloaded rpm>
sudo rpm -i <downloaded rpm>
To prevent configuration errors, Stellar Cyber recommends that you do not install the Linux Server Sensor on target hosts with two NUMA nodes. You can use the following command to check the number of NUMA nodes in your target host:
$ lscpu | grep -i numa
For example, the output below is from a system with two NUMA nodes:
$ lscpu | grep -i numa
NUMA node(s): 2
NUMA node0 CPU(s): 0-19,40-59
NUMA node1 CPU(s): 20-39,60-79
Regardless of the Linux version, the main steps to perform an installation are as follows:
Open ports on your firewall for the sensor.
Use the information in Choosing an Installation Script to select which installation script you want to use. Then, download the script from the Stellar Cyber production server.
Use the instructions in the sections below to run the installation script and verify the installation.
Use the aella_cli command to start the agent CLI. Then, use the set cm command to set the IP address to reach the management interface of the DL master in a DP cluster (or DP in a single DP deployment).
If you are using the small installation script without the -p/--package parameter, the target system must have network access to the Stellar Cyber production servers to download the correct image.
The Linux Server Sensor requires the following ports and URLs to be open on your firewall for outbound communication:
Port | Protocol | Explanation |
53 | TCP & UDP | For DNS resolution |
123 | UDP | For NTP synchronization |
6640-6648 | TCP | For communicating with the DP |
8443 | TCP | For software and file downloads from the DP |
8888-8889 | TCP | Receiver ports for communicating with the data analyzer |
4789 & 8472 | UDP | VXLAN packet forwarding |
URL | Explanation |
| Software updates |
| For installation and update of required packages |
For centos/redhat servers:
| Customer configured port for accessing the OS provider's server (repository) for application updates |
For SUSE servers:
| |
For Ubuntu servers:
|
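The prerequisites above (the curl, ntp and zip packages, the minimum CPU/RAM/disk, the NUMA node count, and the outbound TCP ports to the DP) can be checked in one pass before you download an installer. The following preflight script is an added example, not Stellar Cyber's installer code or part of this page. It assumes a Linux host with GNU coreutils (nproc, df -BG), bash available for the /dev/tcp connect test, and takes the DP management address as its only argument. The check functions take their input as arguments or on stdin so they can be exercised with constructed data; the UDP ports (53, 123, 4789, 8472) cannot be verified with a TCP connect and are only reported.

```shell
#!/bin/sh
# Added example (not Stellar Cyber's code): preflight checks for a Linux
# server sensor host, drawn from the requirements on this page.
# Assumptions: Linux with GNU coreutils, bash present for the TCP test.

MIN_CORES=2         # minimums from the resource table on this page
MIN_RAM_GB=12
MIN_DISK_GB=128
REQUIRED_CMDS="curl zip"   # the ntp package is checked via ntpd/chronyd below
TCP_PORTS="6640 6641 6642 6643 6644 6645 6646 6647 6648 8443 8888 8889"
UDP_PORTS="53 123 4789 8472"   # DNS, NTP, VXLAN: not testable with a TCP connect

# Count NUMA nodes from lscpu output supplied on stdin.
numa_node_count() {
    awk -F: '/^NUMA node\(s\)/ { gsub(/ /, "", $2); print $2; exit }'
}

# Return 0 when cores, RAM (GB) and free disk (GB) all meet the minimums.
resources_ok() {
    [ "$1" -ge "$MIN_CORES" ] && [ "$2" -ge "$MIN_RAM_GB" ] && [ "$3" -ge "$MIN_DISK_GB" ]
}

# Print each command name from the arguments that is not on PATH.
missing_commands() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
    done
}

# Return 0 if a TCP connection to host:port succeeds within 3 seconds.
tcp_reachable() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

run_preflight() {
    dp=$1
    status=0

    missing=$(missing_commands $REQUIRED_CMDS)
    if [ -n "$missing" ]; then
        echo "FAIL missing packages: $(printf '%s ' $missing)"; status=1
    else
        echo "OK   curl and zip present"
    fi
    if command -v ntpd >/dev/null 2>&1 || command -v chronyd >/dev/null 2>&1; then
        echo "OK   time sync daemon present"
    else
        echo "FAIL no ntpd or chronyd found (the installer needs the ntp package)"; status=1
    fi

    cores=$(nproc)
    # MemTotal is in kB and excludes kernel reservations; round to whole decimal GB
    ram=$(awk '/^MemTotal/ { print int($2 / 1000000 + 0.5) }' /proc/meminfo)
    disk=$(df -BG --output=avail / | tail -1 | tr -dc '0-9')
    if resources_ok "$cores" "$ram" "$disk"; then
        echo "OK   resources: $cores cores, $ram GB RAM, $disk GB free on /"
    else
        echo "FAIL resources: $cores cores, $ram GB RAM, $disk GB free (need $MIN_CORES/$MIN_RAM_GB/$MIN_DISK_GB)"; status=1
    fi

    nodes=$(lscpu | numa_node_count)
    if [ "${nodes:-1}" -ge 2 ]; then
        echo "WARN $nodes NUMA nodes; Stellar Cyber recommends not installing on two-NUMA-node hosts"
    else
        echo "OK   single NUMA node"
    fi

    for p in $TCP_PORTS; do
        if tcp_reachable "$dp" "$p"; then
            echo "OK   tcp/$p to $dp"
        else
            echo "FAIL tcp/$p to $dp not reachable"; status=1
        fi
    done
    echo "NOTE udp ports $UDP_PORTS not tested; confirm DNS, NTP and VXLAN egress on the firewall"
    return $status
}

# Usage: ./preflight.sh <DP management IP or hostname>
if [ $# -eq 1 ]; then
    run_preflight "$1"
fi
```

Run it as root or with sudo is not required; it only reads system state. A non-zero exit means at least one hard requirement failed, which is a reason to stop before running either installer.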
The following procedure explains how to use the small installation script (ds_linux_install.sh) to install the Linux Server Sensor.
See the Supported Operating Systems for supported versions.
Reply to your NDR implementation ticket for login credentials.
The following command retrieves the installation script. Substitute the exact release number for version (for example, 5.1.1):
curl -k -u login:password -o ds_linux_install.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install.sh --fail
Two caveats on this command as written. The -k option disables TLS certificate verification, which leaves the download open to interception; omit it unless the server's certificate genuinely fails validation in your environment, and fix that instead. A password given inline with -u also lands in your shell history and is visible to other local users in the process list; pass -u login without the colon and password, and curl prompts for it.
Run the script with the following command:
sudo bash ds_linux_install.sh -v version
Substitute the exact release number for version (for example, 5.1.1).
The following procedure explains how to use the all-in-one installation script (ds_linux_install_all_in_one.sh) to install the Linux Server Sensor.
See the Supported Operating Systems for supported versions.
Reply to your NDR implementation ticket for login credentials.
The following command retrieves the installation script:
curl -k -u login:password -o ds_linux_install_all_in_one.sh https://acps.stellarcyber.ai/release/version/datasensor/ds_linux_install_all_in_one.sh --fail
Substitute the exact release number for version (for example, 5.1.1).
Run the script with the following command:
sudo bash ds_linux_install_all_in_one.sh <arguments>
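Both download commands above use curl -k with an inline password. The following wrapper is an added example, not Stellar Cyber's code or part of this page, showing how to fetch either installer with the certificate verified and the password kept off the command line. It assumes a Linux host (GNU stat, sha256sum), and that credentials are either in a mode-0600 netrc file whose path is taken from STELLAR_NETRC (defaulting to ~/.stellar_netrc; both the variable and the file name are chosen here, not from the page) or typed at curl's password prompt. It also refuses to keep a download that does not start with a shebang, since a failed login or redirect often returns an HTML page instead of a script.

```shell
#!/bin/sh
# Added example (not Stellar Cyber's code): download an installer script
# without -k and without the password on the command line.
# Assumptions: Linux (GNU stat, sha256sum); STELLAR_NETRC and ~/.stellar_netrc
# are names chosen for this example, not from the page.

BASE_URL="https://acps.stellarcyber.ai/release"   # from the page
NETRC="${STELLAR_NETRC:-$HOME/.stellar_netrc}"

# Accept only a plain x.y.z release number so the URL cannot be tampered with.
valid_version() {
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Only the two installer names documented on this page.
valid_script() {
    case "$1" in
        ds_linux_install.sh|ds_linux_install_all_in_one.sh) return 0 ;;
        *) return 1 ;;
    esac
}

installer_url() {
    printf '%s/%s/datasensor/%s\n' "$BASE_URL" "$1" "$2"
}

# A failed or redirected download often yields HTML; require a shebang.
looks_like_shell_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

fetch_installer() {
    version=$1
    script=$2
    valid_version "$version" || { echo "refusing version '$version'" >&2; return 2; }
    valid_script "$script"   || { echo "refusing script name '$script'" >&2; return 2; }

    if [ -f "$NETRC" ]; then
        # netrc line: machine acps.stellarcyber.ai login <user> password <pass>
        [ "$(stat -c %a "$NETRC")" = "600" ] || { echo "$NETRC must be mode 0600" >&2; return 2; }
        set -- --netrc-file "$NETRC"
    else
        printf 'Stellar Cyber login: ' >&2
        read -r login
        set -- -u "$login"          # no password given, so curl prompts for it
    fi

    # --proto =https and --tlsv1.2 pin the transport; no -k, so the certificate is verified.
    curl --proto '=https' --tlsv1.2 --fail --silent --show-error "$@" \
        -o "$script" "$(installer_url "$version" "$script")" || return 1

    if ! looks_like_shell_script "$script"; then
        echo "$script is not a shell script; not keeping it" >&2
        rm -f "$script"
        return 1
    fi
    sha256sum "$script"             # record the digest with your change ticket
}

# Usage: ./fetch_installer.sh 5.1.1 ds_linux_install.sh
if [ $# -eq 2 ]; then
    fetch_installer "$1" "$2"
fi
```

After a successful fetch, run the script with sudo bash exactly as the procedures above describe; the printed SHA-256 lets you tie the file you executed to the one you downloaded.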
The table below lists and describes the supported arguments for the ds_linux_install.sh and ds_linux_install_all_in_one.sh scripts. With the exception of the -v | --version argument, which is used only for the ds_linux_install.sh script in 5.1.1, the arguments are exactly the same:
Argument (Short) | Description |
-v | --version | Use this argument to specify the target software version to be installed. This argument is only used with the ds_linux_install.sh script in 5.1.1. The ds_linux_install_all_in_one.sh script is new in 5.1.1 and implicitly uses 5.1.1 as the only version supported. |
--cm | Optional. You can use this argument to specify the IP address of the managing Stellar Cyber DP for this server sensor. This option is mutually exclusive with the --token and --token_file options. You connect server sensors to their managing Stellar Cyber servers differently depending on whether the server has an "s" in its version number: use --cm for servers without an "s" and the token options for servers with one. |
-t | --token | Use this option to connect a server sensor to a managing Stellar Cyber server that has an "s" in its version number, passing the token as a string. You typically use the token options with an installer you downloaded directly from a Stellar Cyber server rather than from the production build servers; the token or token file is obtained from that same Stellar Cyber server. The token options are mutually exclusive with --cm and with one another: you use either an IP address or a token to connect a server sensor to its managing Stellar Cyber server, but not both, and if you use a token you apply it either as a string (-t) or as a file (-F), but not both. |
-F | --token_file | Same as -t, but reads the token from the named file. |
-c | --check | Shows system information, helping you decide whether system resources are sufficient to support server sensor installation. |
Once the services are installed and operating, use the following procedure to configure the Linux Server Sensor:
Use the aella_cli command to start the CLI.
If the sensor is to be assigned to a tenant, enter the command set tenant_id <tenant-id> where the <tenant-id> is replaced by the tenant ID.
If you did not use the --cm argument as part of the sensor installation, use the set cm command as shown in the following examples:
set cm <applicable CM URL from below>
NOAM Console: cm-solutionsgrantedinc.stellarcyber.cloud
EMEA Console: cm-emea-snwl.stellarcyber.cloud
This command specifies the address of the management interface of the Data Processor. For a DP cluster, this is the DL-master's management interface; for a single DP deployment, it is simply the DP's management interface. You can supply either an IP address or a hostname.
If you have a data aggregator installed, use that IP address instead of the DP's management interface. For example:
set aggregator <primary IP address> <secondary IP address>
Once this is done, the server sensor connects to the data processor and registers its presence.
Exit the CLI with the quit command.
To uninstall a sensor on Debian or Ubuntu:
sudo apt-get remove aellads
To uninstall a sensor on CentOS or Red Hat:
sudo yum remove aellads