
On-Premises Overview

LogSentinel SIEM can be used on-premise in multiple ways:

  • Virtual appliance - our team provides the necessary VM images and the required configuration parameters
  • Cloud instances - for AWS, GCP and Azure you can use the same virtual appliance
  • Docker (with docker-compose) - our team provides the necessary containers and scripts
  • Kubernetes - our team provides the required Kubernetes configuration
  • Manual installation of the required components - not recommended, but if chosen, our team will assist you with the appropriate scripts. For Windows installation, check this page. For Linux (CentOS), check this page

Regardless of the setup option, check the sizing tables to plan the required infrastructure.

Supported platforms

LogSentinel SIEM runs on both Windows and Linux.

For Windows, both Windows Server 2008 R2+ and Windows 7+ are supported.

For Linux, all popular distributions are supported (Debian, Ubuntu, CentOS, RHEL, Amazon Linux, Fedora). The virtual appliance that we distribute is based on CentOS 8.


Regardless of the chosen method of installation, the following properties may need to be configured on the LogSentinel SIEM node. They can be configured from the appliance configuration UI or directly in the /var/logsentinel/

Properties required for sending emails from the SIEM

  • spring.mail.* - configure an outgoing mail server
  •, – outgoing mails would be sent from these addresses


  • default.username, default.password - username and password for the default account. They are "default/default" if not changed. After the initial login, change the password to a more secure one. Note that the login name is, which you can also change from the User profile menu.
  • admin.username, admin.password – used to access the admin panel of the system (note: the login name is, i.e. if you configure admin.username=test, you’d be able to log in with
  • – password used to access an application management dashboard
  • hmac.key - an alphanumeric key used for calculating HMACs
  • jwt.secret – a secret alphanumeric key used for JWT session tokens
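
An added example (not LogSentinel's own tooling): a small audit of the security-relevant properties listed above. It flags the shipped default/default login, a password equal to its username, and hmac.key / jwt.secret values that are missing, non-alphanumeric, short or reused. The 32-character minimum and the plain key=value file syntax are assumptions, and the sample input is constructed.

```python
MIN_SECRET_LEN = 32  # assumed policy, not a LogSentinel requirement


def parse_properties(text):
    """Parse key=value lines (assumed syntax), skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return (property, problem) findings for the properties named on this page."""
    findings = []
    for account in ("default", "admin"):
        user = props.get(account + ".username")
        pw = props.get(account + ".password")
        # The page states the default account is default/default unless changed.
        if account == "default" and pw in (None, "default"):
            findings.append(("default.password", "still the shipped default"))
        elif pw is not None and pw == user:
            findings.append((account + ".password", "same as username"))
    for key in ("hmac.key", "jwt.secret"):
        value = props.get(key)
        if not value:
            findings.append((key, "not set"))
        elif not (value.isascii() and value.isalnum()):
            findings.append((key, "not alphanumeric"))
        elif len(value) < MIN_SECRET_LEN:
            findings.append((key, "shorter than %d characters" % MIN_SECRET_LEN))
    if props.get("hmac.key") and props.get("hmac.key") == props.get("jwt.secret"):
        findings.append(("jwt.secret", "reuses hmac.key"))
    return findings


# Constructed sample, not a real configuration.
SAMPLE = """\
default.username=default
default.password=default
admin.username=test
admin.password=test
hmac.key=abc123
jwt.secret=abc123
"""

if __name__ == "__main__":
    for key, problem in audit(parse_properties(SAMPLE)):
        print("%-18s %s" % (key, problem))
```
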

Working behind a proxy

LogSentinel SIEM optionally needs outbound internet access in order to reach threat feeds, leaked credentials databases and the SMS sending service Twilio. If a proxy server is needed for successful outbound connections, it can be configured in /var/logsentinel/logsentinel.conf by appending the following to JAVA_OPTS: -Dhttp.proxyPort=8080

Healthcheck monitoring

LogSentinel SIEM has a healthcheck monitoring endpoint at {rootAddress}/manage/healthcheck. Authentication is performed using the configured credentials in - and

This endpoint can be used in monitoring systems (like Zabbix and Nagios).

Zabbix setup

Zabbix web monitoring can be used to monitor LogSentinel SIEM. More details can be found in the Zabbix documentation.

IP Geolocation

For IP geolocation, LogSentinel SIEM uses the IP2Location LITE data available from You can download updates from here if you choose not to allow outgoing connections from LogSentinel SIEM.