LogSentinel SIEM can be deployed on-premises in several ways:
- Virtual appliance - our team provides the VM images and the required configuration parameters
- Cloud instances - on AWS, GCP and Azure you can use the same virtual appliance
- Docker (with docker-compose) - our team provides the required containers and scripts
- Kubernetes - our team provides the required Kubernetes configuration
- Manual installation of the required components - not recommended, but if chosen, our team will assist you with the appropriate scripts. For Windows installation, check this page
Regardless of the setup option, consult the sizing tables to plan the required infrastructure.
LogSentinel SIEM runs on both Windows and Linux.
On Windows, Windows Server 2008 R2 and later and Windows 7 and later are supported. Note that Windows 7 and Windows Server 2008 R2 are past Microsoft's end of support, so a currently supported release should be used for a production node.
On Linux, all popular distributions are supported (Debian, Ubuntu, CentOS, RHEL, Amazon Linux, Fedora). The virtual appliance that we distribute is based on CentOS 8; since CentOS 8 reached end of life at the end of 2021, plan for how the appliance's operating system will receive security updates.
Regardless of the chosen installation method, the following properties may need to be configured on the LogSentinel SIEM node. They can be set from the appliance configuration UI or directly in the
Properties required for sending emails from the SIEM
- spring.mail.* - configure an outgoing mail server
- registration.email.from, generic.email.from - outgoing mails are sent from these addresses
- default.password - username and password for the default account. They are "default/default" if not changed. After the initial login, change the password to a more secure one. Note that the login name is email@example.com, which you can also change from the User profile menu.
- admin.password - used to access the admin panel of the system (note: the login name is <admin.username>@logsentinel.com, i.e. if you configure admin.username=test, you log in as test@logsentinel.com)
- spring.security.user.password - password used to access the application management dashboard
- hmac.key - an alphanumeric key used for calculating HMACs
- jwt.secret - a secret alphanumeric key used for signing JWT session tokens; anyone who obtains it can forge session tokens, so generate it randomly, keep it distinct from hmac.key, and never leave either at a placeholder value
Working behind a proxy
LogSentinel SIEM optionally makes outbound internet connections to fetch threat feeds and leaked-credential databases and to reach the Twilio SMS sending service.
If a proxy server is needed for successful outbound connections, it can be configured in /var/logsentinel/logsentinel.conf by appending the following to
For IP geolocation, LogSentinel SIEM uses the IP2Location LITE data available from https://lite.ip2location.com. If you choose not to allow outgoing connections from LogSentinel SIEM, you can download updates from that site manually and install them on the node.