On-Premises Overview

LogSentinel SIEM can be used on-premise in multiple ways:

  • Virtual appliance - our team provides the necessary VM images and the required configuration parameters
  • Cloud instances - For AWS, GCP, Azure you can use the same virtual appliance
  • Docker (with docker-compose) - our team provides the necessary containers and scripts
  • Kubernetes - our team provides the required Kubernetes configuration
  • Manual installation of the required components - not recommended, but if chosen, our team will assist you with the appropriate scripts. For Windows installation, check this page. For Linux (CentOS), check this page

Regardless of the setup option, check the sizing tables to be able to plan the required infrastructure.

Supported platforms

LogSentinel SIEM runs on both Windows and Linux.

For Windows, both Windows Server 2008 R2+ and Windows 7+ are supported.

For Linux, all popular distributions are supported (Debian, Ubuntu, CentOS, RHEL, Amazon Linux, Fedora). The virtual appliance that we distribute is based on CentOS 8.

Configuration

Regardless of the chosen method of installation, the following properties may need to be configured on the LogSentinel SIEM node. They can be configured from the appliance configuration UI or directly in /var/logsentinel/app.properties.

Properties required for sending emails

  • spring.mail.* - configure an outgoing mail server
    • spring.mail.host=
    • spring.mail.port=587
    • spring.mail.username=
    • spring.mail.password=
    • spring.mail.properties.mail.smtp.auth=true
    • spring.mail.properties.mail.smtp.starttls.enable=false
    • spring.mail.properties.mail.smtp.starttls.required=false
    • spring.mail.properties.mail.transport.protocol=smtps
  • registration.email.from, generic.email.from – outgoing mails would be sent from these addresses

Credentials

  • default.username, default.password - username and password for the default console account. They are "default/default" if not changed (to log in, use default@logsentinel.com). After the initial login, change the password to a more secure one.
  • admin.username, admin.password – used to access the admin panel of the system, defaulting to "test/test" (note: the login name is @logsentinel.com, i.e. if you configure admin.username=test, you’d be able to log in with test@logsentinel.com)
  • hmac.key - an alphanumeric key used for calculating HMACs, has a reasonable default value.
  • jwt.secret – a secret alphanumeric key used for JWT session tokens, has a reasonable default value.
  • spring.security.user.password – password used to gain access to monitoring and system management functionalities under https://<root>/manage. Username is admin
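As an added example (not LogSentinel's own tooling), the script below parses an app.properties file and flags the console and admin credentials listed above when they are still at their shipped defaults, plus an empty spring.security.user.password; the sample properties file is constructed.

```python
"""Audit a LogSentinel SIEM app.properties for credentials left at their
shipped defaults. Added example, not part of the LogSentinel distribution."""
import re

# Defaults named in the documentation: console default/default, admin test/test.
SHIPPED_DEFAULTS = {
    ("default.username", "default.password"): ("default", "default"),
    ("admin.username", "admin.password"): ("test", "test"),
}
# Must be set for Basic auth on https://<root>/manage to work as documented.
REQUIRED_NON_EMPTY = ("spring.security.user.password",)

# Constructed sample: admin password changed, console password not.
SAMPLE = """# constructed app.properties
default.username=default
default.password=default
admin.username=siemadmin
admin.password=Str0ng-Adm1n-P@ss
spring.security.user.password=
spring.mail.host=smtp.example.com
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!'
    comment lines, and backslash line continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # skip blanks and comments (but not inside a continuation)
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", buf)
        buf = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return a list of findings; an absent key counts as its shipped default."""
    findings = []
    for (ukey, pkey), (udef, pdef) in SHIPPED_DEFAULTS.items():
        if props.get(pkey, pdef) == pdef:
            findings.append(f"{pkey} still at shipped default for user '{props.get(ukey, udef)}'")
    for key in REQUIRED_NON_EMPTY:
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```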

Working behind a proxy

LogSentinel SIEM optionally needs to call the internet in order to access threat feeds, leaked credentials databases and the SMS sending service Twilio. If a proxy server is needed for successful outbound connections, it can be configured in /var/logsentinel/logsentinel.conf by appending the following to JAVA_OPTS (for Linux) or in logsentinel.xml at the beginning of the <arguments> element (for Windows):

-Dhttp.proxyHost=your.proxy.host -Dhttp.proxyPort=80 -Dhttps.proxyHost=your.proxy.host -Dhttps.proxyPort=443 -Dhttp.nonProxyHosts=<IPs of the LogSentinel machines>

Healthcheck monitoring

LogSentinel SIEM has a healthcheck monitoring endpoint at {rootAddress}/manage/healthcheck. Authentication is performed using the credentials configured in application.properties: spring.security.user.name and spring.security.user.password.

This endpoint can be used in monitoring systems (like Zabbix and Nagios).

Zabbix setup

Zabbix web monitoring can be used to monitor LogSentinel SIEM. More details can be seen in the Zabbix documentation. Below is a list of the properties that have to be configured:

  • Name: LogSentinel SIEM
  • URL: https://{logsentinel-host}/manage/healthcheck
  • Authentication: use the values of spring.security.user.name and spring.security.user.password for Basic authentication

IP Geolocation

For IP geolocation, LogSentinel SIEM uses the IP2Location LITE data available from https://lite.ip2location.com. You can download updates from here if you choose not to allow outgoing connections from LogSentinel SIEM.