1. Blumira Support
  2. Deploying Blumira
  3. Blumira Sensors

Quick Links

Building a Blumira sensor on Ubuntu

Overview

Blumira sensors collect logs that allow Blumira to detect threats in your environment. You can configure as many sensors as you need, but we recommend having one in each location.

After you build a sensor, you can install multiple modules on it. These modules allow you to integrate with third-party products, such as identity services, endpoint detection tools, and cloud infrastructure services. Additionally, you can enable features on a sensor by adding other modules, such as a honeypot module, which allows you to detect lateral movement attempts within a network.

This article describes how to install Ubuntu and then build and maintain a Blumira sensor on it.

Caution: Do not upgrade your existing Ubuntu server version if you are running Blumira sensors on it. Upgrading in place can cause failures. You must install a new server to use as a new host when old Ubuntu versions are no longer supported and deprecate the old Ubuntu host to avoid log duplication. See Rebuilding and reinstalling a Blumira sensor for migration steps.

Before you begin

XDR Trials

Note: Sensor integrations are not automatically included in trials of the XDR edition, so this option will not appear if you started the trial in-app. To trial our sensor integrations, please connect with us using this form.

To install a Blumira sensor on Ubuntu, you need a server that meets these minimum requirements:

  • Ubuntu Server 22.04 LTS that is fully virtual and does not require metal disks
    Note: Virtualizing your server ensures the best performance due to the amount of data being collected and transmitted.
  • at least 4 GB RAM
  • at least 4 CPUs (or a dual-core physical CPU, if physical)
    Note: If you do not have the resources for 4 GB RAM and 4 CPUs, you can use 2 GB RAM and 2 CPUs, but your log delivery may become slow and your disk usage may increase.
  • at least 100GB of disk space
    Note: The exact amount of disk space depends on your log volume, but we recommend 100 GB plus the space needed for 7 days of logs (uncompressed Syslog). 200 GB is a good target.

Preparing an Ubuntu host

Build your new Blumira sensors on Ubuntu Server 22.04 LTS. We do not recommend using older versions of Ubuntu. 

To install Ubuntu Server 22.04 LTS:

  1. Download Ubuntu Server 22.04 ISO.
    Tip: Chrome does not always successfully open this link to download Ubuntu Server. If you have trouble, you can either use a different browser or you can copy the link, open a new Chrome tab, and then paste the link into the new tab.
  2. Boot your sensor server from the ISO.

    Note: If you are installing the sensor on a Hyper-V VM, you must first modify the Secure Boot settings. Before installing Ubuntu on Hyper-V, do the following:

    1. In the Hyper-V VM, navigate to File > Settings > Security.

    2. Under Secure Boot, select Microsoft UEFI Certificate Authority.

    3. Click Apply then OK to return to your VM.

    4. Boot the VM from the downloaded ISO and continue the installation steps below.

  3. After the installer finishes loading and the Welcome page appears, use the UP and DOWN keys to select your language, and then press Enter.
  4. If you are prompted to update the installer, it is best to do so as it likely contains bug fixes and/or performance improvements.
  5. Continue to follow the prompts on the screen to install Ubuntu with the default settings, except as noted here:
    1. On the Choose type of install page, select Ubuntu Server (default settings).
    2. On the Network connections page, the server must be configured with a fixed IP. You can use either a DHCP reservation or a static IP.
      Note: When configuring a static IP instead of using a DHCP reservation, the subnet must be configured in CIDR format (example: 192.168.1.0/24).
    3. On the Storage configuration page, edit the ubuntu-lv configuration to use the entire disk. Set to the maximum usable size, which is shown to the left of the field.
      Note: By default, Ubuntu will only configure the use of a small fraction of the available volume size.
    4. On the SSH Setup page, select the Install Open SSH server checkbox, press DOWN to select Done, and then press Enter.
    5. Do not install any additional packages, such as Docker, during the initial install. The sensor installation script (see the procedure below) will configure all of the necessary packages to run a Blumira sensor.
  6. After Ubuntu installs, press Enter to reboot the Ubuntu machine.

Ubuntu22Setup.gif

Building and installing a new Blumira sensor on the host

To configure a new Blumira sensor:

  1. If your organization restricts outbound traffic, ensure that you allowlist the URLs provided in Allowlisting outbound traffic for Blumira sensors on your firewall.
  2. Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password that you created during the installation.
  3. Ensure that Docker and Snap are both up-to-date by running the following command: 
    sudo apt update && sudo apt upgrade -y
  4. Configure the NTP servers by entering the commands below into PuTTY.  
    NTP="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
    sudo sed -ie "s/#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
    sudo systemctl restart systemd-timesyncd
    Tip: If you want to paste these commands into PuTTY, paste them one line at a time, using Shift-Insert to paste.
    Note: You can change the first command to contain your company’s internal IP(s) if necessary, such as NTP=”10.1.123.1 10.1.123.2”.
  5. Build and install the sensor by completing these steps:
    1. In Blumira, navigate to Settings.
    2. In the Location box, select the sensor's location. If it does not exist yet, click Add New Location, and then add its information.
    3. In the Settings menu, click Sensors.
    4. Click Add New Sensor.
    5. In the Name box, type a unique name for the sensor (excluding spaces).
    6. In the Description box, type any notes or descriptors that are helpful to know about this sensor.
    7. If you do not want all administrators in your Blumira account to receive a sensor installation email then select the check box next to Email sensor installation link only to me.
      Note: Some email security settings can cause the emailed link to break. Step 12 provides details about where to find the installation instructions in the app.
    8. From the Location menu, select the location that you verified or added above.
    9. Click Install.
    10. After the page refreshes on its own (do not refresh it manually), the new sensor record appears in the table.
    11. Click the name of the sensor then click View details.
    12. Under Installation Instructions, copy the provided script and paste it into a Linux terminal to run the script.
      Note: The script expires after 7 days and will not appear in the app after it has expired.
    13. When the install script successfully completes, a docker container appears on your host, which contains the sensor stack.
    14. Set iptables to legacy by running the following command: 
      sudo update-alternatives --config iptables
      and then select iptables-legacy.

    15. Important: You must reboot the Blumira sensor. Until then, the sensor will show as "online," but the modules will remain in an unknown state.

    16. Wait five to 10 minutes, then refresh the Sensors page in the app. The details of the host appear, and the sensor's status should appear green.
      Screenshot 2025-04-07 at 3.22.52 PM.png
      Tip: It is normal not to see logging devices in the sensor's detail page until you have completed integrations with your log sources.

Sending the sensor's system logs to Blumira

Any of the sensor's OS logs generated on the Ubuntu server are not automatically sent to Blumira. You can send those logs from the sensor server to Blumira's logger module by completing the procedure in Integrating with Linux OS.

Within about 10 minutes, the logging device appears on the sensor's detail page in Blumira. The device may have an address you do not recognize since this will be an internally routable address used only within the sensor. The data type should be Unix.

Monitoring the sensor's connection status

Your Blumira sensor's connection status is monitored with telemetry checks that occur every five to ten minutes. The sensor's health is determined by how long it has successfully checked in and the rate of logs sent over time.

If your sensor does not check in for at least 4 hours, it will enter an offline status and show as not connected and red under the Connected column in the Sensors table. If the logging rate suddenly decreases, this is often an early sign that the sensor is unhealthy and will go offline soon.

In some cases, though, there are other normal system activities like upgrades or temporary changes that do not take the sensor offline for longer than a few minutes or an hour. The offline status change for failed check-ins beyond 4 hours accounts for these regular maintenance scenarios.

Reference: See About user notifications to learn how to turn on sensor health notifications to receive emails when your sensors enter an offline state or suddenly stop receiving logs at the normal rate.

Maintaining the Ubuntu server

Keeping the Ubuntu server secure and operating properly is critical to your success with Blumira. You should monitor and treat it as any other asset in your organization’s infrastructure.

The Ubuntu system automatically installs security patches daily, but if updates require the machine to reboot, it will not do this automatically. We recommend that you periodically check to ensure that security updates are successfully installed and reboot the machine if the login banner informs you that a reboot is required.

Related Articles