Overview
Blumira sensors collect logs that allow Blumira to detect threats in your environment. You can configure as many sensors as you need, but we recommend having one in each location.
After you build a sensor, you can install multiple modules on it. These modules allow you to integrate with third-party products, such as identity services, endpoint detection tools, and cloud infrastructure services. Additionally, you can enable features on a sensor by adding other modules, such as a honeypot module, which allows you to detect lateral movement attempts within a network.
This article describes how to install Ubuntu and then build and maintain a Blumira sensor on it.
Caution: Do not upgrade your existing Ubuntu server version if you are running Blumira sensors on it. Upgrading in place can cause failures. You must install a new server to use as a new host when old Ubuntu versions are no longer supported and deprecate the old Ubuntu host to avoid log duplication. See Rebuilding and reinstalling a Blumira sensor for migration steps.
Host requirements
To install a Blumira sensor on Ubuntu, you need a server that meets these minimum requirements:
- Ubuntu Server 22.04 LTS that is fully virtual and does not require metal disks
Note: Virtualizing your server ensures the best performance due to the amount of data being collected and transmitted. - at least 4 GB RAM
- at least 4 CPUs (or a dual-core physical CPU, if physical)
Note: If you do not have the resources for 4 GB RAM and 4 CPUs, you can use 2 GB RAM and 2 CPUs, but your log delivery may become slow and your disk usage may increase. - at least 100GB of disk space
Note: The exact amount of disk space depends on your log volume, but we recommend 100 GB plus the space needed for 7 days of logs (uncompressed Syslog). 200 GB is a good target.
Preparing an Ubuntu host
Build your new Blumira sensors on Ubuntu Server 22.04 LTS. We do not recommend using older versions of Ubuntu.
To install Ubuntu Server 22.04 LTS:
- Download Ubuntu Server 22.04 ISO.
Tip: Chrome does not always successfully open this link to download Ubuntu Server. If you have trouble, you can either use a different browser or you can copy the link, open a new Chrome tab, and then paste the link into the new tab. - Boot your sensor server from the ISO.
Note: If you are installing the sensor on a Hyper-V VM, you must first modify the Secure Boot settings. Before installing Ubuntu on Hyper-V, do the following:
-
In the Hyper-V VM, navigate to File > Settings > Security.
-
Under Secure Boot, select Microsoft UEFI Certificate Authority.
-
Click Apply then OK to return to your VM.
-
Boot the VM from the downloaded ISO and continue the installation steps below.
-
- After the installer finishes loading and the Welcome page appears, use the UP and DOWN keys to select your language, and then press Enter.
- If you are prompted to update the installer, it is best to do so as it likely contains bug fixes and/or performance improvements.
- Continue to follow the prompts on the screen to install Ubuntu with the default settings, except as noted here:
- On the Choose type of install page, select Ubuntu Server (default settings).
- On the Network connections page, the server must be configured with a fixed IP. You can use either a DHCP reservation or a static IP.
Note: When configuring a static IP instead of using a DHCP reservation, the subnet must be configured in CIDR format (example: 192.168.1.0/24). - On the Storage configuration page, edit the ubuntu-lv configuration to use the entire disk. Set to the maximum usable size, which is shown to the left of the field.
Note: By default, Ubuntu will only configure the use of a small fraction of the available volume size. - On the SSH Setup page, select the Install Open SSH server checkbox, press DOWN to select Done, and then press Enter.
- Do not install any additional packages, such as Docker, during the initial install. The sensor installation script (see the procedure below) will configure all of the necessary packages to run a Blumira sensor.
- After Ubuntu installs, press Enter to reboot the Ubuntu machine.
Building and installing a new Blumira sensor on the host
To configure a new Blumira sensor:
- If your organization restricts outbound traffic, ensure that you allowlist the URLs provided in Allowlisting outbound traffic for Blumira sensors on your firewall.
- Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password that you created during the installation.
- Ensure that Docker and Snap are both up-to-date by running the following command:
sudo apt update && sudo apt upgrade -y
- Configure the NTP servers by entering the commands below into PuTTY.
NTP="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
Tip: If you want to paste these commands into PuTTY, paste them one line at a time, using Shift-Insert to paste.
sudo sed -ie "s/#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
sudo systemctl restart systemd-timesyncd
Note: You can change the first command to contain your company’s internal IP(s) if necessary, such as NTP=”10.1.123.1 10.1.123.2”. - Build and install the sensor by completing these steps:
- In Blumira, navigate to Settings.
- In the Location box, select the sensor's location. If it does not exist yet, click Add New Location, and then add its information.
- In the Settings menu, click Sensors.
- Click Add New Sensor.
- In the Name box, type a unique name for the sensor (excluding spaces).
- In the Description box, type any notes or descriptors that are helpful to know about this sensor.
- If you do not want all administrators in your Blumira account to receive a sensor installation email then select the check box next to Email sensor installation link only to me.
Note: Some email security settings can cause the emailed link to break. Step 12 provides details about where to find the installation instructions in the app. - From the Location menu, select the location that you verified or added above.
- Click Install.
- After the page refreshes on its own (do not refresh it manually), the new sensor record appears in the table.
- Click the name of the sensor then click View details.
- Under Installation Instructions, copy the provided script and paste it into a Linux terminal to run the script.
Note: The script expires after 7 days and will not appear in the app after it has expired. - When the install script successfully completes, a docker container appears on your host, which contains the sensor stack.
- Set iptables to legacy by running the command
sudo update-alternatives --config iptables
and then select iptables-legacy. -
Important: You must reboot the Blumira Sensor. Until then, the sensor will show as "online," but the modules will remain in an unknown state.
- After five to 10 minutes, refresh the Sensor page in the app. The details of the host appear, and the sensor's status should appear green.
Tip: The circle next to the sensor's name indicates its status and transitions from red to green after it connects to Blumira. It is normal not see logging devices until you have completed integrations with your log sources.
Sending the sensor's logs to Blumira
The sensor's OS logs generated on the new Ubuntu server are not automatically sent to Blumira. You can send the logs from the sensor server to Blumira's logger module by completing the procedure in Integrating with Linux OS. Replace "A.B.C.D" with "127.0.0.1" in Step 4.
Within about 10 minutes, the logging device appears on the sensor's detail page in Blumira. The device may have a device address that you do not recognize, as this will be an internally-routable address used only within the sensor. The Type should be “Unix”.
Maintaining the Ubuntu server
Keeping the Ubuntu server secure and operating properly is critical to your success with Blumira, and you should monitor and treat it as any other asset in your organization’s infrastructure.
The Ubuntu system automatically installs security patches on a daily basis, but if updates require the machine to reboot, it will not do this automatically. We recommend that you periodically check to ensure that security updates are successfully installed and reboot the machine if the login banner informs you that a reboot is required.