Overview
Blumira integrates with Linux operating systems to provide automated threat detection and actionable response. Blumira supports nearly any Linux server operating system, such as Red Hat, Ubuntu, and SUSE.
Note: The procedure provided in this article is for integrating with Linux using a Blumira sensor and Rsyslog. Alternatively, Blumira Agent can be used for faster integration and higher visibility into your Linux machines. See additional information and instructions in Installing Blumira Agent on a remote device.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
Gather the IP address of your Blumira sensor to use when configuring the external service.
To find and copy the IP address of the sensor, do the following:
- In Blumira, navigate to Settings > Sensors.
- Click the sensor row to open the details page.
- Under Overview, in the Host Details box, copy the IP value.
Configuring Linux System Logs
Check Rsyslog
Determine the version of Rsyslog you’re currently using:
rsyslogd -v
If the command is not found, install Rsyslog on your server. This is fairly rare, and you may want to verify the date or method of installation used to set up the server.
If you’re using an apt-based release, such as Debian or Ubuntu, run the following:
sudo apt-get install rsyslog
If you’re using a yum-based release, such as RHEL or CentOS, run the following:
sudo yum install rsyslog
In either case, as long as your Rsyslog version is newer than 2.x, the setup process below should work for your server.
Set up Rsyslog
- Open (or create) the Blumira configuration file for Rsyslog:
sudo vim /etc/rsyslog.d/23-blumira.conf
- You can also use nano, emacs, or your preferred text editor. The file must be located at /etc/rsyslog.d/23-blumira.conf.
- Copy and paste the following content into the file:
# Setup Disk Queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
#$WorkDirectory /var/lib/rsyslog # if using RHEL/CentOS, uncomment this line, and comment out the above line
$ActionQueueFileName blumiraRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor
# Be sure to change <sensor_ip> to your Sensor's IP
*.* @@A.B.C.D:514;BluFormat

# Run the following if wanting to use local output:
# sudo touch /var/log/blumira.log && sudo chmod 640 /var/log/blumira.log && sudo chown syslog:adm /var/log/blumira.log
# *.* /var/log/blumira.log;BluFormat # Local Debugging
- Change "A.B.C.D" to your local Blumira sensor’s IP address, which you gathered in the previous steps.
- (Optional) If you want to test locally, run the touch/chmod/chown command shown in the comment to create /var/log/blumira.log, then uncomment the last line so that a copy of the logs being sent to the Blumira sensor is also written to that file.
Restart the Service
Restart the rsyslog service so that it picks up the new configuration and starts forwarding logs.
sudo /etc/init.d/rsyslog restart
or
sudo service rsyslog restart
Because of the *.* selector in the configuration above, Blumira will ingest all logs on the host, including system and local authentication logs.
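To check what the BluFormat template actually emits (for example from the optional local /var/log/blumira.log output), the following parser reads lines in that format, decodes the PRI into facility and severity, and counts sshd failed-password events per source address, which is the failed-authentication signal that both Blumira and fail2ban act on. This is an added example, not Blumira's code; the sample lines are constructed to match the template and are not real sensor data.

```python
import re
from collections import Counter

# Line shape produced by the BluFormat template:
#   <pri> BLUNIX <rfc3339 ts> <hostname> <app-name> <procid> <msgid> <msg>
# sp-if-no-1st-sp guarantees exactly one space before the message body and
# drop-last-lf removes the message's own newline before the template's "\n".
BLUFORMAT = re.compile(
    r"^<(?P<pri>\d{1,3})> BLUNIX (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_bluformat(line):
    """Return a dict of fields for one BluFormat line, or None if it does not match."""
    m = BLUFORMAT.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:                       # PRI = facility*8 + severity, max 23*8+7
        return None
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    return rec

def failed_ssh_by_source(lines, threshold=5):
    """Count sshd 'Failed password' events per source IP and return the sources
    at or above threshold (the same idea as fail2ban's maxretry)."""
    hits = Counter()
    for line in lines:
        rec = parse_bluformat(line)
        if rec and rec["app"] == "sshd":
            fm = FAILED_PW.search(rec["msg"])
            if fm:
                hits[fm.group(2)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample lines (PRI 38 = auth.info), not captured from a real host.
SAMPLE = [
    "<38> BLUNIX 2024-05-01T10:00:00+00:00 web01 sshd 1234 - Failed password for root "
    f"from 203.0.113.9 port {40000 + i} ssh2" for i in range(5)
] + ["<38> BLUNIX 2024-05-01T10:00:09+00:00 web01 sshd 1240 - Accepted publickey "
     "for ops from 192.0.2.7 port 50123 ssh2"]
```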
Additional Tweaks
Fail2Ban
Blumira recommends installing fail2ban if SSH is in use on the host, even only internally. This enriches the failed-authentication logs and provides a quick response to brute-force attempts.
sudo apt-get install fail2ban
or
sudo yum install fail2ban
Copy and paste the following content into a new file, /etc/fail2ban/jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
Then restart the service using the command for your distribution.
sudo /etc/init.d/fail2ban restart
or
sudo service fail2ban restart