Select Page

WitFoo Precinct Multi-Node Deployment Checklist

Welcome Forums Appliance and OS WitFoo Precinct Multi-Node Deployment Checklist

  • This topic is empty.
Viewing 1 post (of 1 total)
  • Author
    Posts
  • March 19, 2020 at 10:58 pm #2195
    Mike RiforgiateMike Riforgiate
    Keymaster

    Deploy Appliances (https://www.witfoo.com/tech-specs/) 
    It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

    • Data Node (Recommend 3)
    • Streamer Node (Recommend 1 for each transport type: syslog, NetFlow, Splunk, eStreamer, Beats)
    • IE/Management Node (Recommend 1)

    Verify that each appliance has required resources outlined in the table.

    • At least 8GB of RAM on Streamer nodes (12GB ideal)
    • At least 12GB of RAM on IE/Management nodes (16GB ideal)
    • At least 12GB of RAM on Data nodes (16GB ideal)
    • At least 4 CPU Cores (8 Cores ideal)
    • Verify by running htop in each appliance

     

    Access to the VM will be via the method assigned by the user during instance creation.

    Enable NTP sync by either 1) allowing NTP connections to ntp.ubuntu.com on 123/udp or 2) configuring an internal NTP service on each node: https://ubuntu.com/server/docs/network-ntp

    Configure the IP address of the appliance by clicking on the Network icon in the Console UI or in accordance with Ubuntu documentation (https://help.ubuntu.com/lts/serverguide/network-configuration.html). Alternatively, use a DHCP lease reservation for assigning the IP address. 

    Update Ubuntu packages as necessary.

    Run ./register script following directions (see: https://vimeo.com/422153063) 

    • Run on all Node types (Data, Streamer, Management)

    Wait 30 minutes for systems to initialize and pull code updates 

    Create the first account at https://IP_OF_MANAGEMENT_NODE/auth/register (replace IP_OF_MANAGEMENT_NODE  with the IP Address of the Management Node.) 

    In the interface go to Admin -> Settings -> General. Configure all settings. 

    Configure and test email integration at Admin -> Settings -> Email 

    Configure supported Integrations at Admin -> SOAR (see: https://community.witfoo.com/forums/forum/integrations/) 

    If configuring SAML with Office 365 see: https://community.witfoo.com/forums/topic/saml-with-azure-ad-office-365/ 

    Send syslog to the IP address of the Streamer node on 514/udp (most common), 514/tcp or 6514/tcp (for SSL or TLS). See https://community.witfoo.com/forums/forum/integrations/ for integration specific guidance. 

    If sending Winlogbeats or NetFlow, create an additional Streamer for each. Send NetFlow to 2055/udp. Use the following settings for Winlogbeatshttps://community.witfoo.com/forums/topic/winlogbeats/ 

    Create additional user accounts at Admin -> Users 

  • Author
    Posts
Viewing 1 post (of 1 total)
  • You must be logged in to reply to this topic.