Select Page

WitFoo Precinct Multi-Node Deployment Checklist

Welcome Forums Appliance and OS WitFoo Precinct Multi-Node Deployment Checklist

  • This topic is empty.
Viewing 1 post (of 1 total)
  • Author
    Posts
  • March 19, 2020 at 10:58 pm #2195
    Mike RiforgiateMike Riforgiate
    Keymaster

    Deploy Appliances (https://www.witfoo.com/tech-specs/) 
    It is highly recommended that appliances be thick provisioned to prevent performance and stability issues.

    • Data Node (Recommend 3)
    • Streamer Node (Recommend 1 for each transport type: syslog, NetFlow, Splunk, eStreamer, Beats)
    • IE/Management Node (Recommend 1)

    Verify that each appliance has required resources outlined in the table.

    • At least 8GB of RAM on Streamer nodes (12GB ideal)
    • At least 12GB of RAM on IE/Management nodes (16GB ideal)
    • At least 12GB of RAM on Data nodes (16GB ideal)
    • At least 4 CPU Cores (8 Cores ideal)
    • Verify by running htop in each appliance

     

     

    Default log in on each appliance is witfooadmin : F00theN0ise! 

    • Can be reached via SSH or via Console Interface 

    Enable NTP sync by either 1) allowing NTP connections to ntp.ubuntu.com on 123/udp or 2) configuring an internal NTP service on each node: https://ubuntu.com/server/docs/network-ntp

    Configure the IP address of the appliance by clicking on the Network icon in the Console UI or in accordance with Ubuntu documentation (https://help.ubuntu.com/lts/serverguide/network-configuration.html). Alternatively, use a DHCP lease reservation for assigning the IP address. 

    Update Ubuntu packages as necessary.

    Run ./register script following directions (see: https://vimeo.com/422153063) 

    • Run on all Node types (Data, Streamer, Management)

    Wait 30 minutes for systems to initialize and pull code updates 

    Create the first account at https://IP_OF_MANAGEMENT_NODE/auth/register (replace IP_OF_MANAGEMENT_NODE  with the IP Address of the Management Node.) 

    In the interface go to Admin -> Settings -> General. Configure all settings. 

    Configure and test email integration at Admin -> Settings -> Email 

    Configure supported Integrations at Admin -> SOAR (see: https://community.witfoo.com/forums/forum/integrations/) 

    If configuring SAML with Office 365 see: https://community.witfoo.com/forums/topic/saml-with-azure-ad-office-365/ 

    Send syslog to the IP address of the Streamer node on 514/udp (most common), 514/tcp or 6514/tcp (for SSL or TLS). See https://community.witfoo.com/forums/forum/integrations/ for integration specific guidance. 

    If sending Winlogbeats or NetFlow, create an additional Streamer for each. Send NetFlow to 2055/udp. Use the following settings for Winlogbeatshttps://community.witfoo.com/forums/topic/winlogbeats/ 

    Create additional user accounts at Admin -> Users 

  • Author
    Posts
Viewing 1 post (of 1 total)
  • You must be logged in to reply to this topic.