SIEMonster V2 VM

Installation Guide

Release 1.4 November 2016


Table of contents
1 Overview
2 Getting Started
  2.1 Installation
  2.2 VMware Appliance Import
  2.3 Logging in to the appliance
3 Configuration
  3.1 Static IP and hosts file setup
  3.2 IP changes
  3.3 Internal DNS for corporate environment changes
  3.4 Internal Proxy if Proxies are used
  3.5 Proteus Dockbeat SHARD FLUSH
  3.6 Web Interface IP & Setup
  3.7 Profile button Password change
  3.8 Dashboards
4 Changing Passwords
  4.1 Default Passwords
  4.2 Trial License
  4.3 Proteus TimeZone Updates

1 OVERVIEW

Welcome to the SIEMonster V2.

SIEMonster is a collection of open source security event management tools in a single package. You
can be up and running in 10 minutes with live data on a dashboard, without the configuration
headaches that usually come with assembling these tools yourself.

You can get the latest updates on www.siemonster.com under the Support tab.

The Version 1 build was produced by scripts. Because V2 is far more complex, too complex for the
average user to bring up from scripts, the build is now released as separate OVA files to reduce
build and configuration time.

The default usernames and passwords for accessing SIEMonster are listed in the Configuration and
Changing Passwords sections. These passwords must be changed after installation.

SIEMonster has been built to run on VMware Workstation, ESX, Amazon AWS and Microsoft Azure.
This guide covers the VM installation.

The minimum system memory is 4GB per node, as pre-set in the OVA. The recommended allocation is
16GB each for Proteus and Capricorn, and 32GB each for Kraken and Tiamat.

SIEMonster overview

2 GETTING STARTED
2.1 INSTALLATION
SIEMonster OVA Appliances Release 2.0 can be downloaded from the SIEMonster website under
Downloads.

There are six Monsters. Proteus, Capricorn, Kraken and Tiamat are required to make up SIEMonster.
Hydra (remote collector / data logger) and Ikuturso (Bro IDS) are optional.

The installation now makes use of the Docker overlay, with the applications pulled from the SIEMonster
repository. Ensure that the target VM has an active internet connection before proceeding, and be aware
that a significant amount of data may be downloaded.

The process is:

1. Download the 4-6 images
2. Open the virtual machines and rename them to their roles
3. Change the IPs and reboot
4. Set up your local machine with hosts file entries that map to the web interface
5. Test all the interfaces
6. Enable SSL for internal/external access
7. Change all default passwords

2.2 VMWARE APPLIANCE IMPORT

In VMware, choose Open a Virtual Machine, rename the VM to its role, and select Import. Repeat for
each appliance, one at a time, in any order.

NOTE:
Once the image has been imported the appliance can be powered on. Adjust the system memory first
(see the FAQ); the minimum is 4GB per appliance.
Crucial: if the system memory is changed, edit the file /etc/default/elasticsearch and find the line
ES_HEAP_SIZE=2g. This applies to Proteus, Kraken and Tiamat; it does not need to be changed on
Capricorn, Ikuturso or Hydra.
Change 2g to half of the system memory, e.g. for 8GB of system memory set ES_HEAP_SIZE=4g. Keep the
heap below 32GB even on larger nodes (above that the JVM loses compressed object pointers and
Elasticsearch performance drops), and restart Elasticsearch after the change.
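The following is an added example, not a script shipped with SIEMonster, that applies the heap rule above on a node: it reads the VM's memory, takes half of it (capped at 31g for the compressed-pointer ceiling), rewrites the ES_HEAP_SIZE line in /etc/default/elasticsearch, and skips nodes whose role does not run Elasticsearch. The role names are taken from the guide; deriving the role from the hostname and the script file name es-heap.sh are assumptions.

```shell
#!/bin/sh
# Added example (not part of the SIEMonster guide): size ES_HEAP_SIZE from
# system memory on Proteus, Kraken and Tiamat.

# heap_gb_for_mb TOTAL_MB -> prints the ES_HEAP_SIZE value, e.g. 8192 -> 4g.
# Half of RAM in whole gigabytes, never below 1g, never above 31g.
heap_gb_for_mb() {
    total_mb=$1
    half_gb=$(( total_mb / 2048 ))
    [ "$half_gb" -lt 1 ] && half_gb=1
    [ "$half_gb" -gt 31 ] && half_gb=31
    printf '%sg\n' "$half_gb"
}

# set_heap_in_file FILE VALUE -> replaces an existing (possibly commented)
# ES_HEAP_SIZE line, or appends one if the file has none.
set_heap_in_file() {
    file=$1 value=$2
    if grep -q '^#*ES_HEAP_SIZE=' "$file"; then
        sed -i "s/^#*ES_HEAP_SIZE=.*/ES_HEAP_SIZE=$value/" "$file"
    else
        printf 'ES_HEAP_SIZE=%s\n' "$value" >> "$file"
    fi
}

# applies_to_role ROLE -> success only for the nodes that run Elasticsearch
applies_to_role() {
    case "$1" in
        proteus|kraken|tiamat) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Assumption: the hostname is the role name (kraken, tiamat, ...).
    role=${1:-$(hostname | tr 'A-Z' 'a-z')}
    if ! applies_to_role "$role"; then
        echo "$role: no Elasticsearch heap change needed"
        return 0
    fi
    total_mb=$(awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo)
    heap=$(heap_gb_for_mb "$total_mb")
    set_heap_in_file /etc/default/elasticsearch "$heap"
    echo "$role: ${total_mb} MB RAM -> ES_HEAP_SIZE=$heap (restart elasticsearch to apply)"
}

# Only run when executed as es-heap.sh, so the functions can be sourced.
case "$0" in *es-heap.sh) main "$@" ;; esac
```

Run it as root on each database node after resizing the VM (`sudo sh es-heap.sh`), then restart Elasticsearch; on Capricorn it exits without touching anything.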

Check and activate the network connection in VMware on each instance (the Network Adapter's
"Connect on startup" option) before you boot each appliance.
If you are worried about IP conflicts, keep the network connection disabled, change the IP,
shut down the appliance and then re-enable the connection.

2.3 LOGGING IN TO THE APPLIANCE

Boot order is Kraken, Tiamat, Proteus, and Capricorn last.

Once the appliance has started up, login as user siemonster with password siemonster.

3 CONFIGURATION

3.1 STATIC IP AND HOSTS FILE SETUP

So that each server can be resolved by name, a suitable hosts file must be configured and a static IP
address set on every node.
Plan the IP range that will be used and adjust the values accordingly. The template files presume an
IP range from 192.168.0.101 to 192.168.0.106 and can be adjusted to suit your environment.

Server Name   IP Address      Role
Kraken        192.168.0.101   Database Cluster Node 1
Tiamat        192.168.0.102   Database Cluster Node 2
Proteus       192.168.0.103   Front End (Database in 2 node instance)
Capricorn     192.168.0.104   Front End
Hydra         192.168.0.105   Remote Collector
Ikuturso      192.168.0.106   Bro/Tards IDS

3.2 IP CHANGES

Change the IPs to suit your environment. On each server, edit the /etc/hosts entries and
/etc/network/interfaces using sudo, then reboot:

 sudo pico /etc/hosts
 sudo pico /etc/network/interfaces
 sudo reboot

If you unchecked the Network Adapter's "Connect on startup" option in VMware, re-check it.
Once all the servers are up, ping each server by name and ping google.com to confirm internal and
external connectivity.
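As an added example (not part of the SIEMonster guide), the script below generates the two pieces of configuration this section asks you to type by hand, from a single node table, and then runs the ping check. The node names and addresses follow the guide's plan (Ikuturso assumed at 192.168.0.106, the top of the stated range); the interface name eth0, the /24 netmask and the gateway-as-resolver default are assumptions for your environment. It prints the stanzas for you to paste into /etc/network/interfaces and /etc/hosts rather than writing to /etc itself.

```shell
#!/bin/sh
# Added example (not part of the SIEMonster guide): emit the static-IP stanza
# and the cluster hosts entries for one node, then verify name resolution.

# One node per line: name ip (constructed to match the guide's plan)
NODES='kraken 192.168.0.101
tiamat 192.168.0.102
proteus 192.168.0.103
capricorn 192.168.0.104
hydra 192.168.0.105
ikuturso 192.168.0.106'

# ip_for NAME -> prints the planned IP of NAME, empty if unknown
ip_for() {
    printf '%s\n' "$NODES" | awk -v n="$1" '$1 == n { print $2 }'
}

# interfaces_stanza NAME IFACE GATEWAY [DNS] -> /etc/network/interfaces stanza
# Assumptions: /24 network, DNS server defaults to the gateway.
interfaces_stanza() {
    ip=$(ip_for "$1")
    [ -n "$ip" ] || return 1
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask 255.255.255.0\n    gateway %s\n    dns-nameservers %s\n' \
        "$2" "$2" "$ip" "$3" "${4:-$3}"
}

# hosts_block -> the lines to add to /etc/hosts on every node
hosts_block() {
    printf '%s\n' "$NODES" | awk '{ printf "%s %s\n", $2, $1 }'
}

# check_resolution -> pings each node by name plus google.com; returns the
# number of failures (what section 3.2 asks you to verify after the reboot)
check_resolution() {
    fails=0
    for name in $(printf '%s\n' "$NODES" | awk '{ print $1 }') google.com; do
        if ping -c 1 -W 2 "$name" >/dev/null 2>&1; then
            echo "ok   $name"
        else
            echo "FAIL $name"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

main() {
    # usage: set-static-ip.sh <role> <iface> <gateway> [dns]
    [ $# -ge 3 ] || { echo "usage: $0 role iface gateway [dns]" >&2; return 2; }
    echo "# --- /etc/network/interfaces ---"
    interfaces_stanza "$1" "$2" "$3" "$4" || { echo "unknown role $1" >&2; return 1; }
    echo "# --- /etc/hosts ---"
    hosts_block
    echo "# --- reachability ---"
    check_resolution
}

case "$0" in *set-static-ip.sh) main "$@" ;; esac
```

Example: `sh set-static-ip.sh kraken eth0 192.168.0.1` prints the Kraken stanza and the six hosts lines; run the reachability part again after the reboot on each node.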

3.3 INTERNAL DNS FOR CORPORATE ENVIRONMENT CHANGES

Note: only relevant where outbound DNS is blocked in a corporate environment.

If your company blocks outbound DNS requests except those sourced from internal resolvers, you will
need to make a file change so that Docker can reach the outside world for container updates.

Create the file /etc/docker/daemon.json and include your internal DNS servers. The file must be valid
JSON; if it already exists, add the "dns" key to the existing object rather than replacing the file:

{
"dns": ["192.168.10.1", "192.168.20.1"]
}

Restart Docker:
sudo service docker restart

Wait for the containers to come back up, or simply reboot Capricorn.

Check the result from inside a container (the nginx container is used here):

docker exec -it nginx cat /etc/resolv.conf

docker exec -it nginx wget get.docker.com

3.4 INTERNAL PROXY IF PROXIES ARE USED

When deployed in an environment that requires a proxy for outgoing traffic, add the proxy by editing
the file /etc/default/docker: un-comment the line "#export http_proxy=.." and fill in the proxy
details. If you do, also set no_proxy to cover the other SIEMonster nodes so that traffic between them
is not sent through the proxy, and restart Docker afterwards.

3.5 PROTEUS DOCKBEAT SHARD FLUSH

Run the following command from a Proteus shell to flush the Dockbeat shard data:

 curl -XDELETE 'localhost:9200/dockb*/'

Until this is done the Dockbeat dashboard in SIEMonster shows blank; the command can be run at any
time. Note that it deletes every index whose name starts with dockb, so any Dockbeat history already
collected is lost.

3.6 WEB INTERFACE IP & SETUP

The web interface installation uses a DNSMasq service on Capricorn to resolve the local subdomains,
which are served through an Nginx container.
For successful deployment this requires a few additions to the hosts file on the client machine that
accesses the web server.
On Windows, edit C:\Windows\System32\Drivers\Etc\Hosts (on Windows 7 and 10, copy the hosts file to
your desktop, make the changes, and copy it back to avoid permission issues).
On Linux, add the entries to /etc/hosts.
Add the following entries, assuming Capricorn is set to 192.168.0.104:
192.168.0.104 v2.siemonster.local
192.168.0.104 admin.v2.siemonster.local
192.168.0.104 app.v2.siemonster.local
192.168.0.104 ir.v2.siemonster.local
192.168.0.104 411.v2.siemonster.local
192.168.0.104 reporting.v2.siemonster.local
192.168.0.104 minemeld.v2.siemonster.local
192.168.0.104 health.v2.siemonster.local
192.168.0.104 sm-kibana.v2.siemonster.local
192.168.0.104 splogtash.v2.siemonster.local
192.168.0.104 python_simplehttpserver.v2.siemonster.local
192.168.0.104 alerta-web.v2.siemonster.local

The address to use is http://v2.siemonster.local

Wait up to 5 minutes after Capricorn has booted to ensure all the services, especially the web
server, have started. Ping v2.siemonster.local to confirm that the name resolves to the right IP.
The default username is admin@siemonster.com
The default password is siemonster.
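The script below is an added example, not part of the SIEMonster guide, for the client-side check this section describes: it reads a hosts file, reports every SIEMonster web name that is not mapped to Capricorn, and, once the file is complete, probes each name over HTTP so you can see which interfaces are already answering. Capricorn's address and the host names are those listed above; the hosts file path (default /etc/hosts, override with the first argument) and the script file name check-web-hosts.sh are assumptions.

```shell
#!/bin/sh
# Added example (not part of the SIEMonster guide): verify the client's hosts
# file entries for the SIEMonster web interface and probe each name.

CAPRICORN_IP=${CAPRICORN_IP:-192.168.0.104}
WEB_NAMES='v2.siemonster.local admin.v2.siemonster.local app.v2.siemonster.local
ir.v2.siemonster.local 411.v2.siemonster.local reporting.v2.siemonster.local
minemeld.v2.siemonster.local health.v2.siemonster.local sm-kibana.v2.siemonster.local
splogtash.v2.siemonster.local python_simplehttpserver.v2.siemonster.local
alerta-web.v2.siemonster.local'

# hosts_ip_for NAME FILE -> the IP that FILE maps NAME to (first match,
# comment lines ignored, any alias position on the line accepted)
hosts_ip_for() {
    awk -v n="$1" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$2"
}

# missing_hosts FILE -> prints each web name not mapped to Capricorn
missing_hosts() {
    for name in $WEB_NAMES; do
        [ "$(hosts_ip_for "$name" "$1")" = "$CAPRICORN_IP" ] || echo "$name"
    done
}

# probe_http NAME -> HTTP status of http://NAME/ (000 if unreachable)
probe_http() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$1/"
}

main() {
    file=${1:-/etc/hosts}
    missing=$(missing_hosts "$file")
    if [ -n "$missing" ]; then
        echo "Add to $file, each mapped to $CAPRICORN_IP:"
        echo "$missing"
        return 1
    fi
    # Capricorn may take up to 5 minutes after boot before everything answers.
    for name in $WEB_NAMES; do
        printf '%-45s %s\n' "$name" "$(probe_http "$name")"
    done
}

case "$0" in *check-web-hosts.sh) main "$@" ;; esac
```

On Windows, run the same check against a copy of the hosts file from a Linux or WSL shell (`sh check-web-hosts.sh ./Hosts`); a 000 status for a name that resolves correctly means that service has not finished starting yet.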

3.7 PROFILE BUTTON PASSWORD CHANGE

DO NOT use the Profile button to change the admin password; it is not yet ready for production.
Use the http://admin.v2.siemonster.local section below for user maintenance.

Administration of the web interface is managed from http://admin.v2.siemonster.local using the same
credentials.

Users can be added and modified by clicking on the Users tab:

Click on the ‘Create Users’ link to create a new user and enter email/password details:

User profiles are in JSON format. Use the admin profile as a template when creating new users, copying
and pasting the appropriate items.

If the JSON is malformed an alert is shown and the Save function is disabled.
Review the admin template and decide which dashboards/areas to grant to each user; give each user
only the areas they need rather than a copy of the full admin profile.

3.8 DASHBOARDS

Initially only two dashboards, Health and Dockbeat, will have data. The other dashboards fill with
data as you add agents to endpoints and point devices at SIEMonster.

4 CHANGING PASSWORDS

4.1 DEFAULT PASSWORDS

Host                               User         Password     Access
192.168.0.101-104 (all nodes)      siemonster   siemonster   SSH / local console
Capricorn 411                      admin        admin        http://192.168.0.104:8080
Capricorn Incident Response (FIR)  admin        admin        http://192.168.0.104:8000/admin
Capricorn Minemeld                 admin        minemeld     https://192.168.0.104:4443
Capricorn Health                   admin        admin        http://192.168.0.104:3000

Default passwords must be changed after the build.

Once you are happy with your SIEM and it is in production, it is time to lock down the system. This
includes changing all the default passwords. Below is a simple guide to changing the passwords on
all the systems. Store the new passwords in a safe place.

Linux passwords for root and siemonster on all servers:

 sudo passwd root
 sudo passwd siemonster

Web Interface Portal


Administration of the web interface is managed from http://admin.v2.siemonster.local; the password
can be changed there. Do not use the Profile button.

FIR password: log in to the FIR web interface as admin and change it in the Users section.
411: once logged in, go to the Users section:

Click on edit next to the user

Enter the new password twice.

4.2 TRIAL LICENSE

To activate the trial license:

Go to Reports on the top menu.
Click on the flashing icon:

Click ‘Activate License’

Tick box – ‘I agree to the terms and conditions’
Click Online Activation

Importing your own license is also supported; see the upcoming Quick guide.

4.3 PROTEUS TIMEZONE UPDATES

OSSEC by default uses the time zone of the local machine. To change the time zone, first change it
locally:

sudo dpkg-reconfigure tzdata

Follow the prompts that appear.

Then commit the change to OSSEC:
/home/siemonster/proteus/ossec-timezone.sh
