Blumira sensors collect logs that allow Blumira to detect threats in your environment. You can configure as many sensors as you need, but we recommend having one in each location.
After you build a sensor, you can install multiple modules on it. These modules allow you to integrate with third-party products, such as identity services, endpoint detection tools, and cloud infrastructure services. Additionally, you can enable features on a sensor by adding other modules, such as a honeypot module, which allows you to detect lateral movement attempts within a network.
This article describes how to install Ubuntu and then build and maintain a Blumira sensor.
Warning: Do not upgrade your Ubuntu server if you previously installed an earlier version and built Blumira sensors on it. Upgrading in place can cause failures. You must install new servers when old Ubuntu servers are no longer supported and deprecate the previous installations to avoid log duplication.
Before You Begin
To install a Blumira sensor on Ubuntu, you will need a virtual or physical server that meets these minimum requirements:
- Ubuntu Server 22.04 LTS
Note: Support for Ubuntu Server 18.04 LTS ends in mid-2023.
- at least 4 GB RAM
- at least 4 CPUs (or a dual-core CPU, if the server is physical)
Note: If you do not have the resources for 4 GB RAM and 4 CPUs, you can use 2 GB RAM and 2 CPUs, but your log delivery may become slow and your disk usage may increase.
- at least 100 GB of disk space
Note: The exact amount of disk space depends on your log volume, but we recommend 100 GB plus the space needed for 7 days of logs (uncompressed Syslog). 200 GB is a good target.
Build your new Blumira sensors on Ubuntu Server 22.04 LTS. We do not recommend using older versions of Ubuntu.
To install Ubuntu Server 22.04 LTS:
- Download Ubuntu Server 22.04 ISO.
Tip: Chrome does not always successfully open this link to download Ubuntu Server. If you have trouble, you can either use a different browser or you can copy the link, open a new Chrome tab, and then paste the link in the new tab.
- Boot your sensor server from the ISO.
- After the installer finishes loading and the Welcome page appears, use the UP and DOWN keys to select your language, and then press Enter.
- If you are prompted to update the installer, it is best to do so as it likely contains bug fixes and/or performance improvements.
- Continue to follow the prompts on screen to install Ubuntu with the default settings, except as noted here:
- On the Choose type of install page, select Ubuntu Server (default settings).
- On the Network connections page, the server must be configured with a fixed IP. You can use either a DHCP reservation or a static IP.
Note: When configuring a static IP instead of using a DHCP reservation, the subnet must be configured in CIDR format (example: 192.168.1.0/24).
- On the storage configuration page, edit the ubuntu-lv configuration to use the entire disk. Set to the maximum usable size, which is shown to the left of the field.
Note: By default, Ubuntu will only configure the use of a small fraction of the available volume size.
- On the SSH Setup page, select the Install OpenSSH server checkbox, press DOWN to select Done, and then press Enter.
- Do not install any additional packages, such as Docker, during the initial install. The sensor installation script (see the procedure below) will configure all of the necessary packages to run a Blumira sensor.
- After Ubuntu installs, press Enter to reboot the Ubuntu machine.
Configuring the sensor
To configure the sensor:
- Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password that you created during the installation.
- To ensure that Docker and Snap are both up-to-date, run the following:
sudo apt update && sudo apt upgrade -y
- Configure the NTP servers by entering the commands below into PuTTY.
NTP="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
sudo sed -i "s/^#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
sudo systemctl restart systemd-timesyncd
Tip: If you want to paste these commands into PuTTY, paste them one line at a time, using Shift-Insert to paste.
Note: You can change the first command to contain your company's internal IP(s) if necessary, such as NTP="10.1.123.1 10.1.123.2". The sed pattern is anchored to the start of the line so that it rewrites only the NTP= line (commented or not) and leaves the FallbackNTP= line untouched.
- Install the sensor by completing these steps:
- In Blumira, navigate to Settings.
- In the Location box, select the sensor's location. If it does not exist yet, click Add New Location, and then add its information.
- In the Settings menu, click Sensors.
- Click Add New Sensor.
- Type a unique name for the sensor (excluding spaces) in the Name box.
- Type any notes or descriptors that are helpful to know about this sensor in the Description box. For example:
- If you do not want all administrators in your Blumira account to receive a sensor installation email, select the check box next to Email sensor installation link only to me.
Important: Some email security settings can cause the emailed link to break. Step 12 provides details about where to find the installation instructions in the app.
- From the Location menu, select the location that you verified or added above.
- Click Install.
- After the page refreshes on its own (do not refresh it manually), the new sensor record appears in the table.
- Click the name of the sensor to open its details page.
- Under Installation Instructions, copy the provided script and paste it into a Linux terminal to run the script.
- When the install script completes successfully, a Docker container that contains the sensor stack appears on your host. After 5 to 10 minutes, refresh the Sensor page. The host's details appear and the sensor's status is green.
Tip: The circle next to the sensor's name indicates its status and transitions from red to green after it connects to Blumira. It is normal to not see logging devices.
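The NTP step above rewrites one line of /etc/systemd/timesyncd.conf with sed. The script below is an added example (not Blumira's installation script) that does the same job idempotently: it handles the stock commented "#NTP=" line, an NTP= line left by an earlier run, and a file with no [Time] section at all, and it leaves "#FallbackNTP=" alone. The file name set-ntp.sh and the demo() helper are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Blumira's own script: set the NTP= line in a
# systemd-timesyncd config idempotently. It handles the stock commented
# "#NTP=" line, an NTP= line set by an earlier run, and a file with no
# [Time] section, and it never touches "#FallbackNTP=".
set -eu

# set_timesyncd_ntp <conf-file> <space-separated servers>
# Leaves exactly one "NTP=<servers>" line directly under [Time].
# Returns 0 when the line is present afterwards, non-zero otherwise.
set_timesyncd_ntp() {
  local conf="$1" servers="$2"
  awk -v ntp="NTP=${servers}" '
    /^#?NTP=/   { next }               # drop "#NTP=" and any previous NTP= line
    { print }
    /^\[Time\]/ { print ntp; added=1 } # place ours right under the header
    END { if (!added) print "[Time]\n" ntp }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  grep -Fxq "NTP=${servers}" "$conf"
}

# Demo on a constructed copy of the stock Ubuntu file (not a real host file):
# writes it to a temp file, applies the change, shows the result, cleans up.
demo() {
  local f; f=$(mktemp)
  printf '[Time]\n#NTP=\n#FallbackNTP=ntp.ubuntu.com\n' > "$f"
  set_timesyncd_ntp "$f" "0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
  cat "$f"
  rm -f "$f"
}

# Real use on the sensor host (needs root), e.g. with internal servers:
#   sudo ./set-ntp.sh "10.1.123.1 10.1.123.2"
if [ "$#" -ge 1 ]; then
  set_timesyncd_ntp /etc/systemd/timesyncd.conf "$1"
  systemctl restart systemd-timesyncd
  timedatectl timesync-status   # shows the server the host is now syncing from
else
  demo
fi
```

Run it with no arguments to see the change applied to the constructed sample; run it with the server list as root to apply it to the real config.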
Sending the sensor's logs to Blumira
The sensor's OS logs generated on the new Ubuntu server are not automatically sent to Blumira. You can send the logs from the sensor server to Blumira's logger module by following the instructions in Integrating with Linux servers. For the <sensorip>, use "127.0.0.1".
Within about 10 minutes, the logging device appears on the sensor's detail page in Blumira. The device may have a device address that you do not recognize, as this will be an internally-routable address used only within the sensor. The Type should be "Unix".
Maintaining the Ubuntu server
Keeping the Ubuntu server secure and operating properly is critical to your success with Blumira, and you should monitor and treat it as any other asset in your organization’s infrastructure.
The Ubuntu system automatically installs security patches on a daily basis, but if updates require the machine to reboot, it will not do this automatically. We recommend that you periodically check to ensure that security updates are successfully installed and reboot the machine if the login banner informs you that a reboot is required.
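The periodic check described above can be scripted. The following is an added example (not a Blumira script) that reports whether a reboot is pending and when unattended-upgrades last completed a run. It relies on two things Ubuntu already provides: update-notifier writes /var/run/reboot-required (and the requesting packages to reboot-required.pkgs) when an update needs a restart, and unattended-upgrades logs "All upgrades installed" or "No packages found that can be upgraded unattended" at the end of each run; the exact wording of those messages is assumed to be unchanged in your release. The function names and the --check flag are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not a Blumira script: post-update health check for the
# sensor host. update-notifier creates /var/run/reboot-required (plus the
# package list in reboot-required.pkgs) when an installed update needs a
# restart; the SSH login banner reads the same files.
set -eu

# reboot_required [state-dir]   (default /var/run)
# Returns 0 and prints the packages that asked for a reboot when the flag
# file exists, 1 when no reboot is pending.
reboot_required() {
  local dir="${1:-/var/run}"
  [ -e "$dir/reboot-required" ] || return 1
  if [ -s "$dir/reboot-required.pkgs" ]; then
    sort -u "$dir/reboot-required.pkgs"   # one package per line; dedupe repeats
  fi
  return 0
}

# last_unattended_run [logfile]
# Prints the date and time of the most recent completed unattended-upgrades
# run, identified by its closing log message; returns 1 if none is recorded.
last_unattended_run() {
  local log="${1:-/var/log/unattended-upgrades/unattended-upgrades.log}" line
  [ -r "$log" ] || return 1
  line=$(grep -E 'All upgrades installed|No packages found that can be upgraded unattended' "$log" | tail -n 1)
  [ -n "$line" ] || return 1
  printf '%s\n' "${line%%,*}"   # lines start "YYYY-MM-DD HH:MM:SS,mmm LEVEL ..."
}

# check_sensor_host: one-line summary per item, suitable for cron or a shell.
check_sensor_host() {
  local pkgs
  if pkgs=$(reboot_required); then
    echo "REBOOT REQUIRED (packages: $(printf '%s' "$pkgs" | tr '\n' ' '))"
  else
    echo "no reboot pending"
  fi
  echo "last completed unattended-upgrades run: $(last_unattended_run || echo none)"
  # The daily apt timers drive the automatic security updates; they must stay enabled.
  systemctl is-enabled apt-daily.timer apt-daily-upgrade.timer 2>/dev/null \
    || echo "WARNING: apt-daily timers are not enabled"
}

# Usage on the sensor host:  ./sensor-health.sh --check
if [ "${1:-}" = "--check" ]; then
  check_sensor_host
fi
```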