Blumira sensors collect logs that allow Blumira to detect threats in your environment. You can configure as many sensors as you need, but we recommend having one in each location.
After you build a sensor, you can install multiple modules on it. These modules allow you to integrate with third-party products, such as identity services, endpoint detection tools, and cloud infrastructure services. Additionally, you can enable features on a sensor by adding other modules, such as a honeypot module, which allows you to detect lateral movement attempts within a network.
This article describes how to install Ubuntu and then build and maintain a Blumira sensor.
Warning: Do not upgrade your Ubuntu Server version after installing it and setting up your sensors. Upgrades frequently cause failures. Blumira is currently working to support Ubuntu Server 22.
Before You Begin
To install a Blumira sensor on Ubuntu, you will need:
- at least 4GB RAM
- at least 4 CPUs (or a dual-core CPU on a physical machine)
Note: If you do not have the resources for 4GB RAM and 4 CPUs, you can use 2GB RAM and 2 CPUs, but your log delivery may become slow and your disk usage may increase.
- at least 100GB of disk space
Note: The exact amount of disk space depends on your log volume, but we recommend 100GB, plus the space needed for 7 days' worth of logs (uncompressed syslog). In general, 200GB is a good target.
- Ubuntu 18 LTS
Important: If you have a special reason to not use Ubuntu, please contact Blumira Security Operations below for help.
To install Ubuntu:
- Download the latest Ubuntu Server 18.04.x ISO.
Tip: Chrome does not always successfully open this link to download Ubuntu Server. If you have trouble, you can either use a different browser or you can copy the link, open a new Chrome tab, and then paste the link in the new tab.
Note: Blumira strongly recommends using Ubuntu Server 18 LTS, because it is much more stable than newer versions and will be supported until 2026. If the following steps or screenshots differ from what you see, verify that you are using ubuntu-18.04.6-live-server-amd64.iso.
- Boot your machine from the ISO.
- After the installer finishes loading and the Welcome page appears, use the UP and DOWN keys to select your language, and then press Enter.
- On the Keyboard Configuration page, press Enter to accept the default selections.
- On the Ubuntu 18.04 page, press Enter to select Install Ubuntu.
- On the Network Connections page, press UP to select eth0, and then press Enter.
- In the menu that appears, press DOWN to select Edit IPv4, and then press Enter to edit the settings.
- In the configuration window that appears, press Enter to access a list.
- Select Manual, and then press Enter again.
- In the Manual settings that appear, type the following:
- the subnet where you want to install the sensor
Note: Type the Subnet in CIDR format (xx.xx.xx.xx/yy, where yy is the number of bits in the net mask and xx.xx.xx.xx is the network address, that is, the first yy bits of your IP address with the remaining bits set to zero).
- the sensor's IP address
- the gateway
- name servers
- search domains
- Press DOWN to select Save, and then press Enter.
- On the Configure proxy page, enter an HTTP proxy if you have one. Otherwise, press Enter to accept the default.
- Do one of the following, based on whether you use Geo IP blocking on your firewall and/or restrict access to U.S. sites only:
- If you use Geo IP blocking or restrict access to U.S. sites only, then type http://us.archive.ubuntu.com/ubuntu in the Mirror address box, and then press Enter.
- If you do not use Geo IP blocking or restrict access to U.S. sites only, then press Enter to accept the default setting.
The default configuration creates a 4GB ubuntu-lv and leaves the rest as free (i.e., inaccessible) space. Instead of accepting the default, you want to maximize the size of ubuntu-lv so that no free space is left.
Note: These login credentials are for a privileged user who has the ability to escalate to root.
Note: In Hyper-V, the installation ISO disconnects automatically, so you can press Enter immediately. If you are using VMware, depending on the version, you might need to manually disconnect the ISO mount. If the system boots back into the installer, remove the mounted ISO and reboot.
Configuring the sensor
To configure the sensor:
- Use an SSH client such as PuTTY to log into the Ubuntu machine using the IP address, username, and password that you created during the installation.
- Update your dependencies by running the following command, to ensure that Docker and Snap are both up to date (the latest 18.04.03 releases do not always ship with the most recent dependencies):
sudo apt update && sudo apt upgrade -y
- Configure the NTP servers by entering the commands below into PuTTY, changing the first line to contain your company's NTP server(s). If you do not have any internal NTP servers for syncing time, you can use NTP="0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" instead of internal IPs (as seen below):
NTP="10.1.123.1 10.1.123.2"
sudo sed -i "s/^#*NTP=.*/NTP=$NTP/" /etc/systemd/timesyncd.conf
sudo systemctl restart systemd-timesyncd
Tip: If you want to paste these commands into PuTTY, paste them one line at a time, using Shift-Insert to paste.
- Install the sensor using the information in Adding a Sensor in the Blumira App.
- Copy the command from the email that we sent when you created a sensor, and then paste it into PuTTY.
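The NTP step above can be scripted and checked on a copy of the file before anything in /etc is touched. The following is an added example, not part of Blumira's article or tooling; it assumes GNU sed (as shipped with Ubuntu) and the stock Ubuntu 18.04 layout of timesyncd.conf, and the sample config it edits is constructed inline.

```shell
#!/bin/sh
# Added example, not Blumira's own tooling: set the NTP= line of a
# systemd-timesyncd config file and check the result before the
# service is restarted.

# set_ntp_servers <config-file> "<space-separated servers>"
# Replaces an existing NTP= line (commented out or active) anchored at
# the start of a line, so FallbackNTP= is left alone. If the file has no
# NTP= line at all, one is appended (timesyncd.conf has only a [Time]
# section, which is added if missing). Returns non-zero unless exactly
# one active NTP= line remains. Requires GNU sed.
set_ntp_servers() {
    conf="$1"
    servers="$2"
    if grep -q '^#*NTP=' "$conf"; then
        # -i with no suffix edits in place without a stray backup file
        sed -i "s|^#*NTP=.*|NTP=$servers|" "$conf"
    else
        grep -q '^\[Time\]' "$conf" || printf '[Time]\n' >> "$conf"
        printf 'NTP=%s\n' "$servers" >> "$conf"
    fi
    [ "$(grep -c '^NTP=' "$conf")" -eq 1 ]
}

# get_ntp_servers <config-file>: prints the active NTP= value, if any.
get_ntp_servers() {
    sed -n 's/^NTP=//p' "$1"
}

# Demo on a constructed copy of the stock Ubuntu 18.04 file (not read
# from a real system). To apply for real, point the function at
# /etc/systemd/timesyncd.conf under sudo, then run
# "sudo systemctl restart systemd-timesyncd" and confirm with "timedatectl".
demo_conf=$(mktemp)
printf '[Time]\n#NTP=\n#FallbackNTP=ntp.ubuntu.com\n' > "$demo_conf"
set_ntp_servers "$demo_conf" "10.1.123.1 10.1.123.2"
echo "configured: $(get_ntp_servers "$demo_conf")"
rm -f "$demo_conf"
```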
Maintaining the Ubuntu server
Keeping this Ubuntu server secure and operating properly is critical to your success with Blumira, and you should monitor and treat it as any other asset in your organization’s infrastructure.
The Ubuntu system automatically installs security patches on a daily basis, but if updates require the machine to reboot, it will not reboot automatically. We recommend that you periodically check to ensure that security updates are successfully installed, and reboot the machine if the login banner informs you that a reboot is required.