Single Image Build Guide

July 14th, 2019

Doc Version 1.2

1
TABLE OF CONTENTS
1 Installation ................................................................................ 3
1.1 Download .............................................................................. 3
1.2 VMware ................................................................................. 3
1.3 SIEMonster SETUP configuration .............................................. 4
1.4 Automatic Package installation ................................................. 7
1.5 SIEMonster first time Start-Up ................................................. 9
1.6 Demo Data .......................................................................... 10
1.7 Open ports for data ingestion (Endpoints clients) ..................... 11
1.8 How to access the infrastructure dashboard (Kubernetes
dashboard) ................................................................................. 12

2
1 INSTALLATION

The single instance OVA is a quick way to test SIEMonster without the overhead of a multi-server
Enterprise installation. The OVA deployment overview contains the following steps.

• Download the OVA file from the SIEMonster website

• Import the OVA into VMware with the minimum requirements
• Boot up the OVA, and open the SIEMonster Application startup from a browser
• Domain name selection, IP addresses or DHCP and proxy setup
• Automatic packages download
• Launch SIEMonster

1.1 DOWNLOAD
1. Download the OVA file from the SIEMonster website www.siemonster.com Fill in your
details and the details will be emailed to you.

1.2 ESXI

• If you want to use ESXi instead of VMware download the ESXI ova instead from the
welcome email. They are not cross compatible without conversion. We have converted
it for you.

1.3 VMWARE

2. Import the OVA file into VMware. Set the minimum requirements to
• 8 CPU Cores
• 48-49 GB Ram
• 80GB HDD
• Set Network Adaptor 2 to Host Only

3
 3. The system should be ready in 3-5 minutes after it is powered up. You will see Machine
is ready message with <IPADDR>:8090 in the virtual machine console.
<IPADDR> is IP address of the virtual machine, for example 192.168.0.20

1.4 SIEMONSTER SETUP CONFIGURATION

4. Once you have put the IP address and port in the browser you will be presented with
entries to customize your build.

4
 Select one of the options:

• Default DNS if you want to use siemonster.internal.com domain name (OVA will
be configured with siemonster.internal.com domain name and self-signed
certificate);

• Custom DNS if you want to use another domain name (OVA will be configured
with custom domain name and a self-signed certificate). Do not use pseudo top
level domain names such as .loc, .local, .internal etc.

5. Type an admin email in SIEMonster Admin Email field to create a default admin user.
This email address is used for Kibana / ElasticSearch integration.

The Admin email must be the same as the email that will be used for activating the
SIEMonster web application, otherwise Kibana will not be able to connect with
Elasticsearch.

6. Optionally to configure sending alerts from Alertmanager to Slack - fill in 2 fields:

• Slack incoming webhook URL - enter necessary Slack URL;

• Slack channel - enter necessary Slack channel.

7. Select DHCP if OVA network has DHCP server or Manual if OVA network does not have
DHCP server or you want to set up IP address manually.

5
8. Download self-signed CA certificate for siemonster.internal.com by pressing Download
certificate button.

9. Install the self-signed CA certificate to the browser for SSL to work correctly, using this
guide.

https://www.bounca.org/tutorials/install_root_certificate.html

10. In the SIEMonster Demo page, click on the NEXT button to install SIEMonster
components. Confirm the virtual machine meets the minimum requirements.

Click on OK to confirm. The following actions will now begin: -

• the system starts and installs Kubernetes, using Kubespray;

• the system installs SIEMonster components using Helm Charts.

11. Also, you should see the list of A records. The records must be added to /etc/hosts on
Linux or Windows\System32\Drivers\etc\hosts on Windows of the host machine for
SIEMonster components to be available.

6
1.5 AUTOMATIC PACKAGE INSTALLATION

12. SIEMonster will now download the latest packages and you can watch the status of the
downloads. This can take 10-40 minutes plus depending on your Internet connection.
Below are some screen shots of what you will see as it downloads and starts up. You can
download the certificate here if you forgot to do it before.

7
13. Once the download has completed and each module has a green tick the download is
completed. It takes approximately additional 5-10 minutes after all components are
marked as finished to start them. E.g. Kibana boot takes approximately 5-10 minutes after
its pod is started. If you want to see the demo data as described in Section 1.6, wait
another 30 minutes for a full Dashboard and data experience.

14. Take note of the token at the bottom of the page, that is used for accessing the
infrastructure dashboard (Kubernetes dashboard). The token must be saved, as its
restoration requires manual actions.

15. When all components are green click on FINISH button to be forwarded to SIEMonster
portal page.

8
1.6 SIEMONSTER FIRST TIME START-UP

• Enter the chosen DNS name and Admin Email used during the install process.
• Use the Proxy options if behind a corporate Firewall.
• Toggle the Activate Trial slider for a 30-day free trial, then click on Setup. Once the
trial is activated you can login with the chosen credentials

9
1.7 DEMO DATA

SIEMonster runs its own Honeypot environment with a range of Firewalls, Web Servers and
internal Active Directory servers accessible to the public. This environment is built to provide
rich data for your demo SIEM environment. We have captured 24 hours of data and included
this in your SIEMonster Trial Application. After the SIEMonster platform is built it can take 30
minutes for this data to be displayed in your dashboards. If you receive any errors on the links
to the Dashboards the data is still being loaded into the system.
Below is a sample of some of the Dashboards we have preloaded for you. Feel free to delete
these, but it provides you a quick snap shot of what you can do with the SIEMonster suite. For
more information have a look at the Dashboard creation section of the Operations Guide.

10
1.8 OPEN PORTS FOR DATA INGESTION (ENDPOINTS CLIENTS)

External services open ports are:

• Logstash Collector - TCP ports 1516, 1517, 3520-3529;

• Wazuh - TCP ports 1514, 1515 and 55000;
• Kafka - 9094.

The endpoints of external services are available at IP address of the virtual machine, for
example:

• Logstash Collector - 10.0.0.73:3520 - 10.0.0.73:3529;

• Wazuh - 10.0.0.73:1514, 10.0.0.73:1515, 10.0.0.73:55000;
• Kafka - 10.0.0.73:9094.

11
1.9 HOW TO ACCESS THE INFRASTRUCTURE DASHBOARD
(KUBERNETES DASHBOARD)

To access the dashboard:

Use the following URL: infrastructure-dashboard.<domain_name>, where <domain_name> is

the DNS name, you have specified in Section 1.3.

For example infrastructure-dashboard.siemonster.internal.com

Login to the dashboard:

Login: admin
Password: !1qwerty

Enter the token, obtained from section 1.4

12
For further information use the SIEMonster Operations Guide.

13
Appendix A: Change Management for password.
Use only Alphanumeric passwords, e.g. Ys3CretpAss624

Application Username Password

Grafana admin admin
(Health)
Web App siemuser01 s13M0nSterV3
Mongo
Mongo Hash N/A 6B44D8EDB86B4CA8BB8F3AAA35DDAF7D
Salt
Wazuh API siemonster siemonster
Logstash logstash s13M0nSterV3
CA N/A s13M0nSterV3
411 admin admin
IR admin admin
Minemeld admin minemeld
Truststore N/A s13M0nSterV3
Keystore N/A s13M0nSterV3
Elastic elastic s13M0nSterV3
Beats beats s13M0nSterV3
Skedler skedler s13M0nSterV3
MySQL dbuser dbpass
MySQL Root root HmKCUMrTBuc7MyxLw36U8wJAakyX3xtFo9gMxv
ArQPthpTAojNN
Kubernetes admin !1qwerty
Dashboard
SSH demo tcuser

14