Deploy RvSIEM (eng)
Download as PPTX, PDF1 like567 views
This document provides step-by-step instructions for deploying the RvSIEM virtual machine and configuring the RuSIEM agent to collect and analyze Windows event logs. Key steps include downloading the RvSIEM virtual image, deploying it in VMware or Hyper-V, configuring the network settings, installing the RuSIEM agent on Windows machines, and configuring the agent to send events to the RvSIEM server for analysis and querying. The document also provides tips on licensing, event searching, and troubleshooting log collection.
Deploy RvSIEM (eng)
- 1. Deploy RvSIEM CEO RuSIEM Olesya Shelestova https://rusiem.com support@rusiem.com
- 2. Step-by-step • Download virtual image. You have find download links on https://rusiem.com • Deploy image in VMware ESX (5.5+)/Hyper-v • Power on for VM • Setup network options (or use DHCP) • Set required options in the web interface Settings • Install RuSIEM agent for Windows OS (links for download you can find on the site) • Change management server in LogAgent.config file • Setup event source for agent in web interface
- 3. Download and deploy virtual machine • For ESX: https://www.dropbox.com/s/frp9hf02u9qonrg/RvSIEM.ova?dl=1
- 4. Deploy in VMWare ESX
- 5. Deploy in MS Hyper-V
- 6. • Power on VM • Check IP on console screen (if you have DHCP)
- 7. Setup ip and network • If you not have DHCP on you network: • Login to ssh or console. Username: rusiem, Password: P@ssw0rd2014 Ex. command: • ssh rusiem@you_vm_ip • sudo -i
- 8. Setup static ip and network • Set static ip, gateway in file /etc/network/interfaces • Save changes and reboot
- 9. Access to web interface • Use https proto and url: https://ip_you_vm • Username: admin, Password: admin • Hint: you may be resize web console. Use ctrl+“–” or cmd “–”
- 11. License settings • For RvSIEM free – you don’t need any license key • License required only for commercial version (RuSIEM) Ignore license messages for RvSIEM free :)
- 12. Download agent • Download x64 Agent http://www.mediafire.com/file/g51v275tac1ynfm/SetupRuAgent_x64-3.msi • Or x86 http://www.mediafire.com/file/j0p78icfw9judua/SetupRuAgent_x86-3.msi
- 13. Install RuSIEM agent Select Custom installation and set IP/fqdn name you server RvSIEM instead rusiem.com. Example: https://172.16.0.109/api/v1/remote/encrypt/agent
- 14. • You may check management server for agent after installation in c:Program FilesRusiemLogAgent.config
- 15. • Open web console “Sources”
- 16. • Press “+” icon on you installed agent • Select ‘Windows Event log’ module • For localhost – set hostname “.” (dot) • Set checkbox for event log journals • Click ‘Save’ button • For local log collection (when agent installed) – don’t need account. Agent will be use Local/System account
- 17. • After adding the source, set checkbox for apply changes
- 18. Remote collection • We may add many remote source for one agent • For remote log collection – we need add account with required rights in section ‘Settings Account for data collection’
- 19. Search events • Open web console section Events. Select search query “Windows events” in drop box menu.
- 20. When logs not received All OK, actual events received from agent source (0-10 min) Server don’t receive events from this source in 10-60 min Events from this source did not received more than 60 minutes
- 21. Query • Any query may be customized Query Filter Period and aggregate options Table events fields order in which the fields are displayed when viewing the event
- 22. Full text search and searches
- 23. Full text search and searches • Full text search. Ex. Olesya, ‘172.16.0.131’ • For field: key:”value” • With logical operators