N4Mative NiLA Install

  1. Supported Operating Systems: Ubuntu and Redhat/CentOS
  2. Requires Java 1.8 or 1.9
  3. Follow the steps to install N4Mative NiLA
    1. Open a shell prompt and sudo to root
    2. Execute: wget http://nila.n4mative.com/n4m/nila/install-n4mative-nila
    3. You will see the script downloaded in the current directory.
    4. chmod +x install-n4mative-nila
    5. Execute: ./install-n4mative-nila
    6. It will go through a series of steps, install the application and configure it to run locally.
    7. Verify that there are no error messages on the screen.
  4. Start N4mative NiLA
    1. cd /opt/n4mative
    2. ./n4mative-nila start
    3. This will start all necessary processes for NiLA.
    4. To stop NiLA execute ./n4mative-nila stop
  5. Verification
    1. Using a web browser, connect to http://<IP address of NiLA Host>:5601. You should see the NiLA screen.
    2. Click the Discover tab on the left. You will see data flowing into the UI. If no data is visible, widen the time window selected in the upper right corner.
  6. Setup NILA server as a syslog server
    1. Ubuntu:
      1. Using sudo, edit /etc/rsyslog.conf.
      2. Uncomment the following lines:
      3. # provides UDP syslog reception
        module(load="imudp")
        input(type="imudp" port="514")
        # provides TCP syslog reception
        module(load="imtcp")
        input(type="imtcp" port="514")
      4. Save the file
      5. Edit /etc/rsyslog.d/50-default.conf
      6. Uncomment the following lines:
      7. *.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none -/var/log/messages
      8. Save the file.
      9. Restart rsyslog daemon using: sudo service rsyslog restart
    2. RedHat
      1. vi /etc/rsyslog.conf
      2. Uncomment the following lines:
        1. # Provides UDP syslog reception
          $ModLoad imudp
          $UDPServerRun 514
          # Provides TCP syslog reception
          $ModLoad imtcp
          $InputTCPServerRun 514
      3. Save the file
      4. Restart rsyslog service: service rsyslog restart
      5. Turn off iptables: service iptables stop (this disables the host firewall entirely; permitting only 514/udp and 514/tcp inbound is enough for syslog reception)
    3. Verify the setup
      1. Send a test message to the syslog server with the logger command:
      2. logger -n localhost This is a test for NILA syslog
      3. Check that the command ran without error and that the message appears in /var/log/messages. If it does, the rsyslog server is configured properly.
    4. Point all other devices at the NILA server and check that the NILA UI shows the messages from those hosts.
  7. Setup Data Retention Policy on NILA Server
    1. The Elasticsearch Curator tool is used to delete indices older than X days. Install it as follows.
    2. Install pip: apt-get install python-pip or yum install python-pip
    3. Install Curator using pip: pip install elasticsearch-curator
    4. This also installs the elasticsearch Python module that Curator depends on.
    5. Check that /usr/local/bin/curator exists on the host, then verify the Curator config:
      1. /usr/local/bin/curator --config /opt/n4mative/src/nila-config.yml --dry-run /opt/n4mative/src/nila-index-aging.yml
      2. It should list any indices older than 15 days, if they exist.
    6. Update /opt/n4mative/src/nila-index-aging.yml and set the days field to the desired aging duration. The default is 15 days. Save the file.
    7. Set up a cron job to run the following command once a day:
      1. 0 6 * * * /usr/local/bin/curator --config /opt/n4mative/src/nila-es-config.yml /opt/n4m/nila-index-aging.yml >/dev/null 2>&1
      2. This runs Curator every day at 6am. Adjust the time to when the server is under the least load.
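As an added check (not part of the NiLA install or its scripts), the following Python reads an rsyslog configuration in either the Ubuntu RainerScript syntax or the RedHat legacy syntax from section 6 and reports whether the UDP and TCP listeners are actually enabled, so a line left commented out is caught before the rsyslog restart step. The sample configs embedded in it are constructed.

```python
"""Added check: confirm an rsyslog config enables the UDP/TCP listeners from
section 6 before restarting the daemon. Handles both syntaxes shown there:
RainerScript (Ubuntu) and the legacy $ModLoad directives (RedHat)."""
import re

RAINER_MOD = re.compile(r'^\s*module\(\s*load="(imudp|imtcp)"', re.M)
RAINER_IN = re.compile(r'^\s*input\(\s*type="(imudp|imtcp)"[^)]*port="(\d+)"', re.M)
LEGACY_MOD = re.compile(r'^\s*\$ModLoad\s+(imudp|imtcp)', re.M)
LEGACY_UDP = re.compile(r'^\s*\$UDPServerRun\s+(\d+)', re.M)
LEGACY_TCP = re.compile(r'^\s*\$InputTCPServerRun\s+(\d+)', re.M)


def strip_comments(text):
    """Drop '#' comments so directives that are still commented out (the state
    before the 'Uncomment the following lines' step) are not counted as active."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def check_rsyslog_listeners(config_text):
    """Return {"imudp": port, "imtcp": port}; None means that transport is not
    both loaded and bound to a port, so rsyslog would not receive on it."""
    text = strip_comments(config_text)
    loaded = set(RAINER_MOD.findall(text)) | set(LEGACY_MOD.findall(text))
    ports = {mod: int(port) for mod, port in RAINER_IN.findall(text)}
    ports.update(("imudp", int(p)) for p in LEGACY_UDP.findall(text))
    ports.update(("imtcp", int(p)) for p in LEGACY_TCP.findall(text))
    return {m: ports.get(m) if m in loaded else None for m in ("imudp", "imtcp")}


# Constructed samples: Ubuntu before/after uncommenting, and RedHat after.
UBUNTU_BEFORE = """#module(load="imudp")
#input(type="imudp" port="514")
#module(load="imtcp")
#input(type="imtcp" port="514")
"""
UBUNTU_AFTER = """# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
"""
REDHAT_AFTER = "$ModLoad imudp\n$UDPServerRun 514\n$ModLoad imtcp\n$InputTCPServerRun 514\n"

if __name__ == "__main__":  # run against the real file: open("/etc/rsyslog.conf").read()
    for name, cfg in (("ubuntu-before", UBUNTU_BEFORE), ("ubuntu-after", UBUNTU_AFTER),
                      ("redhat-after", REDHAT_AFTER)):
        print(name, check_rsyslog_listeners(cfg))
```

Any transport reported as None after the edit means the matching lines are still commented out or missing, and the logger test in section 6 will fail on that transport.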


Install Filebeat on other hosts:

  1. From the target machine download the filebeat rpm or deb package using the same URL used earlier.
  2. Install the package.
  3. Edit /etc/filebeat/filebeat.yml and
    1. Uncomment line 143
    2. Line 145: Update localhost to the IP address of the NiLA host.
  4. Execute: filebeat modules list
  5. This will show all available modules. Depending upon the applications running on the host, select the module names.
  6. Execute: filebeat modules enable <list of modules separated by spaces>
    1. e.g.: filebeat modules enable system mysql apache2 auditd
  7. Execute: service filebeat start
  8. Data from this host will now also flow into the NiLA platform.


Remove / Uninstall NiLA

  1. Become root
  2. cd /opt/n4mative
  3. ./n4mative-nila remove
  4. The above command will stop NiLA and uninstall all NiLA components from the server.