Skip to main content

Linux Cloud Security Monitoring and Analytics

Thumbnail icon

The Cloud Security monitoring and Analytics app for Linux ingests any distribution of linux data to gain a better understanding of your production environments, and surface relevant insights by tuning out-of-the-box content to align with your security team’s focus. Consolidate analytics across various instances by wildcarding on data sources and gain full visibility into your Linux data for both monitoring and analytics use cases.

Follow the steps in this topic to install or uninstall a collector on Linux. See Installed Collectors for information on other OSs.

System requirements

  • Linux, major distributions 64-bit, or any generic Unix capable of running Java 1.8
  • Single core, 512MB RAM
  • 8GB disk space
  • Package installers require TLS 1.2 or higher.

Collecting Data for the Linux Integration

Download the Collector

Download the collector in either of the following ways:

  • In Sumo Logic, select Manage Data > Collection > Collection. Click Add Collector, click Installed Collector, and then click the link for the collector to begin the download.
    -or-
  • Open a browser and enter the static URL for your pod. See Download a Collector from a Static URL for a list of URLs for your deployment pod. The download begins immediately.

Install the Collector on Linux

Choose one of these methods to install the Collector:

Install Using the UI Installer

Run the installer on your server with root or Administrator privileges. If you are not logged in as root or Administrator, you might be prompted to reauthenticate to your system when you start the UI Installer.

  1. Open the downloaded installer file.
  2. If prompted, enter the root or Administrator user name and password for the system.
  3. Open the wizard to show the Welcome page. Click Next.
  4. Accept the license agreement and click Next.
  5. Browse to select a location for the collector or accept the default and click Next to install the Collector files on your machine.
  6. The Installer displays the summary of the default settings. If you want to change any of these, click Advanced UI Installer Settings and follow the instructions. Click Next.
  7. Choose an authentication method.
    • Access Key: If you have a Sumo Logic access ID and key, click Next, enter the access ID and key, and click Next.
    • Installation Token: The Setup Wizard has not yet been updated to provide an option for Installation Tokens. You can provide the Installation Token using the Setup Wizard Token option. Enter the Token String you want to use to register the Collector in the input box for a Setup Wizard one-time token.
    • Setup Wizard Token: If the Setup Wizard has provided you with a token for the UI Installer, click Next, enter the token, and click Next. The Setup Wizard Token is a one-time use token, available for one hour after it is generated, then it expires. This token authenticates the user. It is designed to be used for only one Collector. The token cannot be used with the API, and it cannot be disabled.
  8. Click Finish to complete the setup.
  9. In Sumo Logic select Manage Data > Collection > Collection and verify that you can see the Collector. Look for the name that is listed as Collector Name in the confirmation step of this procedure (the name can be customized under Advanced Settings). If a Collector with that name already exists, a suffix is appended to uniquely identify it. If you don’t see the collector, check the Error Codes list to help troubleshoot.
Install Using the Command-Line Installer
  1. Add execution permissions to the downloaded Collector file (.sh):
chmod +x SumoCollector.sh
  1. Run the script with the parameters that you want to configure. See Parameters for the Command Line Installer for a description of the parameters. By default, the Collector will be installed in either /opt/SumoCollector or /usr/local/SumoCollector.

Examples

Using an Installation Token
sudo ./SumoCollector.sh -q -Vsumo.token_and_url=<installationToken> -Vsources=<absolute_filepath>
Using access ID and access key
sudo ./SumoCollector.sh -q -Vsumo.accessid=<accessId> -Vsumo.accesskey=<accessKey> -Vsources=<absolute_filepath>
Adding proxy settings
sudo ./SumoCollector.sh -q -Vsumo.accessid=<accessId> -Vsumo.accesskey=<accessKey> -Vsources=<absolute_filepath> -Vproxy.host=<proxyHost> -Vproxy.port=<proxyPort>
Including syncSources and a customized Collector name
sudo ./SumoCollector.sh -q -Vsumo.accessid=<accessId> -Vsumo.accesskey=<accessKey> -VsyncSources=<absolute_filepath> -Vcollector.name=<name>
Install Using the RPM or Debian Package

You can use the RPM or Debian package to install a Collector on a Linux 64-bit system.

  1. Install the Collector using the downloaded installation package.

    • For the RPM package, use the command:
    sudo rpm -i SumoCollector-19.XXX-XX.x86_64.rpm
    • For the Debian package, use the command:
    sudo dpkg -i SumoCollector-19.XXX-XX.x86_64.deb

    The RPM and Debian packages install the collector in the /opt/SumoCollector directory. By default, the Collector is installed as a system service, but not yet started.

  2. Configure the Collector user.properties file in the /opt/SumoCollector/config/ directory. The Collector uses the settings defined in user.properties to register and start. See user.properties for a full list of all the supported parameters.

    • To use an access key, provide the accessid and accesskey parameters. For example:
    name = <collectorName>
    accessid = <accessId>
    accesskey = <accessKey>
    • To use an installation token, provide the authentication parameters token and url. To use these two parameters you'll need to manually base64 decode the Token String. Once decoded, you'll have a string with a token and a URL. For example, the following decoded Token String: sumoxxxxxxxxxxxxxxxxxxxxxxxxxxxxhttps://collectors.sumologic.com would be used as:
    name = <collectorName>
    url=https://collectors.sumologic.com
    token=SUMOXXXXXXXXXXXXXXXXXXXXXXXXXXXX
note
  • Starting with collector 19.170+, the installation directory is secured to users belonging to the sumologic_collector group.
  • Modifying user.properties may require sudo privileges. For more information, see Enhanced File System Security for Installed Collectors.
  1. (Optional) Provide a JSON Source information. You can pass all Source settings in a UTF-8 encoded JSON file. If you're using a JSON file, you must provide the file before starting the Collector. See Using JSON to configure Sources. Alternatively, you can configure Sources at any time by using the Sumo web app. See Sources.
  2. (Optional) Set the run a user for the Collector if you want the Collector to run as a user other than root. See run as for a Collector.
  3. (Optional on Collector version 19.253-3+ in the Fed deployment) Enable FIPS 140-2 compliant Java Cryptography Extension (JCE) to encrypt your data to Sumo Logic's Fed deployment in US1 only. FIPS mode is not supported for any other deployment. If you are unsure whether you are on the Fed deployment, check our deployments. To enable, locate and run the script configureFipsMode.sh contained in Collector's installation directory under /script:
$ sh ./script/configureFipsMode.sh
  1. Start the Collector using the following command.
sudo service collector start
Install using the Binary Package
  1. Install the version of JRE you want to use from the following location. (The collector requires Java 8 or higher). The binary installation process does not include JRE installation. https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
  2. Check the version of Java is 8 or higher:
java -version
  1. Untar the downloaded binary file inside your desired destination directory to create a subdirectory named sumocollector:
tar -xvf SumoCollector_unix_XXX.tar.gz
  1. Copy the platform-specific wrapper file to the sumocollector directory:
cp tanuki/wrapper-<platform>
  1. Make the wrapper, collector, and script directory files executable:
chmod ug+x wrapper-<platform>
chmod ug+x collector
chmod ug+x script/*
  1. Configure the Collector user.properties file in the /opt/SumoCollector/config/ directory. The Collector uses the settings defined in user.properties to register and start. See user.properties for a full list of all the supported parameters. To use an access key, provide the accessid and accesskey parameters. For example:
name = <collectorName>
accessid = <accessId>
accesskey = <accessKey>
wrapper.java.command = java

To use an installation token, provide the authentication parameters token and url. To use these two parameters you'll need to manually base64 decode the Token String. Once decoded you'll have a string with a token and a URL. For example, the following decoded Token String: SUMOXXXXXXXXXXXXXXXXXXXXXXXXXXXXhttps://collectors.sumologic.com would be used as:

name = <collectorName>
url=https://collectors.sumologic.com
token=SUMOXXXXXXXXXXXXXXXXXXXXXXXXXXXX
wrapper.java.command = java
  1. Set access control for files under the sumocollector directory:
sudo script/secureFiles.sh
  1. (Optional) Provide JSON Source information. You can pass all Source settings in a UTF-8 encoded JSON file. If you're using a JSON file, you must provide the file before starting the Collector. See Using JSON to configure Sources. Alternatively, you can configure sources at any time by using the Sumo web app. See Sources.
  2. (Optional) Set the run as user for the Collector if you want the Collector to run as a user other than root. See run as for a Collector.
  3. (Optional on Collector version 19.253-3+) Enable FIPS 140-2 compliant Java Cryptography Extension (JCE) to encrypt your data. Once enabled, the Collector version cannot be downgraded below version 19.253-3. To enable, locate and run the script configureFipsMode.sh contained in Collector's installation directory under /script:
$ sh ./script/configureFipsMode.sh
  1. Install the Collector as a service. Use the following command to install the Collector as a service that is started when the machine starts.
sudo ./collector install
  1. Start the Collector service. Use the following command to start the collector service.
sudo ./collector start
  1. To verify that the collector is installed, go to Manage Data > Collection > Collection in the Sumo web app and verify that you can see the collector.

You can build a Collector into a Linux machine image such as an Amazon AMI or VMware image.

After installing Collectors, you can configure Sources from Sumo Logic or by providing the Source settings in a JSON file. If you're using a UTF-8 encoded JSON file, you must provide the file before starting the collector. The JSON file needs to be UTF-8 encoded.

Uninstalling the Collector

Uninstalling a collector requires the following two steps:

  1. Uninstall the collector from the Linux system using any of these methods:
Uninstall using the UI Installer
  1. On your system, in the Applications folder, find the Sumo Logic Collector folder.
  2. Double-click the file Sumo Logic Collector Uninstaller.
  3. If prompted, select your language and click OK.
  4. Enter the user name and password for the system.
  5. When the Sumo Logic Collector Uninstall wizard is displayed, click Next to remove the collector.
  6. When the success message is displayed, click Finish.
Uninstall using the Command Line
  1. In a terminal prompt, change the directory to the collector installation directory. By default, the collector will be installed in either /opt/SumoCollector or /usr/local/SumoCollector.
cd /usr/local/SumoCollector
  1. Run the uninstall binary with the -q option. The -q option executes the command without presenting additional prompts.
sudo ./uninstall -q
Uninstall using the RPM/Debian packages

For the RPM package, use the command:

sudo rpm -e SumoCollector

For the Debian package, use the command:

sudo dpkg -r SumoCollector
Uninstall using the binary package
  1. Uninstall the collector service.
sudo <Collector Installation Directory>/collector remove
  1. Remove the collector installation directory.
sudo rm -rf <Collector Installation Directory>
  1. (Optional) On some distributions, for instance, Ubuntu, you may need to re-synchronize the daemon setting before installing the collector again.
sudo systemctl daemon-reload
  1. Remove the collector from Sumo Logic:
    1. In Sumo Logic, select Manage Data > Collection > Collection.
    2. Find the collector you want to remove, and click Delete.
    3. When the Confirm dialog displays, click OK.

A success message is displayed and the collector is removed from the list.

Installing the Linux app

Now that you have set up collection, install the Sumo Logic App for PCI Compliance for Linux to use the preconfigured searches and Dashboards that provide insight into your data.

To install the app, do the following:

  1. From the Sumo Logic navigation, select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can scroll down to preview the dashboards included with the app.
  3. To install the app, click Install App.
  4. Click Next in the Setup Data section.
  5. In the Configure section of the respective app, complete the following fields.
    1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
  6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, updating with full graphs and charts over time.

Viewing Linux Security Monitoring dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
  • Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Security Monitoring - Overview

The Security Monitoring - Overview dashboard provides an overview of security statistics relevant for Linux systems. It presents information about successful and failed logins, root login successes and failures, user accounts created and deleted, sudo attempts and total Services.

Use case: Use this dashboard to monitor administrative actions (create, delete users) performed by end users, ensure proper services are running on all systems, detect attempts to change the system time, and verify that critical systems are up and running.You can also monitor excessive failed login attempts to detect attempts to break into the system.

Linux Security dashboards

Security Analytics - Login Activity

The Security Analytics - Login Activity dashboard tracks login activity. It provides information about failed and successful user logins, and failed and successful root logins.

Use case: Use this dashboard to monitor access to the linux computing environment. You can monitor failed and successful user logins.

Linux Security dashboards

Security Analytics - Privileged Activity

The Security Analytics - Privileged Activity dashboard provides information about total sudo attempts, failed sudo attempts, the top 10 users and hosts that have issued sudo attempts, recent sudo attempts, and sudo attempts over time.

Use case: Use this dashboard to monitor successful and failed access attempts to systems, especially with administrative privileges. It also helps monitor actions performed by users with administrative privileges.

Linux Security dashboards

Security Monitoring - User, Service, and System Monitoring

The Security Monitoring - User, Service, and System Monitoring dashboard provides information about total sudo attempts, failed sudo attempts, the top 10 users and hosts that have issued sudo attempts, recent sudo attempts, and sudo attempts over time.

Use case: Use this dashboard to monitor accounts created and deleted. It also helps monitor service usage and other system activity.

Linux Security dashboards
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.