Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Deploy RvSIEM (eng)

280 views

Published on

How to deploy RvSIEM free server and agent for Windows

Published in: Software
  • Be the first to comment

Deploy RvSIEM (eng)

  1. 1. Deploy RvSIEM CEO RuSIEM Olesya Shelestova https://rusiem.com support@rusiem.com
  2. 2. Step-by-step • Download virtual image. You have find download links on https://rusiem.com • Deploy image in VMware ESX (5.5+)/Hyper-v • Power on for VM • Setup network options (or use DHCP) • Set required options in the web interface  Settings • Install RuSIEM agent for Windows OS (links for download you can find on the site) • Change management server in LogAgent.config file • Setup event source for agent in web interface
  3. 3. Download and deploy virtual machine • For ESX: https://www.dropbox.com/s/frp9hf02u9qonrg/RvSIEM.ova?dl=1
  4. 4. Deploy in VMWare ESX
  5. 5. Deploy in MS Hyper-V
  6. 6. • Power on VM • Check IP on console screen (if you have DHCP)
  7. 7. Setup ip and network • If you not have DHCP on you network: • Login to ssh or console. Username: rusiem, Password: P@ssw0rd2014 Ex. command: • ssh rusiem@you_vm_ip • sudo -i
  8. 8. Setup static ip and network • Set static ip, gateway in file /etc/network/interfaces • Save changes and reboot
  9. 9. Access to web interface • Use https proto and url: https://ip_you_vm • Username: admin, Password: admin • Hint: you may be resize web console. Use ctrl+“–” or cmd “–”
  10. 10. License settings • For RvSIEM free – you don’t need any license key • License required only for commercial version (RuSIEM) Ignore license messages for RvSIEM free :)
  11. 11. Download agent • Download x64 Agent http://www.mediafire.com/file/g51v275tac1ynfm/SetupRuAgent_x64-3.msi • Or x86 http://www.mediafire.com/file/j0p78icfw9judua/SetupRuAgent_x86-3.msi
  12. 12. Install RuSIEM agent Select Custom installation and set IP/fqdn name you server RvSIEM instead rusiem.com. Example: https://172.16.0.109/api/v1/remote/encrypt/agent
  13. 13. • You may check management server for agent after installation in c:Program FilesRusiemLogAgent.config
  14. 14. • Open web console  “Sources”
  15. 15. • Press “+” icon on you installed agent • Select ‘Windows Event log’ module • For localhost – set hostname “.” (dot) • Set checkbox for event log journals • Click ‘Save’ button • For local log collection (when agent installed) – don’t need account. Agent will be use Local/System account
  16. 16. • After adding the source, set checkbox for apply changes
  17. 17. Remote collection • We may add many remote source for one agent • For remote log collection – we need add account with required rights in section ‘Settings  Account for data collection’
  18. 18. Search events • Open web console  section Events. Select search query “Windows events” in drop box menu.
  19. 19. When logs not received All OK, actual events received from agent source (0-10 min) Server don’t receive events from this source in 10-60 min Events from this source did not received more than 60 minutes
  20. 20. Query • Any query may be customized Query Filter Period and aggregate options Table events fields order in which the fields are displayed when viewing the event
  21. 21. Full text search and searches
  22. 22. Full text search and searches • Full text search. Ex. Olesya, ‘172.16.0.131’ • For field: key:”value” • With logical operators
  23. 23. Thank you support@rusiem.com https://rusiem.com

×