Installing FortiSIEM in Linux KVM
This document provides instructions to install FortiSIEM on Linux KVM.
- Pre-installation check-list
- Installing FortiSIEM Virtual Appliance in KVM
- Installing FortiSIEM Report Server in KVM
Pre-installation check-list
Step A: Determine your FortiSIEM hardware needs and deployment type
Before you begin, check the following:
- Number of Workers needed, if any.
- Number of Collectors needed, if any.
- Hardware specification of Supervisor, Worker and Collectors (CPU, RAM, Local Storage).
If Elasticsearch is chosen as the Event Database, the Supervisor needs an additional 8 GB RAM; in this case, the minimum requirement for the Supervisor is 32 GB RAM.
- Event Database Storage – Local or Remote (for Remote: NFS or Elasticsearch).
Note: The Remote option is required if you are deploying Workers. If you are going to add Workers in the future, it is recommended to choose a Remote database option to avoid data migration.
- Deployment type – Enterprise or Service Provider
Step B: Deploy Remote Storage
If required, install and configure NFS or Elasticsearch before beginning the installation below.
Installing FortiSIEM Virtual Appliance in KVM
The basic process for installing FortiSIEM Supervisor, Worker, or Collector node in KVM is the same as installing these nodes under VMware ESX. Since Worker nodes are only used in deployments that use NFS storage, you should first configure your Supervisor node to use NFS storage, and then configure your Worker node using the Supervisor NFS mount point as the mount point for the Worker. Collector nodes are only used in Service Provider deployments, and must be registered with a running Supervisor node.
Follow the steps below to install FortiSIEM Virtual Appliance in KVM:
Step 1: Setup a Network Bridge for Installing FortiSIEM in KVM
If FortiSIEM is the first guest on KVM, then a bridge network may be required to enable network connectivity. For details see the Red Hat documentation on KVM Bridge Configuration.
Step 2: Import the Supervisor, Worker or Collector into KVM
- Go to the Fortinet Support website https://support.fortinet.com to download the KVM package. See "Downloading FortiSIEM Products" for more information on downloading products from the support website.
- Download and unzip the packages for Super/Worker and Collector to the location where you want to install the image.
When you open the zip file FSM_Full_Super-Worker_KVM_5.4.0_build<build_number>.zip, there will be three files for Supervisor/Worker:
system.qcow2
cmdb.qcow2
svn.qcow2
There is one file in the Collector zip file FSM_Full_Collector_KVM_5.4.0_build<build_number>.zip:
system.qcow2
- Start the KVM Virtual Machine Manager.
- Select and right-click on a host to open the Host Options menu, and select New.
- In the New VM dialog, enter a Name for your FortiSIEM node.
- Select Import existing disk image, and click Forward.
- Browse to the location and select system.qcow2 for Supervisor/Worker or system.qcow2 for the Collector.
- Choose the OS Type and Version you want to use with this installation, and click Forward.
- Allocate Memory and CPUs to the FortiSIEM node, and click Forward.
- Select the checkbox for Customize configuration before install.
- Confirm the installation configuration of your node, and click Finish.
Step 3: Configure the Supervisor Hardware Settings in KVM
- In KVM Virtual Machine Manager, select the FortiSIEM Supervisor, and click Open.
- Click the Information icon to view the Supervisor hardware settings.
- Select the Virtual Network Interface.
- For Source Device, select an available bridge network. See Setup a Network Bridge for Installing FortiSIEM in KVM for more information.
- For Device Model, select Virtio and click Apply.
- In the Supervisor Hardware settings, select Virtual Disk.
- In the Virtual Disk dialog, open the Advanced options. For Disk bus, select Virtio and for Storage format select qcow2.
- Click Add Hardware, and select Storage.
- Select the Select managed or other existing storage option, and browse to select cmdb.qcow2.
- Select the Device type as Virtio Disk, Cache mode as 'default' and Storage format as qcow2.
- Add the disk svn.qcow2 as above.
- If the storage type is Local, add one more disk for EventDB using the option Create a disk image on the computer’s hardware with Device type as Virtio Disk, Cache mode as default and Storage format as qcow2.
Step 4: Configure the Supervisor, Worker, or Collector from the VM Console
- In the KVM Virtual Machine Manager, select the Supervisor node.
- Right-click to open the Virtual Appliance Options menu, and select Power > Power On.
- In the Virtual Appliance Options menu, select Open Console.
Network Failure Message: When the console starts up for the first time you may see a Network eth0 Failed message, but this is expected behavior.
- In the VM console, select Set Timezone and press Enter.
- Select your Location and press Enter.
- Select your Country and press Enter.
- Select your Timezone and press Enter.
- Review your Timezone information, select 1, and press Enter.
- When the Configuration screen reloads, select Login, and press Enter.
- Enter the default login credentials:
- Login: root
- Password: ProspectHills
- Run the vami_config_net script to configure the network: /opt/vmware/share/vami/vami_config_net
- Based on your network type, enter one of the options below:
- 1 for IPv6 Network Only
- When prompted, enter the information for these IPv6 network components to configure the Static IPv6 address: IPv6 Address, IPv6 Prefix, IPv6 Gateway, and IPv6 DNS Server(s).
- 2 for IPv4 Network Only
- When prompted, enter the information for these IPv4 network components to configure the Static IPv4 address: IPv4 Address, IPv4 Netmask, IPv4 Gateway, and IPv4 DNS Server(s).
- 3 for Both Networks
- When prompted, enter the information for these IPv6 network components to configure the Static IPv6 address: IPv6 Address, IPv6 Prefix, IPv6 Gateway, IPv6 DNS Server(s).
- Follow Step 13 below to turn off the proxy server and continue with step c.
- When prompted, enter the information for these IPv4 network components to configure the Static IPv4 address: IPv4 Address, IPv4 Prefix, IPv4 Gateway, IPv4 DNS Server(s).
- Enter n.
Note: The authenticated proxy server is not supported in this version of FortiSIEM. You must turn off the proxy server authentication or completely disable the proxy for the KVM host.
- Enter y to accept the network configuration settings.
- Enter the Host name, and press Enter.
- For Supervisor and Worker: You will be prompted to choose Supervisor [s] or Worker [w]. Choose accordingly:
- For Supervisor, the system will initialize the PostgreSQL database, which will take around 40 minutes, and then reboot the system. A few minutes after reboot, the system GUI will be ready to upload the license and configure the Event Database Storage option.
- For a Worker node, the system will reboot quickly and a few minutes after reboot, it will be ready to be added as a Worker from the Supervisor GUI.
- For Collector, the system will reboot and after a few minutes it will be ready.
Step 5: Upload the FortiSIEM License on Supervisor
You will now be asked to input a license.
- Click Browse and upload the license file. Make sure that the 'Hardware ID' shown in the License Upload page matches the license.
- For User ID and Password, choose any 'Full Admin' credentials. For a first-time install, use the user 'admin' with the password 'admin*1'.
- Choose License type as 'Enterprise' or 'Service Provider'. This option is available only on first install. Once the database is configured, this option will no longer be available.
Step 6: Choose FortiSIEM Event Database Storage
For fresh installation, you will be taken to the Event Database Storage page. Based on Step B: Deploy Remote Storage, you will be asked to choose between Local Disk, NFS or Elasticsearch options.
For more details, see here.
Step 7: (Optional) Install Workers and Add to Supervisor Node
- Follow Step 4 to configure a Worker.
- Add the Worker node to the Supervisor by visiting ADMIN > License > Nodes > Add.
- See ADMIN > Health > Cloud Health to ensure that the Workers are up, healthy and properly added to the system.
Step 8: (Optional) Install Collectors
Collectors can be installed as Virtual Appliances or Hardware appliances (FSM-500F). Follow the steps from Step 1 to 9 in this section, but exclude Step 3.
Step 9: (Optional) Register Collectors to Supervisor Node
For Enterprise deployments, follow these steps:
- Login to Supervisor with 'Admin' privileges.
- Go to ADMIN > Setup > Collectors and add a Collector by entering:
- Name – Collector Name
- Guaranteed EPS – this is the EPS that Collector will always be able to send. It could send more if there is excess EPS available.
- Start Time and End Time – set 'Unlimited'.
- SSH to the Collector and run the following script to register the Collector:
phProvisionCollector --add <user> <password> <Super IP or Host> <Organization> <CollectorName>
- Set User and Password to the admin user name and password for the Supervisor.
- Set IP Address as 'Supervisor IP'.
- Set Organization as 'Super'.
- Set CollectorName from Step 2a.
The Collector will reboot during the registration.
- Go to ADMIN > Health > Collector Health and see the status.
Installing FortiSIEM Report Server on KVM
Follow the steps below to install the FortiSIEM Report Server on KVM:
Step 1: Import the Report Server Image into KVM
- Go to the Fortinet Support website https://support.fortinet.com to download the KVM package. See "Downloading FortiSIEM Products" for more information on downloading products from the support website.
- Download and unzip the packages for Report Server to the location where you want to install the image.
There are two files in the FSM_Full_ReportServer_KVM_5.4.0_build<build_number>.zip file:
system.qcow2
cmdb.qcow2
- Start the KVM Virtual Machine Manager.
- Select and right-click on a host to open the Host Options menu, and select New.
- In the New VM dialog, enter a Name for your FortiSIEM node.
- Select Import existing disk image, and click Forward.
- Browse to the location of system.qcow2 and select it.
- Choose the OS Type and Version you want to use with this installation, and click Forward.
- Allocate the Memory and CPUs to the FortiSIEM node, and click Forward.
- Select the checkbox for Customize configuration before install.
- Confirm the installation configuration of your node, and click Finish.
Step 2: Configure the Report Server Hardware Settings in KVM
- In KVM Virtual Machine Manager, select the FortiSIEM Supervisor, and click Open.
- Click the Information icon to view the Supervisor hardware settings.
- Select the Virtual Network Interface.
- For Source Device, select an available bridge network. See Setup a Network Bridge for Installing FortiSIEM in KVM for more information.
- For Device Model, select Virtio and click Apply.
- In the Report Server Hardware settings, select Virtual Disk.
- In the Virtual Disk dialog, open the Advanced options, and for Disk bus, select Virtio and for storage format select 'qcow2'.
- Click Add Hardware, and select Storage.
- Select the Select managed or other existing storage option, and browse to cmdb.qcow2.
- Select the Device type as 'Virtio Disk', Cache mode as 'default' and Storage format as 'qcow2'.
- If the storage type is 'Local', add one more disk for EventDB using the option Create a disk image on the computer’s hardware with Device type as 'Virtio Disk', Cache mode as 'default' and Storage format as 'qcow2'. Use the command fdisk -l to get the disk name.
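The image import and hardware settings of Steps 2 and 3 in the Virtual Appliance section and of Steps 1 and 2 in this Report Server section can also be driven from the KVM host's shell with virt-install, which makes the virtio/qcow2 settings repeatable and lets you verify the unzipped images before they are attached. The script below is an added example, not code from the FortiSIEM guide or from Fortinet. It assumes the zip was extracted into an image directory, that the bridge from Step 1 is named br0, that virt-install is present on the host, and it uses a placeholder --os-variant of generic; the memory, vCPU and EventDB disk sizes in the usage comment are placeholders to be sized per Step A.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: import the unzipped qcow2 images
# into KVM with virt-install instead of clicking through Virtual Machine Manager.
# Assumptions: images extracted into a directory, host bridge named br0 (Step 1),
# virt-install installed on the KVM host. "--os-variant generic" is a placeholder;
# pick the OS type that matches the appliance, as the "OS Type and Version" step does.

# Check that a file starts with the qcow2 magic bytes "QFI\xfb". This catches a
# truncated download or an interrupted unzip before the image is wired into a VM.
is_qcow2() {
  [ -r "$1" ] || return 1
  [ "$(od -An -N4 -tx1 "$1" | tr -d ' \n')" = "514649fb" ]
}

# Print the virt-install command line for one node. Each image is attached on
# the virtio bus in qcow2 format and the NIC is a virtio device on the bridge,
# which mirrors the hardware settings the guide has you choose in virt-manager.
#   $1 VM name   $2 role: super | worker | collector | reportserver
#   $3 image directory   $4 bridge   $5 RAM in MiB   $6 vCPUs
#   $7 (optional) size in GiB of an extra blank EventDB disk for Local storage
build_virt_install_cmd() {
  name=$1; role=$2; dir=$3; bridge=$4; ram=$5; vcpus=$6; eventdb_gib=${7:-}
  case "$role" in
    super|worker) disks="system.qcow2 cmdb.qcow2 svn.qcow2" ;;
    reportserver) disks="system.qcow2 cmdb.qcow2" ;;
    collector)    disks="system.qcow2" ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  cmd="virt-install --name $name --memory $ram --vcpus $vcpus --import"
  for d in $disks; do
    is_qcow2 "$dir/$d" || { echo "missing or corrupt image: $dir/$d" >&2; return 1; }
    cmd="$cmd --disk path=$dir/$d,bus=virtio,format=qcow2"
  done
  # Blank disk created by virt-install in the default storage pool, for the
  # "add one more disk for EventDB" step when the storage type is Local.
  if [ -n "$eventdb_gib" ]; then
    cmd="$cmd --disk size=$eventdb_gib,bus=virtio,format=qcow2"
  fi
  cmd="$cmd --network bridge=$bridge,model=virtio --os-variant generic --graphics vnc --noautoconsole"
  echo "$cmd"
}

# Build the command, echo it for the change record, then run it. Paths must not
# contain spaces because the command is re-parsed by eval. Example (placeholder sizes):
#   import_fortisiem_vm fsm-super super /var/lib/libvirt/images/fsm br0 32768 8 500
import_fortisiem_vm() {
  cmd=$(build_virt_install_cmd "$@") || return 1
  echo "+ $cmd"
  eval "$cmd"
}
```

After the VM is created you continue with the console configuration of Step 4 (or Step 3 for the Report Server) exactly as described; the script only replaces the virt-manager clicks for importing the disks and choosing the bridge.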
Step 3: Configure the Report Server from the VM Console
- In the KVM Virtual Machine Manager, select the Report Server node.
- Right-click to open the Virtual Appliance Options menu, and select Power > Power On.
- In the Virtual Appliance Options menu, select Open Console.
Network Failure Message: When the console starts up for the first time you may see a Network eth0 Failed message, but this is expected behavior.
- In the VM console, select Set Timezone and press Enter.
- Select your Location and press Enter.
- Select your Country and press Enter.
- Select your Timezone and press Enter.
- Review your Timezone information, select 1, and press Enter.
- When the Configuration screen reloads, select Login, and press Enter.
- Enter the default login credentials:
- Login: root
- Password: ProspectHills
- Run the vami_config_net script to configure the network: /opt/vmware/share/vami/vami_config_net
- Based on your network type, enter one of the options below:
- 1 for IPv6 Network Only
- When prompted, enter the information for these IPv6 network components to configure the Static IPv6 address: IPv6 Address, IPv6 Prefix, IPv6 Gateway, and IPv6 DNS Server(s).
- 2 for IPv4 Network Only
- When prompted, enter the information for these IPv4 network components to configure the Static IPv4 address: IPv4 Address, IPv4 Netmask, IPv4 Gateway, and IPv4 DNS Server(s).
- 3 for Both Networks
- When prompted, enter the information for these IPv6 network components to configure the Static IPv6 address: IPv6 Address, IPv6 Prefix, IPv6 Gateway, IPv6 DNS Server(s).
- Follow Step 13 below to turn off the proxy server and continue with step c.
- When prompted, enter the information for these IPv4 network components to configure the Static IPv4 address: IPv4 Address, IPv4 Prefix, IPv4 Gateway, IPv4 DNS Server(s).
- Enter n.
Note: The authenticated proxy server is not supported in this version of FortiSIEM. You must turn off the proxy server authentication or completely disable the proxy for the KVM host.
- Press y to accept the network configuration settings.
- Enter the Host name, and then press Enter.
- Enter the mount point for your data. Set one of the following:
- 'Local' (/dev/<disk_name>). Use the disk_name from Step 2, item 11.
- 'NFS' storage mount point.
Note: Do not use the same mount point as EventDB on Supervisor. This should be a different mount point/storage path.
After you set the mount point, the Report Server will automatically reboot, and in 10 to 15 minutes the Report Server will be successfully configured.
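Step 2 has you read the name of the extra EventDB disk from fdisk -l, and Step 3 has you type that name as the 'Local' mount point. The function below is an added example, not part of the FortiSIEM guide or of the appliance, that narrows the device list down to whole disks with no partitions, which on a freshly built VM is the blank disk attached for EventDB, and refuses to guess when that leaves zero or several candidates. It assumes lsblk from util-linux is available on the appliance; the device names in the comments and usage are constructed samples.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: find the blank EventDB disk that
# Step 2 attached, so the 'Local' mount point in Step 3 names that device rather
# than the system disk. Assumes lsblk (util-linux) on the appliance; device names
# such as vda/vdb below are constructed samples.

# Read rows of "NAME TYPE PKNAME" (the format printed by
# `lsblk -rn -o NAME,TYPE,PKNAME`) from stdin and print the whole disks that
# carry no partitions, one per line. The OS disk always has partitions, so the
# freshly attached blank disk is the one left over.
unpartitioned_disks() {
  awk '$2 == "disk" { disk[$1] = 1 }
       $2 == "part" { used[$3] = 1 }
       END { for (d in disk) if (!(d in used)) print d }' | sort
}

# Print the /dev path of the EventDB disk when exactly one candidate exists.
# Zero or several candidates is an error: stop and check `fdisk -l` by hand
# rather than hand the Report Server an arbitrary device.
eventdb_device() {
  cands=$(unpartitioned_disks)
  n=$(printf '%s\n' "$cands" | awk 'NF { c++ } END { print c + 0 }')
  if [ "$n" -ne 1 ]; then
    echo "expected one unpartitioned disk, found $n: $(echo $cands)" >&2
    return 1
  fi
  echo "/dev/$cands"
}

# Live use on the appliance (reads the real block device list):
#   lsblk -rn -o NAME,TYPE,PKNAME | eventdb_device
# With a system disk vda (partitioned) and a blank vdb, this prints /dev/vdb.
```

The whole-disk name printed here is what Step 3 expects after /dev/; the Report Server formats and mounts it itself, so do not partition or format the device beforehand.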
Step 4: Register FortiSIEM Report Server to Supervisor
- Log in to your Supervisor node.
- Open the 'License Management' page on:
- Flash GUI: Go to Admin > License Management. Under 'Report Server Information', click Add.
- HTML5 GUI: Go to ADMIN > License > Nodes tab. Click Add and select 'Report Server' from the Type drop-down.
- Enter the Report Server IP Address, Database Username and Database Password of the Report Server you want to use to administer.
Use the same credentials to set up the Visual Analytics Server for reading data from the Report Server.
- Click Run in Background if you want Report Server registration to run in the background for larger installations. When the CMDB size is below 1 GB, registration takes approximately three minutes to complete.
- When the registration is complete, click OK in the confirmation dialog.
- Make sure the Report Server is up and running by navigating to:
- Flash GUI: Admin > Cloud Health
- HTML5 GUI: ADMIN > Health > Cloud Health
Step 5: Sync Reports from FortiSIEM Supervisor to Report Server
- Log in to your Supervisor node.
- Select Synced Reports from:
- Flash GUI: RESOURCE > Reports > Synced Reports
- HTML5 GUI: RESOURCES > Reports > Synced Reports
- Select a Report.
Currently, only reports that contain a 'Group By' condition can be synced. Both system and user-created reports can be synced as long as they contain a 'Group By' condition.
- Select Sync.
When the sync process initiates, the Supervisor node dynamically creates a table within the Report Server reportdb database. When the sync is established, it will run every five minutes, and the last five minutes of data in the synced report will be pushed to the corresponding table. This lets you run Visual Analytics on event data stored in the Report Server reportdb database.