The XDR Collector runs as a service in your environment. While the minimum specifications are listed below, the required resources depend on the number of active integrations and the amount of data being processed.
Minimum requirements
To set up the XDR Collector, the minimum requirements are the following:
| Requirement | Minimum |
|---|---|
| CPU | 2 vCPU |
| Disk size | 10 GB SSD |
| Memory | 1 GB |
| Network interface cards (NICs) | 2 |
| Operating system | Ubuntu 22.04 (recommended) |
For other versions, see the Elastic Agent 8.12.x row in the Elastic Agent table on this page.
Required Endpoint/Port Communication
The XDR Collector must be able to communicate with the following endpoints and ports:

| Endpoint | Host:port |
|---|---|
| Logstash | a96190b49bd294a5fbb3725ff20aab78-c7f64fe7557a87d2.elb.us-east-1.amazonaws.com:5044 |
| Management Server | b5e9a5096e0a4f7782cc444c8edbbd5e.fleet.us-east-1.aws.found.io:443 |
| Update Server | artifacts.elastic.co:443 |
Dedicated Host Requirements
Barracuda IDS/Suricata requires that the collector run on a dedicated host.
Setting up the XDR Collector for Linux for Barracuda IDS
To set up the XDR Collector for Linux, perform the following procedures:
To install the XDR Collector
To set up switch port mirroring
To edit the Suricata configuration
To install the XDR Collector
In Barracuda XDR Dashboard, click Infrastructure > Collectors.
In the Policies table, next to the on-prem policy, click Action > Install.
Click Linux.
Click the copy to clipboard icon to copy the install command to your clipboard.
Open a terminal on the appropriate system, paste the command, and run it.
To set up switch port mirroring
Click a link for specific configurations for the following:
Connect the secondary Ethernet interface on the XDR Collector's host machine to the mirrored port on the switch.
Configure the switch to mirror traffic in both directions from all other ports on the switch to that mirrored port.
Installing Suricata
To install Suricata, follow the procedure for your environment (below):
To install Suricata on Ubuntu/Debian
To install Suricata on RHEL/CentOS/Rocky/Alma/Fedora
To install Suricata on Ubuntu/Debian
To run the install script, copy and run the following commands:
sudo mkdir -p "/usr/local/bin/suricata"
sudo bash -c 'curl -L "https://skout-csd-assets-public.s3.amazonaws.com/suricata/linux/suricata-scripts.tar.gz" | tar -xz -C "/usr/local/bin/suricata"'
sudo find "/usr/local/bin/suricata" -type f -exec chmod +x {} \;
cd /usr/local/bin/suricata
sudo ./install.sh
Follow the prompts through the configuration.
To install Suricata on RHEL/CentOS/Rocky/Alma/Fedora
Install Suricata from the distribution packages and fetch the rule set by running the following commands:
sudo dnf update -y
sudo dnf install suricata
sudo suricata-update
Enable the Suricata service by running the following:
sudo systemctl enable suricata.service --now
Copy and run the following commands to download the configuration file:
sudo mkdir -p "/usr/local/bin/suricata"
sudo bash -c 'curl -L "https://skout-csd-assets-public-dev.s3.us-east-1.amazonaws.com/suricata/linux/7.0.7/default/suricata-xdr-update.tar.gz" | tar -xz -C "/usr/local/bin/suricata"'
sudo mv /usr/local/bin/suricata/suricata.yaml /etc/suricata/suricata.yaml
sudo mv /usr/local/bin/suricata/disable.conf /etc/suricata/disable.conf
Set the HOME_NET and interface values in the configuration file:
To open the suricata.yaml configuration file in nano, open a terminal on the appropriate system and run the following command:
sudo nano /etc/suricata/suricata.yaml
To search for HOME_NET, press CTRL+W.
Next to HOME_NET:, enter the subnet(s) of your internal networks in CIDR format.
For example, if the subnet to be monitored is 192.168.0.0/16, the configuration should read: HOME_NET: "[192.168.0.0/16]"
To search for af-packet, press CTRL+W.
Next to interface:, press the spacebar, then enter the secondary network interface. For example, if the secondary network interface is eth1, the configuration should read:
af-packet:
- interface: eth1
To create the log cleanup and suricata-update cron jobs, open the root crontab in nano by running the following command from the terminal:
sudo EDITOR=nano crontab -e
Add a cron job that runs hourly and deletes log files older than 3 hours, and a cron job that runs daily to update the rules:
0 * * * * find /var/log/suricata/ -name "*.json" -mmin +180 -delete
0 2 * * * suricata-update
To save the file, press CTRL + O.
To exit, press CTRL + X.
Restart the Suricata service:
sudo systemctl restart suricata.service
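The following shell script, added here as an example and not part of the Barracuda documentation, checks a suricata.yaml edited as in the steps above: it parses the HOME_NET value and the af-packet interface, verifies that HOME_NET is in CIDR form, and verifies that the interface exists on the host. The path /etc/suricata/suricata.yaml comes from the procedure; the sample file contents at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the Barracuda docs): sanity-check the HOME_NET and
# af-packet edits above before restarting Suricata. Paths/sample are assumed.

# Print the quoted HOME_NET value from a suricata.yaml given as $1.
home_net_of() {
    sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Print the first interface listed under the af-packet: section of $1.
afpacket_iface_of() {
    awk '/^af-packet:/ { af = 1; next }
         af && /^[^[:space:]#]/ { af = 0 }
         af && /^[[:space:]]*-[[:space:]]*interface:/ {
             sub(/.*interface:[[:space:]]*/, ""); print; exit }' "$1"
}

# Succeed only if every entry of a value like "[192.168.0.0/16,10.0.0.0/8]"
# is an IPv4 CIDR block; a leading "!" (Suricata negation) is accepted.
home_net_is_cidr() {
    entries=$(printf '%s' "$1" | sed 's/[][ ]//g; s/,/ /g')
    [ -n "$entries" ] || return 1
    for e in $entries; do
        printf '%s' "$e" | grep -Eq '^!?([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    done
}

# Succeed if the interface is present on this Linux host (via sysfs).
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# Run all checks on one file; prints the parsed values, non-zero on failure.
check_config() {
    hn=$(home_net_of "$1")
    home_net_is_cidr "$hn" || { echo "HOME_NET is not CIDR: '$hn'" >&2; return 1; }
    iface=$(afpacket_iface_of "$1")
    [ -n "$iface" ] || { echo "no af-packet interface set" >&2; return 1; }
    iface_exists "$iface" || { echo "interface $iface not found" >&2; return 1; }
    echo "HOME_NET=$hn interface=$iface"
}

# Constructed sample; eth1 may not exist here, so only the parsers run below.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16]"
af-packet:
  - interface: eth1
EOF
echo "parsed HOME_NET=$(home_net_of "$SAMPLE") interface=$(afpacket_iface_of "$SAMPLE")"
```

On the collector host, run `check_config /etc/suricata/suricata.yaml` before the restart; `sudo suricata -T -c /etc/suricata/suricata.yaml` then validates the full configuration and rule set.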
Uninstalling Suricata
To uninstall Suricata, follow the procedure for your environment (below):
To uninstall Suricata on Ubuntu/Debian
To uninstall Suricata on RHEL/CentOS/Rocky/Alma/Fedora
To uninstall Suricata on Ubuntu/Debian
Run the following commands:
cd /usr/local/bin/suricata
sudo ./uninstall.sh
To uninstall Suricata on RHEL/CentOS/Rocky/Alma/Fedora
Run the following command:
sudo dnf remove suricata
To remove the log cleanup and suricata-update cron jobs, open the root crontab in nano by running the following command from the terminal:
sudo EDITOR=nano crontab -e
Remove the following entries:
0 * * * * find /var/log/suricata/ -name "*.json" -mmin +180 -delete
0 2 * * * suricata-update
To save the file, press CTRL + O.
To exit, press CTRL + X.