
Installation

The current version of SOCTools only runs on a single server. A fully distributed version will be released soon.

Hardware requirements

  • CPU: 8 cores
  • Memory: 32GB (It is possible to run on less but it is not recommended)
  • Disk: >30GB (This depends entirely on how much data you want to collect and how long you want to keep the data. For just testing SOCTools, 30GB is enough.)

Prerequisites

  • Minimal installation of CentOS7
  • Install Ansible
    • sudo yum -y install epel-release
    • sudo yum -y install ansible git
    • sudo ansible-galaxy collection install ansible.posix

Download SOCTools

To test the development version you can clone the repository instead of downloading the latest release:

Install SOCTools

Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it points to the FQDN of the server.

  • vi group_vars/all/main.yml

If you want to use the MaxMind GeoLite2 database for enrichment, add the license key to the variable 'maxmind_key'.
Users can be configured in the file group_vars/all/users.yml

  • vi group_vars/all/users.yml
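Before running the playbooks it is worth confirming that the host meets the hardware requirements listed above and that group_vars/all/main.yml actually has 'soctoolsproxy' pointing at an FQDN rather than a leftover placeholder, since the CA and service certificates built later are tied to that name. The following pre-flight script is an added example and not part of the SOCTools project; it assumes the flat "key: value" layout shown on this page for main.yml, GNU coreutils/procps (nproc, df, /proc/meminfo) as found on CentOS 7, and the thresholds are the ones stated under Hardware requirements.

```shell
#!/bin/sh
# Added pre-flight check for a SOCTools install (example code, not part of the
# SOCTools project). Thresholds come from the page's hardware requirements;
# the YAML handling is a deliberately simple "key: value" scan (assumption:
# main.yml uses that flat layout, as the page's instructions imply).

# check_hardware CORES MEM_GB DISK_GB -> 0 when every requirement is met.
# Prints one WARN line per unmet requirement so the operator sees all of them.
check_hardware() {
    cores=$1; mem_gb=$2; disk_gb=$3
    ok=0
    [ "$cores" -ge 8 ]   || { echo "WARN: $cores CPU cores, 8 recommended"; ok=1; }
    [ "$mem_gb" -ge 32 ] || { echo "WARN: ${mem_gb}GB RAM, 32GB recommended"; ok=1; }
    [ "$disk_gb" -gt 30 ] || { echo "WARN: ${disk_gb}GB free disk, more than 30GB needed"; ok=1; }
    return $ok
}

# yaml_value FILE KEY -> prints the scalar of a top-level "KEY: value" line,
# with trailing comments, whitespace and surrounding quotes stripped.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed "s/[[:space:]]*#.*//; s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//"
}

# check_config FILE -> 0 when soctoolsproxy looks like a real FQDN
# (set, no spaces, not localhost, has a domain part). maxmind_key is optional,
# so an empty value only produces an informational line.
check_config() {
    proxy=$(yaml_value "$1" soctoolsproxy)
    if [ -z "$proxy" ]; then
        echo "FAIL: soctoolsproxy is not set in $1"; return 1
    fi
    case "$proxy" in
        *" "*|localhost*) echo "FAIL: soctoolsproxy '$proxy' is not an FQDN"; return 1 ;;
        *.*) ;;
        *) echo "FAIL: soctoolsproxy '$proxy' has no domain part"; return 1 ;;
    esac
    key=$(yaml_value "$1" maxmind_key)
    [ -n "$key" ] || echo "INFO: maxmind_key is empty, GeoLite2 enrichment will be unavailable"
    return 0
}

# preflight [CONFIG] -> runs both checks against this host and the given
# main.yml (default: the path the page tells you to edit).
preflight() {
    cfg=${1:-group_vars/all/main.yml}
    cores=$(nproc)
    mem_gb=$(awk '/MemTotal/ {printf "%d", $2/1024/1024}' /proc/meminfo)
    disk_gb=$(df -BG --output=avail . | tail -n 1 | tr -dc '0-9')
    check_hardware "$cores" "$mem_gb" "$disk_gb"; hw=$?
    check_config "$cfg"; cf=$?
    [ "$hw" -eq 0 ] && [ "$cf" -eq 0 ]
}

# Run the checks from the repository root:  sh soctools_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-group_vars/all/main.yml}"
fi
```

The hardware check only warns, matching the page's wording that less memory is possible but not recommended, while a bad 'soctoolsproxy' is treated as a hard failure because every certificate and service URL produced by the playbooks depends on it.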

Configure the server running SOCTools:

  • ansible-playbook -i inventories soctools_server.yml

Build the Docker images:

  • ansible-playbook -i inventories buildimages.yml

Build SOCTools CA needed for service and user certificates:

  • ansible-playbook -i inventories buildca.yml
    This playbook will generate some errors, but this is normal as long as the playbook ignores them and finishes without stopping.

Start SOCTools:

  • ansible-playbook -i inventories soctools.yml -t start-docker-containers
  • ansible-playbook -i inventories soctools.yml -t init

Stop SOCTools:

  • ansible-playbook -i inventories soctools.yml -t stop

Errors building SOCTools

If there are any errors while building SOCTools, it is often best to start from the top. The easiest way is to delete any Docker images that have already been built and then restart the installation. To prune existing Docker images, run docker system prune -a. This command deletes all images, so it assumes that SOCTools is the only service running on the server.

Certificates

To access the web interfaces of the various services in SOCTools, you need to import the root certificate located in secrets/CA/ca.crt. On Windows the CA certificate should be installed in the Trusted Root Certification Authorities store.
User authentication is done using client certificates. A certificate is generated automatically for all users specified in the file group_vars/all/users.yml and can be found in the directory secrets/certificates. Passwords for the certificates can be found in the directory secrets/passwords. Install one of the client certificates in the browser to access the web interfaces of SOCTools.

Web interfaces

All web interfaces of the various services are accessed by going to https://<server name>:<port>/ using the following port numbers:

  • 9443 - NiFi
  • 5601 - Kibana
  • 6443 - Misp
  • 9000 - The Hive
  • 9001 - Cortex
  • 12443 - Keycloak