Install LogRhythm NDR

Install Ubuntu

Download the Ubuntu Server 20.04.06 LTS (Focal Fossa) ISO file, available here.
Write the ISO file to a USB stick.
- For Windows instructions, see Create a bootable USB stick on Windows.
- For macOS instructions, see Create a bootable USB stick on macOS.
Boot the appliance with the USB stick inserted and install Ubuntu. For instructions, see Install Ubuntu Server.

When entering the hostname of the server, exclude the . character from the name.
Once Ubuntu is installed, you can configure the partition tables.

Configure the Partition Tables

The following steps are the same for all node types. The only difference is for the space available.

This example is for a NS7500 5GB node.

Create the /opt and /data Partitions

EXAMPLE

When the server is created, it will have a single drive dedicated for the partitions.

Find the list of disks:

CODE

sudo lvmdiskscan |grep -v ram

CODE

In this example, we had /dev/sda for the OS and /dev/sdb for the partitions.

Create the physical volume:
CODE
```
sudo pvcreate /dev/sdb
```
Create the volume groups:
CODE
```
sudo vgcreate vg-opt /dev/sdb
```
Create the logical volume:
Depending on the type of node, replace the values of the sizes.
CODE
```
sudo lvcreate -L 16T -n lv-opt vg-opt
sudo lvcreate -L 5T -n lv-data vg-opt
```
View the volume groups:
CODE
```
sudo lvdisplay
```

List mapper names:

CODE

sudo ls /dev/mapper/

CODE

control  vg--opt-lv--data  vg--opt-lv--opt

Create the filesystem:

CODE

sudo mkfs.ext4 /dev/mapper/vg--opt-lv--opt
sudo mkfs.ext4 /dev/mapper/vg--opt-lv--data

Add the partitions to fstab:

CODE

sudo echo "/dev/mapper/vg--opt-lv--opt /opt ext4 defaults 1 1 " >> /etc/fstab
sudo echo "/dev/mapper/vg--opt-lv--data /data ext4 defaults 1 1 " >> /etc/fstab

Make the data directory (opt will already exist):
CODE
```
sudo mkdir /data
```
Mount the filesystem:
CODE
```
sudo mount -a
```

Configure the Network Interfaces

Install the Networking Service

Install lfupdown (networking service):
CODE
```
sudo apt-get install -y ifupdown
```

Set Up the Configuration File for the Networking Service

EXAMPLE

In this procedure, the following sample interfaces are configured:

Interface Name	Interface Role
ens1	Management Interface
ens2	Fabric Interface
ens4	Capture Interface

To configure your interfaces, replace these sample names and roles with the names and roles of your interfaces.

Configure your /etc/network/interfaces file:
CODE
```
sudo vi /etc/network/interfaces
```

Insert the following lines. Replace ens1, ens2, and ens4 with the names of your interfaces.

CODE

source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback

# mistnet management interface
auto ens1
iface ens1 inet static 
    address <Management-ip>
    netmask <Management-SubNet-Mask>
    gateway <Management-Default-Gateway-IP>

# mistnet fabric/interconnect interface
auto ens2
iface ens2 inet static
    address <fabric-ip-0>
    netmask <fabric-mask>

# mistnet traffic interface-1
auto ens4
iface ens4 inet manual
iface ens4 inet6 manual
    up ifconfig $IFACE -arp up
    up ip link set $IFACE promisc on
    down ip link set $IFACE promisc off
    down ifconfig $IFACE down
    post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6

Switch the Management IP from Netplan to Networking. LogRhythm recommends using iDRAC for taking down the Management interface and bringing it back up by using the following ifdown/ifup command:
CODE
```
sudo ifdown --force ens1 lo && ifup -a
```

Enable the networking service:

CODE

sudo systemctl unmask networking
sudo systemctl enable networking
sudo systemctl restart networking

Set Up the DNS Configuration

Edit the file named /etc/systemd/resolved.conf and add the DNS server IPs with the following syntax (replace with your DNS server IPs):
```
DNS=8.8.8.8 9.9.9.9
```
Restart the systemd-resolved service:
CODE
```
sudo systemctl restart systemd-resolved
```

Disable and Uninstall the Netplan Appliances

Stop, disable and mask the systemd.networkd service:

CODE

sudo systemctl stop systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
sudo systemctl disable systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online
sudo systemctl mask systemd-networkd.socket systemd-networkd networkd-dispatcher systemd-networkd-wait-online

Remove the netplan service:

CODE

sudo apt-get --assume-yes purge nplan netplan.io

Reboot the Appliance

Reboot the appliance to verify the configuration is correct and permanent.

Reboot the server:
CODE
```
sudo systemctl --force reboot
```
Once the server has rebooted, check the network interfaces to verify they are up and have saved the configuration changes:
CODE
```
ifconfig
```

Install Salt Minion

Before installing the salt minion service, check the time and date.

Create directory for apt keyrings:
CODE
```
mkdir /etc/apt/keyrings
```

Get public key:

CODE

sudo curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/latest focal main" | sudo tee /etc/apt/sources.list.d/salt.list

Install salt minion service on the server:
CODE
```
sudo apt install salt-minion
```
Modify the configuration file to point to the salt master IP address obtained via the SRE team:
CODE
```
sudo vi /etc/salt/minion
```
Restart the salt minion service:
CODE
```
sudo systemctl restart salt-minion
```
Check the salt minion service status by using the following command and look for "running" and "salt master has cached the public key for this node":
CODE
```
sudo systemctl status salt-minion
```