Cluster Installation and Prerequisites

1. Cluster Architecture

Cluster architecture (or a cluster structure) refers to a group of servers that are configured to work together, with redundancy, for the same purpose. Note the word redundant here: the most important criterion of cluster architecture is that it is a redundant system.

Cluster structures are not specific to Logsign; they are used in many systems. Two or more servers, called “nodes”, working together are needed to create a cluster. In the Logsign cluster structure the number of these servers is three, and Logsign configures the cluster architecture on three servers.

The cluster provides availability, reliability and scalability. The Logsign cluster architecture has an “ACTIVE/ACTIVE” working structure, in which load balancing and backup are at the forefront.

1.1. Why Cluster Architecture?

  1. Redundancy
  2. Load balancing
  3. In the cluster structure, each node can take over the task of a node that has a problem, so hardware/software errors are tolerated faster.
  4. Big data can be processed faster because load balancing is done in cluster structures.
  5. Although there are three or more servers in the back end, a cluster is centralized and easy to manage because it is managed from a single server.
  6. Disk space and disk performance are greater and more flexible in the cluster structure.
  7. Factors related to EPS, number of sources, offline reports and indexing work more efficiently in the cluster structure; this is why cluster architecture is needed.
  8. An increasing number of log sources and a growing log flow require customers to move to clusters.
  9. Structures such as offline reports work faster in the cluster structure.

2. Requirements for Cluster Installation

Based on the EPS and the size of the logs, we define what is expected from the customer: the CPU, RAM, hard disk and IP information suitable for their structure. 2N+4 IP addresses are required for the cluster structure, where N is the number of nodes; for the three-node cluster structure this is 2x3+4=10.

The disk size is calculated individually, based on metrics such as the EPS rate and data retention in the customer environment. As general information:

  1. All cluster servers should have the same disk size.
  2. Disks should be thick provisioned, meaning they must be dedicated.

3. Definition of NIC

We need to define 2 NICs: the first is for a local (internal, isolated) network and the second is required for the global network. The global network is defined on Ubuntu.

In order to define a NIC, first of all, a local switch must be added to all machines.

4. Network Settings

This section explains the network and authorization configuration required to set up the components and to collect logs from the customer requesting the PoC. This includes open ports, file shares, authorized user accounts, etc.

Server Installation:

The Logsign servers need access to the following hosts:

Host                         Ports     Purpose
update.logsign.com           80, 443   update / callhome
update2.logsign.com          80, 443   update / callhome
license.logsign.com          80, 443   license validation
repv2.logsign.com            80, 443   threat intelligence (TI) update
update.innotim.com           80, 443   logsign update
update2.innotim.com          80, 443   logsign update
remotes.logsign.com          443       remote access / management
ppa.launchpad.net            80, 443   Ubuntu PPA packages
security.ubuntu.com          80, 443   Ubuntu security updates
archive.ubuntu.com           80, 443   Ubuntu packages
us.archive.ubuntu.com        80, 443   Ubuntu packages mirror
esm.ubuntu.com               80, 443   Ubuntu Extended Security Maintenance (ESM)
storage.googleapis.com       443       cloud storage / dependencies

** HTTP and HTTPS permissions to these hosts should be defined at the service/application level on the firewall.

Log Collection:

For Windows-based servers: TCP/135, TCP/139, UDP/514 (nxlog)

Between syslog-format log sources and Logsign: UDP/514

For collecting DHCP logs: Shared folder in the location of DHCP logs and an authorized user account for this share

For collecting Exchange logs: Shared folder in the location of Exchange logs and an authorized user account for this share

Server Management:

For Logsign server management: TCP/443, TCP/8443, TCP/22

For NTP: UDP/123

For DNS: UDP/53

For LDAP/S: TCP/389, TCP/636
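As an added example (not Logsign's own tooling), the following Python script turns the host and port requirements above into a pre-installation check: it lists the outbound targets from this page, computes the 2N+4 address count, and attempts a TCP connection to each host:port so that a blocked firewall rule is found before the installation starts. The host names and ports come from this page; the script itself and its function names are assumptions.

```python
"""Pre-installation connectivity check for the Logsign cluster prerequisites.
Added example, not Logsign's own tooling: encodes the outbound host list from
this page, computes the 2N+4 address requirement and probes each host:port
with a plain TCP connect so a blocked rule is found before installation."""
import socket

# Outbound hosts and ports from this page: (hostname, ports, purpose).
OUTBOUND_ALLOWLIST = [
    ("update.logsign.com", (80, 443), "update / callhome"),
    ("update2.logsign.com", (80, 443), "update / callhome"),
    ("license.logsign.com", (80, 443), "license validation"),
    ("repv2.logsign.com", (80, 443), "threat intelligence (TI) update"),
    ("update.innotim.com", (80, 443), "logsign update"),
    ("update2.innotim.com", (80, 443), "logsign update"),
    ("remotes.logsign.com", (443,), "remote access / management"),
    ("ppa.launchpad.net", (80, 443), "Ubuntu PPA packages"),
    ("security.ubuntu.com", (80, 443), "Ubuntu security updates"),
    ("archive.ubuntu.com", (80, 443), "Ubuntu packages"),
    ("us.archive.ubuntu.com", (80, 443), "Ubuntu packages mirror"),
    ("esm.ubuntu.com", (80, 443), "Ubuntu Extended Security Maintenance (ESM)"),
    ("storage.googleapis.com", (443,), "cloud storage / dependencies"),
]

def required_ips(node_count):
    """IP addresses needed for an N-node cluster: 2N+4 (three nodes -> 10)."""
    return 2 * node_count + 4

def expand_checks(allowlist=OUTBOUND_ALLOWLIST):
    """Flatten the allowlist into one (host, port, purpose) target per port."""
    return [(h, p, why) for h, ports, why in allowlist for p in ports]

def check_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout.
    DNS failures and refused/filtered connections all raise OSError."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_checks(checks, timeout=3.0):
    """Probe every target and return those that could not be reached."""
    return [t for t in checks if not check_tcp(t[0], t[1], timeout)]

if __name__ == "__main__":
    print("IP addresses required for a 3-node cluster:", required_ips(3))
    for host, port, why in run_checks(expand_checks()):
        print(f"BLOCKED {host}:{port} ({why})")
```

A successful TCP connect only shows that the port is reachable; where HTTP/HTTPS is permitted as a service/application rule, also confirm that the web request itself is allowed. Run the check from each of the three cluster servers.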
