Skip to main content
Skip table of contents

Baremetal Universal Hydra Deployment

The baremetal hydra is intended for installations on Linux hosts running directly on hardware with no virtualization hypervisor. This will provide similar services to the universal hydra but it requires additional steps to deploy.

The reason for the baremetal Hydra is that a lot of customers use VMware and the hydra build was created originally for the VMware customers. However as a result of Broadcom acquiring VMware and changing the licensing model our customers approached us for more options for our Hydra Appliance. As a result we have created the Universal Hydra that runs in Azure, AWS, or on bare-metal equipment

The following guide will cover the aspects of a deployment from a SIEMonster perspective.

Assumptions:

  • That the platform this is being deployed on is Debian 12.5 or later

  • That ssh and users to access ssh with sudo permissions have been configured

  • That vim and wget is installed

  • The storage is setup with a default, not encrypted, LVM configuration via the Debian installer and it utilizes the entire disk.

Requirements:

The following packages are required to be installed before deployment can take place, the commands for the package installation have been included below. These commands MUST be run as root using the sudo -s command to elevate privileges with a normal user. The command can be copied and pasted.

BASH
apt update && apt install -y unzip python3-distutils python3-pip j2cli uuid-runtime

Download the following installation zip file by using the command displayed below

BASH
wget https://docs.siemonster.com/__attachments/70090753/bare-metal-hydra.tar.gz

bare-metal-hydra.tar.gz

The Sha256 for the file is

2e9cea705bb5a4b56a0e34044ecc7c267f59a1c0da93973d1f16f4ee2a161851 bare-metal-hydra.tar.gz

Unzip the file using the following command

BASH
tar -xvf bare-metal-hydra.tar.gz && cd bare-metal-hydra/

Now sudo -s to elevate privileges and run the following command

BASH
./metal_builder.sh

The first prompt will be to enter a hostname for the hydra, please choose carefully as this name will also be reflected in the bastion VPN console. The hostname should provide information of where it is deployed in many cases or its' purpose e.g. hydra-london or hydra-ny. In cases where there are tenants involved it may be prudent to add a tenant prefix to it as well. Such as tenant1-hydra-ny

image-20240417-130430.png

Press [ENTER] when you have entered the hostname you want

Press [ENTER] again for the disabled_services listing, do not make changes here unless instructed to do so by the SIEMonster team.

image-20240417-130632.png

Press [ENTER] on OVPN_SSL_Verify leaving the default setting in place

image-20240417-130730.png

Specify your bastion connection for OVPN_URL, e.g. if your SIEMonster instance domain is siem.example.com and the tenant you are connecting the hydra to is tenant1 the URL will be

https://bastion.tenant1.siem.example.com:8443

image-20240417-131029.png

Press [ENTER] on the OVPN_Login prompt, leaving the default value

image-20240417-131344.png

Specify your bastion password in the next prompt and Press [ENTER]

image-20240417-131437.png

In the K8S_DOMAIN prompt please add your top-level domain with a prefix of the tenant you are connecting the hydra to. e.g. for a siem domain of siem.example.com you would add tenant1.siem.example.com. Press [ENTER] when you have entered the desired value.

image-20240417-131837.png

In the TENANT_NAME prompt Enter the name of the tenant you are connecting to and Press [ENTER]

image-20240417-131949.png

In the NODE_NAME prompt, add the text you want the node to display as in your XDR cluster, Press [ENTER] when you have added the desired node name.

🔖 Please note: it is recommended to use the same name as the hostname to not confuse hydra’s with the wrong tenants etc.

image-20240417-132115.png

For the KEY_NAME prompt, please provide the Wazuh XDR cluster key that is present in the configuration on the central node with the following steps.

  1. Login to the SIEMonster central platform

  2. Click on XDR in the left column

    image-20240417-132605.png

  3. Click on the drop down for modules at the top left

    image-20240417-132713.png

  4. Click Management and then Click “Configuration”

    image-20240417-132759.png

  5. Click “Edit configuration” ensuring that “node01 (master)” is selected in the dropdown

    image-20240417-132844.png

  6. Find the “<cluster>” section in the configuration and type out the contents of the “<key>” variable on the hydra configuration screen.

    image-20240417-132914.png

Enter the key at the prompt and Press [ENTER]

If you have followed the instructions correctly you will see the following with no errors.

image-20240417-133100.png

The deployment script for your custom baremetal hydra has now been created. You will note a new file called bare_metal.sh appear on the file system. To deploy it run the following command:

BASH
./bare_metal.sh

When the script finishes you will be prompted to reboot. Press [ENTER] to reboot

image-20240417-134156.png

Wait for the host to reboot and reconnect via ssh.

Elevate privileges with sudo -s

Run the following command and verify that suricata, openvpn and wazuh containers are running. The container names are in the last column.

BASH
docker ps

image-20240417-134431.png

Also perform the following command to see if OpenVPN has connected. Check for an interface tun0 and it should have an IP starting with 192.168.230.

BASH
ifconfig
image-20240417-134534.png

Connect to the Wazuh container to see if the cluster is connected with the following commands

BASH
docker exec -it wazuh bash
tail -f /var/ossec/logs/cluster.log

You should see output similar to the following, to stop the tail command press [CTRL]+C and then [CTRL+D] to exit the container.

image-20240417-134758.png

Your baremetal hydra is now deployed.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.