
Universal Hydra Deployment

This document details the installation process for the Hydra Universal log collector. Hydra is an Ubuntu 18.04+ Linux machine (virtual or physical) that SIEMonster uses for log centralization at branch offices or for tenants of our MSSP platform.

All onsite logs are aggregated and tokenized before being sent back to the SIEMonster Enterprise or MSSP Edition. This is equivalent to the USM appliance that AlienVault uses. If you prefer a physical device, a standard Linux server (Dell, HP, etc.) with 500GB storage, 16 GB RAM, 8 cores and a standard network interface will meet the requirements.

Download Hydra

Use the following URL to download the Hydra image:

https://releases.siemonster.io/Hydra-Universal-4.6.4.ova

SHA-256:

54dbb7e4b653d2cddd673a398a8d07f678a6e070a2dfdb2d25ea0ee3070f1ce8

Importing the OVA

  1. Click on “Create/Register VM”

  2. Select “Deploy a virtual machine from OVF or OVA file” on the next screen

  3. Specify a preferred name for the VM instance.

  4. Drag and Drop the OVA file onto the box below the name

  5. Click “Next”

  6. Select the datastore where you want the VM to reside

  7. Click “Next”

  8. Choose the correct network mapping for the VM, choose whether the disk should be thin or thick provisioned, and click “Next”.

  9. Untick “Power on Automatically”

  10. Click “Finish”

  11. Wait for VM deployment to complete.

VM Specifications

Once the VM is deployed, the correct hardware allocation needs to be assigned. The recommended settings are the following:

Item          CPU      RAM    DISK    Agent Count
Minimum       4vCPU    8GB    500GB   Up to 500
Recommended   8vCPU    16GB   1TB     500+
Maximum       16vCPU   32GB   1TB+    1500+

Configure the VM according to the above specifications, based on the expected agent volume (see the notes below).

NOTE: For every 500 agents that will be connecting to the log aggregator, add 1 GB of RAM over and above the default allocation, up to a maximum of 32GB of RAM. For agent volumes above 1500, please contact the SIEMonster Support team to assist with deploying an additional Hydra in a load balancer configuration. Please note that the above resource estimations do not include syslog sources, due to the varying nature of such log sources.

ADDITIONAL NOTE: Storage for higher volumes of agents should be flash-based, or have a consistent throughput capability of 350MBps or more.

Network Specifications

The following ports are required for the Hydra to function.

Protocol  Port  Source              Destination             Description
TCP       22    Admin workstations  Hydra                   SSH
TCP       1514  Wazuh agent         Hydra                   Wazuh connectivity
TCP       1516  Wazuh agent         Hydra                   Wazuh agent registration
UDP       1194  Hydra               Central platform (AWS)  OpenVPN
TCP       8443  Hydra               Central platform (AWS)  OpenVPN registration service
TCP       443   Hydra               Multiple                HTTPS

Outbound HTTPS is required for various aspects of the platform and should be allowed. If it cannot be allowed due to compliance or similar constraints, and custom routing for breakout over the AWS VPN channel is required, please request a quote for professional services to have this configured.

NOTE: SSL interception and/or inspection should be turned off on all rules that are applied to allow this traffic. Failing to do so will prevent successful communication.
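The following pre-flight script is an added example (not SIEMonster's own tooling) for checking the outbound flows in the table above from the Hydra, or from another Linux host on the same VLAN, before starting registration. The hostname in PLATFORM_HOST is a placeholder to be replaced with the central platform address your provider gives you; the certificate fingerprint it prints is meant to be compared with the one seen from a network path without SSL inspection, since a mismatch means something in the path is re-signing TLS.

```python
"""Pre-flight check of the Hydra's outbound flows (added example, not SIEMonster code).
Probes the TCP flows from the port table and prints the SHA-256 fingerprint of the
certificate seen on the HTTPS endpoint, to reveal an SSL-inspecting proxy."""
import hashlib
import socket
import ssl

PLATFORM_HOST = "central-platform.example"  # placeholder: your provider's hostname
# (protocol, host, port, description) taken from the Network Specifications table.
REQUIRED_FLOWS = [
    ("tcp", PLATFORM_HOST, 8443, "OpenVPN registration service"),
    ("tcp", PLATFORM_HOST, 443, "HTTPS"),
    ("udp", PLATFORM_HOST, 1194, "OpenVPN tunnel"),
]

def check_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def cert_fingerprint(host, port=443, timeout=3.0):
    """Hex SHA-256 of the DER certificate presented on host:port.
    Verification is off on purpose: an intercepting proxy presents a certificate
    from a private CA, and we want to see that certificate rather than abort."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def run_preflight(flows=REQUIRED_FLOWS, probe=check_tcp):
    """Map each flow's description to 'pass', 'FAIL' or 'not testable (<proto>)'.
    UDP 1194 has no handshake a plain connect can observe, so it is only reported."""
    results = {}
    for proto, host, port, desc in flows:
        if proto != "tcp":
            results[desc] = "not testable (%s)" % proto
        else:
            results[desc] = "pass" if probe(host, port) else "FAIL"
    return results

if __name__ == "__main__":
    results = run_preflight()
    for desc, status in results.items():
        print("%-30s %s" % (desc, status))
    if results["HTTPS"] == "pass":
        print("HTTPS certificate sha256:", cert_fingerprint(PLATFORM_HOST))
```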

Configuring the Hydra connection to the central platform

Once the Hydra hardware configuration is complete, power on the virtual machine and wait for the “User Configuration” screen to load on the VM console.

  1. Specify the username you prefer to use and press [Down Arrow]

  2. Specify the password you would like to use and press [Down Arrow]
    TIP: use a simple password at this point that can be typed with a low risk of error. It has been found that complex passwords can pose problems in some circumstances through the VMware console interface. This password can be changed to a high-complexity one after the setup completes, or be replaced by certificate authentication.

  3. Confirm the password you would like to use and press [Down Arrow], then press [ENTER]

    1. If the next screen displays an error, the passwords do not match.

  4. On the next screen, the networking configuration will be captured. If using a VMware environment, the default interface [ens33] can be used. If you require a different interface Press [ENTER] and Select it from the dropdown list. Then Press the [Down Arrow]

  5. Change the “Type:” to Static by Pressing [Enter] and Selecting “Static”

  6. If there is DHCP present on the VLAN being used, an example configuration will be presented. Feel free to change the settings accordingly, line by line, pressing [Down Arrow] when done with each line.

  7. When the prompt is moved down and reaches “previous”, Press [Right Arrow] and then Press [ENTER]

  8. The next screen deals with the registration of the Hydra to the central platform. This requires a registration URL, username and password.

  9. In the URL line, Specify the provided URL and Press the [Down Arrow]

  10. On the “Login:” line please Type the username provided and Press the [Down Arrow]

  11. On the last line, please Specify the password provided and Use the arrow keys to Move to “Next”, then Press [ENTER]

  12. The system will then attempt to connect to the OpenVPN host

    1. If you receive an error, please ensure that all details were typed correctly, that the host can reach all services through the firewall as stipulated under the network specifications, and that no SSL interception or inspection is enabled on the rules that apply to this traffic. Press [ENTER] to return to the previous screen if required.

  13. The next step will automatically detect the Kafka brokers; this only happens if the authentication was successful. Use the arrow keys to move to the “<Finish>” prompt and press [ENTER]

  14. You will be presented with a “Setup is complete.” screen, Press [ENTER] to reboot.

  15. Please wait until you see a line similar to the screenshot below before proceeding to login.

  16. You will now be able to SSH to the Hydra.

  17. Using a browser (Chrome preferred), proceed to the bastion URL used for registering the Hydra and log in with the same credentials. You should be presented with a dashboard like the screenshot below, showing the OpenVPN tunnel

Your Hydra is now up and running. There are additional settings required. Please see the following sections:

https://docs.siemonster.com/current/configuring-the-hydra-wazuh-cluster

https://docs.siemonster.com/current/configuring-the-hydra-suricata-instance

Optional Configuration:

https://docs.siemonster.com/current/configure-the-hydra-syslog-receiver
