Skip to main content
Skip table of contents

Universal Hydra Deployment

This document details the installation process for the Hydra Universal log collector. Hydra is a Ubuntu 22.04+ Linux machine virtual/physical that SIEMonster use for log centralization for branch offices or tenants for our MSSP Platform.

All onsite logs are aggregated & tokenized before being sent back to the SIEMonster Enterprise or MSSP Edition This is equivalent to a USM appliance that AlienVault use. If you prefer a physical device, a standard Linux server Dell/HP etc with 500GB storage, 16 GB RAM and 8 cores, standard network interface that will meet the requirements.

Current Hydra Download

Use the following URL to download the Hydra Image

https://releases.siemonster.io/SIEMonster-Hydra-Universal-V5.2.ova

Sha256

b281eba3af97ac61077f84c53ad363bac5187d1bdc7355adf0438a0068bdeb39

New Hydra Download

The following has been added to accommodate upcoming updates that will be deployed through the SIEMonster V5 update engine. This update will upgrade Wazuh to version 4.7.X. This new hydra can still be used. Please note that should you choose to use this version of the hydra and have not yet received the upgrade of Wazuh through the updating system, the following changes needs to be applied to the file located in /etc/siemonster/docker_images.env . Please perform the following steps:

  • deploy the new Hydra as per steps outlined below

  • login to the Hydra via ssh

  • edit /etc/siemonster/docker_images.env

  • change the DOCKER_WAZUH field to the below
    DOCKER_WAZUH=docker.io/siemonster/wazuh-edge-v5.1-hydra-vector:latest

  • perform a docker pull and restart the service with the following commands

    BASH
    docker pull docker.io/siemonster/wazuh-edge-v5.1-hydra-vector:latest && sleep 3 && systemctl restart wazuh

Use the following URL to download the Hydra Image

https://releases.siemonster.io/SIEMonster-Hydra-Universal-V5.07-Debian-Wazuh473.ova

Sha256

b281eba3af97ac61077f84c53ad363bac5187d1bdc7355adf0438a0068bdeb39

🔖 NOTE: The following steps and screenshots are from the ESXi 8.0 platform, there may be subtle graphical differences as well as shortcut location differences.

🔖 NOTE: The virtual hardware support for the OVA is limited to ESXi 6.7+, please ensure to have this version or higher available for deployment. Should you require a custom deployment script to deploy the log aggregator on a different hypervisor, please contact the sales team to provide a quote.

Importing the OVA

  1. Click on create/register VM

    image-20240219-161235.png
  2. Select “Deploy a virtual machine from OVF or OVA file” and Click “Next”

    image-20240219-161256.png
  3. Specify a preferred name for the VM instance.

  4. Drag and Drop the OVA file onto the box below the name

    image-20240219-161429.png
  5. Click “Next”

  6. Select the datastore where you want the VM to reside

  7. Click “Next”

  8. Choose the correct network mapping for the VM, Choose if you would like the disk to be thin or thick provisioned and Click “Next”.

  9. Untick “Power on Automatically”

  10. Click “Finish”

  11. Wait for VM deployment to complete. You can track the progress at the bottom of the interface in ESXi

    image-20240219-161554.png

VM Specifications

Once the VM is deployed. The correct hardware allocation needs to be assigned. The recommended settings are the following:

⚠️ NOTE: CPU core speed should allow for 2.4Ghz+

Item

CPU

RAM

DISK

Agent Count

Minimum

8vCPU

16GB

500GB

Up to 500

Recommended

8vCPU

16GB

1TB

500+

Maximum

16vCPU

32GB

1TB+

1500+

Configure the VM according to the above specifications based on the expected volumes*.

​🔖NOTE: For every 500 agents that will be connecting to the log aggregator please add 1 GB of RAM over and above the default allocation up to a maximum of 32GB of RAM. For agent volumes above 1500 please contact the SIEMonster Support team to assist with deploying an additional Hydra with a loadbalancer configuration. Please note the above resource estimations do not include syslog sources due to the varying nature of such log sources.

🔖 ADDITIONAL NOTE: Storage for higher volumes of agents should be flash based or with a consistent throughput capability of 350MBps+

Network Specifications

The following ports are required for the Hydra to function.

Protocol

Port

Source

Destination

Description

TCP

22

admin workstations

hydra

SSH

TCP

1514

Wazuh Agent

Hydra

Wazuh connectivity

TCP

1516

Wazuh Agent

Hydra

Wazuh agent registration

UDP

1194

Hydra

Central Platform (AWS)

OpenVPN

TCP

8443

Hydra

Central Platform (AWS)

OpenVPN registration service

TCP

443

Hydra

Multiple

HTTPS is required for various aspects and should be allowed. If this cannot be allowed due to compliance etc and custom routing is required for breakout over AWS vpn channel please request a quote for professional services to have this configured.

⚠️ NOTE: SSL interception and/or inspection MUST be turned of on all rules that are applied to allow this traffic. Failing to do so will prevent successful communication.

Configuring the Hydra connection to the central platform

Once the Hydra hardware configuration is complete, power on the virtual machine and wait for the “User Configuration” screen to load on the VM console.

  1. Specify the hostname for this aggregator instance, this will be reflected in the VPN dashboard on the bastion host.

    image-20240219-162437.png

  2. Specify the username you prefer to use and Press the [Down Arrow]

  3. Specify the password you would like to use and Press the [Down Arrow]
    🔖 TIP: use a simple password at this point that can be easily typed without a low risk of error. It has been found that complex passwords can pose problems in some circumstances through the VMware console interface. This password can be changed to high complexity after the setup completes or be replaced by certificate authentication.

  4. Confirm the password you would like to use and Press the [Down Arrow], then Press [ENTER]

    1. Should the next screen present display error, it means that the passwords don’t match.

  5. On the next screen, the networking configuration will be captured. If using a VMWare environment, the default interface [ens33] can be used. If you require a different interface Press [ENTER] and Select it from the dropdown list. Then Press the [Down Arrow]

  6. Change the “Type:” to Static by Pressing [Enter] and Selecting “Static”

  7. If there is DHCP present on the VLAN being used, an example configuration will be presented. Feel free to change the settings accordingly, line by line and Pressing [Down Arrow] when done with each line.

  8. When the prompt is moved down and reaches “previous”, Press [Right Arrow] and then Press [ENTER]

  9. The next screen deals with the registration of the Hydra to the central platform. This requires a registration URL, username and password. [pin here]

  10. In the URL line, Specify the provided URL and Press the [Down Arrow]

  11. On the “Login:” line please Type the username provided and Press the [Down Arrow]

  12. On the last line, please Specify the password provided and Use the arrow keys to Move to “Next”, then Press [ENTER]

  13. The system will then attempt to connect to the OpenVPN host

    1. If you should receive an error, please ensure that that all details were correctly type without error, the host can access all services through the firewall as stipulated under the network specifications and that not SSL interception or inspection has been enabled for the rules that apply to the traffic. Press [ENTER] to return to the previous screen if it is required.

  14. The next step will automatically detect the Kafka Brokers, this will only happen if the authentication was successfull. Use the arrow keys to Move to the “<Next>” prompt and Press [ENTER]

    image-20240219-162945.png
  15. You will now be presented with a Wazuh configuration window, in this window you need to specify tenant name in the field name “Cluster Name”.

    image-20240219-163236.png


    ⚠️ NOTE: This MUST be the tenant name exactly otherwise the hydra will not join the Wazuh cluster and require revisiting the configuration once the hydra is restarted.

  16. Please specify the Wazuh cluster key based on the configuration on the central platform. This can be retrieved by following these steps:

    1. Login to the SIEMonster central platform

    2. Click on XDR in the left collumn

      image-20240219-163445.png
    3. Clicks on the drop down for modules at the top left

      image-20240219-163627.png
    4. Click Management and then Click “Configuration”

      image-20240219-163715.png
    5. Click “Edit configuration” ensuring that “node01 (master)” is selected in the dropdown

      image-20240219-163830.png
    6. Find the “<cluster>” section in the configuration and type out the contents of the “<key>” variable on the hydra configuration screen.

      image-20240219-164221.png
    7. Your configuration should now look similar to the below

      image-20240219-164255.png
  17. Use the arrow keys to move the navigate to the “<Finish>” option and Press [ENTER]

  18. You will be presented with a “Setup is complete.” screen, Press [ENTER] to reboot.

  19. Please wait until you see a line similar to the screenshot below before proceeding to login.

  20. You will now be able to SSH to the hydra.

  21. Using a browser, proceed to the bastion URL used for registering the hydra (Chrome preferred), and Login with the same credentials. You should be presented with a dashboard like the screenshot below showing the OpenVPN tunnel

    image-20240219-164628.png
  22. Once the restart has taken place and the services have started you should be able to login to your hydra with the credentials you specified.

    image-20240219-164858.png
  23. Ensure that your hydra joined the Wazuh cluster be performing the following steps

    1. Click the drop down for Modules at the top left

      image-20240219-165205.png
    2. Click on “Management” and then on “Cluster”

      image-20240219-165321.png
    3. If your configuration steps were correct your hydra will be reflected in the list

      image-20240219-165449.png

Your Hydra is now up and running.

⚠️ NOTE: If your Wazuh cluster is not connecting, please follow the following guide

https://docs.siemonster.com/current/configuring-the-hydra-wazuh-cluster

🔖 There are additional settings required. Please see the following sections:

https://docs.siemonster.com/current/configuring-the-hydra-suricata-instance

Optional Configuration:

https://docs.siemonster.com/current/configure-the-hydra-syslog-receiver

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.