Data Node Cluster Configuration

Since version 7.6.1, a default configuration of the enabled algorithms is shipped at /etc/logserver-probe/java.properties.

Make sure the following definition is present in /etc/logserver-probe/jvm.options:

-Djava.security.properties=/etc/logserver-probe/java.properties

You can edit the file; the changes are applied after the Network Probe service is restarted.

7.6.0 and before

  1. To recreate the current default behavior, create the file /etc/logserver-probe/java.properties with the following content:

    security.useSystemPropertiesFile=false
    jdk.tls.ephemeralDHKeySize=2048
    jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
    jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    jdk.tls.legacyAlgorithms=
    
  2. Add the following line to /etc/logserver-probe/jvm.options:

    -Djava.security.properties=/etc/logserver-probe/java.properties
    
  3. After restarting the Network Probe service, the changes will be applied.
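
As an added example (not part of the original documentation), the following Python script checks that the two files above carry the hardening the steps describe: it parses jvm.options and java.properties and reports anything that would leave a legacy protocol or a weak DH group enabled. The file contents are constructed samples mirroring the settings shown on this page; the paths are the ones the page names.

```python
"""Check the Network Probe JVM TLS hardening described in the steps above."""
import re
# Constructed samples mirroring the files this page describes (not copied from a live system).
JVM_OPTIONS = """-Xmx1g
-Djava.security.properties=/etc/logserver-probe/java.properties
"""
JAVA_PROPERTIES = """security.useSystemPropertiesFile=false
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, RC4_128, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms=
"""
# Legacy protocols and the weak DH group that the hardened probe must refuse.
REQUIRED_DISABLED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "DH keySize < 2048"}
SECURITY_PROPS_FLAG = "-Djava.security.properties=/etc/logserver-probe/java.properties"

def parse_properties(text):
    """Minimal java.properties reader: key=value lines, '#'/'!' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def split_algorithms(value):
    """'DH keySize < 2048, TLSv1.1' -> {'DH keySize < 2048', 'TLSv1.1'}, whitespace normalised."""
    return {re.sub(r"\s+", " ", item.strip()) for item in value.split(",") if item.strip()}

def check_hardening(jvm_options, java_properties):
    """Return a list of findings; an empty list means the files match the hardened defaults."""
    findings = []
    if SECURITY_PROPS_FLAG not in jvm_options.split():
        findings.append("jvm.options does not load /etc/logserver-probe/java.properties")
    props = parse_properties(java_properties)
    # With useSystemPropertiesFile=true the JVM also layers the OS crypto-policy file over
    # these settings; false keeps this file authoritative.
    if props.get("security.useSystemPropertiesFile", "true").lower() != "false":
        findings.append("security.useSystemPropertiesFile is not false")
    dh_size = props.get("jdk.tls.ephemeralDHKeySize", "")
    if not dh_size.isdigit() or int(dh_size) < 2048:
        findings.append("jdk.tls.ephemeralDHKeySize is not a number >= 2048")
    disabled = split_algorithms(props.get("jdk.tls.disabledAlgorithms", ""))
    for item in sorted(REQUIRED_DISABLED - disabled):
        findings.append(f"jdk.tls.disabledAlgorithms does not disable {item}")
    if props.get("jdk.tls.legacyAlgorithms", "missing") != "":
        findings.append("jdk.tls.legacyAlgorithms is not empty")
    return findings
```

Point the two constants at the real files (or read them with open()) to run the check against a deployed probe after each upgrade.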

Masteragent

Since version 7.6.1, Masteragent ships with a predefined set of strong ciphers. Updating is recommended.

Browser layer encryption

Browser layer encryption is available in the Web Security section.

Building a cluster

Node roles

Every instance of the Data Node server is called a node. A collection of connected nodes is called a cluster. All nodes know about all the other nodes in the cluster and can forward client requests to the appropriate node.

Besides that, each node serves one or more purposes:

  • Master-eligible node - A node that has node.master set to true (the default), which makes it eligible to be elected as the master node, the node that controls the cluster.

  • Data node - A node that has node.data set to true (the default). Data nodes hold data and perform data-related operations such as CRUD, search, and aggregations.

  • Client node - A client node has both node.master and node.data set to false. It can neither hold data nor become the master node. It behaves as a “smart router” and is used to forward cluster-level requests to the master node and data-related requests (such as search) to the appropriate data nodes.

  • Tribe node - A tribe node, configured via the tribe.* settings, is a special type of client node that can connect to multiple clusters and perform search and other operations across all connected clusters.

Naming convention

Data Node requires little configuration before it can start working.

The following settings must be considered before going to production:

  • path.data and path.logs - locations of the data and log directories.

  • cluster.name - A node can only join a cluster when it shares its cluster.name with all the other nodes in the cluster. The default name is “logserver”, but you should change it to an appropriate name that describes the purpose of the cluster. You can do this in the /etc/logserver/logserver.yml file.

  • node.name - By default, Data Node uses the first seven characters of a randomly generated UUID as the node ID. The node ID is persisted and does not change when a node restarts. It is worth configuring a more human-readable name, for example node.name: prod-data-2 in the /etc/logserver/logserver.yml file.

  • network.host - parameter specifying the network interfaces to which Data Node can bind. The default is network.host: ["_local_", "_site_"].

  • discovery - Data Node uses a custom discovery implementation called “Zen Discovery”. There are two important settings:

    • discovery.zen.ping.unicast.hosts - specify a list of other nodes in the cluster that are likely to be live and contactable;

    • discovery.zen.minimum_master_nodes - to prevent data loss, you can configure this setting so that each master-eligible node knows the minimum number of master-eligible nodes that must be visible to form a cluster.

  • heap size - By default, Data Node tells the JVM to use a heap with a minimum (Xms) and maximum (Xmx) size of 1 GB. When moving to production, it is important to configure the heap size to ensure that Data Node has enough heap available.

Config files

To configure the Data Node cluster you must specify some parameters in the Data Node main .yml configuration file on every node that will be connected to the cluster:

  • /etc/logserver:

    • cluster.name:name_of_the_cluster - same for every node;

    • node.name:name_of_the_node - unique for every node;

    • node.master:true_or_false

    • node.data:true_or_false

    • network.host:["_local_","_site_"]

    • discovery.zen.ping.multicast.enabled

    • discovery.zen.ping.unicast.hosts

  • /etc/logserver/log4j2.properties:

    • logger: action: DEBUG - for easier debugging.

TLS Certificates

To generate TLS certificates for each node of the cluster, you can use the logserver-cluster.yml config that is provided with tlstool.sh as a starting point:

cd /usr/share/logserver/utils/tlstool
bash tlstool.sh -c config/logserver-cluster.yml -ca -crt

Example setup

Example of the Data Node cluster configuration:

  • file /etc/logserver/logserver.yml:

    cluster.name: tm-lab
    node.name: "logserver"
    node.master: true
    node.data: true
    network.host: 127.0.0.1,10.0.0.4
    http.port: 9200
    discovery.zen.ping.multicast.enabled: false
    discovery.zen.ping.unicast.hosts: ["10.0.0.4:9300","10.0.0.5:9300","10.0.0.6:9300"]

  • to start the Data Node cluster, execute the systemctl restart command:

  • to check the status of the Data Node cluster, execute the command:

    • check the Data Node cluster nodes status via TCP port:

       curl -XGET '127.0.0.1:9200/_cat/nodes?v'
        
         host            ip   heap.percent ram.percent load node.role master name
         10.0.0.4   10.0.0.4     18           91      0.00 -        -       els01
         10.0.0.5   10.0.0.5     66           91      0.00 d        *       els02
         10.0.0.6   10.0.0.6     43           86      0.65 d        m       els03
         10.0.0.7   10.0.0.7     45           77      0.26 d        m       els04
      
    • check the status of the Data Node cluster via the log file:

      tail -f /var/log/logserver/tm-lab.log   (the log file is named after cluster.name)
      
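The following Python helper is an added example, not part of the original documentation. It parses the _cat/nodes?v table shown above (embedded as a constructed sample) together with a constructed discovery.zen.ping.unicast.hosts list and derives the elected master, the master-eligible and data nodes, the majority value to set in discovery.zen.minimum_master_nodes, and any master-eligible node that a new member (see "Adding a new node to the existing cluster") could not reach through the unicast list.

```python
"""Derive cluster membership facts from `curl -XGET '127.0.0.1:9200/_cat/nodes?v'` output."""

# Constructed sample: the _cat/nodes?v table from this page, as curl prints it.
CAT_NODES = """\
host            ip   heap.percent ram.percent load node.role master name
10.0.0.4   10.0.0.4     18           91      0.00 -        -       els01
10.0.0.5   10.0.0.5     66           91      0.00 d        *       els02
10.0.0.6   10.0.0.6     43           86      0.65 d        m       els03
10.0.0.7   10.0.0.7     45           77      0.26 d        m       els04
"""
# Constructed unicast list, as it would appear in discovery.zen.ping.unicast.hosts.
UNICAST_HOSTS = ["10.0.0.4:9300", "10.0.0.5:9300", "10.0.0.6:9300"]

def parse_cat_nodes(text):
    """Turn the whitespace-aligned table into a list of dicts keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, row.split())) for row in lines[1:]]

def cluster_summary(cat_nodes_text, unicast_hosts):
    """Summarise node roles, the quorum for minimum_master_nodes, and gaps in the unicast list."""
    nodes = parse_cat_nodes(cat_nodes_text)
    # In the master column '*' is the elected master, 'm' another master-eligible node,
    # '-' a node that cannot become master (node.master: false).
    eligible = [n for n in nodes if n["master"] in ("*", "m")]
    unicast_ips = {host.split(":")[0] for host in unicast_hosts}
    return {
        "elected_master": [n["name"] for n in nodes if n["master"] == "*"],
        "master_eligible": [n["name"] for n in eligible],
        "data_nodes": [n["name"] for n in nodes if "d" in n["node.role"]],
        # Majority of master-eligible nodes: the value for discovery.zen.minimum_master_nodes.
        "minimum_master_nodes": len(eligible) // 2 + 1,
        # Master-eligible nodes a joining node could not find via unicast discovery.
        "eligible_not_in_unicast": [n["ip"] for n in eligible if n["ip"] not in unicast_ips],
    }

if __name__ == "__main__":
    for key, value in cluster_summary(CAT_NODES, UNICAST_HOSTS).items():
        print(f"{key}: {value}")
```

A cluster with more than one entry in elected_master, or with minimum_master_nodes larger than the value configured on the nodes, is at risk of split brain and should be investigated before more nodes are added.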

Adding a new node to the existing cluster

Install the new Energylogserver SIEM instance. The description of the installation can be found in the chapter “First Configuration Steps”.

Change the following parameters in the configuration file:

  • cluster.name:name_of_the_cluster - same for every node;

  • node.name:name_of_the_node - unique for every node;

  • node.master:true_or_false

  • node.data:true_or_false

  • discovery.zen.ping.unicast.hosts: ["10.0.0.4:9300", "10.0.0.5:9300", "10.0.0.6:9300"] - IP addresses and ports of the nodes in the cluster.

If you add a node with the data role, delete the contents of the path.data directory (by default /var/lib/logserver).

Restart the Data Node instance on the new node with the systemctl restart command.