NetMon Software Installation and Configuration Guide
NetMon 4.0.1 (NetMon-4.0.1-SoftwareInstallationConfiguration_revA)
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may
be trademarks, registered trademarks, or service marks of their respective holders.
VMware, ESX, and ESXi, VMware Certified Professional, vCenter, and vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
Overview
This guide provides installation instructions for NetMon software on both hardware and virtual machines,
including minimal resource evaluation systems, as well as instructions for configuring your new deployment to
begin capturing data.
NOTE: If you purchased a NetMon appliance from LogRhythm, you do not need to install the software
separately—it is preinstalled on your appliance. For more information, see the NetMon Appliance
Installation and Configuration Guide, available on the LogRhythm Community.
Supported Platforms
NetMon can be installed directly on supported hardware or on a virtual machine. For more information, see
the NetMon VMware Installation and Configuration Guide, available on the LogRhythm Community.
IMPORTANT: The limited installation platform should not be used for production deployments of NetMon.
For information about how to maintain a limited installation, see Appendix: Maintain a
Minimal NetMon.
IMPORTANT: NetMon is not supported on systems that use shared disks. Installing on a system that uses
shared disks can have a significant negative impact on performance.
NOTE: NetMon is an I/O-intensive solution that requires dedicated physical drives to achieve the
published rates specified. NetMon makes no distinction between Direct Attached Storage (DAS) or
Storage Area Network (SAN), but the disk volumes must be dedicated.
NOTE: All performance values listed in the table that follows can vary based on your system configuration
and the type of traffic NetMon is processing.
Hardware specifications (the column headings of this table did not survive extraction; the values are listed per platform as they appear, in the order of the original columns):

First platform (only the data-drive column is preserved):
  Data Drives: 8 x 600 GB 10K RPM SAS, RAID 5 + 1 hot spare; Hardware IOPS: 717; Recommended IOPS: 717; 3,312 GB

Second platform:
  More than 1000; Up to 5 Gb/s; Capture: Up to 2.5 Gb/s
  Processing: 2 x 2.6 GHz 14-core CPU (56 vCPU); ≥ 128 GB RAM; PERC H740 integrated RAID controller (8 GB cache); 2 x 10 Gb/s NIC; 2 x 1 Gb/s NIC
  OS Drive: 2 x 240 GB M.2 SSD (0.3 DWPD), RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150; 220 GB usable
  Data Drives: 24 x 600 GB 10K RPM SAS, RAID 5 + 1 hot spare; Hardware IOPS: 2,115; Recommended IOPS: 2,115; 12,232 GB
Network Interfaces
On systems with four or more network interfaces, the NetMon installation will bond interfaces 5 and 6 to
create the bond0 interface. This is the default input interface (network TAP) for NetMon. Additionally, the first
network interface will be configured to start when the NetMon system starts.
NOTE: LogRhythm testing confirms that NetMon runs up to 30 network interfaces without significant user
interface issues or performance degradation. It is not recommended to go beyond 30 interfaces.
NOTE: When installing CentOS, all of the required disk partitions will be created and sized according to
LogRhythm’s recommendations.
The .iso can be used to install CentOS and NetMon on a physical or virtual system that has a primary disk as
small as 60 GB.
NOTE: The .iso installation is supported on systems containing up to four physical disks.
Prerequisites
• If you have not already registered, you can sign up for an account on the LogRhythm Community.
Click Not a Member, and then complete the New Member Registration. Your registration confirmation
will be emailed to you. Check your spam folder in case the approval email is not recognized.
NOTE: Although strongly recommended, this step is not required before installing NetMon.
• If you have not yet obtained the NetMon installation .iso, download the .iso from the Community.
After logging in, click NetMon Resources, click the version of NetMon Freemium you would like to
run, and then click Network Monitor ISO (Checksum) under the Installation Files header.
• For a virtual installation, create a new VM that meets the following requirements:
o OS Type is Linux
o OS Version is Linux 64-bit or Other 64-bit
o Hard drive, RAM, and processor meet the requirements stated in Select the Installation
Platform
o Primary network adapter in “bridged” mode, and promiscuous mode is set to allow all traffic
o VMware Workstation is powered on as “Startup Guest”; VirtualBox VM is powered on as
“Normal Start”
• For a list of software packages installed with NetMon, open the NetMon User Guide or the online Help
and go to Appendices > Installed Packages.
Installation Steps
To install CentOS 7.4 Minimal and NetMon using the LogRhythm .iso:
1. If you are installing on a physical computer, burn the .iso image to a writeable CD or DVD, or build a
NetMon USB. For a virtual install, you can mount the .iso for the installation.
2. Boot the computer from the CD, DVD, or USB, or start the VM with the mounted .iso.
3. When the welcome screen loads, select Install LogRhythm Network Monitor.
Log In
1. When the system reboots, log in to the console using logrhythm as the login and changeme as the
password.
2. Change the password for the logrhythm user immediately: type the command passwd, type the default
password (changeme), and then type and verify your new password. The default credentials are printed in
this guide and are identical on every installation, so do this before the management interface is reachable
from anything other than your installation network.
NOTE: You will need to change the input interface for analyzing network traffic in the NetMon Web
Management interface. By default, this field is set to bond0. For more information, see
“Changing Engine Parameters” in the NetMon online Help or the NetMon User Guide.
IMPORTANT: After installing and logging in to your NetMon software, do not update the CentOS
operating system using yum or any other method. An update could leave your NetMon
system in an unusable state.
NOTE: The default time zone for NetMon is America/Denver. To change this setting, open a command
line and enter sudo timedatectl set-timezone <time zone>. To find the string that
corresponds to your time zone, use tzselect or timedatectl list-timezones. timedatectl refuses a
name that is not in the zone database (for example, Americas/Denver), so check that the command
succeeded before moving on.
Configure NetMon
This section describes how to determine an IP address for NetMon, launch the NetMon Web Management
interface, and configure NetMon to begin capturing data.
NOTE: Interface names will vary depending on motherboard vendors and the PCI slot in which the
network interface card is installed (for example, em1, eno1, enp2s0).
If your network uses DHCP, an administrator in your organization can provide NetMon's IP address after
installation. If you need to assign a static IP to the NetMon appliance, you must perform some extra steps, as
described in the Static IP Configuration section of this guide.
To launch NetMon for the first time, be sure to follow the correct instructions for DHCP or Static IP.
By default, the installation assigns the Management Interface. To select a different management or recovery
network interface, see Change the Management or Recovery Network Interface.
DHCP Configuration
If your network uses DHCP, obtain NetMon's IP address from your network administrator.
Static IP Configuration
Follow the instructions in this section if you are assigning a static IP to the NetMon appliance.
Windows
1. From a laptop running Windows, click Start, and then search for “View Network Connections.”
2. Right-click Local Area Connection, and then click Properties.
3. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Properties window:
• Select the Use the following IP address button.
• Enter the IP address: 192.168.0.11
NOTE: If your management interface is on the 192.168.x.x subnet, then set this value to
172.16.0.11. For more information, see Change the Management or Recovery
Network Interface.
8. Open the command prompt and run ipconfig to verify that the IP address is 192.168.0.11.
OS X
1. From a laptop running OS X, click the Apple menu at the upper-left corner of the screen, click
System Preferences, and then click Network.
2. On the left side of the Network page, select your Thunderbolt Ethernet connection.
3. Specify the following Thunderbolt Ethernet connection settings:
• Configure IPv4: Manually
• IP Address: 192.168.0.11
NOTE: If your management interface is on the 192.168.x.x subnet, then set this value to
172.16.0.11. For more information, see Change the Management or Recovery
Network Interface.
Launch NetMon
1. Open a browser (Internet Explorer 11 or the latest version of Chrome or Firefox).
NOTE: If NetMon requires a license file and you have not already uploaded one, you are prompted
to choose your version of the software. For more information, see License NetMon.
4. Enter your IP Address, Netmask, and Gateway (and optionally, a DNS Server and Search Domain).
NOTE: From now on, you can use this IP address to access the Web Management interface for
NetMon on the data management interface.
Change the Management or Recovery Network Interface
1. On the top navigation bar, click Configuration, and then click the Network tab.
2. Select an interface from the Management Interface and Recovery Interface lists, as needed.
3. Click Apply Changes.
Changing the Management and Recovery Network Interfaces could log you out. If it does, you need to
reconnect via the correct interface.
IMPORTANT: Choosing a different Management or Recovery Interface changes which network port is
used for communicating with your appliance. If you make a change to either interface, you
will not have access unless you connect via the correct network. Changing either interface
may require you to change network cabling and your corporate network management
before you can access NetMon.
NOTE: If your management interface is on the 192.168.x.x subnet, the recovery interface is set to the
172.16.x.x subnet to avoid IP address conflicts.
Manual Network Configuration
With Manual Network Configuration enabled, you are prompted for the name of the interface from which
NetMon should process packets, and NetMon does not modify any network interface configuration files or
network settings upon startup. After the NetMon services start, the system waits for the specified capture
interface to exist in an "up" state. You are responsible for configuring your Management Interface, Recovery
Interface, and Capture Interface.
IMPORTANT: Network Manual Configuration is an advanced setting that should be enabled only by users
with deep proficiency in Linux. A manual configuration could cause serious issues in your
NetMon that LogRhythm Support cannot resolve and could ultimately require a full reboot
or fresh install of NetMon. Proceed with extreme caution.
NOTE: Before enabling Manual Network Configuration, save the network config with “Use High
Throughput” disabled. Alternatively, modify the value of “enableHighThroughput” to “false” in
/usr/local/probe/conf/nm.yaml and restart the NetMon services.
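An added example of the nm.yaml edit that the note above describes; it is not LogRhythm's code. It assumes the setting is written as a plain top-level `enableHighThroughput: true` line in /usr/local/probe/conf/nm.yaml (the guide names the file and the key but not the surrounding layout). It keeps a .bak copy and refuses to edit unless exactly one such line exists, so a mistyped key cannot leave the setting unchanged while the command appears to succeed:

```shell
#!/bin/sh
# Added example, not LogRhythm's code. Flips a boolean setting in nm.yaml
# before Manual Network Configuration is enabled. Assumes the key is a plain
# top-level "key: value" line, as the guide's wording suggests.

# get_yaml_bool FILE KEY -> prints the current value of a top-level KEY
get_yaml_bool() {
    sed -n "s/^${2}[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# set_yaml_bool FILE KEY VALUE -> rewrites "KEY: ..." to "KEY: VALUE" in place.
# Keeps FILE.bak. Refuses unless VALUE is true/false and exactly one top-level
# KEY line exists, so a mistyped key cannot leave the setting unchanged while
# appearing to succeed.
set_yaml_bool() {
    file=$1; key=$2; value=$3
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    case "$key" in
        *[!A-Za-z0-9_]*|"") echo "key must be a plain identifier" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    n=$(grep -c "^${key}[[:space:]]*:" "$file") || n=0
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one '$key:' line in $file, found $n" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # Only the matching line changes; a trailing "# comment" on it is dropped.
    sed "s/^\(${key}[[:space:]]*:\).*/\1 ${value}/" "$file.bak" > "$file" || return 1
    # Verify the rewrite actually took effect before reporting success.
    [ "$(get_yaml_bool "$file" "$key")" = "$value" ]
}
```

Run it as `set_yaml_bool /usr/local/probe/conf/nm.yaml enableHighThroughput false` and then restart the NetMon services as described under Restart NetMon. If the key appears more than once, or inside a nested block rather than at top level, the function stops and tells you, which is the point: edit the file by hand in that case rather than let a pattern guess for you.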
1. On the top navigation bar, click Configuration, and then click the Network tab.
2. On the Interface Selection panel, click Enable Manual Configuration.
License NetMon
When accessing NetMon for the first time, the license selection page appears. This page displays system
details and provides two licensing options: Network Monitor Freemium and Network Monitor.
1. Under the appropriate NetMon option, click Select. For commercial customers or customers evaluating
the full edition of NetMon, select the Network Monitor option.
NOTE: NetMon Freemium is a limited version of NetMon and could result in data loss.
NOTE: You can configure NetMon to capture all packets or only specific applications, including
unknown traffic. For more information, see Select Applications for Packet Capture.
NOTE: NetMon restarts the application with the new settings. This might take a few minutes.
IMPORTANT: If you do not define an NTP Server, the displayed time values could be out of sync with
your web browser. Events and log data could appear to have occurred in the past or even
the future, and it would be difficult to ascertain the exact time a network event occurred.
1. On the top navigation bar, click Configuration, and then click the Time tab.
2. In the Primary NTP Server field, type the IP address of the main NTP server used in your network. The
default is the address for the CentOS NTP server. If you do not establish an internet connection for the
NetMon appliance and want to use a local NTP server, type the address for that local server in this
field.
3. In the Backup NTP Server field, type the IP address for the backup NTP server (if used).
4. Click Apply Changes.
NOTE: After defining and syncing with an NTP server, it could take several minutes for data to
appear on NetMon dashboards.
1. Ensure that your new, trusted server cert and key files are named “server.crt” and “server.key.”
NOTE: If your cert and key files have unique names, such as “NetMon.crt” or “NetMon.key,”
NetMon does not recognize your certificate.
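An added pre-flight check for the certificate step above, written for this guide rather than taken from LogRhythm. It enforces the two file names NetMon loads, rejects a private key that other local users can read, and, when openssl is available, confirms that server.key is the private key for server.crt and that the certificate has not already expired. DIR is the directory where you staged the files before copying them to the appliance; the guide does not say where NetMon reads them from, so no destination path is assumed here.

```shell
#!/bin/sh
# Added example, not LogRhythm's code. Pre-flight check for a replacement
# NetMon web certificate staged in DIR before it is copied to the appliance.

# check_tls_pair DIR -> 0 if DIR/server.crt and DIR/server.key are usable,
# 1 otherwise (the reason is printed on stderr)
check_tls_pair() {
    dir=$1
    crt="$dir/server.crt"
    key="$dir/server.key"

    # NetMon loads only these two names; NetMon.crt / NetMon.key are ignored.
    for f in "$crt" "$key"; do
        if [ ! -f "$f" ]; then
            echo "missing $f: NetMon only recognizes server.crt and server.key" >&2
            return 1
        fi
    done

    # The private key must not be readable by other local users
    # (characters 8-10 of "ls -l" output are the "other" permission bits).
    others=$(ls -l "$key" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "$key is accessible to other users (other=$others); chmod 600 it" >&2
        return 1
    fi

    if command -v openssl >/dev/null 2>&1; then
        # Compare the SubjectPublicKeyInfo derived from each file; for a
        # matching pair the two PEM blocks are byte-for-byte identical.
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
            || { echo "$crt is not a PEM certificate" >&2; return 1; }
        # -passin pass: makes an encrypted key fail here instead of prompting.
        key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) \
            || { echo "$key is not an unencrypted PEM private key" >&2; return 1; }
        if [ "$crt_pub" != "$key_pub" ]; then
            echo "server.key is not the private key for server.crt" >&2
            return 1
        fi
        # -checkend 0: non-zero exit if the certificate is already expired.
        if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
            echo "server.crt has expired" >&2
            return 1
        fi
    else
        echo "openssl not found; key/cert match and expiry were not checked" >&2
    fi
    return 0
}
```

Run `check_tls_pair /path/to/staging` and only copy the pair to the appliance when it exits 0. The public-key comparison catches the common mistake of pairing a renewed certificate with the previous key; a mismatch would otherwise surface only as a failed service start.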
NOTE: To view a list of applications that NetMon currently supports, see the NetMon Supported
Applications document on the LogRhythm Community. Be sure to check for updates to this list with
each new release, as supported applications are added regularly.
1. On the top navigation bar, click Configuration, and then click the Capture tab.
NOTE: If nothing has been configured for packet capture, only “unknown” is displayed in the list.
2. Specify whether NetMon captures packets for all applications or only for a limited number of
applications selected from the list.
NOTE: To get started, it is recommended to add just a few protocols such as “http” and “https,”
and then more later. For more information, see the NetMon online Help.
• To select individual applications or protocols for packet capture, set Capture All to OFF, and
then type characters in the Add field. As you type, the field auto-displays matching characters
from the application list. Select the application you want, and then click Add.
• To select all applications and protocols for packet capture, click the Capture All toggle switch
from OFF to ON.
• To exclude applications from being captured while Capture All is enabled, type characters in
the Exclude field. As you type, the field auto-displays matching characters from the application
list. Select the application you want to exclude, and then click Exclude.
NOTE: If you select Capture All and your traffic volume is extremely high (for example, the
system processes more than 750 flows per second), your NetMon appliance could run low
on disk space and drop packets. If this is the case, you should not select all applications.
NOTE: Packet capture must be enabled on the Engine tab before NetMon will start to capture and
analyze selected applications.
For example, AI Engine rules such as “HTTP Over an Uncommon Port” create an alarm when web traffic is
seen communicating with a remote port not commonly associated with HTTP traffic. This alarm can be useful
for tracking unauthorized web application usage.
NOTE: Make sure that the NetMon server is set to the same time zone as the server
running the LogRhythm SysMon agent. The receiving SysMon agent includes its
own timestamp before sending Syslog to the LogRhythm SIEM’s Data Processor.
4. Make sure that log processing settings for NetMon’s log source type are set correctly:
a. Click the Log Processing Policies tab.
b. Under Log Source Type, search for Network Monitor. Double-click the row for Network
Monitor log processing policy.
c. Right-click the MPE Policy Editor, and then click Check All.
e. Verify that Disable Automatic Host Contextualization is selected, and that the Log
should be forwarded as event check box is not selected. Click OK.
LogRhythm Support
The LogRhythm Community has the most current help documentation, software revisions, patches, and other
important information.
If you are using a fully licensed version of NetMon and have any issues or require assistance with your
deployment, work with your Professional Services engineer or contact LogRhythm directly at:
NOTE: In the steps that follow, $ represents a Linux shell prompt. You do not need to type the $, only the
command that follows.
NOTE: With the exception of especially large systems, this is usually only /pcap0. Look for drives
“mounted on” /pcapN, such as /pcap0, /pcap1, etc.
WARNING: Before running this command, make absolutely certain that you changed directories (cd) to a
PCAP partition such as pcap0. If you do not, you could irreparably damage your installation.
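An added guard for the maintenance steps in this appendix, covering both the note about finding drives mounted on /pcapN and the warning just above; it is not LogRhythm's code. list_pcap_mounts prints every mounted /pcapN volume, and pcap_dir_guard refuses to continue unless the given directory (after resolving symlinks) sits on one of them, which is the check the warning asks you to make by hand before running the destructive command. The mounts file defaults to /proc/mounts; a different path is accepted only so the logic can be exercised against a constructed copy.

```shell
#!/bin/sh
# Added example, not LogRhythm's code. Guards the appendix commands so they
# cannot run outside a /pcapN partition.

# list_pcap_mounts [MOUNTS_FILE] -> one mount point per line, e.g. /pcap0
list_pcap_mounts() {
    mounts=${1:-/proc/mounts}
    # Field 2 of /proc/mounts is the mount point; keep only those whose last
    # path component is pcap<digits>.
    awk '$2 ~ /\/pcap[0-9]+$/ { print $2 }' "$mounts" | sort -u
}

# pcap_dir_guard DIR [MOUNTS_FILE] -> 0 if DIR lies on a /pcapN volume,
# 1 otherwise. Usage before a destructive step:
#     pcap_dir_guard "$PWD" || exit 1
pcap_dir_guard() {
    dir=$1
    mounts=${2:-/proc/mounts}
    # Resolve relative paths and symlinks so a link named like a pcap
    # directory cannot satisfy the check.
    real=$(cd "$dir" 2>/dev/null && pwd -P) \
        || { echo "refusing: $dir is not a directory" >&2; return 1; }
    for mp in $(list_pcap_mounts "$mounts"); do
        case "$real" in
            "$mp"|"$mp"/*) return 0 ;;
        esac
    done
    echo "refusing: $real is not on a /pcapN partition (mounted:" \
         "$(list_pcap_mounts "$mounts" | tr '\n' ' '))" >&2
    return 1
}
```

The case patterns match the mount point itself or anything below it, but not a sibling with a similar prefix such as /pcap0-old, so a near-miss directory name does not pass. On a system with several capture volumes, run the guard once per /pcapN you intend to work on.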
Restart NetMon
Restart the NetMon services: