### Run UTMStack Installer Source: https://docs.utmstack.com/guides/installation/installation Execute the downloaded installer script to begin the UTMStack installation process. This script handles system checks, component downloads, configuration, and service setup. ```bash ./installer ``` -------------------------------- ### Install Dependencies and Download Installer Source: https://docs.utmstack.com/guides/installation/installation Update package lists, install wget, download the UTMStack installer script, switch to root, and set execution permissions. ```bash # Update packages list sudo apt update # Install WGET sudo apt install wget # Download the latest installer wget http://github.com/utmstack/UTMStack/releases/latest/download/installer # Switch to root user sudo su # Set execution permissions chmod +x installer ``` -------------------------------- ### Run UTMStack setup wizard Source: https://docs.utmstack.com/guides/installation/installation-from-iso Execute this command after the main UTMStack installation to run the setup wizard, which configures additional settings like timezone. ```bash utmstack-setup ``` -------------------------------- ### View the entire installer log Source: https://docs.utmstack.com/guides/installation/installation-from-iso Displays the complete content of the UTMStack installer log file. Useful for reviewing the entire installation process. ```bash cat /var/log/utmstack/installer.log ``` -------------------------------- ### Follow the installer log in real-time Source: https://docs.utmstack.com/guides/installation/installation-from-iso Continuously displays new lines added to the UTMStack installer log. Keep this command running in a separate terminal during installation to monitor progress and catch errors as they occur. ```bash tail -f /var/log/utmstack/installer.log ``` -------------------------------- ### Access Installer Log Source: https://docs.utmstack.com/guides/installation/installation-from-iso View the main installation process log file to check for errors or status updates. ```bash sudo cat /var/log/utmstack/installer.log ``` -------------------------------- ### Check Installer Directory Source: https://docs.utmstack.com/guides/installation/installer-update-guide Ensures the script is executed from the directory containing the installer file (INSTALLER_FILE). Provides instructions on how to find and navigate to the installer directory if it's missing. ```bash check_installer_directory() { log_verbose "Checking if installer exists in current directory..." if [[ ! -f "${INSTALLER_FILE}" ]]; then echo "" echo "$(printf '=%.0s' $(seq 1 60))" log_error "INSTALLER NOT FOUND IN EXECUTION DIRECTORY" echo "$(printf '=%.0s' $(seq 1 60))" echo "" log_info "This script must be executed from the directory where the" log_info "UTMStack installer is located." echo "" log_info "To find your installer location, run:" log_info " find /root /home -name 'installer' -type f 2>/dev/null" echo "" log_info "Then navigate to that directory and run the script:" log_info " cd /path/to/installer/directory" log_info " bash update.sh" echo "" return 2 fi log_verbose "Installer file found: ${INSTALLER_FILE}" log_info "Installer found in current directory: $(pwd)" return 0 } ``` -------------------------------- ### Start UTMStack Service Source: https://docs.utmstack.com/guides/installation/installer-update-guide Starts the UTMStack service and verifies that it is running and active. Includes error handling for service not found or failure to start. ```bash start_service() { print_step 6 8 "Starting ${SERVICE_NAME} service" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would start ${SERVICE_NAME} service" return 0 fi if ! check_service_exists; then log_error "Service not found, cannot start" return 4 fi log_info "Starting service..." if sudo systemctl start "${SERVICE_NAME}"; then log_success "Service started successfully" # Verify service is running sleep 2 if systemctl is-active --quiet "${SERVICE_NAME}"; then log_success "Service is running and active" else log_error "Service started but is not active" return 4 fi else log_error "Failed to start service" log_info "Check service status with: sudo systemctl status ${SERVICE_NAME}" return 4 fi } ``` -------------------------------- ### Run UTMStack Installer Source: https://docs.utmstack.com/guides/installation/installation-from-iso Execute the main UTMStack installer script. This is typically run automatically on first boot but can be executed manually. ```bash sudo /opt/utmstack/start.sh ``` -------------------------------- ### View the last 50 lines of the installer log Source: https://docs.utmstack.com/guides/installation/installation-from-iso Shows the last 50 lines of the UTMStack installer log. This is helpful for quickly checking the most recent installation events or the end of the log. ```bash tail -n 50 /var/log/utmstack/installer.log ``` -------------------------------- ### Run UTMStack Installer Source: https://docs.utmstack.com/guides/installation/installer-update-guide Executes the UTMStack installer script. It checks if the installer file exists and reports success or failure with the exit code. ```bash run_installer() { print_step 7 8 "Running UTMStack installer" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would run installer" return 0 fi if [[ ! -f "${INSTALLER_FILE}" ]]; then log_error "Installer file not found: ${INSTALLER_FILE}" return 1 fi log_info "Executing installer..." echo "$(printf '=%.0s' $(seq 1 60))" if sudo ./${INSTALLER_FILE}; then echo "$(printf '=%.0s' $(seq 1 60))" log_success "Installer completed successfully" else local exit_code=$? echo "$(printf '=%.0s' $(seq 1 60))" log_error "Installer failed with exit code: ${exit_code}" return 1 fi } ``` -------------------------------- ### Install UTMStack on Red Hat Systems Source: https://docs.utmstack.com/guides/installation/installation Install UTMStack on Red Hat-based systems using `dnf` for package management. This includes updating packages and installing `wget` before proceeding with standard installation steps. ```bash # Update packages sudo dnf update # Install WGET sudo dnf install wget # Continue with standard installation steps ``` -------------------------------- ### Test cURL Installation Source: https://docs.utmstack.com/integrations/configurations/config-curl Run this command in your console to verify if cURL is installed correctly. It should display version information. ```bash curl -V ``` -------------------------------- ### Navigate to Installer Directory Source: https://docs.utmstack.com/guides/installation/installer-update-guide Change the current directory to the location of your UTMStack installer. Replace '/path/to/installer/directory' with the actual path found. ```bash cd /path/to/installer/directory ``` -------------------------------- ### Restart UTMStack Services after Let's Encrypt Setup Source: https://docs.utmstack.com/guides/installation/ssl-certificate Scale the frontend service back up, verify it's running, stop the temporary Nginx instance, and restart Docker to apply the new Let's Encrypt certificate. ```bash # Scale frontend back up docker service scale utmstack_frontend=1 # Verify frontend is running docker ps | grep frontend # Stop temporary Nginx sudo systemctl stop nginx # Restart Docker to apply changes sudo systemctl restart docker ``` -------------------------------- ### Set Installer Executable Permissions Source: https://docs.utmstack.com/guides/installation/installer-update-guide Grants execute permissions to the downloaded installer file. Includes a DRY_RUN check. ```bash set_executable_permissions() { print_step 3 8 "Setting executable permissions" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would set executable permissions on ${INSTALLER_FILE}" return 0 fi log_info "Making installer executable..." chmod +x "${INSTALLER_FILE}" log_success "Permissions set successfully" log_verbose "File permissions: $(ls -lh ${INSTALLER_FILE})" } ``` -------------------------------- ### Certbot with Cloudflare DNS Challenge Source: https://docs.utmstack.com/guides/installation/ssl-certificate Use Certbot with a DNS plugin for environments where port 80 is inaccessible. This example uses the Cloudflare plugin and requires a credentials file with an API token. Ensure the DNS plugin is installed. ```bash # Install DNS plugin (example for Cloudflare) sudo apt install python3-certbot-dns-cloudflare # Create credentials file echo "dns_cloudflare_api_token = YOUR_API_TOKEN" > ~/.secrets/cloudflare.ini chmod 600 ~/.secrets/cloudflare.ini # Generate certificate sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d siem.yourdomain.com ``` -------------------------------- ### Annotated Firewall Log Processing Example Source: https://docs.utmstack.com/guides/configuration-implementation/implementing-filters An example demonstrating a full pipeline for processing firewall logs, including KV extraction, normalization, type casting, logical enrichment, and cleanup. ```yaml pipeline: - dataTypes: [firewall-fortigate-traffic] steps: # 1. Extract KV pairs (automatically goes into log.*) - kv: source: raw fieldSplit: " " valueSplit: "=" # 2. Normalize to standard schema - rename: from: [log.src, log.s_ip] to: origin.ip - rename: from: [log.dst, log.d_ip] to: target.ip # 3. Handle data types for better indexing - cast: fields: [origin.port, target.port] to: int # 4. Logical enrichment: Determine action - add: function: string params: { key: action, value: denied } where: 'equals("log.policy", "block")' # 5. Cleanup temporary metadata - delete: fields: [log.policy] ``` -------------------------------- ### Create UTMStack Update Script Source: https://docs.utmstack.com/guides/installation/installer-update-guide Create a new file named 'update.sh' in the installer directory using 'nano' and paste the provided script content into it. ```bash nano update.sh ``` -------------------------------- ### Monitor installer log for errors Source: https://docs.utmstack.com/guides/installation/installation-from-iso This command searches the UTMStack installer log for any lines containing the word 'error', which can help in diagnosing installation issues. ```bash grep -i error /var/log/utmstack/installer.log ``` -------------------------------- ### Download Latest Installer Source: https://docs.utmstack.com/guides/installation/installer-update-guide Fetches the latest UTMStack installer from the specified URL (INSTALLER_URL) and saves it as INSTALLER_FILE. Includes error handling for download failures and checks if the downloaded file is empty. Supports DRY_RUN. ```bash download_installer() { print_step 2 8 "Downloading latest installer" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would download from ${INSTALLER_URL}" return 0 fi log_info "Fetching installer from: ${INSTALLER_URL}" if wget --timeout=300 --tries=3 --progress=bar:force "${INSTALLER_URL}" -O "${INSTALLER_FILE}" 2>&1; then log_success "Installer downloaded successfully" # Verify the downloaded file if [[ ! -s "${INSTALLER_FILE}" ]]; then log_error "Downloaded file is empty" return 3 fi else log_error "Failed to download installer" log_info "Please check your internet connection and try again" return 3 fi } ``` -------------------------------- ### Verify SSL Certificate Installation Source: https://docs.utmstack.com/guides/installation/ssl-certificate Check the installed certificate details using OpenSSL and verify web interface accessibility via HTTPS using curl. ```bash # Check certificate openssl x509 -in /utmstack/cert/utm.crt -text -noout # Verify web interface curl -I https://your-domain.com ``` -------------------------------- ### Find UTMStack Installer Directory Source: https://docs.utmstack.com/guides/installation/installer-update-guide Use this command to locate the UTMStack installer if its directory is unknown. It searches common user directories for the 'installer' file. ```bash find /root /home -name 'installer' -type f 2>/dev/null ``` -------------------------------- ### Install Certbot for Let's Encrypt Source: https://docs.utmstack.com/guides/installation/ssl-certificate Install Certbot and the Nginx plugin on your server to manage Let's Encrypt SSL certificates. This requires updating the package list first. ```bash # Update package list sudo apt update # Install Certbot with Nginx plugin sudo apt install certbot python3-certbot-nginx -y ``` -------------------------------- ### Install Let's Encrypt Certificates in UTMStack Source: https://docs.utmstack.com/guides/installation/ssl-certificate Copy the generated `fullchain.pem` and `privkey.pem` from Certbot's Let's Encrypt directory to the UTMStack certificate location and set correct file permissions. ```bash # Copy certificate files to UTMStack directory sudo cp /etc/letsencrypt/live/*/fullchain.pem /utmstack/cert/utm.crt sudo cp /etc/letsencrypt/live/*/privkey.pem /utmstack/cert/utm.key # Set proper permissions sudo chmod 600 /utmstack/cert/utm.key sudo chmod 644 /utmstack/cert/utm.crt ``` -------------------------------- ### Verify Ubuntu version Source: https://docs.utmstack.com/guides/installation/installation-from-iso Checks the installed Ubuntu version. Expected output is 'Ubuntu 24.04.3 LTS'. ```bash lsb_release -a Expected: Ubuntu 24.04.3 LTS ``` -------------------------------- ### Multi-Condition Detection Example Source: https://docs.utmstack.com/guides/configuration-implementation/cel-overloads Demonstrates combining multiple CEL overloads to create a complex detection rule. This example checks for the existence of a field, ensures it's not within a specific CIDR range, and verifies a user field against multiple conditions. ```yaml where: > exists("origin.ip") && !inCIDR("origin.ip", "10.0.0.0/8") && (startsWith("origin.user", "admin_") || equals("origin.user", "root")) ``` -------------------------------- ### Prepare Services for Certbot Source: https://docs.utmstack.com/guides/installation/ssl-certificate Temporarily stop the UTMStack frontend service and start Nginx to allow Certbot to use port 80 for domain validation during certificate generation. ```bash # Scale down frontend service docker service scale utmstack_frontend=0 # Verify frontend is stopped docker ps | grep frontend # Start Nginx temporarily sudo systemctl start nginx ``` -------------------------------- ### Remove Old Installer Source: https://docs.utmstack.com/guides/installation/installer-update-guide Removes the existing installer file if it exists. Includes a DRY_RUN check to simulate the action without actually deleting the file. ```bash remove_old_installer() { print_step 1 8 "Cleaning up old installer" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would remove ${INSTALLER_FILE}" return 0 fi if [[ -f "${INSTALLER_FILE}" ]]; then log_info "Removing existing installer file..." rm -f "${INSTALLER_FILE}" log_success "Old installer removed successfully" else log_info "No existing installer found (clean state)" fi } ``` -------------------------------- ### Check UTMStack Process Source: https://docs.utmstack.com/guides/installation/installation-from-iso Verify if the UTMStack installer process is currently running on the system. ```bash ps aux | grep utmstack ``` -------------------------------- ### Install or Uninstall macOS Agent Source: https://docs.utmstack.com/integrations/agents-and-syslog/macos Use these commands to install or uninstall the UTMStack agent on your macOS device. Ensure you copy the exact command from your UTMStack instance under the Integrations section. ```bash # Example (replace with actual command from instance) sudo ./utmstack-macos-installer install ``` ```bash # or sudo ./utmstack-macos-installer uninstall ``` -------------------------------- ### Get VMware Syslog Configuration Source: https://docs.utmstack.com/integrations/hypervisors/vmware-esxi Displays the current syslog configuration on the ESXi host. This command helps in understanding the existing settings before making changes. ```bash esxcli system syslog config get ``` -------------------------------- ### Check System Resource Usage Source: https://docs.utmstack.com/guides/installation/installation Monitor system resources like RAM, CPU, and disk space to ensure they meet UTMStack's minimum requirements. This is crucial for troubleshooting installation failures due to insufficient resources. ```bash free -h lscpu df -h ``` -------------------------------- ### Update System Packages Source: https://docs.utmstack.com/guides/installation/installation-from-iso Update the package list and upgrade installed packages to their latest versions, including security patches. ```bash sudo apt update && sudo apt upgrade -y ``` -------------------------------- ### UTMStack Automated Update Script Source: https://docs.utmstack.com/guides/installation/installer-update-guide This bash script automates the UTMStack infrastructure update process. It handles downloading the latest installer, managing services, and monitoring progress. Ensure it's executed in the installer directory with root/sudo privileges and an active internet connection. ```bash #!/bin/bash # ============================================================================ # UTMStack Update Script # ============================================================================ # Description: # Automated update script for UTMStack infrastructure. This script handles # the complete update process including downloading the latest installer, # managing services, and monitoring the update progress. # # Prerequisites: # - Must be executed in the directory containing the previous UTMStack installer # - Root/sudo privileges required # - Active internet connection # - systemd-based Linux distribution # # Usage: # bash update.sh [OPTIONS] # # Options: # -h, --help Display this help message # -v, --verbose Enable verbose output # -d, --dry-run Perform a dry run without making changes # # Exit Codes: # 0 - Success # 1 - General error # 2 - Missing prerequisites # 3 - Download failure # 4 - Service management failure # ============================================================================ set -euo pipefail # Exit on error, undefined variables, and pipe failures IFS=$'\n\t' # Set Internal Field Separator for better word splitting # ============================================================================ # Global Variables # ============================================================================ readonly SCRIPT_VERSION="1.0.0" readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" readonly INSTALLER_URL="https://github.com/utmstack/UTMStack/releases/latest/download/installer" readonly INSTALLER_FILE="installer" readonly LOG_FILE="/utmstack/updates/logs/utmstack-updater.log" readonly LOG_DIR="/utmstack/updates/logs" readonly SERVICE_NAME="UTMStackComponentsUpdater" readonly TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')" # Script options VERBOSE=false DRY_RUN=false # Color codes for output readonly RED='\033[0;31m' readonly GREEN='\033[0;32m' readonly YELLOW='\033[1;33m' readonly BLUE='\033[0;34m' readonly NC='\033[0m' # No Color # ============================================================================ # Utility Functions # ============================================================================ # Print formatted messages with timestamp log_info() { echo -e "${BLUE}[INFO]${NC} [$(date '+%Y-%m-%d %H:%M:%S')] $*" } log_success() { echo -e "${GREEN}[SUCCESS]${NC} [$(date '+%Y-%m-%d %H:%M:%S')] $*" } log_warning() { echo -e "${YELLOW}[WARNING]${NC} [$(date '+%Y-%m-%d %H:%M:%S')] $*" } log_error() { echo -e "${RED}[ERROR]${NC} [$(date '+%Y-%m-%d %H:%M:%S')] $*" >&2 } log_verbose() { if [[ "${VERBOSE}" == true ]]; then echo -e "${BLUE}[VERBOSE]${NC} [$(date '+%Y-%m-%d %H:%M:%S')] $*" fi } # Display help message show_help() { sed -n '/^# ===.*UTMStack Update Script/,/^# ===.*$/p' "$0" | sed 's/^# \?//' | sed "s/SCRIPT_VERSION/${SCRIPT_VERSION}/" } # Print section header print_header() { local message="$1" local width=60 echo "" echo "$(printf '=%.0s' $(seq 1 $width))" echo " $message" echo "$(printf '=%.0s' $(seq 1 $width))" echo "" } # Print step information print_step() { local current="$1" local total="$2" local description="$3" echo "" log_info "Step [$current/$total]: $description" echo "$(printf -- '-%.0s' $(seq 1 60))" } # ============================================================================ # Validation Functions # ============================================================================ ``` -------------------------------- ### Log in via SSH Source: https://docs.utmstack.com/guides/installation/installation-from-iso Use this command to log in to your UTMStack server remotely via SSH after installation. Replace 'username' and 'your-server-ip' with your actual credentials and server IP address. ```bash # Login via console or SSH ssh username@your-server-ip ``` -------------------------------- ### UTMStack Update Script Logic Source: https://docs.utmstack.com/guides/installation/installer-update-guide This script orchestrates the UTMStack update process, including pre-flight checks, downloading the new installer, stopping services, running the installer, and monitoring logs. It handles command-line arguments for verbose or dry-run modes and traps errors. ```bash main() { local exit_code=0 print_header "UTMStack Update Process v${SCRIPT_VERSION}" log_info "Started at: ${TIMESTAMP}" log_info "Working directory: ${SCRIPT_DIR}" # Run pre-flight checks log_info "Running pre-flight checks..." check_privileges || exit $? check_dependencies || exit $? check_connectivity || exit $? check_installer_directory || exit $? log_success "Pre-flight checks completed" # Execute update steps remove_old_installer || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code download_installer || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code set_executable_permissions || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code stop_service || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code cleanup_log_file || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code start_service || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code run_installer || exit_code=$? [[ $exit_code -ne 0 ]] && exit $exit_code monitor_log || exit_code=$? if [[ $exit_code -eq 0 ]]; then print_header "Update Process Completed Successfully" else print_header "Update Process Completed with Errors" fi log_info "Finished at: $(date '+%Y-%m-%d %H:%M:%S')" exit $exit_code } # ============================================================================ # Script Entry Point # ============================================================================ # Parse command line arguments while [[ $# -gt 0 ]]; do case $1 in -h|--help) show_help exit 0 ;; -v|--verbose) VERBOSE=true shift ;; -d|--dry-run) DRY_RUN=true log_info "Running in DRY RUN mode - no changes will be made" shift ;; *) log_error "Unknown option: $1" log_info "Use -h or --help for usage information" exit 1 ;; esac done # Trap errors and interrupts trap 'log_error "Script interrupted"; exit 130' INT TERM trap 'log_error "Script failed at line $LINENO with exit code $?"' ERR # Execute main function main "$@" ``` -------------------------------- ### Simple Rule Trigger Example Source: https://docs.utmstack.com/guides/configuration-implementation/implementing-rules Defines a basic rule that triggers an alert when an event matches a specific condition, such as a login from a restricted user. This is used for simple, single-event detections. ```yaml where: 'equals("origin.user", "admin_backup")' ``` -------------------------------- ### Correlation with OR Logic Source: https://docs.utmstack.com/guides/configuration-implementation/advanced-features Implement correlation rules that match either of two specified conditions using the 'or' field. This example triggers if there's 1 event in 'v11-log-*' within an hour, OR if there are 2 events in 'v11-alert-*' within 24 hours. ```yaml correlation: - indexPattern: "v11-log-*" within: "now-12h" count: 1 or: - indexPattern: "v11-alert-*" within: "now-24h" count: 2 ``` -------------------------------- ### Verify UTMStack Container Status Source: https://docs.utmstack.com/guides/installation/installation Check the status of UTMStack containers after installation. All containers should be in a 'healthy' or 'running' state. ```bash # Check container status docker ps # Check system logs docker logs utmstack_backend # Verify web interface accessibility curl -k https://localhost ``` -------------------------------- ### Enrich Data with Dynamic Plugin Source: https://docs.utmstack.com/guides/configuration-implementation/implementing-filters Use the 'dynamic' plugin to add context or transform data. This example uses a geolocation plugin to add location data based on an IP address. ```yaml - dynamic: plugin: com.utmstack.geolocation params: { source: origin.ip, destination: origin.geolocation } ``` -------------------------------- ### Manually Renew Let's Encrypt Certificate Source: https://docs.utmstack.com/guides/installation/ssl-certificate Steps to manually renew a Let's Encrypt certificate, including stopping the frontend, starting Nginx for renewal, running Certbot, stopping Nginx, and updating UTMStack certificate files. ```bash docker service scale utmstack_frontend=0 # Start Nginx for renewal sudo systemctl start nginx # Renew certificate sudo certbot renew # Stop Nginx sudo systemctl stop nginx sudo cp /etc/letsencrypt/live/siem.yourdomain.com/fullchain.pem /utmstack/cert/utm.crt sudo cp /etc/letsencrypt/live/siem.yourdomain.com/privkey.pem /utmstack/cert/utm.key docker service scale utmstack_frontend=1 docker ps | grep frontend sudo systemctl restart docker ``` -------------------------------- ### Check Required Dependencies Source: https://docs.utmstack.com/guides/installation/installer-update-guide Ensures that essential commands like wget, chmod, systemctl, and tail are available on the system. Logs an error if any are missing. ```bash check_dependencies() { log_verbose "Checking required dependencies..." local missing_deps=() for cmd in wget chmod systemctl tail; do if ! command -v "$cmd" &> /dev/null; then missing_deps+=("$cmd") fi done if [[ ${#missing_deps[@]} -gt 0 ]]; then log_error "Missing required commands: ${missing_deps[*]}" return 2 fi log_verbose "All dependencies are available" return 0 } ``` -------------------------------- ### Remove Existing UTMStack Installation Source: https://docs.utmstack.com/guides/installation/installation Use this command to remove a previous UTMStack installation before attempting to reinstall. It helps clean up Docker resources. ```bash ./installer --remove ``` -------------------------------- ### Display Network Configuration Source: https://docs.utmstack.com/guides/installation/installation-from-iso Show detailed network interface information, including IP addresses. ```bash ip addr show ``` -------------------------------- ### Install or Uninstall UTMStack Agent (Windows) Source: https://docs.utmstack.com/integrations/agents-and-syslog/windows-agent Run this command in a Windows PowerShell terminal as Administrator to install or uninstall the UTMStack agent. Ensure you have the correct command from your UTMStack instance. ```powershell Invoke-WebRequest -Uri "http://:9000/api/v1/agents/windows/download/" -OutFile "utmstack-agent.msi" Start-Process msiexec.exe -ArgumentList "/i utmstack-agent.msi /qn" -Wait ``` -------------------------------- ### Troubleshoot Web Interface Access Source: https://docs.utmstack.com/guides/installation/firewall-rules Commands to verify if port 443 is listening, check UFW status, and test web interface access from the server itself. ```bash # Verify port 443 is listening sudo netstat -tlnp | grep 443 # Check firewall rules sudo ufw status numbered # Test from server curl -k https://localhost ``` -------------------------------- ### Transfer and Set Permissions for SSL Files Source: https://docs.utmstack.com/guides/installation/ssl-certificate Copy the renamed certificate and key files to the UTMStack certificate directory and set appropriate file permissions to ensure security and accessibility. ```bash # Move certificate to UTMStack directory sudo mv utm.crt /utmstack/cert/ sudo mv utm.key /utmstack/cert/ # Set proper permissions sudo chmod 600 /utmstack/cert/utm.key sudo chmod 644 /utmstack/cert/utm.crt ``` -------------------------------- ### Basic Single-Node UTMStack Firewall Configuration Source: https://docs.utmstack.com/guides/installation/firewall-rules A comprehensive UFW configuration script for a basic single-node UTMStack v11 deployment, including default policies and specific rules for SSH, web interface, Cockpit, agent communication, and syslog. ```bash #!/bin/bash # Basic UTMStack v11 firewall configuration # Reset UFW sudo ufw --force reset # Default policies sudo ufw default deny incoming sudo ufw default allow outgoing # SSH (from admin IP only) sudo ufw allow from 192.168.1.100 to any port 22 proto tcp # Web interface (from SOC network) sudo ufw allow from 192.168.1.0/24 to any port 443 proto tcp sudo ufw allow from 192.168.1.0/24 to any port 80 proto tcp # Cockpit (admin only) sudo ufw allow from 192.168.1.100 to any port 9090 proto tcp # Agent communication (from agent network) sudo ufw allow from 10.0.0.0/8 to any port 9000 proto tcp sudo ufw allow from 10.0.0.0/8 to any port 9001 proto tcp sudo ufw allow from 10.0.0.0/8 to any port 50051 proto tcp # Syslog (from network devices) sudo ufw allow from 10.0.0.0/8 to any port 514 proto udp sudo ufw allow from 10.0.0.0/8 to any port 6514 proto tcp # Enable firewall sudo ufw enable sudo ufw status verbose ``` -------------------------------- ### Rename Certificate and Key Files Source: https://docs.utmstack.com/guides/installation/ssl-certificate Rename your existing certificate and private key files to `utm.crt` and `utm.key` respectively, before transferring them to the UTMStack server. ```bash # Example renaming mv your-certificate.crt utm.crt mv your-private-key.key utm.key ``` -------------------------------- ### Execute UTMStack Update Script Source: https://docs.utmstack.com/guides/installation/installer-update-guide Run the update script with sudo privileges to perform the update. Ensure you have the necessary permissions. ```bash sudo bash update.sh ``` -------------------------------- ### Troubleshoot Agent Connectivity Issues Source: https://docs.utmstack.com/guides/installation/firewall-rules Commands to check if agent ports are open, verify UFW rules for agent networks, and test connectivity from the agent machine. ```bash # Verify agent ports are open sudo netstat -tlnp | grep -E '9000|9001|50051' # Check firewall allows agent network sudo ufw status | grep -E '9000|9001|50051' # Test connectivity from agent telnet MANAGER_IP 9000 ``` -------------------------------- ### Uninstall UTMStack Agent (Windows) Source: https://docs.utmstack.com/integrations/agents-and-syslog/windows-agent Use this command in a Windows PowerShell terminal as Administrator to uninstall the UTMStack agent. The ProductCode should be obtained from your system's installed programs list. ```powershell msiexec.exe /x "{PRODUCT-CODE}" /qn ``` -------------------------------- ### Test Open Ports with Nmap, Telnet, and Netcat Source: https://docs.utmstack.com/guides/installation/firewall-rules Commands to test connectivity and open ports on a UTMStack server from a remote machine or to check listening ports on the server itself. ```bash # From remote machine nmap -p 22,80,443,9000,9001,50051 UTMSTACK_IP # Test specific port telnet UTMSTACK_IP 443 nc -zv UTMSTACK_IP 443 # Check listening ports on server sudo netstat -tlnp | grep LISTEN sudo ss -tlnp ``` -------------------------------- ### Troubleshoot Syslog Reception Source: https://docs.utmstack.com/guides/installation/firewall-rules Commands to verify if the syslog port is listening, test syslog reception, and check UFW rules for syslog. ```bash # Verify syslog port is listening sudo netstat -ulnp | grep 514 # Test syslog reception logger -n UTMSTACK_IP -P 514 "Test message" # Check firewall rules sudo ufw status | grep 514 ``` -------------------------------- ### Generate Let's Encrypt Certificate with Certbot Source: https://docs.utmstack.com/guides/installation/ssl-certificate Use Certbot with the Nginx plugin to automatically generate and configure an SSL certificate for your domain. You will be prompted for your email and to agree to terms. ```bash sudo certbot --nginx -d siem.yourdomain.com ``` -------------------------------- ### Restart Docker Services Source: https://docs.utmstack.com/guides/installation/ssl-certificate Restart the Docker services to apply the new SSL certificate configuration. Allow up to 10 minutes for all services to fully restart. ```bash sudo systemctl restart docker ``` -------------------------------- ### Extract Data with JSON Source: https://docs.utmstack.com/guides/configuration-implementation/implementing-filters Use the 'json' plugin to extract data from the 'raw' string. This is typically the first step in the extraction phase. ```yaml - json: source: raw ``` -------------------------------- ### Enable ESXi Firewall for Syslog Source: https://docs.utmstack.com/integrations/hypervisors/vmware-esxi Configures the ESXi firewall to allow syslog traffic. This ensures that the ESXi host can send logs to the UTMStack agent without being blocked by the firewall. ```bash esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true ``` ```bash esxcli network firewall refresh ``` -------------------------------- ### Nested Correlation with Multiple Conditions Source: https://docs.utmstack.com/guides/configuration-implementation/advanced-features Define nested correlation rules to track multiple distinct event patterns across different index patterns and time windows. This example requires 5 'failure' events within an hour and 1 'success' event within 5 minutes. ```yaml correlation: - indexPattern: "v11-log-*" count: 5 within: "now-1h" with: - { field: "action", operator: "filter_term", value: "failure" } - indexPattern: "v11-log-*" count: 1 within: "now-5m" with: - { field: "action", operator: "filter_term", value: "success" } ``` -------------------------------- ### Monitor UTMStack Update Log Source: https://docs.utmstack.com/guides/installation/installer-update-guide Follows the UTMStack log file in real-time to monitor update progress. It waits for the log file to be created and provides instructions to exit. ```bash monitor_log() { print_step 8 8 "Monitoring update progress" if [[ "${DRY_RUN}" == true ]]; then log_info "DRY RUN: Would monitor log file" return 0 fi log_info "Following log file: ${LOG_FILE}" log_info "Press Ctrl+C to exit log monitoring" echo "$(printf '=%.0s' $(seq 1 60))" # Wait for log file to be created local max_wait=10 local wait_count=0 while [[ ! -f "${LOG_FILE}" ]] && [[ $wait_count -lt $max_wait ]]; do log_verbose "Waiting for log file to be created... (${wait_count}s)" sleep 1 ((wait_count++)) done if [[ -f "${LOG_FILE}" ]]; then sudo tail -f "${LOG_FILE}" else log_error "Log file was not created after ${max_wait} seconds" log_info "Update may have failed. Check service status:" log_info " sudo systemctl status ${SERVICE_NAME}" return 1 fi } ``` -------------------------------- ### Multi-Node UTMStack Firewall Configuration Source: https://docs.utmstack.com/guides/installation/firewall-rules Extends the basic UFW configuration for multi-node UTMStack v11 deployments, adding rules for cluster communication between nodes. ```bash #!/bin/bash # Multi-node UTMStack v11 firewall configuration # Include basic rules above, then add: # Cluster communication (between all nodes) CLUSTER_NODES=("10.10.10.11" "10.10.10.12" "10.10.10.13") for NODE in "${CLUSTER_NODES[@]}"; do sudo ufw allow from $NODE to any port 2377 proto tcp sudo ufw allow from $NODE to any port 7946 sudo ufw allow from $NODE to any port 4789 proto udp sudo ufw allow from $NODE to any port 9200 proto tcp sudo ufw allow from $NODE to any port 9300 proto tcp done sudo ufw enable ``` -------------------------------- ### Call External gRPC Plugin Source: https://docs.utmstack.com/guides/configuration-implementation/filter-steps-reference Use the dynamic step to invoke an external gRPC plugin. Provide the plugin name and a key-value map of parameters. An optional 'where' condition can be added. ```yaml - dynamic: plugin: com.utmstack.geolocation params: source: origin.ip destination: origin.geolocation ``` -------------------------------- ### Configure rsyslog for Oracle Logs Source: https://docs.utmstack.com/integrations/databases/oracle Add this configuration to `/etc/rsyslog.d/oracle-utmstack.conf` to define input modules for Oracle log files and specify the destination for log forwarding. Remember to replace `BASEDIR` and `DESTINATION` with your specific paths and IP address. ```rsyslog input(type="imfile" File="BASEDIR/admin/_/adump/_.aud" Tag="oracle-audit" Severity="info" Facility="local5") input(type="imfile" File="BASEDIR/diag/tnslsnr/*/listener/trace/listener.log" Tag="oracle-listener" Severity="info" Facility="local5") input(type="imfile" File="BASEDIR/diag/rdbms/_/_ /trace/alert_*.log" Tag="oracle-alerts" Severity="info" Facility="local5") local5.* @DESTINATION:7014 ``` -------------------------------- ### Set VMware Syslog Directory and Host Source: https://docs.utmstack.com/integrations/hypervisors/vmware-esxi Configures both the local syslog directory and the remote syslog host on the ESXi server. Use this command to specify where local logs are stored and the IP address for remote forwarding. ```bash esxcli system syslog config set --logdir=/scratch/log --loghost=your_utmstack_agent_ip --logdir-unique=true ``` -------------------------------- ### Check Internet Connectivity Source: https://docs.utmstack.com/guides/installation/installer-update-guide Verifies internet connectivity by attempting to connect to GitHub. Logs an error if no connection is detected. ```bash check_connectivity() { log_verbose "Checking internet connectivity..." if ! wget --spider --quiet --timeout=10 "https://github.com" 2>/dev/null; then log_error "No internet connectivity detected" log_info "Please check your network connection and try again" return 3 fi log_verbose "Internet connectivity verified" return 0 } ``` -------------------------------- ### Federated Deployment Firewall Rules Source: https://docs.utmstack.com/guides/installation/firewall-rules Allow necessary ports for API and Federation gRPC communication with a central server in a federated deployment. ```text Port 443/TCP: API communication with central server Port 50052/TCP: Federation gRPC communication ``` ```bash # Allow to central server sudo ufw allow out to CENTRAL_SERVER_IP port 443 proto tcp sudo ufw allow out to CENTRAL_SERVER_IP port 50052 proto tcp ``` -------------------------------- ### Schedule Certificate Renewal with Cron Source: https://docs.utmstack.com/guides/installation/ssl-certificate Make the renewal script executable and add it to the crontab to run automatically on a monthly schedule. Ensure the script path is correct. ```bash # Make executable chmod +x /root/renew-utm-cert.sh # Add to crontab (runs monthly) (crontab -l 2>/dev/null; echo "0 3 1 * * /root/renew-utm-cert.sh") | crontab - ``` -------------------------------- ### Allow Manager-to-Worker Communication Source: https://docs.utmstack.com/guides/installation/firewall-rules Configure firewall rules for manager-to-worker communication in multi-node deployments, including cluster management, discovery, and overlay network traffic. ```bash # On all nodes, allow from other cluster nodes sudo ufw allow from CLUSTER_NODE_IP to any port 2377 proto tcp ``` ```bash sudo ufw allow from CLUSTER_NODE_IP to any port 7946 ``` ```bash sudo ufw allow from CLUSTER_NODE_IP to any port 4789 proto udp ``` -------------------------------- ### Check Update Logs Source: https://docs.utmstack.com/guides/installation/installer-update-guide Review the last 100 lines of the UTMStack updater log file to check for any errors or warnings during the update process. ```bash sudo tail -100 /utmstack/updates/logs/utmstack-updater.log ``` -------------------------------- ### Verify Agent Connectivity with Curl and Telnet Source: https://docs.utmstack.com/guides/installation/firewall-rules Commands to test connectivity from an agent machine to the UTMStack server on agent communication ports. ```bash # Test from agent machine curl -k https://UTMSTACK_IP:9000 telnet UTMSTACK_IP 9000 ``` -------------------------------- ### Verify Certificate Files Source: https://docs.utmstack.com/guides/installation/ssl-certificate After a certificate update, check the validity dates of the certificate and the integrity of the private key to ensure they have been updated correctly and are secure. ```bash # Check Docker logs docker service logs utmstack_frontend # Verify certificate files openssl x509 -in /UTMStack/cert/utm.crt -noout -dates openssl rsa -in /UTMStack/cert/utm.key -check ``` -------------------------------- ### Check Sudo Privileges Source: https://docs.utmstack.com/guides/installation/installer-update-guide Verifies if the script is being run with sufficient sudo privileges. Returns an error if not. ```bash check_privileges() { log_verbose "Checking for sudo privileges..." if [[ $EUID -ne 0 ]] && ! sudo -n true 2>/dev/null; then log_error "This script requires sudo privileges" log_info "Please run with: sudo bash $0" return 2 fi log_verbose "Privileges check passed" return 0 } ``` -------------------------------- ### Check Network Connectivity Source: https://docs.utmstack.com/guides/installation/installation-from-iso Verify basic network connectivity by pinging a reliable external IP address. ```bash ping -c 3 8.8.8.8 ```