Você está na página 1de 47

Plixer International Guide

Scrutinizer Virtual Appliance Deployment

1
Table of Contents
What you need to know about deploying a Scrutinizer virtual appliance.................................................... 3
System Requirements ................................................................................................................................... 4
Scrutinizer OVF Deployment on ESX ............................................................................................................. 5
Upgrading the Virtual Machine Hardware Version for ESXi ....................................................................... 20
Installing VMware Tools for ESXi ................................................................................................................ 21
Expanding the database size for ESXi ......................................................................................................... 22
Scrutinizer Deployment on Hyper-V ........................................................................................................... 32
Expanding the database size for Hyper-V ................................................................................................... 38
Optimizing Scrutinizer datastores ............................................................................................................... 46
FAQ.............................................................................................................................................................. 47

2
Plixer International Guide
Scrutinizer Virtual Appliance Deployment

What you need to know about deploying a Scrutinizer virtual appliance

To help improve the deployment process, this section will outline the Scrutinizer Virtual Appliance (VA)
deployment process and give you the understanding of what is required to successfully complete this
deployment.

The Scrutinizer Virtual Appliance can be obtained from Plixer International or your local reseller;
and is downloaded as an all-in-one virtual appliance which can be deployed on an ESXi or Hyper-
V 2012 hypervisor.
You will need to obtain an appliance license or evaluation license from Plixer International or
your local reseller in order for the Scrutinizer Virtual Appliance to function properly.
It is recommended to give the Scrutinizer virtual machine NIC a static MAC address to prevent
the machine ID from changing. This is especially important in clustered virtual environments
where the VM can change hosts and MAC addresses. If the MAC address changes, the VM will
need a new license key.
The Scrutinizer Virtual Appliance is deployed on a hypervisor server; it will use 100GB of disk
space, 16GB of RAM, and 1 CPU with 4 cores.
The performance you get out of a Scrutinizer Virtual Appliance will be directly dependent on the
hardware in which its deployed on. Its recommended to dedicate, not share all the resources
that are allocated to the Scrutinizer virtual machine. This is especially important for the
Scrutinizer datastores. In environments with high volumes of NetFlow data, Scrutinizer will
require dedicated datastores which are discussed in further detail later in this document.
Scrutinizer hardware appliances are recommended for deployments of exceedingly high volume
of flow as they are designed to handle the highest flow rates.
With the default of 100GB of disk space, you can store up to 1 month of NetFlow v5 data from
25 devices at 1,500 flows a second. If youre planning on exceeding this volume of flow data, or
if you need to store data for longer than 30 days, there are detailed steps indicated below that
will show you how to expand the amount of disk space allocated to the appliance.
To enable the ability to shut down the Scrutinizer Virtual Appliance through vSphere, install
VMware Tools using the instructions in this document. Using the Power -> Off method will
result in database corruption.

Here at Plixer, we dont like our customers to encounter difficulty, so if you have any questions please
do not hesitate to contact our support team.

3
System Requirements
The Scrutinizer Virtual Appliance has the following requirements:

Minimum Specifications Recommended Specifications


Component
(for trial installations) (for production environments)

RAM 16GB 64GB

Disks 100GB 1+ TB 15K RAID 0 or 10 configuration

Processor 1 CPU 4 cores 2GHz+ 2 CPUs 8 Cores 2GHz+

Operating System ESX4, ESXi4, ESXi5, Hyper-V 2012 ESXi5, Hyper-V 2012

4
Scrutinizer OVF Deployment on ESX
1) Download the latest Scrutinizer Virtual Appliance
2) Using VMware vSphere, or vCenter, connect to the ESX host where you will deploy the
Scrutinizer Virtual Appliance

5
3) Go to File -> Deploy OVF Template

6
4) Select Deploy from file and browse to the downloaded Srutinizer.ovf file and then press
Next.

7
5) This step will show you the OVF template details, press Next.

8
6) Give your Scrutinizer VA a name and press Next.

9
7) Select your datastore and press Next.
NOTE: Be sure to read the Optimizing Scrutinizer Datastores section to obtain the best
performance and collection rates.

10
8) Select the network to be used by the Scrutinizer Virtual Appliance.

11
9) A summary of the options you chose will appear. Click Finish and it will import the Scrutinizer
Virtual Appliance. This can take a few moments.

12
10) Before powering on the Scrutinizer virtual machine, its important to set a static MAC address
for licensing purposes. Right click on the Scrutinizer VM and select, Edit Settings.

13
11) Select the Network adapter, set the MAC Address to Manual, enter in a unique MAC Address,
and then proceed to step 12.

14
12) The next step is to allocate and dedicate resources to the Scrutinizer virtual machine. For
evaluation purposes, the Scrutinizer OVF grabs 1CPU with 4 cores, 16GB of RAM, and 100GB of
disk space.

When deploying the Scrutinizer Virtual Appliance its recommended to increase the resources to
meet the recommend system requirements listed earlier in this document. Since all installs will
vary more resources may be required.

Start on the Hardware tab and increase the Memory, CPUs, and Hard disk as necessary (see
system requirements section for more detail).

15
Next, navigate to the Resources tab. Under CPU and Memory, set the Shares value to High and set
the Reservation value to the amount of resources dedicated to the virtual machine. Now press OK.

NOTE: The amount of RAM in the screenshot below is on a small test ESX server so it wont match a
production install.

16
13) Right click on the Scrutinizer virtual machine and power it on.

17
14) Navigate to the Console tab and login to the Scrutinizer Virtual Appliance using
root/scrutinizer. The server will perform a quick setup and immediately reboot.

18
15) Login to the server again and answer the provided questions. You will see the server download
and install the PDF converter. Press Enter and the server will reboot to apply the necessary
settings.

16) Now login to the Scrutinizer web interface in your web browser and apply the necessary
evaluation license keys.

19
Upgrading the Virtual Machine Hardware Version for ESXi
The Scrutinizer Virtual Appliance is built on Virtual Machine Hardware Version 7 to maintain backwards
compatibility with ESX 4.1 hypervisors. If youre running vSphere 5.0 or 5.1 you can take advantage of
the newer feature sets by upgrading the Virtual Machine Hardware Version as indicated below.

1) While the virtual machine is powered off, in vSphere (or vCenter), right click on the virtual
machine and select Upgrade Virtual Hardware.

2) Next, power on the virtual machine

20
Installing VMware Tools for ESXi
After you have powered on and gone through the initial Scrutinizer configuration, optionally, you can
install VMware Tools on the appliance. VMware Tools doesnt come installed by default because each
version of ESX installs a different VMware Tools package. Instead, theres a script located on the
appliance to install VMware Tools for you by following the procedure below:

1) In vSphere, right click on the Scrutinizer virtual machine and go to Guest -> Install/Upgrade
VMware Tools

2) On the console of the Scrutinizer Virtual Appliance, run /root/vmwareToolsInstall.sh

NOTE: Installing VMware Tools will allow you to properly shutdown the Scrutinizer virtual machine from
within vSphere by going to Power -> Shut Down Guest.

When shutting down the Scrutinizer virtual machine DO NOT select Power -> Power Off as it will result
in database corruption. Powering off a virtual machine is equivalent to unplugging a physical computer.

21
Expanding the database size for ESXi
Depending on the volume of NetFlow data that will be sent to the Scrutinizer appliance, you may need
to expand the size of the database. Expanding the size of the database is a multi-stage process, if you
have any questions please contact your support representative.

1) Power off the Scrutinizer virtual machine by logging in and issuing the shutdown -h now
command.

2) Add an additional hard drive to your Scrutinizer Virtual Appliance in vSphere by right clicking on
the Scrutinizer virtual machine and going to Edit Settings .

22
3) On the Hardware tab, click Add select Hard Disk and then click Next.

4) Select, Create a new virtual disk and then click Next.

23
5) Choose the type of Disk Provisioning and alter the Capacity of the disk size. Click Next.

6) The screenshot below is the default; be sure to specify any Advanced Options you require and
then click Next.

24
7) Review your changes and then click Finish.

8) Power on the virtual machine by right clicking on the Scrutinizer virtual machine in vSphere.
Mouse over to Power -> Power On.

25
9) Now that the new hard drive is added, we have to resize the volume group, the partition
volume, and the file system so that Scrutinizer can use the newly allocated space. Start by
logging into the Scrutinizer Virtual Appliance and running df -h" to view the current size of the
database, which is mounted on /var/db.

10) Start by increasing the size of the vg_scrut volume group. You can check the current size of the
vg_scrut volume group by running vgs vg_scrut

26
11) Now we need to determine the name of the newly added hard drive that will be added to the
vg_scrut volume group. You can find out the current drive schema by running fdisk -l". The
disk /dev/sda is the default 100GB of disk space. If this is the first time you are increasing disk
space, the disk will be named /dev/sdb. The last letter will increment with each new drive
that is added. For example, a 3rd drive will be called /dev/sdc.

27
12) Extend the vg_scrut group to include the newly added drive, /dev/sdb, by running:
vgextend vg_scrut /dev/sdb

13) Verify the above command was executed successfully and examine the new size of your
vg_scrut volume group by running: vgs vg_scrut

lv

14) Extend the Scrutinizer database volume with the new space that was added by running the
following command: lvextend --size +399.99g /dev/mapper/vg_scrut-lv_db. Be sure the size
you are increasing to is modified to accommodate the space you are adding. The above is for
400GB. Due to being 1 block short, the value had to be decreased to 399.99 from 400.

28
15) Inspect the new size of your logical volume to verify that the size has increased appropriately by
running: lvdisplay /dev/mapper/vg_scrut-lv_db and looking at the LV Size value.

16) Now we have to resize the file system to use the newly allocated space. First, we need to stop
the Scrutinizer services by running the following commands:

service plixer_flow_collector stop


service plixer_syslogd stop
service httpd stopfsc
service mysqld stop

17) Next, we need to un-mount the Scrutinizer database volume by running:


umount /dev/mapper/vg_scrut-lv_db

29
Df -

18) Before we can resize the file system, we have to check it for any errors by running:
fsck f /dev/mapper/vg_scrut-lv_db

19) Increase the file system to use all of the available space by running:
resize2fs /dev/mapper/vg_scrut-lv_db.

The time it takes for this command to complete depends on how much disk space is being
added to the file system.

20) Next, we need to re-mount the Scrutinizer database volume by running:


mount /dev/mapper/vg_scrut-lv_db /var/db

30
21) Verify that the database volume is now the correct size by running: df -h"

22) Start the Scrutinizer services by up by running the following commands:

service mysqld start


service plixer_flow_collector start
service plixer_syslogd start
service httpd start

23) Celebrate!

31
Scrutinizer Deployment on Hyper-V
1) Download the latest Scrutinizer Virtual Appliance
2) Unzip the file on your Hyper-V server
3) Open Hyper-V Manager and select Import Virtual Machine

32
4) Specify the Scrutinizer Incident Response System Folder

5) Select the Virtual Machine

33
6) Choose import Type

7) Go to Settings

34
8) Make sure the memory is set to 16GB

35
9) Select your Network Adapter and assign it to the appropriate Virtual Switch.

10) Expand the Network Adapter section, select Advanced Features, set the MAC Address to Static,
enter in a unique MAC Address, and then press OK.

36
11) Start the Virtual Machine.

12) Right Click on the Virtual Machine and click Connect to login to the Scrutinizer Virtual Appliance
using root/scrutinizer. The server will perform a quick setup and immediately reboot.

13) Login to the server again and answer the provided questions. You will see the server download
and install the PDF converter. Press Enter and the server will reboot to apply the necessary
settings.

14) Now login to the Scrutinizer web interface in your web browser and apply the necessary
evaluation license keys.

37
Expanding the database size for Hyper-V
Depending on the volume of NetFlow data that will be sent to the Scrutinizer appliance, you may need
to expand the size of the database. Expanding the size of the database is a multi-stage process, if you
have any questions please contact your support representative.

1) Power off the Scrutinizer virtual machine by logging in and issuing the shutdown -h now
command.

2) In the Hyper-V Manager, right click the Scrutinizer virtual machine and select, Settings.

3) Next, select the IDE Controller and press, Add to a hard drive.

38
4) Under Virtual hard disk, select New.

39
5) On the New Virtual Hard Disk Wizard, select, Next.

40
6) On the Choose Disk Format page, select VHDX. Its common for Scrutinizer VMs to expand past
2TB of disk space, so VHD is not recommended.

41
7) On the Choose Disk Type page, select your preferred disk type and then press, Next.

42
8) On the Specify Name and Location page, give your vhdx a name and then select the location for
the virtual disk.

43
9) Set the size of the new virtual disk and then press, Next.

44
10) Review the new disk settings and then press, Finish.

11) Power on the Virtual Machine


12) Follow steps 9-23 on Page 25 under the Expanding the database size for ESX

45
Optimizing Scrutinizer datastores
Due to the nature of NetFlow, large deployments require a very high volume of disk I/O. For the best
performance, the Scrutinizer Virtual Appliance should be deployed on a dedicated 15,000RPM RAID 10
datastore, with the amount of disk space that is required to meet your history setting requirements; 1.8
TB of disk space in RAID 10 is the recommended datastore deployment size.

If Scrutinizer is deployed on shared drives, such as a storage area network (SAN) or network-attached
storage (NAS), then collection rates cannot be guaranteed as the collection rates will directly depend on
what other applications are also using the same disk I/O.

In high flow volume environments, if you cannot get dedicated datastores, its recommended to use a
Scrutinizer Hardware Appliance for the dedicated resources and higher collection rates.

46
FAQ

- Q: I got the following UNEXPECTED INCONSISTENCY error when trying to power on the
Scrutinizer Virtual Appliance, what do I do now?

A: This error indicates that the clock on the ESX server is not set correctly and is in the past. As a
result, the disk checks fail which does not allow the virtual machine to start. To resolve this, set
your ESX host to sync with a NTP server and then re-deploy the Scrutinizer OVF.

- Q:How do I make the collector listen on a non-standard NetFlow port?


A: This is a 4 step process
1) Login to the web interface, navigate to Admin -> Settings -> System Preferences and
update the listener port.
2) From the Scrutinizer VA CLI, edit the /etc/sysconfig/iptables file and add a line
identical to another UDP line, but with your port number.
3) Type the command service iptables restart
4) Type the command service plixer_flow_collector stop then service
plixer_flow_collector start

- Q: How do I stop/start the services?


A: Run the following commands (stop|start means type one OR the other):
service plixer_flow_collector stop|start
service plixer_syslogd stop|start
service httpd stop|start
service mysqld stop|start

- Q: I have a German QWERTZ keyboard layout, how come I keep getting password failures when
logging into the appliance for the first time?
A: On the German QWERTZ keyboard layout, the Z and Y keys are switched. Youll need to
login with the password scrutiniyer.

- Q: Is the Scrutinizer Hyper-V image backwards compatible with Hyper-V 2008?


A: The Scrutinizer Hyper-V image uses features in Hyper-V 2012 that are not backwards
compatible with Hyper-V 2008.

47