The next part is installing the XSOAR application server. At this stage, I think everything is straightforward, as we already have:
- NFS: to store XSOAR content and setting data on /var/lib/demisto shared folder
- ElasticSearch: as XSOAR’s database to store mostly incident data
So before installing the XSOAR application, we need to make sure the XSOAR server can reach these services.
Step 1: have yourself a clean Linux server. In this guide, I use Ubuntu 18.04
Step 2: Set up the NFS client
We need this because the XSOAR app server will be an NFS client that mounts and accesses the shared folder on the NFS server.
sudo apt update
sudo apt install nfs-common
Step 3: Create the /var/lib/demisto folder and mount it from NFS
sudo mkdir -p /var/lib/demisto
sudo mount 172.17.2.7:/var/lib/demisto /var/lib/demisto
(the first /var/lib/demisto, after 172.17.2.7:, is the export path on the NFS server; the second /var/lib/demisto is the local mount point on the XSOAR server)
And check that it is there:
xsoar-app1:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 0 3.9G 0% /dev
tmpfs 797M 784K 796M 1% /run
/dev/sda1 29G 11G 19G 37% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda15 105M 6.1M 99M 6% /boot/efi
172.17.2.7:/var/lib/demisto 29G 6.8G 23G 24% /var/lib/demisto
Make it survive a reboot by adding this line to /etc/fstab:
172.17.2.7:/var/lib/demisto /var/lib/demisto nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0
Step 4: Install the XSOAR application
Now we are good to install the XSOAR application. Just follow the simple steps below; with an internet connection the server will be installed in about 10-15 minutes.
wget -O demisto.sh "[direct download link]"
chmod +x demisto.sh
For multi-tenancy deployment
sudo ./demisto.sh -- -y -multi-tenant -elasticsearch-url=http://172.16.4.3:9200,http://172.16.4.4:9200,http://172.16.4.5:9200
For single-tenancy deployment
sudo ./demisto.sh -- -y -elasticsearch-url=http://172.16.4.3:9200,http://172.16.4.4:9200,http://172.16.4.5:9200
(if you have a load balancer in front of Elasticsearch, put the LB IP address as the -elasticsearch-url value)
Step 5: Verify the installation
xsoar-app1:~$ systemctl status demisto
● demisto.service - Demisto Server Service
Loaded: loaded (/etc/systemd/system/demisto.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-03-14 22:53:16 UTC; 6h ago
Main PID: 1273 (server)
Tasks: 23 (limit: 4915)
CGroup: /system.slice/demisto.service
├─1273 /usr/local/demisto/server
└─3936 docker run -i --rm --name demistoserver_pyexec-6ef6ce82-023d-4f39-8dce-e827679d5826-demistopython1.3-alpine--1 --env HTTP_PROXY= --env http_proxy= --env HTTPS_PROXY= --env https_proxy= --log-drive
If the status is Stopped (not running), the problem most likely comes from a permission issue on /var/lib/demisto.
You can fix it with:
sudo chown -R demisto:demisto /var/lib/demisto
sudo systemctl start demisto
Just repeat the same steps for as many XSOAR app servers as you wish, but I think 2 is more than enough :)
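Before repeating the steps on the next server, it helps to confirm the two dependencies the whole setup relies on. The script below is an added example written for this post (not from the guide or from the vendor): it checks that /var/lib/demisto is really an NFS mount from the export, that the fstab entry carries nofail, that the demisto user can write to the share (the cause of the Stopped service above), and that each Elasticsearch node answers _cluster/health with a non-red status. The addresses are the ones used in this guide, and the service user name demisto is assumed from the chown in Step 5.

```shell
#!/bin/sh
# Added pre-flight check for an XSOAR app server (example written for this post, not from
# the guide or from the vendor). Values below are the guide's: NFS export on 172.17.2.7,
# Elasticsearch nodes 172.16.4.3-5; the service user "demisto" is assumed from Step 5.
NFS_EXPORT="172.17.2.7:/var/lib/demisto"
MOUNT_POINT="/var/lib/demisto"
ES_NODES="http://172.16.4.3:9200 http://172.16.4.4:9200 http://172.16.4.5:9200"

# nfs_mounted MOUNTS_TEXT: succeed if the text (format of /proc/mounts) shows NFS_EXPORT
# mounted on MOUNT_POINT with an nfs/nfs4 filesystem type.
nfs_mounted() {
  printf '%s\n' "$1" | awk -v src="$NFS_EXPORT" -v mp="$MOUNT_POINT" \
    '$1 == src && $2 == mp && $3 ~ /^nfs/ { found = 1 } END { if (found) exit 0; exit 1 }'
}

# fstab_has_entry FSTAB_TEXT: succeed if an uncommented line mounts NFS_EXPORT on MOUNT_POINT
# as nfs with the nofail option, so an unreachable NFS server cannot hang the boot.
fstab_has_entry() {
  printf '%s\n' "$1" | awk -v src="$NFS_EXPORT" -v mp="$MOUNT_POINT" \
    '$1 !~ /^#/ && $1 == src && $2 == mp && $3 == "nfs" && $4 ~ /(^|,)nofail(,|$)/ { found = 1 }
     END { if (found) exit 0; exit 1 }'
}

# es_status_ok HEALTH_JSON: succeed if a _cluster/health response reports green or yellow;
# an empty string (node unreachable) or a red cluster fails.
es_status_ok() {
  printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"(green|yellow)"'
}

# check DESCRIPTION COMMAND [ARGS...]: print OK/FAIL and remember any failure.
check() { desc="$1"; shift; if "$@"; then echo "OK   $desc"; else echo "FAIL $desc"; FAILED=1; fi; }

run_checks() {
  FAILED=0
  check "$MOUNT_POINT mounted from $NFS_EXPORT" nfs_mounted "$(cat /proc/mounts)"
  check "/etc/fstab entry with nofail for $MOUNT_POINT" fstab_has_entry "$(cat /etc/fstab)"
  # The guide's fix for a Stopped service is chown demisto:demisto, so test writability as that user.
  check "user demisto can write to $MOUNT_POINT" sudo -n -u demisto test -w "$MOUNT_POINT"
  for node in $ES_NODES; do
    check "$node reachable, cluster status not red" es_status_ok "$(curl -s --max-time 5 "$node/_cluster/health")"
  done
  return $FAILED
}

# Only touch the live system when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as `sh preflight.sh run` on each app server after Step 4; a FAIL on the write check is exactly the case fixed by the chown in Step 5.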
All set, how do you feel? If you want to discover more about the multi-tenancy setup, see here.