
Samurai Local Collector

    If you have determined that you require a local collector, follow the steps below to learn what you need to get started, to create, configure and download a local collector from the Samurai MDR portal, and to ensure it is working as expected.

    1. Take a moment to understand what you need to get started
    2. Create, configure and download a Collector
    3. Install a Collector
    4. Validate Collector Status
    5. Collector Status Notifications
    6. What’s next?
    7. Deleting a Collector

    What you need to get started

    • Access to the Samurai MDR portal and your specific tenant.

    • A hypervisor to run the virtual machine, for example VMware vSphere, Microsoft Hyper-V, Amazon EC2 or Azure Virtual Machine

    • Make any necessary changes to your network and security controls to comply with the collector's connectivity requirements (see the table below).

    • A static IP address for the collector and DNS server IP addresses unless you decide to use DHCP.

    • Access to your products to make necessary changes outlined within the relevant integration guide.

    Minimum Virtual Machine Requirements

    CPU    | 2 vCPU
    Disk   | 500 GB disk
    Memory | 4 GB

    Connectivity required for the Collector

    The collector requires connectivity to the resources outlined in the table below. You may need to update your security controls (e.g. firewall rules or proxy allow-lists) to permit this outbound connectivity.

    Function | Protocol | Port | Source | Destination | Details
    Enrolment, Telemetry | TCP | 443 | Collector | *.*.security.ntt, nttsecurity.io, .nttsecurity.io, .*.nttsecurity.io, samurai-xdr-prod-westeurope-xgliuoit.azure-api.net | All regular backend communication, telemetry
    Remote Management | TCP | 443 | Collector | ra.cto.nttsecurity.io, deb.releases.teleport.dev, apt.releases.teleport.dev | Used for remote administration of the collector (not mandatory; used when troubleshooting)
    NTP | UDP | 123 | Collector | Client infrastructure (NTP server(s)) if configured in the Samurai app, OR 0.ubuntu.pool.ntp.org, 1.ubuntu.pool.ntp.org, 2.ubuntu.pool.ntp.org, 3.ubuntu.pool.ntp.org | Time synchronization
    DNS | UDP | 53 | Collector | Client infrastructure (DNS server(s)) or external DNS servers (based on your collector configuration) | Domain name resolution
    Ubuntu updates | TCP | 80, 443 | Collector | *.ubuntu.com, api.snapcraft.io | Ubuntu software repository
    Container Management | TCP | 443 | Collector | docker.com, *.docker.com, docker.io, *.docker.io (private container registry) | Private container registry
    Amazon Cloud dependencies | TCP | 443 | Collector | *.cloudfront.net | Amazon CDN used by Collector API
    Log storage | TCP | 443 | Collector | *.s3.*.amazonaws.com | Amazon Cloud storage (not mandatory; used when troubleshooting)
    Telemetry data | based on product (see Integration guide) | based on product | Client Product | Collector | Frequent data transfer (based on product)
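The following script is an added example (not part of the Samurai MDR documentation or the collector itself) of a pre-flight egress check you can run from the network segment where the collector VM will be placed, before enrolment, to confirm that DNS and the outbound TCP/443 rules from the table above are in place. The rule list embedded in it is a constructed subset of the table; wildcard entries such as *.ubuntu.com cannot be probed as written and are reported for manual review, and UDP destinations (NTP) are only resolved, not connected to. Tool names (`nc`, `getent`, `timeout`) are assumptions about what is installed on the host you run it from.

```shell
#!/bin/sh
# Added example: pre-flight outbound connectivity check for a collector deployment.
# Not part of the Samurai MDR product; the rule list is a constructed subset of the
# documented connectivity table. Run with:  sh egress-check.sh --run

# One rule per line: function|protocol|port|destination
COLLECTOR_EGRESS_RULES='Enrolment, Telemetry|tcp|443|nttsecurity.io
Remote Management|tcp|443|ra.cto.nttsecurity.io
Remote Management|tcp|443|deb.releases.teleport.dev
Remote Management|tcp|443|apt.releases.teleport.dev
NTP|udp|123|0.ubuntu.pool.ntp.org
Ubuntu updates|tcp|443|*.ubuntu.com
Ubuntu updates|tcp|443|api.snapcraft.io
Container Management|tcp|443|docker.io
Amazon Cloud dependencies|tcp|443|*.cloudfront.net'

# Field accessors for one rule line.
rule_field() { printf '%s\n' "$1" | cut -d'|' -f"$2"; }
rule_proto() { rule_field "$1" 2; }
rule_port()  { rule_field "$1" 3; }
rule_host()  { rule_field "$1" 4; }

# A destination containing '*' is a pattern, not a host we can connect to.
is_wildcard() { case "$1" in *\**) return 0 ;; *) return 1 ;; esac; }

# DNS resolution check: prefers getent (glibc/busybox), falls back to nslookup.
host_resolves() {
  if command -v getent >/dev/null 2>&1; then
    getent hosts "$1" >/dev/null 2>&1
  else
    nslookup "$1" >/dev/null 2>&1
  fi
}

# TCP connect check with a 5 s timeout: nc if present, otherwise bash's /dev/tcp.
tcp_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  elif command -v bash >/dev/null 2>&1; then
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  else
    return 2   # no probe tool available on this host
  fi
}

# Evaluate one rule; prints a verdict line and returns non-zero only on FAIL.
check_rule() {
  rule="$1"
  host=$(rule_host "$rule"); port=$(rule_port "$rule"); proto=$(rule_proto "$rule")
  if is_wildcard "$host"; then
    echo "MANUAL $proto/$port $host (wildcard: probe a concrete host in this domain)"; return 0
  fi
  if ! host_resolves "$host"; then
    echo "FAIL   $proto/$port $host (DNS resolution failed: check the UDP/53 rule and DNS settings)"; return 1
  fi
  if [ "$proto" = "udp" ]; then
    echo "SKIP   $proto/$port $host (resolves; UDP cannot be probed with a plain connect)"; return 0
  fi
  if tcp_reachable "$host" "$port"; then
    echo "PASS   $proto/$port $host"; return 0
  fi
  echo "FAIL   $proto/$port $host (TCP connect failed: check the outbound firewall/proxy rule)"; return 1
}

# Runs every rule; the return value is the number of FAIL verdicts (0 = all good).
run_egress_checks() {
  failures=0
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    check_rule "$rule" || failures=$((failures + 1))
  done <<EOF
$COLLECTOR_EGRESS_RULES
EOF
  return "$failures"
}

# Network probes only run when explicitly requested, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
  run_egress_checks
  echo "failures: $?"
fi
```

A non-zero failure count points at a specific rule (DNS versus TCP connect), which is usually enough to tell whether the problem is the collector's DNS configuration or a missing firewall or proxy allow-list entry. If your environment forces outbound HTTPS through the optional proxy, run the check from a host that uses the same proxy, since a plain TCP connect bypasses it.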

    Create, Configure and Download a Collector

    1. From your Samurai MDR portal tenant, click Telemetry and select Collectors from the main menu

    2. Select Create Collector

    3. Select Local collector

    4. Complete the fields as required.

    Field | Description
    Collector name | A nickname for the collector
    Description (Optional) | A description of your collector; this could be the property name where it is installed
    Location (Optional) | Useful if you have collectors in multiple locations
    Hostname | A hostname for your collector
    Proxy Server IP (Optional) | Optional HTTP proxy IP address
    NTP Servers (Optional) | Input your own NTP server IP addresses
    DHCP or Static | Determine whether the collector will use DHCP or specify your own static IP address and network information

    5. Select Create Collector once you have completed all relevant fields

    6. Select the Collector you created by clicking the Name used in Step 2

    7. Select Download

    • The files you need to download are based on your Hypervisor. The options available for download are:

      • Configuration
        • iso - configuration file for your collector, this file is always required
      • Cloud init
        • AWS - used to provide cloud-init data to AWS instance
        • Azure - used to provide cloud-init data to Azure instance
      • Virtual machine
        • vmdk - disk image (not needed if using the ova)
        • vhdx - virtual hard disk format used for Hyper-V
        • ova - virtual machine that the collector will run (includes disk image) for VMware
    8. Download the iso configuration file and also the relevant file needed for your hypervisor.

    Install a Collector

    Based on your hypervisor follow the relevant section:

    VMware vSphere

    Follow the documentation from VMware:

    1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
    2. Be sure to select the .ova file you downloaded when asked for the file to deploy your virtual machine from.

    Once complete, follow the VMware article to configure a datastore ISO file:

    1. Be sure to select the .iso file you downloaded when asked to select a file

    The VM is now ready to be powered on.

    Microsoft Hyper-V

    Follow the documentation from Microsoft:

    1. When asked to provide a virtual machine name, we suggest samurai-nttsh-collector
    2. Use the Virtual Machine Requirements when configuring memory and network
    3. When asked to Connect Virtual Hard Disk, be sure to use the .vhdx file you previously downloaded
    4. For Installation Options, be sure to use the .iso file you previously downloaded

    Once you have completed setup of your Collector, ensure it is running and validate its status within the Samurai MDR portal; on initial setup this can take a little while.

    Amazon EC2

    Prerequisite steps:

    1. Ensure you have the AWS cloud-init.yaml file you downloaded from Create, Configure and Download a Collector. This file will be used later during EC2 instance deployment.

    Follow the vendor documentation from Amazon to launch an EC2 instance:

    Perform the following adjustments to the vendor documentation when launching the instance:

    1. During step 4.a, select Ubuntu as the AMI.
    2. During step 4.b, select the latest Ubuntu AMI.
    3. During step 5, select a suitable Instance Type based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
    4. During steps 6 and 7, set Key pair and Network Settings as per your AWS policies, ensuring the Network settings still fulfil the Connectivity required for the Collector.
    5. Before step 8, modify the Configure storage section with the following settings:
      1. Adjust the Root Volume to be at least 64 GiB.
      2. Add a secondary volume with at least 500 GiB according to the Minimum Virtual Machine Requirements.
    6. Before step 8, expand the Advanced details section and paste the content of the cloud-init.yaml file into the User data section. Ensure that the check box "User data has already been base64 encoded" is not enabled.
    7. Proceed with step 8 and finish the rest of the installation as per the vendor documentation.

    Azure Virtual Machine

    Prerequisite steps:

    1. Ensure you have the Azure cloud-init.yaml file you downloaded from Create, Configure and Download a Collector. This file will be used later during the Virtual Machine instance deployment.

    Follow the vendor documentation from Microsoft to launch a Virtual Machine instance:

    Perform the following adjustments to the vendor documentation when launching the instance:

    1. Under the Basics tab, select Ubuntu Server 22.04 LTS as the image.
    2. Under the Basics tab, select a suitable Size based on estimated performance requirements while fulfilling the Minimum Virtual Machine Requirements.
    3. Under the Disks tab, add one data disk with at least 500 GiB according to the Minimum Virtual Machine Requirements.
    4. Under the Advanced tab, paste the contents of cloud-init.yaml into the Custom data field.
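The Amazon EC2 and Azure Virtual Machine procedures above are console walkthroughs. The script below is an added example (not part of the Samurai MDR documentation, and not a supported installation path from the vendor) of the equivalent launches using the AWS CLI and Azure CLI, so the same settings can be reviewed and repeated: the downloaded cloud-init.yaml is passed as plain text (both CLIs base64-encode it themselves, which is the same as leaving "User data has already been base64 encoded" unchecked in the AWS console), the root/OS disk is set to 64 GiB and a 500 GiB data disk is attached. The 64 GiB OS disk on Azure mirrors the AWS root-volume step and is an assumption, as are the instance sizes (t3.medium and Standard_B2s, both 2 vCPU / 4 GiB), the `#cloud-config` header check, and every ID, name and resource group, which are placeholders.

```shell
#!/bin/sh
# Added example: launch the collector VM with the AWS CLI or Azure CLI.
# Not part of the Samurai MDR documentation. AMI, subnet, security group,
# key pair, resource group and instance sizes are placeholders/assumptions.
# Usage:  CLOUD_INIT_FILE=./cloud-init.yaml sh launch-collector.sh aws|azure

CLOUD_INIT_FILE="${CLOUD_INIT_FILE:-./cloud-init.yaml}"

# The cloud-init file must exist, be non-empty and be the plain YAML from the portal.
# Both CLIs base64-encode user/custom data themselves, so a file that was already
# encoded would be double-encoded and ignored by cloud-init. The '#cloud-config'
# first-line marker is cloud-init's standard header (assumed to be present).
cloud_init_ok() {
  f="$1"
  [ -s "$f" ] || { echo "cloud-init file '$f' is missing or empty" >&2; return 1; }
  case "$(head -n 1 "$f")" in
    '#cloud-config'*) return 0 ;;
    *) echo "'$f' does not start with #cloud-config; is it already base64-encoded?" >&2; return 1 ;;
  esac
}

# EC2 block device mapping: 64 GiB root volume plus a 500 GiB secondary volume.
aws_block_device_mappings() {
  cat <<'JSON'
[
  {"DeviceName": "/dev/sda1", "Ebs": {"VolumeSize": 64,  "VolumeType": "gp3", "DeleteOnTermination": true}},
  {"DeviceName": "/dev/sdf",  "Ebs": {"VolumeSize": 500, "VolumeType": "gp3", "DeleteOnTermination": true}}
]
JSON
}

# EC2 launch. ami-PLACEHOLDER must be the latest Ubuntu AMI in your region.
launch_collector_aws() {
  cloud_init_ok "$CLOUD_INIT_FILE" || return 1
  aws ec2 run-instances \
    --image-id ami-PLACEHOLDER \
    --instance-type t3.medium \
    --key-name my-keypair \
    --subnet-id subnet-PLACEHOLDER \
    --security-group-ids sg-PLACEHOLDER \
    --block-device-mappings "$(aws_block_device_mappings)" \
    --user-data "file://$CLOUD_INIT_FILE" \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=samurai-nttsh-collector}]'
}

# Azure launch: Ubuntu 22.04 LTS image, 64 GiB OS disk, one 500 GiB data disk,
# cloud-init passed as custom data (the CLI reads the file path given).
launch_collector_azure() {
  cloud_init_ok "$CLOUD_INIT_FILE" || return 1
  az vm create \
    --resource-group my-resource-group \
    --name samurai-nttsh-collector \
    --image Ubuntu2204 \
    --size Standard_B2s \
    --os-disk-size-gb 64 \
    --data-disk-sizes-gb 500 \
    --custom-data "$CLOUD_INIT_FILE" \
    --admin-username azureuser \
    --generate-ssh-keys
}

case "${1:-}" in
  aws)   launch_collector_aws ;;
  azure) launch_collector_azure ;;
  *)     echo "usage: $0 aws|azure   (set CLOUD_INIT_FILE to the downloaded cloud-init.yaml)" >&2 ;;
esac
```

Whichever path you use, the security group or network security group attached to the instance still has to allow the outbound destinations in the Connectivity required for the Collector table, and the collector status in the portal is the final confirmation that the cloud-init data was applied.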

    Validate Collector Status

    1. Click Telemetry and select Collectors from the main menu

    2. Select the relevant Collector from the presented list

    3. View Status

    Status | Description
    Offline | Collector created but not online
    Unavailable | Collector has been online but is no longer available
    Healthy | Collector deployed and add-on components deployed (including Integrations and/or Evidence Fetchers)
    Not-Healthy | Component(s) deployed on the Collector are not healthy
    Provisioning | Collector is in setup

    After you provision a Collector VM and start it, it will go through a process of installing updates and modules specified in the configuration ISO file you downloaded. The time taken depends on factors such as the speed of the hardware you are running the Collector on and connectivity to the repositories it downloads updates from. In some cases this process can take around 30 minutes.

    The Collector may show as "Offline" during the initial provisioning steps. This is not a cause for alarm.

    If you have any problems, please submit a ticket via the Samurai MDR portal.

    Collector Status Notifications

    Samurai will send email notifications to registered application users should your Local Collector status change from Healthy to Not-Healthy or Unavailable. Once any issues have been resolved, you will also be notified again when a Healthy status is reached.

    What’s next?

    You should now have a collector running within your environment!

    The next step is to start configuring integrations which will allow the Samurai platform to start receiving your telemetry data.

    Select Integrations Overview for more information on integrations and where to start.

    If you require high availability for your collector, this can be achieved using the capabilities of your virtualization platform.

    Deleting a Collector

    If you need to delete a local collector you can do so by following the steps below:

    1. From your Samurai MDR portal click Telemetry and select Collectors
    2. Select the relevant collector from your list
    3. On the right-hand side of the relevant collector, click the more options icon and select Delete Collector
    4. The following warning will appear: "Warning: This is a destructive action and cannot be reversed." To confirm that you intend to delete the collector, type DELETE in the field and select Delete Collector

    Replacing a Collector

    If for some reason a Local Collector VM is lost due to corruption or damage, such as a major disk storage failure, you may need to replace your Collector. If this happens, delete the old Collector in the Samurai MDR portal, discard your old Collector VM image, and then create a new Collector using the process described under Install a Collector.