Installation
Network Probe Service Installation
Energy Logserver Network Probe is installed as part of the main installation package. The service is managed via systemd.
Service Management
Note
The Network Probe service requires license-service to be running. If license-service is not active, the Network Probe will fail to start.
Start Network Probe service:
systemctl start logserver-probe
Enable Network Probe to start on boot:
systemctl enable logserver-probe
Check service status:
systemctl status logserver-probe
Bundled Services
The Network Probe installation includes the following components, each running as a separate systemd service:
| Component | Service | Description |
|---|---|---|
| Network Probe | | Pipeline engine for log ingestion and processing |
| Kafka | | Message queue for data transport between probe and Data Node |
| Zookeeper | | Coordination service required by Kafka |
| Zeek | | Network traffic analyzer (NDR) |
| Suricata | | Network IDS/IPS engine |
| pmacct (NetFlow) | | NetFlow/IPFIX collector |
| pmacct (sFlow) | | sFlow collector |
Note
Not all services are required in every deployment. Enable only the components relevant to your use case. Services can be managed from the GUI via the Management Interface.
Warning
Zeek, Suricata, and pmacct require a dedicated network interface for traffic capture. Configure the listening interface before starting these services:
Zeek: /opt/zeek/etc/node.cfg
Suricata: /etc/suricata/suricata.yaml
pmacct (NetFlow): /etc/pmacct/nfacctd-instance1.conf
pmacct (sFlow): /etc/pmacct/sfacctd-instance1.conf
Configuration Files
Network Probe configuration files are located in:
Main configuration: /etc/logserver-probe/logserver-probe.yml
Pipeline configurations: /etc/logserver-probe/pipelines.yml and /etc/logserver-probe/pipelines.d/
Input/Filter/Output configs: /etc/logserver-probe/conf.d/
JVM options: /etc/logserver-probe/jvm.options
TLS Configuration
Default Configuration (7.6.1 and later)
Since version 7.6.1, a default configuration of the enabled algorithms is shipped at /etc/logserver-probe/java.properties.
Make sure /etc/logserver-probe/jvm.options contains the following definition:
-Djava.security.properties=/etc/logserver-probe/java.properties
You can edit /etc/logserver-probe/java.properties; changes are applied after Network Probe is restarted.
Manual Configuration (7.6.0 and before)
For versions 7.6.0 and earlier, follow these steps:
Create file /etc/logserver-probe/java.properties with content:
security.useSystemPropertiesFile=false
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, SHA1, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacMD5, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
jdk.tls.legacyAlgorithms=
Add to /etc/logserver-probe/jvm.options:
-Djava.security.properties=/etc/logserver-probe/java.properties
Changes are applied after the Network Probe service is restarted.
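To check that a host's files match the settings above, the following added example (not part of the Energy Logserver documentation or product) audits the two files named on this page; the function names `prop_value`, `list_has` and `audit_tls` are hypothetical. Protocol names are matched exactly, so an entry for TLSv1.1 is not mistaken for TLSv1.

```shell
#!/bin/sh
# Added example: audit the TLS hardening files described on this page.
# File paths come from the page; all function names are hypothetical.

# Print the value of KEY from a Java properties file (last definition wins).
prop_value() {  # usage: prop_value FILE KEY
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }                      # skip comment lines
    { i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
      if (key == k) v = substr($0, i + 1) }
    END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# Succeed if TOKEN is an exact entry of the comma-separated LIST.
list_has() {  # usage: list_has LIST TOKEN
  printf '%s\n' "$1" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$2"
}

# Print each deviation from the page's settings; return 1 if any was found.
audit_tls() {  # usage: audit_tls PROPS_FILE JVM_OPTIONS_FILE
  rc=0
  # The properties file is only read if jvm.options points the JVM at it.
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$2" |
    grep -Fxq -- "-Djava.security.properties=$1" ||
    { echo "FAIL: $2 does not load $1"; rc=1; }
  disabled=$(prop_value "$1" jdk.tls.disabledAlgorithms)
  for proto in SSLv2 SSLv3 TLSv1 TLSv1.1; do
    list_has "$disabled" "$proto" || { echo "FAIL: $proto not disabled"; rc=1; }
  done
  dh=$(prop_value "$1" jdk.tls.ephemeralDHKeySize)
  [ "${dh:-0}" -ge 2048 ] 2>/dev/null ||
    { echo "FAIL: jdk.tls.ephemeralDHKeySize=${dh:-unset}"; rc=1; }
  [ -z "$(prop_value "$1" jdk.tls.legacyAlgorithms)" ] ||
    { echo "FAIL: jdk.tls.legacyAlgorithms is not empty"; rc=1; }
  return "$rc"
}

# Audit the two files named on the command line, if any were given.
if [ "$#" -eq 2 ]; then audit_tls "$1" "$2" && echo "OK"; fi
```

Pass the properties file and then jvm.options as the two arguments; the script prints one FAIL line per deviation, or OK when none is found.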
MasterAgent TLS
Since version 7.6.1, MasterAgent has predefined strong ciphers already set. Updating is recommended.
For MasterAgent configuration, see Agents and Language Settings.
Post-installation Verification
Verify Network Probe is running:
systemctl status logserver-probe
Check Network Probe logs:
journalctl -u logserver-probe -f
Verify Network Probe is listening on configured ports:
netstat -tulnp | grep java
Test pipeline configuration:
/usr/share/logserver-probe/bin/logstash --config.test_and_exit