Data Lake Administration Guide

Cluster Operations

Hardware and Virtual Deployments Only

Configuring Exabeam Data Services Data Retention in Exabeam Data Lake

Hardware and Virtual Deployments Only

Note

To configure this feature, please contact your Exabeam technical representative.

By default, the retention policy for Exabeam Data Services (EDS) data is 30 days. Therefore, LDIF (LDAP Data Interchange Format) files collected daily from the LDAP (Lightweight Directory Access Protocol) server(s) are retained for 30 days.

In general, the 30-day default period is suitable for the average customer and does not affect product behavior or performance. However, some customers may need to reprocess older events, which may include events related to users or assets that are no longer active and won't be found in the current context tables. In this specific case, the events will be reprocessed but might not be able to leverage the historical contextual information.

To configure the EDS data retention period:

  1. Access the EDS custom application.conf file: /opt/exabeam/config/common/eds/custom/application.conf

  2. Add the value here, where N is the total number of retention days:

    EDS.Defaults.RetentionPeriod = N days

  3. Stop, and then start EDS again:

    eds-stop 
    eds-start

Re-Assign to a New IP (Appliance Only)

Hardware Deployments Only

Note

These instructions apply to Exabeam appliances only. For instructions on re-assigning IPs in virtual deployments, please contact Exabeam Customer Success by opening a case at Exabeam Community.

  1. Set up a named session to connect to the host. This will allow the process to continue in the event you lose connection to the host.

    screen -LS [session_name]

  2. Enter the cluster configuration menu.

    source /opt/exabeam_installer/init/exabeam-multinode-deployment.sh

  3. From the list of options, choose Change network settings.

  4. Choose Change IP of cluster hosts.

  5. Choose Change IP(s) of the cluster - Part I (Before changing IP).

  6. You will go through a cleanup of any previous Exabeam installations.

    Do you want to continue with uninstalling the product? [y/n] y

  7. Acknowledge the Exabeam requisites.

    **********************************************************************
    Part I completed. Nuke successful. Product has been uninstalled.
    ***Important***
    Before running Part II, please perform these next steps below (Not optional!):
    - Step 1 (Manual): Update the IPs (using nmtui or tool of choice)
    - Step 2 (Manual): Restart network (e.g., systemctl restart network)
    **********************************************************************
    Please enter 'y' if you have read and understood the next steps: [y/n] y

  8. Open nmtui on each host in the cluster whose IP address will be changed.

    sudo nmtui

  9. Go to Edit Connection and then select the network interface.

  10. The example below shows the menu for the network hardware device eno1. Go to ETHERNET > IPv4 CONFIGURATION.

    The menu for the network hardware device eno1, with the Ethernet and IPv4 Configuration sections highlighted with a red rectangle.

    Warning

    Please apply the correct subnet CIDR block when entering [ip]/[subnet]. Otherwise, network routing will fail or behave unpredictably.

  11. Set the configuration to MANUAL, and then modify the IP address in Addresses.

  12. Click OK to save changes and exit the menu.

  13. Restart the network services.

    sudo systemctl restart network

  14. Enter the cluster configuration menu again.

    /opt/exabeam_installer/init/exabeam-multinode-deployment.sh

  15. Choose Change network settings.

  16. Choose Change IP of cluster hosts.

  17. Choose Change IP(s) of the cluster - Part II (Before changing IP)

  18. Acknowledge the Exabeam requisites.

    **********************************************************************
    Please make sure you have completed all the items listed below:
    - Complete Part I successfully (nuke/uninstall product)
    - (Manual) Update the IPs (using nmtui or tool of choice)
    - (Manual) Restart network (e.g., systemctl restart network)
    **********************************************************************
    Do you want to continue with Part II? [y/n] y
    
  19. Provide the new IP of the host.

    What is the new IP address of [hostname]? (Previous address was 10.70.0.14)[new_host_ip]

  20. Update your DNS and NTP server information, if they have changed. Otherwise, answer n.

    Do you want to update your DNS server(s)? [y/n] n
    Do you want to update your NTP server? [y/n] n
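
The [ip]/[subnet] value from the warning in step 10 can be checked before it is typed into nmtui. The script below is an added example, not part of the Exabeam installer or documentation; the function names, the gateway argument, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Exabeam code. Sample addresses are constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer, fail if malformed.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*|????*) return 1 ;; esac   # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_cidr ADDR/PREFIX GATEWAY (the gateway argument is an assumption of
# this example). Prints "ok <network>/<prefix>" or the reason for rejection.
check_cidr() {
    case "$1" in */*) ;; *) echo "missing /prefix"; return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$prefix" in ""|*[!0-9]*|0*) echo "bad prefix"; return 1 ;; esac
    [ "$prefix" -le 30 ] || { echo "bad prefix"; return 1; }
    a=$(ip_to_int "$addr") || { echo "bad address"; return 1; }
    g=$(ip_to_int "$2")    || { echo "bad gateway"; return 1; }

    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( a & mask ))
    bcast=$(( net | (~mask & 4294967295) ))

    # A host cannot use the network or broadcast address of its own subnet.
    if [ "$a" -eq "$net" ] || [ "$a" -eq "$bcast" ]; then
        echo "address is the network or broadcast address"; return 1
    fi
    # A wrong prefix usually shows up as a gateway that is no longer on-link.
    [ $(( g & mask )) -eq "$net" ] || { echo "gateway outside subnet"; return 1; }
    echo "ok $(int_to_ip "$net")/$prefix"
}

# Constructed sample values: the first passes, the second has the wrong prefix.
check_cidr 10.70.1.14/24 10.70.1.1
check_cidr 10.70.1.130/25 10.70.1.1 || true
```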

Display a Custom Login Message

You can create and display a custom login message for your users. The message is displayed to all users before they can proceed to log in.

To display a custom login message:

  1. On a web browser, log in to your Exabeam web console using an account with administrator privileges.

  2. Navigate to Settings > Admin Operations > Login Message.

    Login Message in Admin Operations to set the custom login message.
  3. Click EDIT.

    Admin Operations settings, under the Login Message tab, with the Edit button highlighted with a red circle.
  4. Enter a login message in Message Content.

    Note

    The message content has no character limit and must follow UTF-8 format. It supports empty lines between text. However, it does not support special print types, links, or images.

    Admin Operation settings, under the Login Message tab, with the Message Content header highlighted with a red circle.

    A common type of message is a warning message. The following example is a sample message:

    Usage Warning

    This computer system is for authorized use only. Users have no explicit or implicit expectation of privacy.

    Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to an authorized site. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of the authorized site.

    Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

    Note

    This sample warning message is intended to be used only as an example. Do not use this message in your deployment.

  5. Click SAVE.

    Admin Operations settings, under the Login Message tab, with the Save button highlighted with a red circle.
  6. Click the Display Login Message toggle to enable the message.

    Note

    You can hide your message at any time without deleting it by disabling the message content.

    Display Login Message tab switched off.

Your custom login message is now shared with all users before they proceed to the login screen.

Exabeam Cluster Authentication Token

Hardware and Virtual Deployments Only

The cluster authentication token is used to verify identities between clusters that have been deployed in phases as well as HTTP-based log collectors. Each peer cluster in a query pool must have its own token. You can set expiration dates during token creation or manually revoke tokens at any time.

To generate a token:

  1. Navigate to Settings > Admin Operations > Cluster Authentication Token.

  2. At the Cluster Authentication Token menu:

    1. To configure a new token, click the add icon (a blue circle with a white plus sign).

    2. Or, to edit an existing configuration, click the edit icon (a pen-shaped icon).

  3. In the Setup Token menu, fill in the Token Name, Expiry Date, and select the Permission Level(s).

    Note

    Token names may contain letters, numbers, and spaces only.

  4. Click ADD TOKEN or SAVE to apply the configuration.

Use this generated file to allow your API(s) to be authenticated by token. Ensure that your API uses ExaAuthToken in its requests. For curl clients, the request structure resembles:

curl -H "ExaAuthToken:<generated_token>" https://<external_host>:<api_port>/<api_request_path>
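
A token passed with -H on the command line can be read by other local users from the process list and is saved in shell history. The function below is an added example, not Exabeam code: it reads the token from an owner-only file and emits a curl config for `curl --config -`, so the ExaAuthToken header never appears in argv. The token file location and the accepted token character set are assumptions.

```shell
#!/bin/sh
# Added example, not Exabeam code. Builds a curl config that carries the
# ExaAuthToken header; token file path and token charset are assumptions.

exa_curl_config() {
    token_file=$1; url=$2

    # The token file must be a regular file with no group/other permissions.
    [ -f "$token_file" ] || { echo "no token file: $token_file" >&2; return 1; }
    perms=$(ls -ld "$token_file" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "token file is group/world accessible; chmod 600 it" >&2; return 1; }

    # Assumed token charset. Quotes or newlines could break out of the
    # quoted header line in the curl config, so anything else is rejected.
    token=$(cat "$token_file")
    case "$token" in
        ""|*[!A-Za-z0-9._~+/=-]*)
            echo "unexpected characters in token" >&2; return 1 ;;
    esac

    # Send the token over TLS only, and keep the URL a single quoted value.
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL" >&2; return 1 ;;
    esac
    [ "$(printf %s "$url" | tr -d '"\\[:space:]')" = "$url" ] || {
        echo "unexpected characters in URL" >&2; return 1; }

    printf 'header = "ExaAuthToken:%s"\n' "$token"
    printf 'url = "%s"\n' "$url"
}

# Usage, with the same placeholders as the curl line on this page:
#   exa_curl_config /path/to/token_file \
#       "https://<external_host>:<api_port>/<api_request_path>" | curl --config -
```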