Version: 2.8.2

Installation

Qumulo Installation and Configuration

Deploy the most recent Eyeglass and ECA OVFs, then download and run the Qumulo installer for each. The currently supported versions and links to the Support Portal for download are below:

Package | Link
Eyeglass OVF | Use Support Portal for download
ECA OVF | Use Support Portal for download
Eyeglass Installer | Use Support Portal for download
ECA Installer | Use Support Portal for download

Prerequisites - Qumulo

The Security Guard appliance requires a dedicated AD user account, and a network share where that AD user has access permissions.

Eyeglass must be operational on the cluster.

Eyeglass Configuration

Licensing

Log in to Superna Eyeglass and open License Management, where Qumulo type licenses are displayed.

Add a Qumulo type license to the system

For the UI functionality to be displayed, a Qumulo license must be added via the Eyeglass UI. The License Devices tab displays all devices added to the system.

Add a Qumulo cluster via the Eyeglass UI

When the cluster is successfully added, the confirmation window will appear.

Open the Jobs menu to check Running Jobs. Wait until the add job is complete, and validate that the cluster can be browsed in the Inventory View.

ECA Configuration

Configure Active Directory on Eyeglass

See here for a guide on Eyeglass CLI Commands

Enable Qumulo functionality on ECA

Add the following parameter to /opt/superna/eca/eca-env-common.conf before cluster up:

export TURBOAUDIT_QM_SERVER_ENABLED=true

Configure the following setting in /opt/superna/eca/eca-env-common.conf to start in Ransomware Only mode:

export RSW_ONLY_CFG=true

Set the following to false so that cluster up continues even if there is no NFS mount (expected, because Qumulo uses syslog):

export STOP_ON_AUTOMOUNT_FAIL=false

Add Eyeglass IP and API token:

export EYEGLASS_LOCATION=
export EYEGLASS_API_TOKEN=

Kafka Additional Memory

Additional memory needs to be allocated to the Kafka Docker container.

Do the following:

  • SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).

  • vim /opt/superna/eca/docker-compose.overrides.yml

  • Add the following lines. IMPORTANT: Maintain the spacing at the start of each line.

services:
  kafka:
    mem_limit: 2048MB
    mem_reservation: 2048MB
    memswap_limit: 2048MB

  • Save changes with: ESC, then :wq!

Zookeeper Retention

The following changes prevent zk-ramdisk exhaustion. When zk-ramdisk reaches 100% utilization, event processing halts.

Do the following:

  • SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).
  • vim /opt/superna/eca/conf/zookeeper/conf/zoo.cfg.template
  • Add the following configurations to the bottom of the file:
    snapCount=1000
    preAllocSize=1000
  • Save changes with: ESC, then :wq!

Cron Jobs

A cron job must be created to restart the fastanalysis Docker container on a schedule. Do the following:

  • SSH to ECA1 (user: ecaadmin, password: 3y3gl4ss).
  • Create the cron job:
    ecactl cluster exec "sudo -E USER=ecaadmin ecactl components restart-cron set fastanalysis 0 0,6,12,18 \'*\' \'*\' \'*\'"
  • Validate that the cron job was added:
    ecactl cluster exec 'cat /etc/cron.d/eca-*'

Cluster up from ECA1 (must be done before configuring auditing):

  • ecactl cluster up
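
A pre-flight check for the settings from the ECA Configuration steps above, meant to be run on ECA1 before ecactl cluster up. This is an added example, not part of the Superna documentation or tooling: the function names conf_value and check_eca_preflight are hypothetical, while the file paths and expected values are the ones given on this page.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the ECA settings listed on this page.
# Function names are hypothetical; default paths are the ones the page names.

# Print the last value assigned by an "export KEY=value" line, quotes stripped.
conf_value() {  # usage: conf_value FILE KEY
  sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" 2>/dev/null |
    tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per problem; return non-zero if any problem was found.
check_eca_preflight() {  # usage: check_eca_preflight [ENV_CONF] [ZOO_CFG]
  local env_conf="${1:-/opt/superna/eca/eca-env-common.conf}"
  local zoo_cfg="${2:-/opt/superna/eca/conf/zookeeper/conf/zoo.cfg.template}"
  local rc=0 pair key want got

  # Settings that must carry an exact value.
  for pair in TURBOAUDIT_QM_SERVER_ENABLED=true RSW_ONLY_CFG=true \
              STOP_ON_AUTOMOUNT_FAIL=false; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(conf_value "$env_conf" "$key")"
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: expected '$want', found '${got:-<unset>}'"; rc=1
    fi
  done

  # Settings that must be filled in; the token value itself is never printed.
  for key in EYEGLASS_LOCATION EYEGLASS_API_TOKEN; do
    if [ -z "$(conf_value "$env_conf" "$key")" ]; then
      echo "FAIL $key: empty or missing"; rc=1
    fi
  done

  # ZooKeeper retention settings added to the bottom of zoo.cfg.template.
  for pair in snapCount=1000 preAllocSize=1000; do
    if ! grep -qx "[[:space:]]*${pair}[[:space:]]*" "$zoo_cfg" 2>/dev/null; then
      echo "FAIL $pair not found in $zoo_cfg"; rc=1
    fi
  done
  return "$rc"
}
```

Source the file and call check_eca_preflight with no arguments to check the default paths; no output and a zero exit status mean every setting matches.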

Qumulo Configuration

To launch Qumulo, use the IP address or open it from the Inventory View.

Add ECA node 2 as syslog consumer

On the Qumulo interface, go to Cluster -> Audit.

Enter the IP address of ECA node 2, and save.

We are in the process of rebuilding our documentation.

For now, see the table below for links to Data Security feature guides from our legacy documentation.

Feature | Feature description
Security Guard (Automated self-test set up) | Security Guard Support
Ransomware detection | Detection of ransomware is supported. This includes: behavioral analysis; file-extension based analysis; honeypot file monitoring
Protection levels | Determine threat response settings to meet your company's risk profile
Ignored and Monitored List | Ignored or Monitored Paths; Ignored or Monitored Users; Ignored or Monitored Client IPs
Snapshots taking | Support for taking snapshots (NFS exports and SMB shares) and critical path snapshots
User lockouts | The lockout process identifies all shares to which the user has access permissions.
Recovery Manager | Recovery Manager support
Webhooks and Zero Trust API | Outbound webhooks for third-party integrations