LimaCharlie Cloud Quick Start
To access LimaCharlie.io, you will first need to create an account. You can sign up with a specific email address (which you will need to verify) or with a Google account (easiest by far).
From the bottom of https://limacharlie.io follow the login instructions. If email verification is required, you will be prompted to complete it.
Create an Organization
The first thing to do with your new access is to create an organization. Everything under limacharlie.io is structured under organizations. Sensors belong to organizations and billing is tied to them as well.
On the right side of the Member Organizations section of the dashboard, click on "Create".
Select a datacenter. This decides where in the world your sensors will connect to. Many countries are available. Note that since LCC does not do any retention, this mainly determines the geolocation where the data from the sensors will be processed, not where it is stored (the latter is up to you).
Enter an organization name. This name must be unique. The "Name Available" indicator should show a green checkbox a few seconds after you've entered a valid name.
LCC comes with a free tier of two sensors. You do not need a credit card to get this free tier, but if you decide to upgrade your quota, you will have to enter your credit card information.
Click "Create". Within a few seconds you should see an indication that your organization is ready.
Click on the top left link to "Dashboard".
The dashboard shows you a list of all the organizations you have access to. You should see the organization you just created.
On the left-most side of the organization record, you should see a dot that is either green or red. If you hover over it, it will show you the details of the current organization status. In less than 30 seconds, the dot should turn green with a status of "NORMAL".
Click on the name of the organization to see its details.
This view is centered around the particular organization you just created. It contains a few different sections:
Here you can manage all your installation keys. These are the keys that allow you to enroll sensors into this organization.
Outputs decide how and where the data and detections from your sensors should go to.
This is a list of all the sensors enrolled into your organization.
These are simply reference links to download the sensor installers. Quick tip, here is the pattern you can use to download the installers directly to your computers:
https://limacharlie.io/get/windows/32 for the Windows 32 bit installer
https://limacharlie.io/get/windows/64 for the Windows 64 bit installer
https://limacharlie.io/get/linux/64 for the Linux 64 bit installer
https://limacharlie.io/get/mac/64 for the MacOS 64 bit installer
The details of your current plan, as well as how to change it, are displayed here. If you decide you want to increase your sensor quota to, say, 20, you would simply enter "20" in the line beside the "REQUEST QUOTA" button. The new price you will be paying monthly will appear to the right. If you then click on the "REQUEST QUOTA" button, you should see the new quota reflected within a few seconds.
This is a central location where you can find all the relevant logs. The management logs are generated by limacharlie.io and report activity at an account and organization level: who requested quota, who gained access to the organization, billing, etc.
The error log reports errors generated by various components of LimaCharlie, like Outputs failing to send data for example.
Finally the audit logs are LimaCharlie internal logs about things like creation of new installation keys, deletion of sensors or commands sent to sensors.
Described in more details here.
This is where you can subscribe to optional capabilities from the marketplace and view currently active add-on subscriptions.
Here you can manage which users have access to your organization in limacharlie.io.
Create an Installation Key
Now that we have our bearings, let's move ahead. Click on the "+" for Installation Keys. The popup will ask you to give the new key a description (this is purely for your benefit) and a list of comma-separated tags.
The tags you specify will automatically get applied to the sensors that enroll using this key. They can be added to or removed from sensors in the future, but this provides a convenient mechanism to manage the sensors you install by creating keys for logical groups like "server", "workstation", "executive" or "sales".
Click "Create". The new key should appear in the Installation Keys section.
Now click the copy icon (two superimposed squares) of the new key. This will copy the key (a long encoded string) into your clipboard.
Install a Sensor
On the computer where you want to install the sensor, download the installer. For example, on Linux we might do:
wget --content-disposition https://limacharlie.io/get/linux/64
Each platform may have small subtleties, so you should have a look at the detailed instructions.
For the purpose of this quick start, we will simply install the sensor on a Linux server without persistence (the sensor will not install permanently on the computer).
Once you've downloaded the sensor via wget, you need to make it executable:
chmod +x ./lc_linux_64
Then we run the installer as root with the -d <installation key> argument (where <installation key> is the key copied to the clipboard in the last step above). It should look like this:
sudo ./lc_linux_64 -d AAAABgAAAQ4HAAABJjCCASIwDQYJ........
Press enter, and you should see some output to standard out on the command line.
That's it, your sensor is running. Although other platforms can be slightly different, they're all equally easy.
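The install steps above as a script, written as an added example rather than LimaCharlie's own tooling: it reads the installation key from a file, so the key is never typed at the prompt or saved in shell history, and it refuses a key file that group or other users can access. The key file path ./lc_install.key and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the LimaCharlie distribution.
# Assumption: the installation key was pasted into a file (hypothetical
# default ./lc_install.key) and restricted with: chmod 600 ./lc_install.key

LC_URL="https://limacharlie.io/get/linux/64"   # Linux 64 bit installer URL from this page

# Succeeds only if $1 is a regular file with no group/other permission bits.
lc_key_file_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the key with surrounding whitespace stripped. Fails if the file is
# empty or holds more than one token (a partial or doubled paste).
lc_read_key() {
    awk 'NF { n += NF; k = $1 } END { if (n != 1) exit 1; printf "%s", k }' "$1"
}

# Download the installer, make it executable and run it without persistence.
lc_install() {
    keyfile=$1
    lc_key_file_private "$keyfile" ||
        { echo "refusing: $keyfile must be a file with mode 0600" >&2; return 1; }
    key=$(lc_read_key "$keyfile") ||
        { echo "refusing: $keyfile must hold exactly one key" >&2; return 1; }
    # -O pins the local file name instead of trusting the server-supplied one.
    wget -O ./lc_linux_64 "$LC_URL" || return 1
    chmod +x ./lc_linux_64
    sudo ./lc_linux_64 -d "$key"
}

# Nothing is downloaded unless asked: sh lc_install.sh install ./lc_install.key
if [ "${1:-}" = "install" ]; then
    lc_install "${2:-./lc_install.key}"
fi
```
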
Back on the limacharlie.io website, if you refresh the organization view page you were on, you should now see your sensor's hostname in the Sensors section and a quota of 1 / 2 in the Billing section. This page refreshes the details of your organization automatically, but it does so at a slow frequency, so to check quick changes you may need to refresh it.
If you click on the "Details" link of the Sensors section, you will get a popup of the details of this new sensor. There you can add and remove tags as well as delete the sensor. Deleting the sensor will prevent it from connecting to your organization. This is a useful feature if you somehow lose control over an Installation Key and unknown people start registering sensors.
Create an Output
Now this is all great, but we'd like to see the data. That is the job of the Outputs. Click on the "+" of the Outputs section. The popup will let you define:
A name (a unique name to the output within your organization, purely for your benefit).
A module, this is the method used to export the data from limacharlie.io to your data storage.
A stream, this is the type of data to export:
Events is a raw stream of all events from sensors.
Detections is a stream of all the alerts, or things detected.
Audit is a stream of the auditing events, to be used for compliance mainly.
Depending on the module you chose, different options will be available. The outputs are quite simple to configure; which one is best depends on your organization. Modules include Syslog, SFTP and Amazon S3 Buckets, which cover the most common use cases.
A good, safe recommendation for output would be using SFTP.
For a basic setup, creating an Ubuntu server with SFTP in a cloud provider such as Google Cloud or Digital Ocean, along with a Splunk Free version, does a great job.
Some more documentation on Output can be found here. More tutorials and apps for Splunk and ELK will become available shortly.
For the purpose of this quick start, we recommend you use the installation script that will install a free Splunk instance on an Ubuntu LTS box and configure it to receive LimaCharlie data through SFTP. It's the quickest way of getting started.
Simply create an Ubuntu LTS box somewhere (we use Digital Ocean) with about 2 GB of RAM minimum, then copy the installation script over, make it executable (chmod +x ./install_simple_splunk.sh) and execute it as root. Once installed (takes about 2 minutes), you will have all the relevant configuration information you need for the LimaCharlie Output.
Data should start flowing to your Output fairly quickly, depending on how much data your sensor is generating. If an error is encountered by the output, details will be given in the Error Log section and the output will be retried after a few minutes.
That's it, you're now ready to start adding more sensors!
You can also have a look at the REST Documentation including the various commands you can send to a sensor. Some commands may not yet be available in LimaCharlie Cloud (although they are in LimaCharlie Enterprise).