Installation & Debugging
Site preparation requirements, installation procedures, commissioning checklists, and debugging guidelines for deploying the network security audit and digital forensics platform.
11.1 Installation Requirements
Successful installation of the audit and forensics platform requires careful site preparation and adherence to physical and environmental requirements. The installation scene below illustrates a properly executed rack installation with color-coded fiber cabling, labeled equipment, and proper cable management — the standard that all installations must meet. Deviations from these requirements must be documented and approved before installation proceeds.
11.2 Site Preparation Requirements
Before any equipment is delivered to site, the installation environment must be verified against the following requirements. Site readiness sign-off is required before installation begins. Any deficiencies identified during site survey must be remediated by the customer before the installation team arrives on site.
| Requirement Category | Specification | Minimum | Recommended | Verification Method |
|---|---|---|---|---|
| Rack Space | Available rack units (U) in standard 42U rack | 12U (small) | 24U (medium), 42U (large) | Physical rack survey; document available U positions |
| Power — Primary | Dedicated 20A 208V circuit per rack | 1 × 20A circuit | 2 × 20A circuits (A+B feed) | Electrician verification; PDU load test |
| Power — UPS | UPS capacity and runtime | 3kVA, 15-min runtime | 6kVA, 30-min runtime | UPS load test at rated capacity |
| Cooling | Datacenter temperature range | 18–27°C (64–81°F) | 18–22°C with hot/cold aisle containment | Temperature sensor verification; CRAC capacity check |
| Network — Management | Dedicated OOB management VLAN | 1G copper to each appliance | 1G copper + OOB console server | VLAN configuration verification; ping test |
| Network — Data | Production network connectivity | 1G copper or fiber | 10G SFP+ fiber per collector node | Link speed and duplex verification; bit error rate test (BERT) on fiber links |
| Network — TAP | Passive TAP or SPAN port availability | 1 SPAN port per monitored segment | Passive TAP per monitored segment | TAP/SPAN configuration verification; confirm the aggregate bandwidth mirrored to a SPAN port does not exceed its line rate; traffic capture test |
| Physical Security | Access control to installation area | Locked rack or locked room | Biometric access + CCTV + audit log | Physical access test; CCTV coverage verification |
11.3 Installation Sequence
The installation must follow a defined sequence to ensure dependencies are met and to minimize the risk of configuration errors. The following sequence applies to a standard medium deployment; large deployments with multiple sites should follow the same sequence at each site, with the central SIEM cluster installed first before remote collector nodes are commissioned.
| Step | Activity | Duration | Prerequisites | Verification |
|---|---|---|---|---|
| 1 | Site survey and readiness sign-off | 1 day | Site preparation complete | Site readiness checklist signed |
| 2 | Rack mounting and cable management | 1 day | Equipment delivered; rack space available | All equipment mounted; cables dressed and labeled |
| 3 | Power and network connectivity | 0.5 day | Rack mounting complete | All power on; all network links up at rated speed |
| 4 | OS and base software installation | 1 day | Network connectivity verified | OS installed; base packages deployed; NTP sync confirmed |
| 5 | SIEM cluster deployment and configuration | 2 days | OS installation complete | SIEM cluster healthy; index created; search functional |
| 6 | Log collector deployment and configuration | 1 day | SIEM cluster operational | Collectors forwarding to SIEM; test events received |
| 7 | Network TAP / SPAN configuration | 0.5 day | Collector nodes operational | Traffic visible on collector; PCAP capture functional |
| 8 | Evidence vault and bastion host configuration | 1 day | Collector nodes operational | Evidence vault write/read functional; bastion session recording active |
| 9 | Supporting system integrations (NTP, LDAP, threat intelligence feeds) | 1 day | All platform components operational | All integrations verified per Chapter 7 test cases |
| 10 | Initial detection rule deployment and tuning | 2 days | Log collection operational | Detection rules active; alert volume within expected range |
| 11 | Commissioning sign-off and handover to acceptance | 0.5 day | All previous steps complete | Commissioning checklist signed; acceptance test plan initiated |
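The following script, added here as an example and not part of the platform's own tooling, automates the verification column for steps 3 and 4: it parses `ethtool` output to confirm each data interface is up at full duplex and its rated speed, and parses the `ntpq -p` peer table to confirm the node has a selected system peer with a healthy reach value and an offset inside the 1 s limit used in 11.4. The interface names ens1f0/ens1f1, the 10G rated speed, the ntpd-style peer table and the sample outputs are assumptions constructed for the example; on a chrony-based node the NTP check would read `chronyc tracking` instead.

```python
"""Commissioning checks for steps 3 and 4: each data interface up at full
duplex and its rated speed, and NTP synchronised within the 1 s skew limit.
Added example for this chapter, not the platform's own tooling. Parsing is
kept apart from command execution so the checks run against the constructed
samples below; pass --live to run ethtool and ntpq on the node instead."""
import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkState:
    speed_mbps: int   # 0 when ethtool reports "Unknown!" (no link)
    duplex: str
    link_up: bool


def parse_ethtool(text: str) -> LinkState:
    """Extract Speed, Duplex and Link detected from `ethtool <iface>` output."""
    speed, duplex, link_up = 0, "unknown", False
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Speed":
            m = re.match(r"(\d+)Mb/s", value)
            speed = int(m.group(1)) if m else 0
        elif key == "Duplex":
            duplex = value.lower()
        elif key == "Link detected":
            link_up = value == "yes"
    return LinkState(speed, duplex, link_up)


def check_link(state: LinkState, rated_mbps: int) -> tuple[bool, str]:
    """Step 3 acceptance: link up, full duplex, negotiated at the rated speed."""
    if not state.link_up:
        return False, "link down"
    if state.duplex != "full":
        return False, f"duplex is {state.duplex}, expected full"
    if state.speed_mbps < rated_mbps:
        return False, f"negotiated {state.speed_mbps} Mb/s, rated {rated_mbps} Mb/s"
    return True, f"{state.speed_mbps} Mb/s full duplex"


def parse_ntpq(text: str) -> list[dict]:
    """Parse the ntpd peer table printed by `ntpq -p`. Columns: remote refid st
    t when poll reach delay offset jitter; the tally code (* + - x # .) is glued
    to the front of the remote name, and offset/jitter are in milliseconds."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10 or fields[0] == "remote":
            continue                      # header, separator and blank lines
        tally = fields[0][0] if fields[0][0] in "*+-x#." else " "
        peers.append({"remote": fields[0].lstrip("*+-x#."), "tally": tally,
                      "reach": fields[6], "offset_ms": float(fields[8])})
    return peers


def check_ntp(peers: list[dict], max_offset_ms: float = 1000.0) -> tuple[bool, str]:
    """Step 4 acceptance: ntpd has selected a system peer (*), that peer answered
    all of the last eight polls (reach 377) and its offset is within the limit."""
    syspeer = next((p for p in peers if p["tally"] == "*"), None)
    if syspeer is None:
        return False, "no system peer selected; ntpd is not synchronised"
    if syspeer["reach"] != "377":
        return False, f"{syspeer['remote']} reach is {syspeer['reach']}, not 377"
    if abs(syspeer["offset_ms"]) > max_offset_ms:
        return False, f"offset {syspeer['offset_ms']} ms exceeds {max_offset_ms} ms"
    return True, f"synced to {syspeer['remote']}, offset {syspeer['offset_ms']} ms"


# Constructed sample outputs for offline use (not captured from a real node).
SAMPLE_ETHTOOL_UP = """Settings for ens1f0:
\tSupported ports: [ FIBRE ]
\tSpeed: 10000Mb/s
\tDuplex: Full
\tLink detected: yes
"""
SAMPLE_ETHTOOL_DOWN = """Settings for ens1f1:
\tSpeed: Unknown!
\tDuplex: Unknown! (255)
\tLink detected: no
"""
SAMPLE_NTPQ = """     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.corp.example 10.0.0.5         2 u   34   64  377    0.412   -0.021   0.015
+ntp2.corp.example 10.0.0.6         2 u   40   64  377    0.501    0.318   0.027
 ntp3.corp.example .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def run(cmd: list[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    live = "--live" in sys.argv
    # Interface names and rated speeds are site-specific assumptions.
    for iface, rated, sample in (("ens1f0", 10000, SAMPLE_ETHTOOL_UP),
                                 ("ens1f1", 10000, SAMPLE_ETHTOOL_DOWN)):
        out = run(["ethtool", iface]) if live else sample
        ok, why = check_link(parse_ethtool(out), rated)
        print(f"{'PASS' if ok else 'FAIL'} link {iface}: {why}")
    ok, why = check_ntp(parse_ntpq(run(["ntpq", "-p"]) if live else SAMPLE_NTPQ))
    print(f"{'PASS' if ok else 'FAIL'} ntp: {why}")
```

The reach check matters as much as the offset: a peer that answered only some of its last eight polls can show a small offset while drifting, which is the intermittent UDP 123 filtering case from 11.4. Treat a reach value other than 377 as a failed step 4, even when the offset looks fine.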
11.4 Common Debugging Issues
The following table documents the most frequently encountered issues during installation and commissioning, along with their root causes and resolution procedures. This troubleshooting guide should be reviewed by the installation team before on-site work begins and used as a reference during commissioning.
| Symptom | Likely Root Cause | Diagnostic Steps | Resolution |
|---|---|---|---|
| Log events not appearing in SIEM | Collector-to-SIEM TLS certificate mismatch (SIEM hostname not in the certificate SAN, issuing CA not trusted by the collector, or certificate expired); firewall blocking TCP 9200/9300 | Check collector logs for TLS handshake errors; verify firewall rules; test connectivity from the collector to the SIEM endpoint with curl | Re-issue the collector or SIEM certificate from the internal CA with the correct SAN and distribute the CA chain to the collector; open the required firewall ports |
| NTP time skew >1 second | NTP server unreachable; incorrect NTP server configured; firewall blocking UDP 123 | Run ntpq -p (ntpd) or chronyc tracking and chronyc sources (chrony) on all nodes; verify NTP server reachability; check firewall rules | Correct NTP server configuration; open UDP 123; where NTS is used (chrony or NTPsec), also confirm the NTS-KE exchange on TCP 4460 succeeds and the peer is reported as authenticated |
| LDAP authentication failing | LDAPS certificate not trusted; service account locked; incorrect base DN | Test an LDAPS bind with ldapsearch using the service account credentials; check service account status in the directory; verify the certificate chain presented by the LDAP server | Import the LDAPS CA certificate into the platform trust store; unlock the service account; correct the base DN configuration |
| PCAP capture missing packets | TAP/SPAN oversubscription; capture interface ring buffer overflow; insufficient disk I/O | Check interface drop and FIFO overrun counters; monitor disk I/O utilization; verify TAP/SPAN configuration against the monitored bandwidth | Reduce capture scope; replace SPAN with a passive TAP; add NVMe storage for the capture buffer |
| Evidence vault write failures | Storage capacity exceeded; WORM policy rejecting an overwrite of an existing object (expected behaviour); NFS mount issue | Check storage utilization; confirm whether the failing write targets an existing object path; check NFS mount status | Expand storage; do not relax the WORM policy on evidence storage, instead direct test and scratch data to a separate non-WORM staging share and write evidence under unique object names; remount the NFS share |
| SIEM search latency >60 seconds | Index fragmentation; insufficient JVM heap; hot index too large | Check index health; monitor JVM heap usage and garbage collection; review index size against the retention policy | Force merge index segments; increase JVM heap within the vendor's recommended limits; shorten the hot index retention period |
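For the "PCAP capture missing packets" row, the following script is an added diagnostic example (not platform code) that samples /proc/net/dev twice and attributes receive loss on each capture interface: growth in the fifo column means the NIC itself overran, which points at TAP/SPAN oversubscription or an undersized ring buffer; growth in the drop column with no fifo growth means the kernel accepted the packet but the capture process did not drain it in time, which points at CPU or disk I/O. The capture interface names cap0/cap1, the 0.01 % loss limit and the attribution rule are assumptions, and the two samples are constructed.

```python
"""Triage for the "PCAP capture missing packets" row: sample /proc/net/dev twice,
compute receive loss per interface over the interval and attribute it. Added
example, not platform code; the 0.01 % loss limit and the fifo-versus-drop
attribution rule are assumptions. Run with --live on a capture node to sample
the real counters; without it the constructed samples below are used."""
import sys
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class RxCounters:
    packets: int
    dropped: int   # rx "drop" column: kernel had no buffer for the packet
    fifo: int      # rx "fifo" column: hardware FIFO overrun on the NIC


def parse_proc_net_dev(text: str) -> dict[str, RxCounters]:
    """Receive columns in /proc/net/dev: bytes packets errs drop fifo frame
    compressed multicast, followed by the eight transmit columns."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        cols = rest.split()
        if not sep or len(cols) != 16:
            continue                  # the two header lines carry no colon
        stats[name.strip()] = RxCounters(int(cols[1]), int(cols[3]), int(cols[4]))
    return stats


def triage(before: dict[str, RxCounters], after: dict[str, RxCounters],
           iface: str, max_loss: float = 1e-4) -> dict:
    """Classify receive loss on one interface between two samples."""
    b, a = before[iface], after[iface]
    rx, drops, fifo = a.packets - b.packets, a.dropped - b.dropped, a.fifo - b.fifo
    lost = drops + fifo
    result = {"iface": iface, "rx": rx, "dropped": drops, "fifo": fifo, "loss": 0.0}
    if rx <= 0:
        result.update(verdict="no-traffic",
                      action="nothing arriving: verify TAP/SPAN configuration")
        return result
    result["loss"] = lost / (rx + lost)   # lost as a share of offered load
    if result["loss"] <= max_loss:
        result.update(verdict="ok", action="loss within limit")
    elif fifo > 0:
        result.update(verdict="nic-overrun",
                      action="NIC overran: reduce capture scope, replace SPAN with a "
                             "passive TAP, enlarge the ring buffer (ethtool -G)")
    else:
        result.update(verdict="capture-drain",
                      action="capture process not draining the ring: check CPU "
                             "pinning and disk I/O, add NVMe capture buffer")
    return result


# Constructed samples taken a few seconds apart (not from a real appliance).
SAMPLE_T0 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:      12000     100    0     0     0    0    0    0   12000     100    0    0    0    0    0    0
  cap0: 5000000000 4000000    0 12000   300    0    0    0       0       0    0    0    0    0    0    0
  cap1: 9000000000 9000000    0     0  5000    0    0    0       0       0    0    0    0    0    0    0
"""
SAMPLE_T1 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:      12000     100    0     0     0    0    0    0   12000     100    0    0    0    0    0    0
  cap0: 5750000000 4600000    0 15000   300    0    0    0       0       0    0    0    0    0    0    0
  cap1: 9800000000 9800000    0     0 13000    0    0    0       0       0    0    0    0    0    0    0
"""


def sample_live() -> dict[str, RxCounters]:
    with open("/proc/net/dev") as f:
        return parse_proc_net_dev(f.read())


if __name__ == "__main__":
    if "--live" in sys.argv:
        t0 = sample_live()
        time.sleep(10)                # interval is an assumption; longer is better
        t1 = sample_live()
    else:
        t0, t1 = parse_proc_net_dev(SAMPLE_T0), parse_proc_net_dev(SAMPLE_T1)
    for iface in sorted(t1):
        r = triage(t0, t1, iface)
        print(f"{iface}: {r['verdict']} loss={r['loss']:.4%} ({r['action']})")
```

Take the two samples while the segment is carrying representative load; a capture that is lossless at night can still overrun a SPAN port during the business-day peak, which is why the site preparation table prefers a passive TAP per monitored segment.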