Running Connectwise SIEM/Perch Security Sensor on Proxmox

I’ve been using Connectwise SIEM since way back before Connectwise owned it and it was Perch Security. Recently I’ve been in a transition period where I’ve been moving from VMware to Proxmox since Broadcom has always been clear that they don’t care about their smaller customers, and I’ve always been a fan of supporting open-source projects over the commercial ones anyway. It’s been going great – except for the fact that Connectwise doesn’t have an appliance for Proxmox.

I decided to figure it out myself! Turns out, it was actually fairly easy thanks to a few online resources that had already worked out some of the pieces for me. I figured I would publish a step-by-step guide in the hope that it helps someone else as well.

  1. If you haven’t already, log into https://app.perchsecurity.com and select the customer you wish to install the sensor for.
  2. Navigate to Settings -> Network -> Sensors
  3. Download the image for VMWare from the top links.
  4. While this is downloading, log into Proxmox.
    1. Navigate to the node’s Shell and as root run “apt-get install openvswitch-switch” (If you haven’t already installed openvswitch)
    2. Confirm the request if necessary
    3. Navigate to System->Network under your node.
    4. Setup your normal networking if you haven’t already.
    5. Identify the network interface you will be using for your span port. Note that this interface must be dedicated to this purpose and connected to a switchport configured in mirroring/SPAN mode.
    6. Create a new OVS Bridge. I named mine “span”, but you can name it whatever you like.
      1. Leave all fields blank, except check “Autostart” and under “Bridge ports” enter the name of the network interface you are using for the spanning.
      2. Add an optional comment if you want
      3. Click “Create”.
  5. Identify the vm ID you plan to use (it must be a unique number not running anywhere else in your cluster – if you aren’t sure, click “Create VM” in the web interface, note the VM ID, and cancel out of that dialog)
  6. Also identify the name of the datastore you plan to use for the disk storage
  7. Check if your .ova download has finished, otherwise wait for that.
  8. Behind the scenes, an .ova is a compressed archive containing the relevant files from a VMware machine. Use 7-Zip or another applicable tool to extract the archive to a new folder and locate these three files.
  9. Use SCP or SFTP (e.g. WinSCP) to transfer the extracted files to your Proxmox server over SSH.
  10. Using the shell in the web interface (or, preferably, an SSH session to your node, since some of these steps take a few minutes and navigating away from the web shell loses your progress; the web shell is only suited to quick tasks), change to the directory where you uploaded the extracted files.
  11. From this directory, run the command “qm importovf [VM ID] [.ovf name – mine was vm-v3.0.7-240611.ovf] [name of disk store]”
  12. Wait for this process to complete; it may take a minute. Once it does, you should see the VM ID you specified on your node. Mine also had “ConnectWiseSensor” as the name, but this is subject to change. (You can change it in the VM options if you want.)
  13. Select the VM, go to the “Hardware” tab.
  14. Click “Add”->”Network Device”
  15. Select your regular networking bridge, not the span networking bridge.
  16. Change the “Model” to “VMWare vmxnet3”, and if desired, set the VLAN, MAC Address, and Firewall settings you want to use for the management interface of the sensor.
  17. Click “Add”
  18. Again we are going to click “Add”->”Network Device”
  19. This time we will select the span bridge (or whatever you named it).
  20. Change the “Model” to “VMWare vmxnet3”. You will need to leave the VLAN blank, should probably leave MAC address blank, and should uncheck “Firewall”.
  21. Click “Add”
  22. Now go into the “Console” tab and start the VM up.
  23. While the VM is booting up, return to your node’s shell or SSH window (I really suggest using SSH for this next part – credit to this part goes to vext and his blog post here).
  24. From your node’s CLI run the following (each dash pair is two ASCII hyphens; tap[VM ID]i1 is the host-side interface of the VM’s second NIC, e.g. tap100i1 if your VM ID is 100):
    ovs-vsctl -- --id=@p get port tap[VM ID]i1 \
      -- --id=@m create mirror name=span1 select-all=true output-port=@p \
      -- set bridge [span bridge name – mine was just “span”] mirrors=@m
  25. Go back to the console and log in with the information provided in Connectwise’s documentation.
  26. During the configuration, it will ask which network interface is used for cloud connection. It should be the lowest numbered interface. The other higher numbered interface should be used for the span port. (It said 0 packets for me, don’t worry about it at that point.)
  27. Once configuration is complete, log in as the prairiefire user to change the default password, per best practice.
  28. Unofficially, you can install ifstat with “sudo apt-get install ifstat” and run it to check the incoming packet counts, confirming that the interfaces are working as expected and that you selected the right one during configuration.
  29. Go to Perchybana, select an index related to the sensor (I recommend TLS records), and make sure you are seeing traffic from the sensor within a few minutes of running it.
  30. There is one catch: the command we used to pass the span traffic through to the VM does not survive a reboot, as pointed out by vext. To solve this, we’ll use a modified version of the script he created.
    1. On your node’s CLI, navigate to /root
    2. Use your favorite text editor (real IT people use vim BTW) to create the following script as “/root/mirror_config.sh” (the clear line removes any existing mirror first so the script can be re-run safely):
      #!/bin/bash
      ovs-vsctl clear bridge [span bridge name – mine was just “span”] mirrors
      ovs-vsctl -- --id=@p get port tap[VM ID]i1 \
        -- --id=@m create mirror name=span1 select-all=true output-port=@p \
        -- set bridge [span bridge name – mine was just “span”] mirrors=@m
    3. Run “chmod +x mirror_config.sh”
    4. Run “crontab -e” and add the following line (the sleep gives the VM time to start so that its tap interface exists when the script runs):
      @reboot sleep 60 && /root/mirror_config.sh
    5. Edit your VM options to ensure “Start at boot” is checked, and that the machine starts fairly early on in the startup sequence as it must be running for this to work properly.
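As an added example (not the post’s or vext’s script), here is a hardened variant of /root/mirror_config.sh that polls for the sensor VM’s tap interface instead of relying on a fixed sleep, clears any existing mirror so it is safe to re-run, and verifies that the mirror actually attached to the bridge. SPAN_BRIDGE, VMID and the “apply” argument are my own assumptions; set the first two for your node.

```shell
#!/bin/bash
# Added example, not the post's or vext's script: a hardened /root/mirror_config.sh.
# It waits for the sensor VM's tap interface instead of relying on a fixed sleep,
# is safe to re-run, and verifies that the mirror actually attached.
# SPAN_BRIDGE and VMID are placeholders (assumptions); set them for your node.
set -eu

SPAN_BRIDGE="${SPAN_BRIDGE:-span}"   # OVS bridge created in step 4.6
VMID="${VMID:-100}"                  # sensor VM ID from step 5 (100 is a made-up default)
MIRROR_NAME="span1"

# Proxmox names the host side of a VM's second NIC (net1) tap<VMID>i1.
tap_iface() { printf 'tap%si1' "$1"; }

# Poll /sys/class/net until the tap interface exists (i.e. the VM is up),
# giving up after $2 attempts of 2 seconds each.
wait_for_tap() {
  iface="$1"; tries="${2:-60}"
  while [ ! -e "/sys/class/net/$iface" ]; do
    tries=$((tries - 1))
    [ "$tries" -gt 0 ] || return 1
    sleep 2
  done
}

# The ovs-vsctl transaction from step 24 as one argument string; no argument
# contains whitespace, so it can be word-split safely when passed to ovs-vsctl.
mirror_args() {   # $1 = bridge, $2 = tap interface, $3 = mirror name
  printf '%s' "-- --id=@p get port $2 -- --id=@m create mirror name=$3 select-all=true output-port=@p -- set bridge $1 mirrors=@m"
}

apply_mirror() {
  iface="$(tap_iface "$VMID")"
  wait_for_tap "$iface" || { echo "$iface never appeared; is VM $VMID running?" >&2; return 1; }
  # Clear first so re-running does not stack a duplicate mirror on the bridge.
  ovs-vsctl clear bridge "$SPAN_BRIDGE" mirrors
  # shellcheck disable=SC2046
  ovs-vsctl $(mirror_args "$SPAN_BRIDGE" "$iface" "$MIRROR_NAME")
  # Verify: the bridge's mirrors column must now hold a mirror UUID, not "[]".
  [ "$(ovs-vsctl get bridge "$SPAN_BRIDGE" mirrors)" != "[]" ] || { echo "mirror not attached" >&2; return 1; }
  logger -t mirror_config "mirror $MIRROR_NAME: bridge $SPAN_BRIDGE -> $iface"
}

# Only act when invoked as "mirror_config.sh apply" (so the file can also be sourced).
case "${1:-}" in apply) apply_mirror ;; esac
```

With this version the crontab line becomes “@reboot /root/mirror_config.sh apply”; the VM still has to be set to start at boot, since the script gives up if the tap interface never appears.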

About thegeekkid
