Installing the product as a Windows or Linux service

Installing Elasticsearch and Siren Investigate as services is required only if you want them to start automatically when the operating system boots.

Installing Siren Platform as a Windows service

Elasticsearch

  1. Copy the elasticsearch folder and its contents from the ZIP archive you downloaded to your Program Files folder.

  2. Edit the elasticsearch.yml file in the %ProgramFiles%\elasticsearch\config folder.

  3. In the Path section, enter the data and log paths, for example:

    path.data: C:\Program Files\elasticsearch\data
    path.logs: C:\Program Files\elasticsearch\logs
  4. In the Network section, set network.host to 127.0.0.1 and save the file. Binding to the loopback address means that Elasticsearch accepts connections only from the local machine, where Siren Investigate runs, and is not reachable from the network.

  5. From the command prompt, enter:

    cd %ProgramFiles%\elasticsearch
    bin\elasticsearch-service install
  6. Open the Services management console (you can enter services.msc at the command prompt).

  7. Locate the Elasticsearch service and change Startup Type to Automatic.

  8. Right-click the service and select Start.

Siren Investigate

Installing Siren Investigate as a Windows service requires the third-party tool NSSM (https://nssm.cc/download). Because NSSM configures services, anti-virus software may identify it as "riskware"; the download page provides a SHA checksum and the source code so that you can verify what you are installing. Verify the checksum of nssm.exe before you copy it into Program Files, either with the built-in certutil -hashfile command or with the Microsoft File Checksum Integrity Verifier (https://www.microsoft.com/en-us/download/details.aspx?id=11533). A service registered with NSSM runs as LocalSystem unless you choose a different account on its Log on tab, so this check matters: the binary you register runs with that account's privileges at every boot.

  1. Copy the siren-investigate folder and its contents from the Siren platform ZIP archive you downloaded to your %ProgramFiles% folder.

  2. Copy the nssm.exe program from the win64 folder in the NSSM ZIP archive you downloaded to the %ProgramFiles%\siren-investigate\bin folder.

  3. Set the INVESTIGATE_HOME environment variable to %ProgramFiles%\siren-investigate. Set it as a system (machine-wide) variable rather than a user variable, or set it on the NSSM Environment tab in the steps that follow: the service does not run in your user session and does not see user variables.

  4. From the command prompt, enter %ProgramFiles%\siren-investigate\bin\nssm install "Siren Investigate".

  5. In the Application Path box, enter %ProgramFiles%\siren-investigate\bin\investigate.bat.

  6. In the Startup directory box, enter %ProgramFiles%\siren-investigate.

  7. On the Details tab, in the Display name box, enter Siren Investigate.

  8. On the Dependencies tab, in the box enter elasticsearch-service-x64 (the service name that elasticsearch-service install creates by default), so that Siren Investigate starts only after Elasticsearch is running.

  9. Click Install service.

  10. Open the Services management console (you can enter services.msc at the command prompt).

  11. Locate the Siren Investigate service, right-click it and select Start.

Installing Siren Platform as a Linux service

Elasticsearch

  1. Create a system user for the service, for example adduser --system elasticsearch on Debian-based systems or useradd -r elasticsearch on Red Hat-based systems.

  2. Copy the elasticsearch folder and its contents from the ZIP archive you downloaded to the /opt folder and then set the permissions for the system user, for example sudo chown -R elasticsearch /opt/elasticsearch.

  3. Edit the elasticsearch.yml file in the /opt/elasticsearch/config folder.

  4. In the Path section, enter the data and log paths, for example:

    path.data: /opt/elasticsearch/data
    path.logs: /opt/elasticsearch/logs
  5. In the Network section, set network.host to 127.0.0.1 and save the file. Binding to the loopback address means that Elasticsearch accepts connections only from the local machine, where Siren Investigate runs, and is not reachable from the network.

  6. From the command prompt, as root enter the following. The environment file sets the JVM heap; keep -Xms and -Xmx equal and adjust the 4g values to no more than half of the memory available on the host. The heredoc delimiters are quoted so that the shell does not expand anything inside the files, and systemctl enable --now both enables the unit at boot and starts it:

    cat <<'EOF' >/opt/elasticsearch.environment
    ES_JAVA_OPTS="-Xms4g -Xmx4g"
    EOF
    
    cat <<'EOF' >/etc/systemd/system/elasticsearch.service
    [Unit]
    Description=Elasticsearch (Siren)
    After=network.target auditd.service
    
    [Service]
    WorkingDirectory=/opt/elasticsearch
    EnvironmentFile=-/opt/elasticsearch.environment
    ExecStart=/opt/elasticsearch/bin/elasticsearch
    KillMode=process
    Restart=on-failure
    RestartPreventExitStatus=255
    Type=simple
    User=elasticsearch
    LimitMEMLOCK=infinity
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    echo "vm.max_map_count = 262144" > /etc/sysctl.d/99-elasticsearch.conf
    sysctl -p /etc/sysctl.d/99-elasticsearch.conf
    systemctl daemon-reload
    systemctl enable --now elasticsearch

Siren Investigate

  1. Create a system user for the service, for example adduser --system siren on Debian-based systems or useradd -r siren on Red Hat-based systems.

  2. Copy the siren-investigate folder and its contents from the ZIP archive you downloaded to the /opt folder and then set the permissions for the system user, for example sudo chown -R siren /opt/siren-investigate.

  3. From the command prompt, as root enter the following. The unit is ordered after Elasticsearch, the same dependency that the Windows procedure sets in NSSM. The leading - on EnvironmentFile makes /opt/siren.environment optional, so the unit starts even if you never create that file:

    cat <<'EOF' >/etc/systemd/system/siren.service
    [Unit]
    Description=Siren Investigate
    After=network.target auditd.service elasticsearch.service
    Wants=elasticsearch.service
    
    [Service]
    WorkingDirectory=/opt/siren-investigate
    EnvironmentFile=-/opt/siren.environment
    ExecStart=/opt/siren-investigate/bin/investigate
    KillMode=process
    Restart=on-failure
    RestartPreventExitStatus=255
    Type=simple
    User=siren
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    systemctl daemon-reload
    systemctl enable --now siren
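The following script is an added example; it is not part of the Siren documentation or of the Siren Platform distribution. It carries out the Linux procedure for both units non-interactively and adds the checks a practitioner would want before registering a service: that elasticsearch.yml binds to loopback, so port 9200 is reachable only from the host; that the /opt directories are owned by the service users; that the vm.max_map_count change took effect; and, after start, that port 9200 is listening on loopback addresses only. It also gives siren.service the dependency on Elasticsearch that the Windows procedure configures in NSSM, and enables the units with systemctl enable --now instead of creating a symlink by hand. Paths, users and unit names are the ones used on this page; the function names, the 60-second wait for the port, and the ss output parsing are this example's own choices. Run it as root with the argument install; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not part of the Siren documentation: performs the Linux
# service installation from this page for both units, after checking what a
# practitioner would want checked first. Paths, unit names and users are the
# page's; the function names are this example's own. Run as root with the
# argument "install"; without it only the functions are defined.
set -eu

ES_HOME=/opt/elasticsearch
ES_USER=elasticsearch
SIREN_HOME=/opt/siren-investigate
SIREN_USER=siren

# Return 0 if elasticsearch.yml sets network.host to a loopback value, 1
# otherwise. A missing setting also returns 1: Elasticsearch defaults to
# loopback, but the procedure above asks for the value to be set explicitly.
# Commented-out lines (the stock file ships "#network.host: ...") are ignored.
es_bound_to_loopback() {
    host=$(sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$1" | tail -n 1 \
           | sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//')
    case "$host" in
        127.0.0.1|::1|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if directory $1 is owned by user $2 (the chown -R step was done).
dir_owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# Return 0 if vm.max_map_count (read from $1, default the live /proc value)
# is at least the 262144 that Elasticsearch needs.
max_map_count_ok() {
    [ "$(cat "${1:-/proc/sys/vm/max_map_count}")" -ge 262144 ]
}

# Print a unit file in the form used on this page. Arguments: description,
# working directory, environment file, ExecStart, user, then optional extra
# [Unit] lines ($6) and extra [Service] lines ($7), newline-separated.
render_unit() {
    printf '[Unit]\nDescription=%s\nAfter=network.target auditd.service\n' "$1"
    if [ -n "${6:-}" ]; then printf '%s\n' "$6"; fi
    printf '\n[Service]\nWorkingDirectory=%s\nEnvironmentFile=-%s\nExecStart=%s\n' "$2" "$3" "$4"
    printf 'KillMode=process\nRestart=on-failure\nRestartPreventExitStatus=255\nType=simple\nUser=%s\n' "$5"
    if [ -n "${7:-}" ]; then printf '%s\n' "$7"; fi
    printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# Read "ss -ltn" output (from file $2 if given, otherwise live) and return 0
# only if every LISTEN socket on port $1 is bound to 127.0.0.1 or [::1].
# No listener on that port at all also returns 0.
port_only_on_loopback() {
    if [ $# -ge 2 ]; then cat "$2"; else ss -ltn; fi | awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            if ($4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

install_units() {
    es_bound_to_loopback "$ES_HOME/config/elasticsearch.yml" \
        || { echo "refusing: network.host in elasticsearch.yml is not loopback" >&2; return 1; }
    dir_owned_by "$ES_HOME" "$ES_USER" && dir_owned_by "$SIREN_HOME" "$SIREN_USER" \
        || { echo "refusing: /opt directories are not owned by the service users" >&2; return 1; }

    printf 'ES_JAVA_OPTS="-Xms4g -Xmx4g"\n' > /opt/elasticsearch.environment
    render_unit "Elasticsearch (Siren)" "$ES_HOME" /opt/elasticsearch.environment \
        "$ES_HOME/bin/elasticsearch" "$ES_USER" "" \
        "LimitMEMLOCK=infinity
LimitNOFILE=65536" > /etc/systemd/system/elasticsearch.service
    # Siren Investigate waits for Elasticsearch, as the Windows Dependencies step does.
    render_unit "Siren Investigate" "$SIREN_HOME" /opt/siren.environment \
        "$SIREN_HOME/bin/investigate" "$SIREN_USER" \
        "Wants=elasticsearch.service
After=elasticsearch.service" > /etc/systemd/system/siren.service

    echo "vm.max_map_count = 262144" > /etc/sysctl.d/99-elasticsearch.conf
    sysctl -p /etc/sysctl.d/99-elasticsearch.conf
    max_map_count_ok || { echo "vm.max_map_count is still below 262144" >&2; return 1; }
    systemd-analyze verify /etc/systemd/system/elasticsearch.service /etc/systemd/system/siren.service
    systemctl daemon-reload
    systemctl enable --now elasticsearch   # enables at boot and starts; no hand-made symlink
    systemctl enable --now siren

    # Wait for the JVM to open port 9200, then confirm it is loopback-only.
    i=0
    until ss -ltn | awk '{ print $4 }' | grep -q ':9200$'; do
        i=$((i + 1)); [ "$i" -lt 60 ] || { echo "Elasticsearch did not open port 9200" >&2; return 1; }
        sleep 1
    done
    port_only_on_loopback 9200 \
        || { echo "Elasticsearch is listening on a non-loopback address" >&2; return 1; }
}

if [ "${1:-}" = "install" ]; then install_units; fi
```

Both unit files come from the one render_unit template, so the two services differ only in the arguments passed to it; systemd-analyze verify reports syntax errors and unknown keys before the units are loaded, and the final port check catches the case where network.host was edited after the unit was written.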

Test your connection

In your browser, navigate to http://localhost:5606/status. If both the Elasticsearch and Siren Investigate services are running, the login screen is displayed. If it is not, check the state of the services with systemctl status elasticsearch siren on Linux, or in the Services management console on Windows.

Next steps

You can import data either by uploading a spreadsheet or by connecting to a datasource and using Logstash. For more information, see Importing data.