Traditional Installer

Installation Prerequisites

Event forwarder can be configured in an environment that is monitored by Spyderbat Nano Agents. Red flag events and/or spydertraces will only be exported via event forwarder integration for those hosts where a Spyderbat Nano Agent is installed and in good health.

Event forwarder installer is extremely lightweight and not demanding in terms of required resources. If the event forwarder instance is installed on a dedicated EC2, then we would need the dedicated EC2 instance to be at least a t4g.micro (arm64) or a t3.micro (x64). Of course, anything larger than that would be acceptable as well. If the EC2 instance has other services and applications on it, then we would expect to have at least 512 MB of memory and at least 1 CPU core to be available to support event forwarder operation.

Only one instance of the event forwarder needs to be configured for each environment as it is associated with a unique organization ID. Having multiple instances of the event forwarder in the same environment can result in duplicate ingestion of security events (red flags or spydertraces).

Please check out this section of our portal to learn more about the Spyderbat Nano Agent and the installation details.

Install Event Forwarder via Traditional Installer

Before attempting the install, please, make sure you have downloaded the latest version of the event forwarder (latest release).

  • Unpack the tarball:

The release package filename will differ from the example below.

mkdir /tmp/sef
tar xfz spyderbat-event-forwarder.5b41e00.tgz -C /tmp/sef
  • Run the installer:

cd /tmp/sef
sudo ./

You should see output like this:

spyderbat-event-forwarder is installed!

Please edit the config file now:

To start the service, run:
    sudo systemctl start spyderbat-event-forwarder.service

To view the service status, run:
    sudo journalctl -fu spyderbat-event-forwarder.service
  • Edit the config file:

sudo vi /opt/spyderbat-events/etc/config.yaml
  • Start the service:

sudo systemctl start spyderbat-event-forwarder.service
  • Check the service:

sudo journalctl -fu spyderbat-event-forwarder.service

Use ^C to interrupt the log. If you see errors, check the configuration, restart the service, and check again.

  • Enable the service to run at boot time:

sudo systemctl enable spyderbat-event-forwarder.service
  • If desired, integrate with the Splunk universal forwarder:

$ sudo splunk add monitor /opt/spyderbat-events/var/log/spyderbat_events.log
Your session is invalid. Please login.
Splunk username: <your splunk username>
Password: <your splunk password>
Added monitor of '/opt/spyderbat-events/var/log/spyderbat_events.log'.

Next Steps

To learn more about the event forwarder and how you can use it to integrate Spyderbat with your other solutions, see this page.

Last updated

© SPYDERBAT, Inc., All Rights Reserved