Chapter 11: Installation & Debugging

Site preparation, installation requirements, step-by-step deployment procedure, and common debugging scenarios

11.1 Installation Requirements

Proper installation of a log security system requires careful site preparation to ensure the hardware operates within its specified environmental parameters and that the physical security of the evidence vault is maintained. The images below illustrate the key installation requirements for a standard enterprise deployment, showing both the physical installation process and the required environmental conditions.

Figure 11.1: Installation Process — Two certified technicians in ESD-protected attire installing a log security appliance into a 42U rack cabinet, with cable management arms and installation guide visible. ESD wrist straps and anti-static flooring are required for all hardware installation activities.

Figure 11.2: Installation Environment Requirements — Properly configured data center showing: temperature monitoring (21°C), humidity monitoring (45% RH), overhead cable trays, hot-aisle/cold-aisle separation, fire suppression system, UPS units, and organized rack spacing. All these environmental controls are mandatory for a compliant log security deployment.

Power Requirements

  • Dedicated 20A circuit per appliance pair
  • UPS with minimum 4-hour runtime at full load
  • Generator backup for extended outages
  • PDU with per-outlet monitoring and remote switching
  • Ground fault protection on all circuits

Environmental Requirements

  • Temperature: 18–27°C (64–81°F) operating range
  • Humidity: 40–60% RH, non-condensing
  • Hot-aisle/cold-aisle separation required
  • Minimum 600mm front clearance per rack
  • Raised floor or overhead cable management

Physical Security Requirements

  • Dedicated locked rack cabinet for vault hardware
  • Biometric or badge access to server room
  • CCTV coverage of all rack rows
  • Tamper-evident seals on vault appliances
  • Visitor log and escort policy enforced

Network Pre-Requisites

  • VLANs pre-configured per network design
  • Firewall rules approved and staged
  • NTP servers reachable from all VLANs
  • DNS resolution working for all hostnames
  • Management VLAN isolated from production
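The last two network prerequisites (NTP and DNS reachability, plus the firewall rules that must be staged before the collectors can reach the gateway) are the ones most often found broken on day one. The script below is an added example, not part of this manual or of any vendor tooling: it resolves each hostname in a check plan and attempts a TCP handshake to the listed port, which is the same test the `nc -zv` command in 11.3 performs. The hostnames and ports in CHECK_PLAN are placeholders and must be replaced with the values from the approved network design.

```python
"""Network prerequisite check: DNS resolution plus TCP reachability per service.

Added example, not part of the manual. Uses only the Python standard library.
"""
import socket

DEFAULT_TIMEOUT = 3.0  # seconds to wait for a TCP handshake before declaring failure

# Constructed check plan: hostnames are placeholders for the real network design.
# Ports 6514 (syslog TLS) and 5044 (Beats) are the ingest ports named in 11.3.
CHECK_PLAN = [
    ("ingest gateway syslog-TLS", "gateway.vault.example.internal", 6514),
    ("ingest gateway Beats", "gateway.vault.example.internal", 5044),
    ("vault storage API", "vault.vault.example.internal", 443),
]


def resolve(hostname):
    """Return the sorted list of addresses a name resolves to, or [] if lookup fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=DEFAULT_TIMEOUT):
    """True if a TCP handshake to host:port completes within timeout (nc -zv equivalent).

    A refused connection, a firewall drop (timeout) and an unresolvable name all
    return False; the caller distinguishes DNS failures via resolve().
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(plan):
    """Return {check name: (addresses, reachable)}; an unresolved name is never reachable."""
    results = {}
    for name, host, port in plan:
        addresses = resolve(host)
        reachable = bool(addresses) and tcp_reachable(host, port)
        results[name] = (addresses, reachable)
    return results


def all_passed(results):
    """True only if every planned service resolved and accepted a TCP connection."""
    return all(reachable for _, reachable in results.values())


if __name__ == "__main__":
    for name, (addresses, reachable) in run_checks(CHECK_PLAN).items():
        status = "OK" if reachable else "FAIL (check DNS record, VLAN, firewall rule)"
        print(f"{name:28s} {','.join(addresses) or 'unresolved':24s} {status}")
```

Run it from each VLAN that will host a collector, since a rule approved in the firewall change ticket but not yet staged shows up here as a timeout rather than a refusal.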

11.2 Step-by-Step Installation Procedure

The following procedure describes the standard installation sequence for a log security system. Each step must be completed and verified before proceeding to the next. The procedure assumes that site preparation (power, cooling, network, physical security) has been completed and verified in advance.

Step 1: Rack Mounting and Physical Installation

Install rack rail kits for each appliance. Mount appliances in the rack in the following order from bottom to top: UPS, patch panel, managed switch, ingest gateway, HSM, vault storage array, collector pair. Attach cable management arms. Apply tamper-evident seals to all vault hardware. Photograph the completed rack for documentation.

Step 2: Cabling and Connectivity

Connect all power cables to the PDU. Connect all data network cables according to the approved cabling diagram — use blue cables for data network and red cables for management network. Connect fiber transceivers and LC-LC cables for 10G uplinks. Label all cable ends with the approved labeling scheme. Photograph the completed cabling for documentation.

Step 3: Initial Power-On and BIOS Configuration

Power on each appliance in sequence, starting with the managed switch, then the ingest gateway, then the collectors, then the HSM, then the vault storage. Connect console cables and verify that each appliance boots successfully. Configure BIOS settings: enable Secure Boot, disable unused ports (USB, serial), set boot order to internal storage only. Enable IPMI/iDRAC and configure the management IP address.

Step 4: Operating System and Software Installation

Install the approved operating system image on each appliance using the secure boot-verified installation media. Apply all security patches before connecting to the production network. Install the log security software components in the following order: HSM driver and PKCS#11 library, vault storage agent, ingest gateway service, collector agent. Verify software signatures before installation.

Step 5: Network Configuration and Zone Assignment

Configure network interfaces with the approved IP addresses and VLAN assignments. Configure static routes for inter-zone communication. Verify connectivity to NTP servers and DNS resolvers. Configure firewall rules on the managed switch and dedicated firewall. Test connectivity between all components using the approved test plan.
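Verifying NTP reachability at this step is worth doing with a real time query rather than a port probe, because the drift alert in 11.3 fires on a 100 ms offset, not on unreachability. The following is an added example, not part of this manual or of any vendor tool: it sends an SNTP client-mode request, parses the 48-byte NTP v4 reply with the standard layout (RFC 5905), computes the offset with the four-timestamp formula, and compares it against the 100 ms threshold. The server name in the main block is a placeholder, and the response built by build_response is constructed so the arithmetic can be exercised offline.

```python
"""SNTP offset check against the 100 ms drift threshold.

Added example, not part of the manual. Standard library only.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
DRIFT_THRESHOLD_S = 0.100       # alert threshold from the debugging table in 11.3 (100 ms)
# LI/VN/Mode, stratum, poll, precision (signed), then 11 big-endian 32-bit words:
# root delay, root dispersion, reference id, and four 64-bit timestamps (ref, orig, recv, xmit).
NTP_PACKET_FORMAT = "!BBBb11I"
NTP_PACKET_SIZE = struct.calcsize(NTP_PACKET_FORMAT)  # 48 bytes


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(unix_seconds):
    """Inverse of ntp_to_unix; used to construct a demo response."""
    whole = int(unix_seconds)
    return whole + NTP_EPOCH_OFFSET, int((unix_seconds - whole) * 2**32)


def build_request():
    """Client request: LI=0, VN=4, Mode=3 (0x23); all other fields zero."""
    return struct.pack(NTP_PACKET_FORMAT, 0x23, *([0] * 14))


def build_response(recv_unix, xmit_unix, stratum=2):
    """Construct a server-mode (0x24) reply carrying the given T2/T3 (demo data only)."""
    return struct.pack(NTP_PACKET_FORMAT, 0x24, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0,               # root delay, root disp, ref id, ref ts, orig ts
                       *unix_to_ntp(recv_unix), *unix_to_ntp(xmit_unix))


def parse_response(packet):
    """Return (stratum, T2 receive time, T3 transmit time) in Unix seconds; reject bad replies."""
    if len(packet) != NTP_PACKET_SIZE:
        raise ValueError(f"bad NTP packet length {len(packet)}")
    fields = struct.unpack(NTP_PACKET_FORMAT, packet)
    mode, stratum = fields[0] & 0x07, fields[1]
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    if stratum == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    recv_ts = ntp_to_unix(fields[11], fields[12])   # receive timestamp (T2)
    xmit_ts = ntp_to_unix(fields[13], fields[14])   # transmit timestamp (T3)
    return stratum, recv_ts, xmit_ts


def clock_offset(t1, t2, t3, t4):
    """RFC 5905 offset ((T2 - T1) + (T3 - T4)) / 2; positive means the local clock is behind."""
    return ((t2 - t1) + (t3 - t4)) / 2


def assess(offset_s, threshold_s=DRIFT_THRESHOLD_S):
    """Map an offset to the same verdict the drift alert would give."""
    return "ok" if abs(offset_s) <= threshold_s else "ALERT: drift exceeds threshold"


def query_server(host, port=123, timeout=2.0):
    """Send one request over UDP and return (stratum, offset in seconds). Raises OSError if unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()                              # T1: request leaves the client
        sock.sendto(build_request(), (host, port))
        data, _ = sock.recvfrom(NTP_PACKET_SIZE)
        t4 = time.time()                              # T4: reply arrives at the client
    stratum, t2, t3 = parse_response(data)
    return stratum, clock_offset(t1, t2, t3, t4)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["ntp.example.internal"]:   # placeholder server name
        try:
            stratum, offset = query_server(host)
            print(f"{host}: stratum {stratum}, offset {offset * 1000:+.1f} ms -> {assess(offset)}")
        except (OSError, ValueError) as exc:
            print(f"{host}: no valid reply ({exc}) -> check UDP 123 firewall rules and NTP keys")
```

A timeout here maps to the first two causes listed for the NTP alert in 11.3 (server unreachable, UDP 123 blocked); a reply that parses but carries stratum 0 means the server itself is unsynchronised. This plain SNTP exchange does not validate the NTP authentication key, so a key mismatch still has to be checked on the daemon side with ntpq -p.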

Step 6: HSM Initialization and Key Ceremony

Perform the HSM key ceremony with at least two authorized personnel present. Initialize the HSM with the approved security officer and user credentials. Generate the signing key pair (ECDSA P-384) and the encryption key (AES-256). Export the public key certificate for distribution to all components. Back up the HSM key material to the offline backup token using the approved procedure. Document the key ceremony with signed records.

Step 7: Certificate Installation and mTLS Configuration

Install the CA root certificate on all components. Issue and install TLS certificates for each component from the organization PKI. Configure mTLS on all inter-component connections: collector-to-gateway, gateway-to-vault, management interfaces. Verify that all mTLS connections are established successfully using openssl s_client. Verify that certificate revocation checking (OCSP or CRL) is working correctly.

Step 8: WORM Storage Configuration

Configure the vault storage with WORM/Object Lock in Compliance mode. Set the default retention period to the required value (e.g., 3 years for PCI DSS). Verify that the WORM lock is active by attempting to delete a test object and confirming the deletion is rejected. Configure the storage monitoring to alert on WORM policy violations. Document the WORM configuration with screenshots.

Step 9: Integration and End-to-End Test

Configure log sources to forward events to the collector using the approved protocol (syslog TLS, Beats, or API). Verify that events flow end-to-end from source to vault storage. Verify that the hash chain is correctly formed. Configure SIEM integration and verify that events appear in the SIEM. Configure alerting and verify that test alerts are delivered. Proceed to acceptance testing as described in Chapter 10.

11.3 Common Debugging Scenarios

The following table documents the most common issues encountered during installation and initial operation, along with their root causes and recommended remediation steps.

Symptom: mTLS connection fails — "certificate verify failed"
Cause: CA root certificate not installed on one or both endpoints; certificate hostname mismatch; certificate expired
Fix: Verify CA root certificate is installed on both endpoints using openssl verify. Check certificate SAN/CN matches the hostname. Check certificate expiry with openssl x509 -noout -dates.

Symptom: Log events not appearing in vault — EPS counter shows 0
Cause: Firewall blocking port 6514 (syslog TLS) or 5044 (Beats); collector service not running; incorrect gateway IP configured
Fix: Test connectivity with nc -zv <gateway-ip> 6514. Check collector service status. Verify gateway IP in collector configuration file.

Symptom: Hash chain integrity alert — "gap detected at segment 1042"
Cause: Clock drift caused out-of-order segments; network outage caused segment loss; storage write failure
Fix: Check NTP synchronization status. Review collector buffer for unsent segments. Check storage write error logs. Manually verify segment continuity around the gap.

Symptom: HSM PKCS#11 error — "CKR_TOKEN_NOT_PRESENT"
Cause: HSM USB token not connected; HSM service not running; incorrect slot number configured
Fix: Verify HSM token is physically connected. Restart HSM service. Check slot number with pkcs11-tool --list-slots.

Symptom: WORM deletion test fails — deletion succeeds instead of being rejected
Cause: WORM policy not applied to the correct storage bucket; Object Lock not enabled at bucket creation; retention period set to 0
Fix: Verify Object Lock is enabled on the bucket (cannot be enabled after creation — bucket must be recreated). Verify default retention period is set correctly. Retest with a new test object.

Symptom: NTP drift alert — "drift exceeds 100ms threshold"
Cause: NTP server unreachable; firewall blocking UDP port 123; NTP authentication key mismatch
Fix: Test NTP server reachability with ntpq -p. Check firewall rules for UDP 123. Verify NTP authentication key matches on both client and server.
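Both the "verify that the hash chain is correctly formed" check in Step 9 and the "manually verify segment continuity around the gap" remediation for the hash chain alert above need the same tool: a verifier that walks the stored segments and reports exactly where continuity or integrity breaks. The block below is an added example, not the vault product's own code; the manual does not specify the chain format, so the segment layout (sequence number, previous hash, payload, SHA-256 over all three) and the all-zero genesis anchor are assumptions for illustration, and the five-event sample chain is constructed.

```python
"""Hash chain formation and verification with gap, order and tamper detection.

Added example, not the vault product's own code. Standard library only.
The segment format is an assumption; adapt segment_hash() to the real vault layout.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64   # assumed anchor for the first segment's prev_hash


def segment_hash(seq, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of (seq, prev_hash, payload)."""
    material = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                          sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(material).hexdigest()


def append_segment(chain, payload):
    """Form the next segment: seq increments by one and prev_hash links to the last segment."""
    seq = chain[-1]["seq"] + 1 if chain else 1
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    segment = {"seq": seq, "prev_hash": prev, "payload": payload,
               "hash": segment_hash(seq, prev, payload)}
    chain.append(segment)
    return segment


def verify_chain(segments):
    """Walk segments in stored order; return [(seq, message), ...], empty if the chain is intact.

    Three failure classes map onto the causes listed for the hash chain alert:
      - a sequence number lower than expected: out-of-order or duplicate delivery
      - a sequence number higher than expected: a gap (segment lost or never written)
      - a recomputed hash that differs from the stored one: content altered after hashing
    """
    findings = []
    expected_seq, expected_prev = 1, GENESIS_HASH
    for seg in segments:
        seq = seg["seq"]
        if seq < expected_seq:
            findings.append((seq, "out-of-order or duplicate segment (check NTP sync and collector buffer)"))
            continue                       # do not advance expectations on a late arrival
        if seq > expected_seq:
            findings.append((expected_seq, f"gap detected at segment {expected_seq} (next stored segment is {seq})"))
        elif seg["prev_hash"] != expected_prev:
            findings.append((seq, "link broken: prev_hash does not match the preceding segment's hash"))
        if segment_hash(seq, seg["prev_hash"], seg["payload"]) != seg["hash"]:
            findings.append((seq, "hash mismatch: segment content altered after it was hashed"))
        expected_seq, expected_prev = seq + 1, seg["hash"]
    return findings


def build_sample_chain():
    """Constructed sample of five syslog-style events; not real log data."""
    chain = []
    for i in range(1, 6):
        append_segment(chain, {"ts": f"2024-01-01T00:00:0{i}Z", "host": "web01",
                               "msg": f"constructed event {i}"})
    return chain


if __name__ == "__main__":
    intact = build_sample_chain()
    print("intact chain:", verify_chain(intact) or "no findings")

    gapped = build_sample_chain()
    del gapped[3]                          # simulate segment 4 lost in transit
    print("gapped chain:", verify_chain(gapped))

    tampered = build_sample_chain()
    tampered[1]["payload"]["msg"] = "altered after write"
    print("tampered chain:", verify_chain(tampered))
```

When the verifier reports a gap, the sequence number it names is the missing one, so the next action is to look for that number in the collector's unsent buffer; a hash mismatch with intact links, by contrast, points at the storage layer rather than at delivery.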