Operating System

This document describes the items required when installing and configuring the operating system.

Permissions Required for Installation

To install Logpresso Sonar, you need root privileges on the target server, or a user account that can execute administrative commands using sudo (a user belonging to the wheel group).

Operating System & JDK Installation

The officially supported operating system for Logpresso is Red Hat Enterprise Linux 9.

  • RHEL 9-compatible operating systems such as Rocky Linux can also be used.
  • The recommended installation type is Server with GUI.
  • Separate the operating system partition from the data partition.
    • Mount the data partition at /data.
    • It is recommended to configure the data partition with LVM so that capacity can be expanded as needed.
Installing Required Packages

Run the following command on a network with internet access to install the required packages.

sudo dnf -y install curl firewalld java-21-openjdk-devel \
  lsof net-tools traceroute unzip

  Package               | Purpose
  ----------------------|-------------------------------------------------------
  curl                  | Used for API testing
  firewalld             | Host firewall configuration
  java-21-openjdk-devel | JDK required for running Logpresso Sonar
  lsof                  | Diagnostic tool for checking open files and ports
  net-tools             | Network diagnostic tools such as netstat and ifconfig
  traceroute            | Diagnostic tool for tracing network paths
  unzip                 | Extracting Logpresso Sonar installation packages

  • You must install java-21-openjdk-devel instead of java-21-openjdk so that you can use jmap and jstack commands for debugging in case of failures.
  • If installing debugging tools is not allowed in your environment, install the java-21-openjdk-headless package.

The following packages are recommended for convenience.

sudo dnf -y install curl vim wget

  Package | Purpose
  --------|------------------------------------------------------------------------------------------
  vim     | Editing configuration files
  wget    | Used when running the Sentry installation script on the host where Sentry will be installed

Downloading Packages (For Air-Gapped Environments)

If you need to install in an air-gapped environment, follow these steps to prepare the package files for transfer into the air-gapped environment.

  1. Identify the operating system and version used in the air-gapped environment, and prepare a Linux host with the same version on a network with internet access.

  2. Run the following command to download all required packages and their dependencies to the specified path.

    # Downloading packages does not require sudo privileges.
    # --alldeps also fetches dependencies that are already installed on this host;
    # with --resolve alone they would be skipped and then be missing in the air-gapped environment.
    mkdir $HOME/rpm && cd $HOME/rpm && \
    dnf download --resolve --alldeps curl firewalld java-21-openjdk-devel \
      lsof net-tools traceroute unzip vim wget && \
    tar czvf rpm.tgz *.rpm
    
  3. Generate a file containing the hash value of the compressed file. The hash value is needed to verify the integrity of the files transferred into the air-gapped environment.

    sha256sum rpm.tgz > rpm.tgz.sha256
    
  4. Store the rpm.tgz and rpm.tgz.sha256 files in a safe location (read-only media is recommended).

To install the required packages in the air-gapped environment, follow these steps.

  1. Create a new directory (e.g., $HOME/rpm) and copy the rpm.tgz and rpm.tgz.sha256 files into it.

  2. Run the following command in the new directory and compare its output with the hash value recorded in the rpm.tgz.sha256 file. The two values must match before you proceed; if they differ, the archive was altered or corrupted in transit and must not be installed.

    sha256sum rpm.tgz
    
  3. Extract the rpm.tgz file and install the packages.

    tar xzvf rpm.tgz && sudo dnf install -y *.rpm
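The hash steps above, as an added example that is not part of the Logpresso documentation: one function generates the .sha256 file on the connected host, the other verifies it in the air-gapped environment with sha256sum -c, so a missing or mismatched hash stops the procedure instead of depending on a visual comparison. The demo() function exercises both on a constructed file in a temporary directory; the file names and directory are assumptions.

```bash
#!/bin/sh
# Added example (not from the Logpresso documentation): checksum handling for
# the air-gapped transfer, with the mismatch case handled explicitly.

# make_checksum ARCHIVE: write ARCHIVE.sha256 next to the archive (connected host).
# The hash file records the bare file name so it verifies from any directory.
make_checksum() {
  archive="$1"
  ( cd "$(dirname "$archive")" && \
    sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# verify_checksum ARCHIVE: 0 when ARCHIVE matches ARCHIVE.sha256, 1 when the
# hash file is missing or the hash differs (air-gapped environment).
verify_checksum() {
  archive="$1"
  dir="$(dirname "$archive")"
  name="$(basename "$archive")"
  if [ ! -f "$dir/$name.sha256" ]; then
    echo "FAIL: $name.sha256 not found; cannot verify integrity" >&2
    return 1
  fi
  # --status: exit code only, no output; the tool does the comparison for us
  if ( cd "$dir" && sha256sum -c --status "$name.sha256" ); then
    echo "OK: $name matches the recorded hash"
    return 0
  fi
  echo "FAIL: $name does not match the recorded hash; do not install" >&2
  return 1
}

# demo: constructed archive (not a real rpm.tgz) in a temporary directory.
# Verification must succeed first and fail after the file is altered.
demo() {
  work="$(mktemp -d)"
  printf 'constructed archive content\n' > "$work/rpm.tgz"
  make_checksum "$work/rpm.tgz"
  verify_checksum "$work/rpm.tgz" || { rm -rf "$work"; return 1; }   # expected: OK
  printf 'altered in transit\n' >> "$work/rpm.tgz"                   # simulate corruption
  if verify_checksum "$work/rpm.tgz" 2>/dev/null; then               # expected: FAIL
    rm -rf "$work"; return 1
  fi
  rm -rf "$work"
  return 0
}

demo
```

In the real procedure, run make_checksum on the connected host before copying rpm.tgz, and verify_checksum in the new directory of the air-gapped host before the tar/dnf step.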
    

Operating System Configuration

JDK Permission Configuration

Verify the installed JDK version and grant the permissions required to run Logpresso Sonar. This configuration must be performed on all nodes.

  1. Check the installed JDK version.

    java -version
    

    You should see version information similar to the following.

    openjdk version "21.0.10" 2026-01-20 LTS
    OpenJDK Runtime Environment (Red_Hat-21.0.10.0.7-1) (build 21.0.10+7-LTS)
    OpenJDK 64-Bit Server VM (Red_Hat-21.0.10.0.7-1) (build 21.0.10+7-LTS, mixed mode, sharing)
    
  2. Grant the required permissions to the java executable. File capabilities are stored on the binary itself, so they are lost when a JDK package update replaces the file that /etc/alternatives/java points to; repeat this step and step 3 after every java-21-openjdk-devel update.

    sudo setcap cap_net_bind_service,cap_sys_time,cap_net_raw=+ep $(readlink /etc/alternatives/java)
    

    The permissions granted to the java executable via setcap are as follows.

    Option               | Description                                      | Notes
    ---------------------|--------------------------------------------------|-----------------------------------------------------------
    cap_net_bind_service | Permission to bind ports below 1024              | Regular user accounts cannot use ports below 1024
    cap_sys_time         | Permission to change the system time             | Required for time synchronization and timestamp adjustment
    cap_net_raw          | Permission to use raw sockets and packet sockets | Used for direct pcap collection, sendsyslog, and the ping app
    +ep                  | +: add the listed capabilities to the flag sets that follow |
                         | e: effective set (the capability is active when the program starts) |
                         | p: permitted set (the capability is held by the process) |
  3. Verify that the permissions have been applied correctly.

    getcap $(readlink /etc/alternatives/java)
    

    You should see a result similar to the following.

    /usr/lib/jvm/java-21-openjdk-21.0.10.0.7-1.el9.x86_64/bin/java cap_net_bind_service,cap_net_raw,cap_sys_time=ep
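Checking the getcap result programmatically, as an added example that is not part of the Logpresso documentation: caps_ok() parses one line of getcap output and fails unless all three capabilities are present with both the e and p flags, which is the failure mode a partial or mistyped setcap produces. It accepts the RHEL 9 format shown above and the older libcap format; check_java_caps() runs it against the real binary. The sample lines in the comments are constructed.

```bash
#!/bin/sh
# Added example (not from the Logpresso documentation): confirm that the java
# binary carries every required capability with the e and p flags set.
REQUIRED_CAPS="cap_net_bind_service cap_net_raw cap_sys_time"

# caps_ok LINE: 0 when LINE (one line of getcap output) grants every required
# capability with flags containing e (effective) and p (permitted); 1 otherwise,
# with the reason on stderr. Accepts both getcap formats:
#   "<path> cap_a,cap_b=ep"    (libcap >= 2.41, as on RHEL 9)
#   "<path> = cap_a,cap_b+ep"  (older libcap)
caps_ok() {
  line="$1"
  spec="${line##* }"                       # last field: "cap_a,cap_b=ep" or "cap_a+ep"
  case "$spec" in
    *=*) caps="${spec%%=*}"; flags="${spec#*=}" ;;
    *+*) caps="${spec%%+*}"; flags="${spec#*+}" ;;
    *)   echo "no file capabilities set" >&2; return 1 ;;
  esac
  case "$flags" in
    *e*p*|*p*e*) ;;
    *) echo "flags '$flags' lack effective and/or permitted" >&2; return 1 ;;
  esac
  for want in $REQUIRED_CAPS; do
    case ",$caps," in
      *,"$want",*) ;;
      *) echo "missing $want" >&2; return 1 ;;
    esac
  done
  return 0
}

# check_java_caps: resolve the alternatives link fully and check the real binary.
# Capabilities live on the file, so run this again after every JDK package update.
check_java_caps() {
  bin="$(readlink -f /etc/alternatives/java)"
  caps_ok "$(getcap "$bin")"
}

# Constructed sample of a correct line (what step 3 should print):
#   /usr/lib/jvm/java-21-openjdk/bin/java cap_net_bind_service,cap_net_raw,cap_sys_time=ep
```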
    
SELinux Configuration

SELinux (Security-Enhanced Linux) is a module that enforces kernel-level security policies on Linux. By default, in enforcing mode, it blocks any actions that violate the security policy. Since SELinux may restrict access to certain directories when running Logpresso Sonar, you must change SELinux to permissive mode.

Note
We plan to improve this documentation after verifying the stability of Logpresso Sonar under SELinux enforcing mode. For now, this guide describes the installation process with SELinux set to Permissive.
  1. Open the /etc/selinux/config file and set SELINUX=permissive as shown below. The file is read at boot, so this setting takes effect at the next restart; to switch to permissive mode immediately without restarting, run setenforce 0 as described in step 2.

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=permissive
    
  2. Run the following command to apply Permissive mode immediately.

    sudo setenforce 0
    
  3. Run the getenforce command to verify that the current SELinux mode is displayed as Permissive.

    getenforce
    

Changing the Host Name

Change the server host name using the following command so that Logpresso Sonar nodes can be easily identified.

sudo hostnamectl set-hostname HOSTNAME
  • HOSTNAME: The host name

When there are multiple node pairs, it is recommended to assign host names using node pair identifiers and node identifiers such as c1a/c1b, d1a/d1b, d2a/d2b, f1a/f1b. For example, for a cluster consisting of 1 control node pair, 2 data node pairs, and 1 forwarder node pair, you can use the following host names.

Node Pair | Host Name | Description
----------|-----------|----------------------------------
c1        | c1a       | Node A of control node pair c1
c1        | c1b       | Node B of control node pair c1
d1        | d1a       | Node A of data node pair d1
d1        | d1b       | Node B of data node pair d1
d2        | d2a       | Node A of data node pair d2
d2        | d2b       | Node B of data node pair d2
f1        | f1a       | Node A of forwarder node pair f1
f1        | f1b       | Node B of forwarder node pair f1

NTP Configuration

Synchronize all nodes with the same NTP server to ensure accurate time information.

Note
Check the IP address or FQDN (e.g., time.kriss.re.kr) of the NTP server that provides the network standard time in advance.
  1. Configure the same NTP server or server pool in the /etc/chrony.conf file on all servers so that they synchronize with the same network standard time.

    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (https://www.pool.ntp.org/join.html).
    # pool 2.rocky.pool.ntp.org iburst    # Comment out the pool line
    server time.kriss.re.kr iburst prefer # KRISS (Korea Research Institute of Standards and Science) NTP server
    server 192.0.2.1 iburst               # NTP server in the internal network 192.0.2.0/24 range (example)
    

    Warning: When adding server lines, delete or comment out the pool lines. Only one of the two should be used.

  2. Run the following command to restart the chronyd service.

    sudo systemctl restart chronyd
    
  3. Run the following command to check the synchronization status of the currently registered NTP servers. If chronyd is operating normally, the synchronization status will be displayed.

    chronyc sources -v
    
  4. Run the following command to synchronize the time immediately.

    sudo chronyc -a makestep
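The chrony.conf edit from step 1, together with the warning about pool lines, as an added example that is not part of the Logpresso documentation: configure_chrony() comments out every active pool line and appends each requested server line only if no server line for that host exists, so it can be run repeatedly (for example from a provisioning script) without producing duplicate entries. The file path and server list are arguments; the sample below is constructed from the values used in this section.

```bash
#!/bin/sh
# Added example (not from the Logpresso documentation): idempotent chrony.conf
# edit that enforces "server lines or pool lines, never both".

# configure_chrony CONF "HOST [options]"...
#   CONF: the chrony.conf to edit
#   each further argument is the rest of a server line, e.g. "time.kriss.re.kr iburst prefer"
configure_chrony() {
  conf="$1"; shift
  # 1. Disable every active pool line (pool and server lines must not be mixed).
  sed -i 's/^[[:space:]]*pool[[:space:]]/# pool /' "$conf"
  # 2. Add each server line unless a server line for that host is already present.
  for spec in "$@"; do
    host="${spec%% *}"
    esc="$(printf '%s' "$host" | sed 's/[.]/\\./g')"   # escape dots for the regex
    if ! grep -Eq "^[[:space:]]*server[[:space:]]+$esc([[:space:]]|\$)" "$conf"; then
      echo "server $spec" >> "$conf"
    fi
  done
}

# active_sources CONF: print "server|pool HOST" for every uncommented time source,
# so the result can be reviewed before chronyd is restarted.
active_sources() {
  grep -E '^[[:space:]]*(server|pool)[[:space:]]' "$1" | awk '{ print $1, $2 }'
}

# Typical use on a node, as root, followed by steps 2 and 3 of this section:
#   configure_chrony /etc/chrony.conf "time.kriss.re.kr iburst prefer" "192.0.2.1 iburst"
#   active_sources /etc/chrony.conf
#   systemctl restart chronyd && chronyc sources -v
```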
    
Host Firewall Configuration

Configure inbound firewall policies to allow the communication required for running Logpresso Sonar. The following is an example of commands to configure firewall policies on the data node server according to the firewall policy configuration described in the prerequisites document.

When receiving data through forwarder nodes

sudo firewall-cmd --permanent --add-port={22,8443,7140}/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

When data nodes receive data directly without forwarder nodes

sudo firewall-cmd --permanent --add-port={22,8443,7140,8514}/tcp --add-port={514,8514,162}/udp
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
  • Syslog over DTLS (8514/tcp, 8514/udp) does not have a standard port, so it may vary depending on the operating environment.

The firewall configuration above does not restrict source IP addresses. To restrict source IP addresses at the host firewall, you must run advanced firewall policy commands using the --add-rich-rule option as shown below. Adjust the IP address ranges to match your actual environment.

# 1. Management network: 192.0.2.0/24
# SSH (22/tcp), ENT web console (8443/tcp)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" port port="22" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.0.2.0/24" port port="8443" protocol="tcp" accept'

# 2. Control nodes: 203.0.113.240/29
# Control nodes: Sonar Federation (8443/tcp)
# Note: Uses the same port 8443 as operators, but access from the control node range is also separately allowed
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.240/29" port port="8443" protocol="tcp" accept'

# 3. Data node range: 203.0.113.128/27 (203.0.113.129 ~ 203.0.113.159)
# Health check between peer nodes (7140/tcp)
# Note: Only allow traffic from the data node group
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.128/27" port port="7140" protocol="tcp" accept'

# 4. Forwarder node range: 203.0.113.160/27 (203.0.113.161 ~ 203.0.113.190)
# Forwarder nodes: RPC and log transmission (7140/tcp)
# Note: Configure when logs are transmitted to data nodes through forwarder nodes
# Note: Only allow traffic from the forwarder node group
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.160/27" port port="7140" protocol="tcp" accept'

# 5. Service network: 203.0.113.0/25 (203.0.113.1 ~ 203.0.113.126)
# Sentry: RPC and log reception (7140/tcp)
# Configure when Sentry connects directly to data nodes without forwarder nodes
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/25" port port="7140" protocol="tcp" accept'

# Syslog reception (514/udp)
# Configure when receiving Syslog data directly without forwarder nodes
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/25" port port="514" protocol="udp" accept'

# Syslog over DTLS reception (8514/tcp, 8514/udp)
# Configure when receiving Syslog over DTLS data directly without forwarder nodes
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/25" port port="8514" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/25" port port="8514" protocol="udp" accept'

# SNMP TRAP reception (162/udp)
# Configure when receiving SNMP TRAP data directly without forwarder nodes
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/25" port port="162" protocol="udp" accept'

# 6. Apply and verify settings
sudo firewall-cmd --reload
sudo firewall-cmd --list-rich-rules
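The same rich rules generated from a table, as an added example that is not part of the Logpresso documentation: rich_rule() validates the source CIDR, port and protocol before building the rule string, so a mistyped range fails before it reaches firewall-cmd and is silently rejected or, worse, accepted with an unintended meaning. emit_commands() prints one command per table line for review and only runs them when APPLY=1. The table in demo() is constructed from the ranges used above; the function names and the APPLY variable are assumptions.

```bash
#!/bin/sh
# Added example (not from the Logpresso documentation): table-driven generation of
# firewalld rich rules with input validation and a dry-run default.

# valid_cidr A.B.C.D/N: 0 for a syntactically valid IPv4 CIDR, 1 otherwise.
valid_cidr() {
  case "$1" in */*) ip="${1%/*}"; pfx="${1#*/}" ;; *) return 1 ;; esac
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"   # split into octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_port N: 0 for 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rich_rule SOURCE PORT PROTO: print the rich rule, or fail with a reason on stderr.
rich_rule() {
  valid_cidr "$1" || { echo "bad source '$1'" >&2; return 1; }
  valid_port "$2" || { echo "bad port '$2'" >&2; return 1; }
  case "$3" in tcp|udp) ;; *) echo "bad protocol '$3'" >&2; return 1 ;; esac
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' "$1" "$2" "$3"
}

# emit_commands: read "SOURCE PORT PROTO COMMENT" lines from stdin (comments and
# blank lines skipped) and print one firewall-cmd command per line. Stops at the
# first invalid line. With APPLY=1 the commands are executed instead of printed.
emit_commands() {
  while read -r src port proto comment; do
    case "$src" in ''|'#'*) continue ;; esac
    rule="$(rich_rule "$src" "$port" "$proto")" || return 1
    if [ "${APPLY:-0}" = 1 ]; then
      sudo firewall-cmd --permanent --add-rich-rule="$rule"
    else
      printf "sudo firewall-cmd --permanent --add-rich-rule='%s'   # %s\n" "$rule" "$comment"
    fi
  done
}

# demo: the data-node policy of this section as a table (constructed sample).
demo() {
  emit_commands <<'EOF'
# source            port proto comment
192.0.2.0/24        22   tcp   management network: SSH
192.0.2.0/24        8443 tcp   management network: ENT web console
203.0.113.240/29    8443 tcp   control nodes: Sonar Federation
203.0.113.128/27    7140 tcp   data nodes: peer health check
203.0.113.160/27    7140 tcp   forwarder nodes: RPC and log transmission
203.0.113.0/25      514  udp   service network: Syslog
203.0.113.0/25      162  udp   service network: SNMP TRAP
EOF
}
# Review with: demo   Apply with: APPLY=1 demo
# then: sudo firewall-cmd --reload && sudo firewall-cmd --list-rich-rules
```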
Socket Buffer and Memory Map Configuration

When receiving Syslog, Syslog over DTLS, or SNMP TRAP, insufficient kernel socket buffers or memory buffers can cause log packet loss. To prevent this, modify the socket buffer and memory map settings. Perform this task on all nodes.

  1. Create a 50-logpresso.conf file in the /etc/sysctl.d directory and add the following content.

    net.core.rmem_default = 52428800
    net.core.rmem_max = 52428800
    net.ipv4.udp_rmem_min = 8192
    net.ipv4.ipfrag_high_thresh = 16777216
    vm.max_map_count = 10000000
    vm.swappiness = 1
    

    The meaning of each item is as follows:

    Variable                    | Description                                    | Default | Setting
    ----------------------------|------------------------------------------------|---------|----------
    net.core.rmem_default       | Default receive buffer size for sockets        | 212992  | 52428800
    net.core.rmem_max           | Maximum receive buffer size for sockets        | 212992  | 52428800
    net.ipv4.udp_rmem_min       | Minimum receive buffer size for UDP sockets    | 4096    | 8192
    net.ipv4.ipfrag_high_thresh | Maximum IP packet reassembly buffer size       | 4194304 | 16777216
    vm.max_map_count            | Maximum number of virtual memory area mappings | 65530   | 10000000
    vm.swappiness               | Minimize swap usage                            | 60      | 1
  2. Run the following command to load the new file into the running kernel. Note that sysctl -p without a file argument reads only /etc/sysctl.conf, so the file in /etc/sysctl.d must be named explicitly (sysctl --system loads all of them).

    sudo sysctl -p /etc/sysctl.d/50-logpresso.conf
    
  3. Run the following command to verify the changed settings.

    sudo sysctl -a | grep -E "rmem_default|rmem_max|udp_rmem_min|ipfrag_high_thresh|max_map_count|swappiness"
    
Resource Limit Configuration
  1. Create a 50-logpresso.conf file in the /etc/security/limits.d directory and add the following content.

    logpresso        soft    nofile         126488
    logpresso        hard    nofile         126488
    logpresso        soft    nproc          126488
    logpresso        hard    nproc          126488
    
    • nofile: Maximum number of files that can be open simultaneously
    • nproc: Maximum number of processes (and threads) that can run simultaneously
  2. Run the following commands to verify the changed settings. Files in /etc/security/limits.d apply to new login sessions of the named user, so run them in a fresh login session of the logpresso account (once that account exists); values shown for another user or an existing session do not reflect the new file.

    ulimit -n  # Check file open limit (nofile)
    ulimit -u  # Check process limit (nproc)
    
Granting Diagnostic Tool Permissions
  1. Run the following commands to find the exact paths of the jstack and jmap executables.

    readlink /etc/alternatives/jstack
    readlink /etc/alternatives/jmap
    

    You should see results similar to the following.

    /usr/lib/jvm/java-21-openjdk/bin/jstack
    /usr/lib/jvm/java-21-openjdk/bin/jmap
    
  2. Run sudo visudo -f /etc/sudoers.d/logpresso and edit as follows. This grants the logpresso account permission to execute the jstack and jmap executables at the paths confirmed in step 1. (In sudoers a leading % denotes a group, so the command entries apply to members of the logpresso group; the Defaults:logpresso line applies to the logpresso user.)

    # Adjust the paths according to the output of the readlink command.
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/lib/jvm/java-21-openjdk/bin/jstack
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/lib/jvm/java-21-openjdk/bin/jmap
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/bin/arping
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/bin/netstat
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/sbin/ifconfig
    %logpresso     ALL=(ALL)       NOPASSWD: /usr/sbin/tcpdump
    
    Defaults:logpresso    !requiretty
    
    Note
    The logpresso account is created during Logpresso Sonar installation. Here, we describe granting diagnostic tool permissions in advance.
    The arping, netstat, ifconfig, and tcpdump commands are used by Logpresso Sonar to check Sentry status or collect pcap files.
  3. Run the following command to verify that the permissions have been applied correctly.

    sudo visudo -c
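An additional check on the fragment, as an added example that is not part of the Logpresso documentation: besides the syntax check, every NOPASSWD target should be an existing regular file that only root can modify, because a NOPASSWD entry pointing at a missing or group-writable file lets any member of the group run code of their choosing as root. sudoers_commands() extracts the command paths (including comma-separated lists), command_safe() checks one path, and audit_sudoers() lists the unsafe ones. The sudoers file path and the sample binaries used for testing are constructed; the owner check against root is left to the reader because it cannot be exercised without root.

```bash
#!/bin/sh
# Added example (not from the Logpresso documentation): audit the NOPASSWD
# entries of a sudoers fragment before relying on them.

# sudoers_commands FILE: print the command path of every NOPASSWD entry, one per
# line. Handles comma-separated command lists and entries that carry arguments.
sudoers_commands() {
  awk '/NOPASSWD:/ {
         sub(/.*NOPASSWD:[[:space:]]*/, "")
         n = split($0, entries, /,[[:space:]]*/)
         for (i = 1; i <= n; i++) { split(entries[i], words, " "); print words[1] }
       }' "$1"
}

# command_safe PATH: 0 when PATH is an existing regular file that neither group
# nor others can write to; 1 otherwise, with the reason on stderr.
command_safe() {
  p="$1"
  if [ ! -f "$p" ]; then
    echo "$p: missing or not a regular file" >&2; return 1
  fi
  mode="$(stat -c %a "$p")"                 # e.g. 755 or 4755 (GNU stat)
  if [ $((0$mode & 022)) -ne 0 ]; then      # g+w or o+w set
    echo "$p: writable by group or others (mode $mode)" >&2; return 1
  fi
  return 0
}

# audit_sudoers FILE: print every unsafe command path; 0 only when all are safe.
audit_sudoers() {
  rc=0
  for p in $(sudoers_commands "$1"); do
    command_safe "$p" 2>/dev/null || { echo "$p"; rc=1; }
  done
  return $rc
}

# Typical use after step 2 (syntax check first, then the file audit):
#   sudo visudo -cf /etc/sudoers.d/logpresso && audit_sudoers /etc/sudoers.d/logpresso
```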
    

Creating Logpresso Directories

Run the following command to create the directory where Logpresso will be installed. The Logpresso directory can be changed to suit your operating environment. This document uses /opt/logpresso.

sudo mkdir -p /opt/logpresso