xTend for Linux
Getting Started
1. Introduction
1.1. Purpose of This Guide
This guide provides an overview of xTend software along with the installation, configuration, and usage of xTend software.
1.2. What is xTend?
Introducing Ennetix xTend, the next level of observability for Linux users. This ground-breaking tool provides unparalleled visibility into the covert activities taking place in your system. With xTend, you can finally peel back the layers of your Linux computer operations to see what’s really happening underneath.
1.3. Supported Linux Distributions
Currently, xTend is supported on Ubuntu 22.04+ and Debian 12+.
2. Installation
2.1. System Requirements
No special system requirements other than supported Linux versions.
2.2. Downloading the Installer
Please download xTend version 1.0 for Linux from here: xTend Installer.
2.3. Installation Process
Unzip and enter the xTend directory with:
tar xf /path/to/xtend.tar.gz cd path/to/xtend
xTend is supported natively on Debian testing (Trixie) and Ubuntu 23.10, but can be installed on Debian 12 and Ubuntu 22.04 by running the install script:
Note: For Ubuntu 22.04, the 23.10-main repository will be added for the duration of the installation and will update glibc6 to 2.38, which requires restarting multiple services; select yes when prompted to automate the restart of the required services.
chmod +x install.sh ./install.sh
On Debian Testing (Trixie) and Ubuntu 23.10, no additional dependencies are required and xTend can be installed easily with:
sudo apt update && sudo dpkg –i xTend_0.0.1_amd64.deb
3. Upgrading xTend
Installing the .deb package will automatically install our apt repository and signing key to enable auto-updating with the apt package manager. The repository and key can also be manually installed with the following script:
sudo apt install wget gpg wget -qO- https://xvisor.blob.core.Linux.net/public/xtend/linux/deb/xtend.deb.asc | gpg --dearmor > xtend.deb.gpg sudo install -D -o root -g root -m 644 xtend.deb.gpg /etc/apt/keyrings/xetend.deb.gpg sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/xtend.deb.gpg] https://xvisor.blob.core.Linux.net/public/xtend/linux/deb stable non-free" > /etc/apt/sources.list.d/xtend.list' rm –f xtend.deb.gpg
Then update apt’s package cache and install xTend using:
sudo apt install apt-transport-https sudo apt update sudo apt install xtend
4. Running xTend
When installed, xTend will automatically be created and started as a systemd service and will run on startup. To disable this functionality, disable and stop the service as this:
sudo systemctl stop xtend.service sudo systemctl disable xtend.service
This service can similarly be started and enabled to run on startup with:
sudo systemctl start xtend.service sudo systemctl enable xtend.service
xTend can also be started simply by calling xTend in any terminal; however, ensure that only one instance of xTend is running at a time.
5. Accessing xTend Logs
The xTend data can be written to either /usr/share/xtend/ or /var/log/xtend/. By default, you will find the xTend logs in /var/log/xtend/logs. Logs are constantly written to event_logging.json and rolled over to event_<timestamp>.json. In this directory, you will have files that contain both process creation and network connection logs.
5.1. Understanding the Log Files
The log files will contain both process creation and network connection logs that describe the system activities on the device where xTend is running. The following data described is specific to a process creation event or a network connection event.
5.2. Process Creation Logs
Process-creation event logs will contain the following information:
- process[args]: The list of arguments the process was run with.
- process[args_count]: The number of arguments of the process.
- process[executable]: The executable path.
- process[pid]: The ID of the process.
- process[parent][executable]: The parent executable path.
- process[parent][pid]: The ID for the parent process.
- user[name]: The user that the process event happened on.
- parent_processes: All parent processes.
Following is an example line you would see in a log file for a process-creation event:
{"@timestamp":"2024-04-30T19:27:45Z", "count":1,"ecs":{"version":"8.11.0"}, "host":{"hostname":"EN-Joe", "ip":"192.168.1.128", "os":{"type":"Linux", "version":"6.1.0-18-amd64"}}, "labels":{"xomeId":0}, "message":"Provenance_Data", "parent_processes":[{"exectuable":"code","pid":3348193}], "process":{"args":["args"], "args_count":1, "executable":"/usr/bin/docker", "parent":{"executable":"code", "pid":3348193}, "pid":3775437}, "tags":["0.0.0"], "user":{"name":"joe"}}
5.3. Network Connection Logs
Network connection event logs will contain the following information:
- destination[ip]: Destination IP for a network connection (May be omitted for aggregated data).
- destination[port]: Destination port for a network connection.
- source[ip]: Source IP of a network connection.
- source[port]: Source port of the network connection (May be omitted for aggregated data).
- network[application]: The application that created the network connection (will be empty if no application created the connection).
- network[direction]: Whether the network connection is inbound or outbound.
- network[transport]: The transport protocol of the network connection.
- process[pid]: The ID of the process that created the network connection (will be 0 if no application created the connection).
Following is an example line you would see in a log file for a network-creation event:
{"@timestamp":"2024-04-30T19:27:46Z", "count":1, "destination":{"ip":"1.1.1.1", "port":0}, "ecs":{"version":"8.11.0"}, "host":{"hostname":"EN-Debian-Joe", "ip":"2.8.1.8", "os":{"type":"Linux", "version":"6.1.0-18-amd64"}}, "labels":{"xomeId":0}, "message":"Network_Connection","network":{"application":"DNS Res~er #705", "direction":"outbound", "transport":"udp"}, "process":{"pid":73170}, "source":{"ip":"2.8.1.8", "port":55244}, "tags":["0.0.0"]}
5.4. Viewing xTend Logs (Personal Edition)
[some screenshots will be added here]
6. xTend Configuration (Personal Edition)
6.1. Overview of the Configuration File
xTend includes a single configuration file “config.json” to manage all its services. Some of the services in xTend (personal edition) are: OS, Aggregation, and Provenance. It is important to note that users of the personal edition of xTend do not need to configure anything. Default configurations will work automatically. But, for curious users, a sample configuration file will be in the following format:
{ "os" : { "exporter" : { "type": "socket", "args": { "port": 11427 } } }, "aggregation" : { "additional_config": { "aggregation_time": 0.1 }, "listener" : { "type": "socket", "args": { "port": 11428 } }, "exporter" : { "type": "logging", "args": { "maxSizeKB" : 64, "maxLogFiles" : 4, "fileDirectory" : "../logs", "fileExtension" : "json" } } }, "provenance" : { "listener" : { "type": "socket", "args": { "port": 11427 } }, "exporter" : { "type": "socket", "args": { "port": 11428 } } }
6.2. Understanding Configuration Options
Each section of the configuration file represents a single xTend service which must contain a listener and exporter object except for OS which contains an exporter. By default, xTend is configured so that the OS service exports to the Provenance service’s listener via a socket on port 11427 which similarly exports to Aggregation on port 11428. If the configuration file is changed, the application should be restarted so that the configuration can be reapplied to xTend. Below, details on the types of supported listeners and exporters and configurations of each of these options are provided.
6.2.1. Listener Settings
The “listener” object in the configuration is used for the Aggregation and Provenance services and not the OS service. The “listener” object can use the following configurations:
1. File Overwrite: Reading data from a file.
{ "listener": { "type": "file_overwrite", "args": { "filename": "filename" } }
Note: The filename is a path relative to the executable.
2. Socket: Read data from a socket.
{ "listener": { "type": "socket", "args": { "port": 1123 } } }
{ "listener": { "type": "socket", "args": { "port": 1123 } } }
Note: If the specified port is in use, the program will not run; current default port used is 11427.
2. File Stream: Continuously write to a file in a folder without rotating (file grows infinitely).
{ "exporter": { "type": "file_stream", "args": { "folderPath": "folderPath" } } }
Note: Keep this in mind that “folderPath” and “filename” serve different roles. The “folderPath” points to a specific location for saving the file, which then gets automatically assigned its name.
3. Rotating Logs: Continuously write to a file in the folder with rotating logs (logs rotated when one file reaches a certain size).
{ "exporter" : { "type": "logging", "args": { "maxSizeKB" : 64, "maxLogFiles" : 4, "fileDirectory" : "../logs", "fileExtension" : "json" } } }
Note: “maxSizeKB” is in KB and “maxLogFiles” will produce 1 + maxLogFiles number of files where one file is where data is initially written to before rotating.
6.2.3. Additional Settings
The “additional_config” object in the configuration contains additional options and adjustments for the Services. Currently, this object is used for only the Aggregation config section. The object determines how long the application aggregated data for before logging the aggregated data. The “additional_config” object is in the following format:
{ "additional_config": { "aggregation_time": 0.1 }
Note: The aggregation time is in seconds.
7. xTend Configuration (Enterprise Edition)
7.1. Overview of the Configuration File
xTend includes a single configuration file “config.json” to manage all its services. Some of the services in xTend (enterprise edition) are: OS, Aggregation, Provenance, and Sigma. It is important to note that xTend with the default configuration will work automatically. But, for advanced users, a sample configuration file will be in the following format:
{ "os" : { "exporter" : { "type": "socket", "args": { "port": 11427 } } }, "aggregation" : { "additional_config": { "aggregation_time": 0.1 }, "listener" : { "type": "socket", "args": { "port": 11428 } }, "exporter" : { "type": "logging", "args": { "maxSizeKB" : 64, "maxLogFiles" : 4, "fileDirectory" : "../logs", "fileExtension" : "json" } } }, "provenance" : { "listener" : { "type": "socket", "args": { "port": 11427 } }, "exporter" : { "type": "socket", "args": { "port": 11428 } } }, "sigma" : { "listener" : { "type": "socket", "args": { "port": 11428 } }, "exporter" : { "type": "logging", "args": { "maxSizeKB" : 64, "maxLogFiles" : 4, "fileDirectory" : "../sigmalogs", "fileExtension" : "json" } } } }
7.2. Understanding Configuration Options
Each section represents a single xTend service which must contain a listener and exporter object except for OS which contains an exporter. By default, xTend is configured so that the OS service exports to the Provenance service’s listener via a socket on port 11427 which similarly exports to Aggregation and Sigma-rule-based detection on port 11428. The Sigma (rule-based detection) service is an optional service that can be disabled by excluding it from the config.json file. If the configuration file is changed, the application should be restarted so that the configuration can be reapplied to xTend. Below, more details on the types of supported listeners and exporters and configurations of each of these options are provided.
7.2.1. Listener Settings
The “listener” object in the configuration is used for the Aggregation, Provenance and Sigma services and not the OS service. The “listener” object can use the following configurations:
1. File Overwrite: Reading data from a file.
{ "listener": { "type": "file_overwrite", "args": { "filename": "filename" } }
Note: The filename is a path relative to the executable.
2. Socket: Read data from a socket.
{ "listener": { "type": "socket", "args": { "port": 1123 } } }
Note: If the specified port is in use, the program will not run; current default port used is 11427.
2. File Stream: Continuously write to a file in a folder without rotating (file grows infinitely).
{ "exporter": { "type": "file_stream", "args": { "folderPath": "folderPath" } } }
Note: Keep this in mind: “folderPath” and “filename” serve different roles. The “folderPath” points to a specific location for saving the file, which then gets automatically assigned its name.
3. Rotating Logs: Continuously write to a file in folder with rotating logs (logs rotated when one file reaches a certain size).
{ "exporter" : { "type": "logging", "args": { "maxSizeKB" : 64, "maxLogFiles" : 4, "fileDirectory" : "../logs", "fileExtension" : "json" } } }
Note: “maxSizeKB” is in KB and “maxLogFiles” will produce 1 + maxLogFiles number of files where one file is where data is initially written to before rotating.
4. Kafka: Write data to a Kafka server.
{ "exporter": { "type": "kafka", "args": { "bootstrapServer": "localhost:9092", "user": "testingUser", "password": "testingPassword", "topic": "testing" } } }
Note: “user” and “password” are optional; and if at least one is not defined, then localhost server is used as the Kafka server.
7.2.3. Additional Settings
The “additional_config” object in the configuration contains additional options and adjustments for the Services. Currently, this object is used for only the Aggregation config section. The object determines how long the application aggregated data for before logging the aggregated data. The “additional_config” object is in the following format:
{ "additional_config": { "aggregation_time": 0.1 }
Note: The aggregation time is in seconds.