How to deploy OpenEDR in your environment

You can deploy and use OpenEDR in the following ways:

What is available today (as of 28th September 2020)
1- Full Comodo Dragon Enterprise platform (with pre-compiled OpenEDR, full management capability and portal; no fee for 3 months, until you can set up your own ELK stack)
https://enterprise.comodo.com/dragon/ (you can create an account with this link)

Coming soon… (hoping to have these within weeks)
** https://github.com/ComodoSecurity/openedr is now LIVE (9th Nov 2021!) **
1- You can download the source code from GitHub (coming soon), compile it, then create your own ELK.
2- Use the compiled OpenEDR package integrated into the Comodo Dragon Enterprise platform (free to use) along with your own ELK.
3- Use the compiled OpenEDR package integrated into the Comodo Dragon Enterprise platform with Comodo’s data lake (free up to 7-day storage) (for any Comodo endpoint security customers)
4- Comodo to provide a managed ELK stack integrated with OpenEDR (you can use the Comodo Dragon Enterprise Platform to manage all the endpoints, for free)

Happy to hear any other ideas about other deployment scenarios, please.


Did you evaluate with other SIEMs?!
For example, collect logs from the EDR and send them via syslog or JSON?
Because I can have another SIEM like QRadar/ArcSight or Splunk in my lab environment…

Hi Jolly,
We will use Filebeat/Logstash for sending the logs, and for the open-source version the collected logs will be locally stored as well. So here are some examples of what you can configure:

  • you can configure the Beats HTTP output plugin to send to Splunk or QRadar; both support HTTP event collection
  • you can configure syslog-ng to send the logs to whatever destination you want
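As an added example (not from this thread and not OpenEDR project code), a Logstash pipeline that tails the locally stored OpenEDR log lines and forwards each one to a Splunk HTTP Event Collector endpoint, which is the same HEC path QRadar-style HTTP receivers would replace. The log file location, the Splunk host name and the CA certificate path are assumptions; the HEC token is read from the SPLUNK_HEC_TOKEN environment variable rather than written into the pipeline file.

```logstash
# Added example (not OpenEDR project code): ship locally stored OpenEDR logs
# to Splunk HEC with Logstash. Paths and host names below are assumptions.
input {
  file {
    # Assumed log location; confirm against the install notes on GitHub.
    # The Logstash file input takes forward slashes even on Windows.
    path => "C:/ProgramData/edrsvc/*.log"
    start_position => "beginning"
    # Left unparsed on purpose: each line is forwarded verbatim and Splunk's
    # _json sourcetype parses it, so a malformed line is kept, not dropped.
    codec => "plain"
  }
}

filter {
  # Drop empty lines so they do not become empty HEC events.
  if [message] =~ /^\s*$/ { drop { } }
}

output {
  http {
    # Assumed Splunk host; HEC listens on 8088 by default.
    url         => "https://splunk.example.internal:8088/services/collector/event"
    http_method => "post"
    format      => "json"
    # Token comes from the environment, not from this file.
    headers     => { "Authorization" => "Splunk ${SPLUNK_HEC_TOKEN}" }
    # HEC envelope: the raw line goes under "event", tagged with its origin.
    mapping     => {
      "sourcetype" => "_json"
      "source"     => "openedr"
      "event"      => "%{message}"
    }
    # Verify the HEC certificate against a pinned CA instead of disabling TLS checks (assumed path).
    cacert => "C:/ProgramData/logstash/certs/splunk-ca.pem"
  }
}
```

Run it with `logstash -f openedr-to-splunk.conf` on the endpoint (or on a collector that has the log directory mounted); the events then appear in Splunk under source=openedr.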

Thanks for bringing this to the community. Just wondering, does it support cross-platform or just the Windows environment?

Also, when can we expect the Recommended Specs and Installation Instructions to be released?

Yes, for now it will support only Windows; we will adapt it for Linux as well.
Tomorrow we are releasing the binaries; I will update with instructions as well.

Binary is live!


I have registered Dragon Enterprise and enrolled devices on my dashboard. But how do I find my OpenEDR logs on the dashboard? Any steps to do?

OpenEDR writes the logs to a local folder; please check the install notes here: https://github.com/ComodoSecurity/openedr . We are going to expand this in further releases: https://github.com/ComodoSecurity/openedr_roadmap/issues/1

If you use Dragon Enterprise, you don't have to do anything; the agents from the portal automatically report to the portal.

I installed via the MSI provided on GitHub, and I verified that the service is running:

PS C:\Users\OpenEDR> get-service edrsvc
Status Name DisplayName
Running edrsvc OpenEDR Service

However, I am not seeing the folder C:\ProgramData\edrsvc to grab telemetry data from.

What am I missing?

I just created an account on Dragon and it says I can manage 50 devices. How can I expand past 50 without paying?
Thanks

Hi @stein97

For now we are doing it manually. (automation coming soon).
Please send an email to quick-start@openedr.com, and our guys will provide all the licensing you need to run for more than 50 devices.

Aha, no wonder some code such as nfapi::cmdedr has no reference to the original netfilter SDK.
However, I will try the releases section at GitHub.


Let us know if we can be of assistance please, @fatah.

OK, I have done the following:
Registered an account with Dragon
Downloaded the agent only & installed it
Installed OpenEDR 2.0 on the computer
Rebooted, and now I can see the desktop in Dragon and it says EDR is installed.

To test the EDR I ran the scripts from GitHub: https://github.com/op7ic/EDR-Testing-Script/blob/master/runtests.bat

The script ran, MS Defender complained, so I stopped it and re-ran.
The EDR reported no information in Dragon.

What did I do wrong?

Thanks

Hi @melih, I have tried to build the OpenEDR source code but am facing problems.
I have already posted the problems in the " Problems Issues and Resolutions" tab but am not getting a response.
Could you please look into that tab?