GrayLog: Difference between revisions
Latest revision as of 19:46, 5 November 2020
File Locations
Server configuration file
/etc/graylog/server/server.conf
BIN Directory
# Set the bin directory here (relative or absolute)
# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog-server/bin
Data Directory
# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
# Default: data
data_dir = /var/lib/graylog-server
Plugin Directory
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin
Check Graylog Version
yum info graylog-server
Graylog Server Update
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum clean all
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
Configuration
Graylog - Sidecars
reference: https://docs.graylog.org/en/latest/pages/sidecar.html
Windows
Download the latest sidecar release from: graylog-sidecars releases
Once the file is downloaded onto the desired Windows machine, open a command prompt or PowerShell window and run the following commands from the directory containing the installer.
The API token for the Sidecar system can be found under System / Authentication: click More actions > Edit tokens for the Sidecar System user and use the Copy to clipboard button to copy the API token.
cd "C:\path\to\directory"
graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken
Afterwards you can edit the configuration if needed:
notepad.exe "C:\Program Files\Graylog\sidecar\sidecar.yml"
Start up the sidecar service with the following command:
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
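The install steps above, as an added PowerShell example (not from the wiki page or the Graylog project) that prompts for the API token instead of typing it on the command line, verifies the generated sidecar.yml, checks the service state, and probes the Beats input port used by the configuration in the next section. It assumes the installer file name and paths from the notes, that the installer registers a Windows service named graylog-sidecar, and that $BeatsHost/$BeatsPort match the Beats input you create on the Graylog server.

```powershell
<#
  Added example, not from the wiki page: unattended Graylog Sidecar install on Windows.
  Assumptions: installer name and paths as in the notes above; the Windows service
  name "graylog-sidecar"; $BeatsHost/$BeatsPort point at the global Beats input.
#>
param(
    [string]$Installer = ".\graylog_sidecar_installer_1.0.0-1.exe",
    [string]$ServerUrl = "http://10.0.2.2:9000/api",
    [string]$BeatsHost = "192.168.1.1",
    [int]$BeatsPort    = 5044
)

# Prompt for the Sidecar API token rather than passing it on the command line,
# so it is not kept in PowerShell history.
$secureToken = Read-Host -Prompt "Sidecar API token" -AsSecureString
$token = [System.Net.NetworkCredential]::new("", $secureToken).Password

# Silent install: /S suppresses the installer UI, the other two flags seed sidecar.yml.
$proc = Start-Process -FilePath $Installer `
    -ArgumentList @("/S", "-SERVERURL=$ServerUrl", "-APITOKEN=$token") `
    -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer failed with exit code $($proc.ExitCode)" }

# Confirm the generated configuration references the intended server before starting.
$sidecarDir = "C:\Program Files\Graylog\sidecar"
$cfg = Get-Content -Path (Join-Path $sidecarDir "sidecar.yml") -Raw
if ($cfg -notmatch [regex]::Escape($ServerUrl)) {
    throw "sidecar.yml does not reference $ServerUrl; check the installer arguments"
}

# Start the service (as in the notes) and verify Windows reports it as running.
& (Join-Path $sidecarDir "graylog-sidecar.exe") -service start
$svc = Get-Service -Name "graylog-sidecar" -ErrorAction Stop   # assumed service name
if ($svc.Status -ne "Running") { throw "graylog-sidecar service is $($svc.Status)" }

# winlogbeat ships to the Beats input (port 5044), not the API port: a blocked port
# shows up here instead of as a collector stuck in System / Sidecars.
$probe = Test-NetConnection -ComputerName $BeatsHost -Port $BeatsPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Cannot reach Beats input at ${BeatsHost}:$BeatsPort from this host"
}
Write-Host "Sidecar installed and running; assign a configuration under System / Sidecars > Administration."
```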
Graylog-Sidecar Setup
Create a Beats input that the collectors send data to. Under System / Inputs, start a global Beats input with bind address 0.0.0.0 and port 5044. Next, go to System / Sidecars and click Configuration at the top right of the page. From here you will create a new configuration item with winlogbeat on Windows as the chosen collector, giving you a default configuration similar to the one below (modify the hosts field to the Graylog server's IP):
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["192.168.1.1:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
# The event logs are declared once; the per-log level filter is added to the same
# entries instead of repeating the list under a separate winlogbeat.event_logs key.
winlogbeat:
  event_logs:
    - name: Application
      ignore_older: 48h
      level: critical, error, warning
    - name: System
      ignore_older: 48h
      level: critical, error, warning
    - name: Security
      ignore_older: 48h
      level: critical, error, warning
# Windows event levels are strings such as "Information", while Graylog's built-in
# level field is numeric; rename it so the indexer does not reject the messages.
processors:
  - rename:
      fields:
        - from: "level"
          to: "win.level"
      ignore_missing: false
      fail_on_error: true
Click Create once the configuration is in place.
Next, in the top right of the page, go to Administration. This page lists the available devices that can run the configuration(s) you created.
Choose the preferred collector for each device, i.e. winlogbeat, then go to
Configure > configuration_name
Once everything is set up properly, the status on the Administration page will show running.