GrayLog
Graylog Server Update
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum clean all
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
Configuration
Graylog - Sidecars
reference: https://docs.graylog.org/en/latest/pages/sidecar.html
Windows
Download Latest sidecar release from: graylog-sidecars releases
Once the necessary file is downloaded and on the desired windows machine open up a command prompt/powershell and run the following command in the same directory as your file
API token for the Sidecar system can be found under System / Authentication click more actions > edit tokens for the Sidecar System user, and use the copy to clipboard button to copy the API token
cd "C:\path\to\directory"
graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken
Afterwards you can edit the configuration if needed:
notepad.exe C:\Program Files\Graylog\sidecar\sidecar.yml
Start up the sidecar service with the following command:
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
Graylog-Sidecar Setup
Create a Beats input where collectors send data to. Under System / Inputs start a global Beats input with bind address 0.0.0.0 port 5044 Next go under System / Sidecars on the top right of the page click Configuration From here you will create a new configuration item with winlogbeat on windows as the chosen collector, giving you a default configuration similar to below (modify the hosts field to the host's ip):
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["192.168.1.1:5044"]
path:
data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
logs: C:\Program Files\Graylog\sidecar\logs
tags:
- windows
winlogbeat:
event_logs:
- name: Application
ignore_older: 48h
- name: System
ignore_older: 48h
- name: Security
ignore_older: 48h
winlogbeat.event_logs:
- name: Security
level: critical, error, warning
- name: System
level: critical, error, warning
- name: Application
level: critical, error, warning
processors:
- rename:
fields:
- from: "level"
to: "win.level"
ignore_missing: false
fail_on_error: true
Click Create once the configuration is in place Next in the top right of the webpage go to Administration, this page lists available devices to be ran with the configuration/s created. Choose the preferred method to collect data for each device, ie. winlogbeat, then go to Configure > configuration_name Once everything is setup properly, status will be running on the Administration page