GrayLog

From SWKLS WIKI
Latest revision as of 19:46, 5 November 2020

File Locations

Server configuration file

/etc/graylog/server/server.conf

BIN Directory

# Set the bin directory here (relative or absolute)
# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog-server/bin


Data Directory

# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
# Default: data
data_dir = /var/lib/graylog-server

Plugin Directory

# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin

Check Graylog Version

yum info graylog-server


Graylog Server Update

Reference: https://docs.graylog.org/en/3.1/pages/installation/operating_system_packages.html#operating-package-upgrade-rpm-yum-dnf

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum clean all
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins


Configuration

Graylog - Sidecars

Reference: https://docs.graylog.org/en/latest/pages/sidecar.html

Windows

Download the latest Sidecar release from: graylog-sidecars releases

Once the installer is downloaded and copied to the desired Windows machine, open a command prompt or PowerShell and run the following command from the directory that contains the file.

The API token for the Sidecar system can be found under System / Authentication: click More actions > Edit tokens for the Sidecar System user, then use the Copy to clipboard button to copy the API token.

cd "C:\path\to\directory"
graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken

Afterwards you can edit the configuration if needed:

notepad.exe "C:\Program Files\Graylog\sidecar\sidecar.yml"

Start up the sidecar service with the following command:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

Graylog-Sidecar Setup

Create a Beats input for the collectors to send data to: under System / Inputs, start a global Beats input with bind address 0.0.0.0 and port 5044. Next, go to System / Sidecars and click Configuration at the top right of the page. From here, create a new configuration item with winlogbeat on Windows as the chosen collector, which gives you a default configuration similar to the one below (change the hosts field to the IP of the Graylog server running the Beats input):

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["192.168.1.1:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
# List each event log once; ignore_older and level belong on the same entry
# rather than in a second winlogbeat.event_logs key that duplicates this block.
winlogbeat:
  event_logs:
   - name: Application
     ignore_older: 48h
     level: critical, error, warning
   - name: System
     ignore_older: 48h
     level: critical, error, warning
   - name: Security
     ignore_older: 48h
     level: critical, error, warning
processors:
- rename:
    fields:
     - from: "level"
       to: "win.level"
    ignore_missing: false
    fail_on_error: true

Click Create once the configuration is in place.

Next, go to Administration at the top right of the page. This page lists the available devices that can run the configuration(s) you created. Choose the preferred collector for each device, i.e. winlogbeat, then go to Configure > configuration_name.

Once everything is set up properly, the status will show as running on the Administration page.
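If a Sidecar never reaches the running state, the collector configuration is the usual cause. The following lint is an added example (not part of the wiki page or of Graylog) that checks a winlogbeat configuration like the one above as plain text: the Graylog-specific keys, the hosts placeholder from the default template, the Beats input port from this page (5044, an assumption if you chose another), and a config path defined twice, such as a winlogbeat: block plus a dotted winlogbeat.event_logs: key.

```python
"""Pre-flight lint for a Graylog Sidecar winlogbeat.yml (added example, not
wiki or Graylog code). Text-based, so no PyYAML: flags missing Graylog keys,
the hosts placeholder, a port other than the Beats input's, and a config path
defined twice (e.g. a 'winlogbeat:' block plus a dotted 'winlogbeat.event_logs:'
key), which leaves it unclear which event_logs list winlogbeat applies."""
import re

REQUIRED = ("fields_under_root", "fields.collector_node_id",
            "fields.gl2_source_collector", "output.logstash")
TEMPLATE_HOST, BEATS_PORT = "192.168.1.1", 5044  # page's template host / Beats input port
KEY = re.compile(r"^([A-Za-z_][\w.]*):")          # 'key:' at the start of a line
HOST = re.compile(r'"?([\w.-]+):(\d+)"?')         # host:port entries in hosts: [...]

def lint_sidecar_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    paths, hosts, section, child_indent = [], [], None, None
    for raw in text.splitlines():
        body, indent = raw.strip(), len(raw) - len(raw.lstrip())
        m = KEY.match(body)
        if not body or body.startswith("#") or body.startswith("-"):
            continue                       # blank line, comment, or list item
        if indent == 0 and m:              # top-level key, bare or dotted
            section, child_indent = m.group(1), None
            paths.append(section)
        elif indent and section:           # child key of the current section
            child_indent = child_indent or indent   # first child sets the depth
            if indent == child_indent and m:
                paths.append(f"{section}.{m.group(1)}")
                if section == "output.logstash" and m.group(1) == "hosts":
                    hosts.extend(HOST.findall(body))
    findings = [f"missing required key {k}" for k in REQUIRED if k not in paths]
    findings += [f"{p} defined {paths.count(p)} times" for p in sorted(set(paths))
                 if paths.count(p) > 1]
    for host, port in hosts:
        if host == TEMPLATE_HOST:
            findings.append("hosts still points at the template placeholder")
        if int(port) != BEATS_PORT:
            findings.append(f"{host} uses port {port}, Beats input listens on {BEATS_PORT}")
    return findings

# Constructed sample with the same layout as the page's config, trimmed.
PAGE_STYLE_CONFIG = """\
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["192.168.1.1:5044"]
winlogbeat:
  event_logs:
   - name: Security
winlogbeat.event_logs:
  - name: Security
"""
```

Run it against the sidecar.yml that the Sidecar wrote to C:\Program Files\Graylog\sidecar\generated (path assumed) before clicking Create on a revised configuration.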