GrayLog

From SWKLS WIKI
Revision as of 14:23, 26 March 2020 by Unknown user (talk)

Graylog Server Update

Reference: https://docs.graylog.org/en/3.1/pages/installation/operating_system_packages.html#operating-package-upgrade-rpm-yum-dnf

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum clean all
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins


Configuration

Graylog - Sidecars

Reference: https://docs.graylog.org/en/latest/pages/sidecar.html

Windows

Download the latest sidecar release from the graylog-sidecar releases page.

Once the installer has been downloaded and copied to the target Windows machine, open a command prompt or PowerShell window and run the following command from the directory that contains the installer.

The API token for the Sidecar System user is found under System / Authentication: click More actions > Edit tokens for the Sidecar System user, then use the Copy to clipboard button to copy the API token.

cd "C:\path\to\directory"
graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken

Afterwards you can edit the configuration if needed:

notepad.exe "C:\Program Files\Graylog\sidecar\sidecar.yml"

Start up the sidecar service with the following command:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
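The three steps above (silent install, configuration, service start) as one PowerShell script. This is an added example, not code from the SWKLS wiki or the Graylog project: it runs the same installer command the page shows, but first checks that the API URL answers, then confirms the installer exit code, the presence of sidecar.yml and the service state. The installer file name, server URL and sidecar.yml path are the values on the page; the Windows service name graylog-sidecar is an assumption.

```powershell
<#
  Added example (not from the SWKLS wiki or the Graylog project): unattended
  sidecar install on Windows with a pre-flight API check and post-install
  verification. Installer name, server URL and sidecar.yml path are the values
  shown on the page; the service name 'graylog-sidecar' is an assumption.
#>
param(
    [string]$InstallerPath = ".\graylog_sidecar_installer_1.0.0-1.exe",
    [string]$ServerUrl     = "http://10.0.2.2:9000/api",
    [string]$SidecarYml    = "C:\Program Files\Graylog\sidecar\sidecar.yml",
    [string]$ServiceName   = "graylog-sidecar"   # assumed service name
)

$ErrorActionPreference = 'Stop'

# Prompt for the token instead of hard-coding it, so it is not left in the
# script or in the shell history. It is still visible in the installer's
# command line while the installer runs.
$apiToken = Read-Host -Prompt 'Sidecar API token'
if ([string]::IsNullOrWhiteSpace($apiToken)) { throw 'No API token supplied.' }

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

# Pre-flight: any HTTP reply from the API root means the server is reachable;
# a DNS or TCP failure raises an exception that carries no Response object.
$reachable = $false
try {
    $null = Invoke-WebRequest -Uri $ServerUrl -UseBasicParsing -TimeoutSec 10
    $reachable = $true
} catch {
    $reachable = ($null -ne $_.Exception.Response)
}
if (-not $reachable) { throw "Graylog API not reachable at $ServerUrl" }

# Run the same silent install the page shows, but wait for it and check the exit code.
$installerArgs = @('/S', "-SERVERURL=$ServerUrl", "-APITOKEN=$apiToken")
$proc = Start-Process -FilePath $InstallerPath -ArgumentList $installerArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# The installer is expected to write the server URL and token into sidecar.yml;
# confirm the file exists and refers to the server that was passed in.
if (-not (Test-Path -LiteralPath $SidecarYml)) { throw "sidecar.yml not found at $SidecarYml" }
$ymlText = Get-Content -LiteralPath $SidecarYml -Raw
if ($ymlText -notmatch [regex]::Escape($ServerUrl)) {
    Write-Warning "$SidecarYml does not contain $ServerUrl; review the file before starting."
}

# Start the service exactly as the page does, then confirm it is actually running.
& "C:\Program Files\Graylog\sidecar\graylog-sidecar.exe" -service start
Start-Sleep -Seconds 5
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; check the installer output."
} elseif ($svc.Status -ne 'Running') {
    throw "Service '$ServiceName' is $($svc.Status), not Running."
} else {
    Write-Host "Sidecar service running; the host should now appear under System / Sidecars."
}
```

Run it from an elevated PowerShell prompt in the directory holding the installer, e.g. `.\Install-Sidecar.ps1 -ServerUrl http://graylog.example.internal:9000/api`. Reading the token with Read-Host keeps it out of the script file and the PowerShell history, which is the main place a token pasted into a one-line command ends up.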

Graylog-Sidecar Setup

Create a Beats input for the collectors to send data to: under System / Inputs, launch a global Beats input with bind address 0.0.0.0 and port 5044.

Next, go to System / Sidecars and click Configuration at the top right of the page. Create a new configuration with winlogbeat on Windows as the collector; this gives you a default configuration similar to the one below (change the hosts field to the Graylog host's IP):

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["192.168.1.1:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
# One event_logs list per channel: ignore_older skips events older than 48h on
# first start, level keeps only critical, error and warning events. (Defining
# winlogbeat.event_logs twice, as the original did, leaves the result ambiguous.)
winlogbeat.event_logs:
  - name: Application
    ignore_older: 48h
    level: critical, error, warning
  - name: System
    ignore_older: 48h
    level: critical, error, warning
  - name: Security
    ignore_older: 48h
    level: critical, error, warning
processors:
  - rename:
      fields:
        - from: "level"
          to: "win.level"
      ignore_missing: false
      fail_on_error: true

Click Create once the configuration is in place.

Next, click Administration in the top right of the page. This page lists the available devices that can be run with the configuration(s) created. Choose the collection method for each device, e.g. winlogbeat, then go to Configure > configuration_name.

Once everything is set up properly, the status on the Administration page will show Running.
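When a host does not reach Running on the Administration page, the cause is almost always on the Windows side: the sidecar service is stopped, the collector never started, or TCP 5044 to the Beats input is blocked. The following host-side check is an added example, not code from the SWKLS wiki or the Graylog project. The Beats host and port and the logs directory are the values from the configuration above; the service name graylog-sidecar and the collector process name winlogbeat are assumptions.

```powershell
<#
  Added example (not from the SWKLS wiki or the Graylog project): host-side
  checks for a Windows machine that should show as Running on the Administration
  page. Beats host/port 5044 and the logs directory come from the page's
  configuration; the service name 'graylog-sidecar' and the collector process
  name 'winlogbeat' are assumptions.
#>
param(
    [string]$BeatsHost   = "192.168.1.1",
    [int]$BeatsPort      = 5044,
    [string]$ServiceName = "graylog-sidecar",   # assumed
    [string]$LogDir      = "C:\Program Files\Graylog\sidecar\logs"
)

function Test-SidecarHost {
    $result = [ordered]@{}

    # 1. The sidecar service itself must be running.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. The sidecar spawns the collector as a child process; no winlogbeat
    #    process usually means no configuration was assigned or it failed to start.
    $result.CollectorRunning = $null -ne (Get-Process -Name 'winlogbeat' -ErrorAction SilentlyContinue)

    # 3. TCP reachability of the Beats input; a firewall in between is the most
    #    common reason a host never leaves the non-running state.
    $result.BeatsPortOpen = Test-NetConnection -ComputerName $BeatsHost -Port $BeatsPort `
                                -InformationLevel Quiet -WarningAction SilentlyContinue

    # 4. Last lines of the newest log file in the configured logs directory,
    #    which is where a collector start-up error is written.
    $result.RecentLog = @()
    if (Test-Path -LiteralPath $LogDir) {
        $latest = Get-ChildItem -LiteralPath $LogDir -Filter '*.log' -File |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($latest) { $result.RecentLog = Get-Content -LiteralPath $latest.FullName -Tail 5 }
    }

    [pscustomobject]$result
}

$check = Test-SidecarHost
$check | Format-List
if (-not ($check.ServiceRunning -and $check.CollectorRunning -and $check.BeatsPortOpen)) {
    Write-Warning "One or more checks failed; the host will not show as Running in Graylog."
    exit 1
}
```

Run it on the Windows host as an administrator, passing `-BeatsHost` with the address you put in the hosts field. The non-zero exit code makes it usable from a scheduled task or a monitoring agent, so a collector that silently stops is noticed before the gap in the Security log is.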