GrayLog

From SWKLS WIKI
Revision as of 13:57, 26 March 2020 by Unknown user (page created)

Graylog Server Update

Reference: https://docs.graylog.org/en/3.1/pages/installation/operating_system_packages.html#operating-package-upgrade-rpm-yum-dnf

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum clean all
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
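The same upgrade as an added example script (it is not from the wiki page or from the Graylog project): it backs up server.conf first, signature-checks the repository package before installing it, tolerates an already-installed repository package, and confirms the running version afterwards. It assumes things the page does not state: a RHEL/CentOS 7 host with the config at /etc/graylog/server/server.conf, systemd, the API listening on 127.0.0.1:9000, and that it runs as root.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Graylog project: the upgrade
# above wrapped so that server.conf is backed up first, the repository package
# is signature-checked before it is installed, and the running version is
# confirmed at the end.
# Assumptions not stated on the page: a RHEL/CentOS 7 host with the config at
# /etc/graylog/server/server.conf, systemd, and the API listening on
# 127.0.0.1:9000. Run it as root (or prefix the package commands with sudo).
set -eu

REPO_RPM="https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm"
CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# Copy the config (it holds password_secret and root_password_sha2) into a
# timestamped, owner-only directory and print the backup path.
# $1 = config path, $2 = directory under which backups are created
backup_conf() {
  dest="$2/graylog-$(date +%Y%m%dT%H%M%S)"
  mkdir -p "$dest"
  chmod 700 "$dest"
  cp -p "$1" "$dest/"
  printf '%s\n' "$dest/$(basename "$1")"
}

# Pull the version out of `rpm -q graylog-server` output such as
# "graylog-server-3.1.4-1.noarch". $1 = that string
rpm_version() {
  v="${1#graylog-server-}"
  printf '%s\n' "${v%%-*}"
}

upgrade_graylog() {
  echo "config saved to $(backup_conf "$CONF" /root/graylog-backups)"

  # Download the repository package and check its signature before installing
  # it. On an existing install the Graylog signing key is already in the rpm
  # database (yum imported it on first install), so --checksig passes; if it
  # fails, stop and find out why rather than installing an unverified repo.
  tmp="$(mktemp -d)"
  curl -fsSL -o "$tmp/repo.rpm" "$REPO_RPM"
  rpm --checksig "$tmp/repo.rpm"
  # rpm -U exits non-zero when the same repository package is already
  # installed, so skip it in that case instead of aborting the upgrade.
  if ! rpm -q "$(rpm -qp --qf '%{NAME}' "$tmp/repo.rpm")" >/dev/null 2>&1; then
    rpm -Uvh "$tmp/repo.rpm"
  fi
  rm -rf "$tmp"

  yum clean all
  yum install -y graylog-server graylog-enterprise-plugins \
      graylog-integrations-plugins graylog-enterprise-integrations-plugins
  systemctl restart graylog-server

  echo "installed package version: $(rpm_version "$(rpm -q graylog-server)")"
  # The unauthenticated API root reports the version the node is now running.
  curl -fsS http://127.0.0.1:9000/api/ | grep -o '"version":"[^"]*"'
}

if [ "${1:-}" = "run" ]; then
  upgrade_graylog
fi
```

Run it as `sh upgrade-graylog.sh run`; without the argument it only defines the functions. The backup directory is created mode 700 because server.conf contains the password_secret and root_password_sha2 values.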


Configuration

Graylog - Sidecars

Reference: https://docs.graylog.org/en/latest/pages/sidecar.html

Windows

Download the latest sidecar release from the graylog-sidecar releases page.

Once the installer is on the target Windows machine, open a command prompt or PowerShell in the directory that holds the file and run the commands below.

The API token for the sidecar is found under System / Authentication: choose More actions > Edit tokens for the Sidecar System user and use the copy-to-clipboard button. Treat the token as a credential: it authenticates every sidecar that presents it to the Graylog API, it is written to sidecar.yml on the host, and passing it on the command line leaves it in the shell history and visible in the process list. Point SERVERURL at an https URL where the API is served over TLS; with the plain-http example below the token crosses the network in cleartext.

cd "C:\path\to\directory"
graylog_sidecar_installer_1.0.0-1.exe /S -SERVERURL=http://10.0.2.2:9000/api -APITOKEN=yourapitoken

Afterwards you can edit the configuration if needed (the path contains spaces, so quote it):

notepad.exe "C:\Program Files\Graylog\sidecar\sidecar.yml"

Start the sidecar service with the following command (if the service is not yet registered on this machine, run the same binary with -service install first):

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

Graylog-Sidecar Setup

Create a Beats input that the collectors send data to: under System / Inputs launch a global Beats input with bind address 0.0.0.0 and port 5044. Binding to 0.0.0.0 exposes the port on every interface of every node, and the input accepts cleartext by default, so outside an isolated management network enable TLS on the input and restrict which hosts can reach port 5044.

Next go to System / Sidecars and click Configuration in the top right of the page. Create a new configuration with winlogbeat on windows as the collector; this gives you a default configuration similar to the one below. Set the hosts field to the address of the Graylog node running the Beats input, as reachable from the Windows hosts (192.168.1.1 is a placeholder). The page's original listed winlogbeat.event_logs twice, once nested under winlogbeat: and once as a dotted key, which leaves it to the config loader which list wins; both are merged into a single list here, and the level filter is dropped for the Security log because Windows audit events are written at Level 0 and a filter of critical, error, warning would discard nearly all of them.

<syntaxhighlight lang="yaml">
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  # Address of the Graylog node's Beats input, reachable from the Windows host
  hosts: ["192.168.1.1:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

tags:
  - windows

# Define event_logs exactly once (the original listed it here and again as a
# dotted winlogbeat.event_logs key).
winlogbeat:
  event_logs:
    - name: Application
      ignore_older: 48h
      level: critical, error, warning
    - name: System
      ignore_older: 48h
      level: critical, error, warning
    - name: Security
      ignore_older: 48h
      # No level filter: audit events (logons, process creation, policy
      # changes) are Level 0, which critical, error, warning excludes.

# Graylog's level field already carries the numeric syslog/GELF level, while
# winlogbeat's level is a string such as "Information", so leaving it in
# place causes indexer failures; rename it. With ignore_missing false an event
# without the field logs an error but is still forwarded (fail_on_error
# returns the original event). If your winlogbeat version emits log.level
# instead of level, change the from field accordingly.
processors:
  - rename:
      fields:
        - from: "level"
          to: "win.level"
      ignore_missing: false
      fail_on_error: true
</syntaxhighlight>

Click Create once the configuration is in place. Next, in the top right of the page, go to Administration; this page lists the sidecars that can run the configurations created above. For each host choose the collector to run, e.g. winlogbeat, then Configure > configuration_name. Once everything is set up, the Administration page shows the collector with status running; if it stays failed, check the logs directory configured in path.logs on the host.
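The server-side half of this setup, as an added example script that is not from the wiki page or from the Graylog project: it creates the global Beats input through the Graylog REST API instead of the UI, with TLS enabled so the Windows event logs do not cross the network in cleartext on port 5044, and refuses to send a body that still describes a cleartext listener. It assumes things the page does not state: a Graylog 3.x API at GRAYLOG_URL, an admin API token in GRAYLOG_TOKEN, and a certificate and key already present at the same paths on every node (the input is global). The input type name and configuration keys are the ones I expect for the Beats input; confirm them against GET /api/system/inputs/types/org.graylog.plugins.beats.Beats2Input on your own server before relying on them.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Graylog project: create the
# global Beats input that the winlogbeat configuration above sends to, through
# the Graylog REST API, with TLS enabled.
# Assumptions not stated on the page: Graylog 3.x API at GRAYLOG_URL, an admin
# API token in GRAYLOG_TOKEN, certificate/key present on every node. The type
# name and configuration keys are expectations to verify against
# GET /api/system/inputs/types/org.graylog.plugins.beats.Beats2Input.
set -eu

GRAYLOG_URL="${GRAYLOG_URL:-https://graylog.example.internal:9000}"
GRAYLOG_TOKEN="${GRAYLOG_TOKEN:-}"

# Build the JSON body for POST /api/system/inputs.
# $1 = title, $2 = port, $3 = certificate path, $4 = key path
beats_input_json() {
  cat <<EOF
{
  "title": "$1",
  "type": "org.graylog.plugins.beats.Beats2Input",
  "global": true,
  "configuration": {
    "bind_address": "0.0.0.0",
    "port": $2,
    "tls_enable": true,
    "tls_cert_file": "$3",
    "tls_key_file": "$4",
    "tls_client_auth": "disabled",
    "no_beats_prefix": false
  }
}
EOF
}

# Returns 0 only when the body enables TLS; used as a guard before sending.
# $1 = JSON body
tls_enabled() {
  printf '%s\n' "$1" | grep -q '"tls_enable": true'
}

create_beats_input() {
  body="$(beats_input_json "Beats (sidecar, TLS)" 5044 \
      /etc/graylog/server/beats.crt /etc/graylog/server/beats.key)"
  tls_enabled "$body" || { echo "refusing to create a cleartext input" >&2; return 1; }
  # An access token is sent as HTTP basic auth with the literal password
  # "token"; Graylog rejects state-changing requests without X-Requested-By.
  curl -fsS -u "${GRAYLOG_TOKEN}:token" \
      -H 'Content-Type: application/json' \
      -H 'X-Requested-By: sidecar-setup' \
      -X POST "${GRAYLOG_URL}/api/system/inputs" \
      --data "$body"
}

# After creation: a TLS input completes a handshake and presents a
# certificate, a cleartext one does not. $1 = host, $2 = port
check_beats_tls() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | grep -q 'Server certificate'
}

if [ "${1:-}" = "create" ]; then
  [ -n "$GRAYLOG_TOKEN" ] || { echo "set GRAYLOG_TOKEN first" >&2; exit 1; }
  create_beats_input
  host="$(printf '%s' "$GRAYLOG_URL" | sed -E 's#https?://([^:/]+).*#\1#')"
  check_beats_tls "$host" 5044
fi
```

Run it as `GRAYLOG_TOKEN=... sh create-beats-input.sh create`. Once the input speaks TLS, the winlogbeat configuration above must match it: add `ssl.certificate_authorities` under output.logstash pointing at the CA that signed beats.crt, otherwise the collector will refuse the connection.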