Config in graylog

Go to System > Inputs,  click “Select input” dropdown, and

  • select “GELF UDP.”
  • Tick “Global”.
  • Give it a Title: windows Events
  • Bind address, leave it as 0.0.0.0
  • Port: give it anything legal, I will choose 3514, which prepends a 3 to syslog port 514.
  • leave others as default.

 

Since your graylog is listening to port 3514, you need to allow it on firewall:

 

on Centos:  type:

firewall-cmd --zone=public --permanent --add-port=3514/udp

firewall-cmd --reload

 

Config on Windows:

 

Download and install nxlog,  navigate to C:\Program Files\nxlog\conf\nxlog.conf

 

Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
Module xm_syslog
</Extension>

<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
Module xm_exec
</Extension>

#<Extension _fileop>
# Module xm_fileop

# Check the size of our log file hourly, rotate if larger than 5MB
# <Schedule>
# Every 1 hour
# Exec if (file_exists('%LOGFILE%') and \
# (file_size('%LOGFILE%') >= 5M)) \
# file_cycle('%LOGFILE%', 8);
# </Schedule>

#Below for windows event viewer

<Extension _gelf>
Module xm_gelf
</Extension>

<Input eventlog>
Module im_msvistalog

<Schedule>
Every 5 min
First 2022-09-14 09:00:00
Exec log_info("scheduled execution at " + now());
</Schedule>

##Below query can be copied from event viewer,"filter current custom view" > under filter tab, select the filter, go to XML tab, and copy.
<QueryXML>
<QueryList>
<Query Id='1'>
<Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
<Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
<Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select>
</Query>
</QueryList>
</QueryXML>

</Input>

<Output graylog>
#Enter the IP address and the the port on which the syslog server is listening to.
Module om_udp
Host 192.168.61.116
Port 3514
OutputType GELF
</Output>



#the path here is from the name of the <Input> above to the name of the <Output> , so it is eventlog =>graylog

<Route graylog_route>
Path eventlog => graylog
</Route>

After you save the config file, restart the nxlog service.

 

Email notification:

 

Email transport

 

sudo vi /etc/graylog/server/server.conf

transport_email_enabled = true #This is important!
transport_email_hostname = smtp.gmail.com 319 #Take note of this address!
transport_email_port = 465 #Yours may vary
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = specialaccount@yourdomain.tld #This is an account you’ve created for the purpose of sending automated emails
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@example.com

Once you finish the above, close the text file and run:
$ sudo systemctl graylog-server restart

 

Modify field

 

let’s say you want to modify the hostname from DC01.mydomain.com.au to DC01, given that you only have a single domain, and want the dashboard to be nice and neat.

System > inputs

click “manage extractors” button.

Then click “Get started” button, select an input, select an input you created before, click button “Load Message”

Then click “select extractor type” after the source message field, then click “Regular expression”.

On the top it will show the original message: DC01.mydomain.com.au. modify below.

  • In the regular expression box, type: (.*?)\.
  • Store as field: source
  • Extractor title: Extract Hostname from FQDN

Click “Create extractor”

 

Configure Pipelines

 

Pipelines can be used to drop messages,  remove field, and much more, see here for the functions: https://archivedocs.graylog.org/en/2.2/pages/pipelines/functions.html#drop-message

 

I will use a drop message as an example here:

I want to drop message with full_message field containing keywords “CN=ADFS ProxyTrust – NHSADFSWAP”

 

Create a rule

To do so, Click System > pipelines, then click the “Manage Rules” button, then click “Create Rule” button.

In the description box, type a descriptive title.

In the Rule source, type below:

 

rule "Drop ADFS ProxyTrust - NHSADFSWAP Messages"
when
contains(to_string($message.full_message),"CN=ADFS ProxyTrust - NHSADFSWAP")
then
drop_message();
end

Then click Save & Close.

Add pipelines

 

Click Manage Pipelines button at the top right corner, Then click “Add new pipeline”, type a Title and description, click save, now you are in the pipeline edit page.

 

Click the “edit connections” button, select a stream,  by default it is “All messages”, click save.

Then click “Add new stage”, and select the “Stage rules”, find the rule you created above, click save.