Config in Graylog
Go to System > Inputs, click the “Select input” dropdown, and
- select “GELF UDP”.
- Tick “Global” so the input runs on every Graylog node.
- Title: Windows Events
- Bind address: leave it as 0.0.0.0. The input then listens on every interface, so the host firewall is what limits who can reach it.
- Port: any free port above 1024 works (Graylog runs as an unprivileged user and cannot bind the syslog port 514 itself). I will use 3514, which is 514 with a 3 prepended.
- Leave the other settings at their defaults.
Since Graylog is now listening on UDP 3514, you need to allow it through the firewall. On CentOS (firewalld), type:

firewall-cmd --zone=public --permanent --add-port=3514/udp
firewall-cmd --reload

This opens the port to any source address. If only a handful of Windows hosts will ever send, prefer a rule scoped to their addresses or subnet, because GELF over UDP carries no authentication and anything that can reach the port can inject events.
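Before moving to the Windows side it is worth confirming that the input actually receives data. The script below is an added example, not part of the original page and not nxlog or Graylog code: it builds a GELF 1.1 message the way nxlog's xm_gelf does (required version/host/short_message, underscore-prefixed custom fields, optional gzip or zlib compression, chunking once a datagram would exceed 8192 bytes) and either sends it to the input or round-trips it through a local UDP socket for an offline check. The Graylog address, the port and the sample Security event are constructed values; only the Python 3 standard library is assumed.

```python
"""Build, send and parse GELF 1.1 UDP datagrams (added example, not nxlog/Graylog code).

Usage: python3 gelf_probe.py [graylog-host] [port]   -> sends SAMPLE_EVENT to the input
"""
import gzip
import json
import os
import socket
import sys
import time
import zlib

GELF_HOST = "192.168.61.116"     # Graylog node used in this write-up (assumed)
GELF_PORT = 3514                 # the GELF UDP input created above
CHUNK_MAGIC = b"\x1e\x0f"        # GELF chunk header magic bytes
CHUNK_PAYLOAD = 8192 - 12        # max datagram size minus the 12-byte chunk header
STANDARD = {"version", "host", "short_message", "full_message",
            "timestamp", "level", "facility", "line", "file"}

# Constructed sample event, shaped like an nxlog Security-log message.
SAMPLE_EVENT = {
    "host": "DC01.mydomain.com.au",
    "short_message": "An account failed to log on.",
    "level": 4,                 # syslog severity: 4 = warning
    "_EventID": 4625,           # custom fields must carry the "_" prefix
    "_Channel": "Security",
    "_SourceModuleName": "eventlog",
}


def build_gelf(event, compress="gzip"):
    """Serialise an event into the list of UDP datagrams Graylog expects."""
    msg = {"version": "1.1", "timestamp": time.time()}
    msg.update(event)
    for key in ("host", "short_message"):
        if not msg.get(key):
            raise ValueError(f"GELF requires a non-empty '{key}'")
    for key in msg:
        if key not in STANDARD and not key.startswith("_"):
            raise ValueError(f"additional field '{key}' needs a '_' prefix")
    if "_id" in msg:
        raise ValueError("'_id' is reserved and must not be sent")
    raw = json.dumps(msg).encode("utf-8")
    if compress == "gzip":
        raw = gzip.compress(raw)
    elif compress == "zlib":
        raw = zlib.compress(raw)
    if len(raw) <= 8192:
        return [raw]
    # Larger payloads are split into chunks: magic, 8-byte message id,
    # sequence number, chunk count, then the slice of the payload.
    slices = [raw[i:i + CHUNK_PAYLOAD] for i in range(0, len(raw), CHUNK_PAYLOAD)]
    if len(slices) > 128:
        raise ValueError("more than 128 chunks; Graylog would discard the message")
    msg_id = os.urandom(8)
    return [CHUNK_MAGIC + msg_id + bytes([seq, len(slices)]) + part
            for seq, part in enumerate(slices)]


def parse_gelf(datagrams):
    """Reassemble chunks, decompress and decode, as the GELF UDP input does."""
    if datagrams[0][:2] == CHUNK_MAGIC:
        if len({d[2:10] for d in datagrams}) != 1:
            raise ValueError("chunks belong to more than one message")
        parts = [None] * datagrams[0][11]
        for d in datagrams:
            parts[d[10]] = d[12:]
        if any(p is None for p in parts):
            raise ValueError("incomplete chunk set")
        raw = b"".join(parts)
    else:
        raw = datagrams[0]
    if raw[:2] == b"\x1f\x8b":          # gzip magic
        raw = gzip.decompress(raw)
    elif raw[:1] == b"\x78":            # zlib header byte
        raw = zlib.decompress(raw)
    return json.loads(raw.decode("utf-8"))


def send_gelf(event, host=GELF_HOST, port=GELF_PORT, compress="gzip"):
    """Send one event to the Graylog input; returns the number of datagrams."""
    datagrams = build_gelf(event, compress)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        for d in datagrams:
            tx.sendto(d, (host, port))
    return len(datagrams)


def loopback_roundtrip(event, compress="gzip"):
    """Offline check: receive on a local UDP socket and parse what arrives."""
    datagrams = build_gelf(event, compress)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        for d in datagrams:
            tx.sendto(d, rx.getsockname())
        received = [rx.recvfrom(65535)[0] for _ in datagrams]
    return parse_gelf(received)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else GELF_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else GELF_PORT
    print("loopback check, _EventID:", loopback_roundtrip(SAMPLE_EVENT)["_EventID"])
    print("datagrams sent to %s:%d:" % (host, port), send_gelf(SAMPLE_EVENT, host, port))
```

Run it from the CentOS box first (host 127.0.0.1, port 3514) and then from any Windows host that will run nxlog; if the message shows up under the input's “Show received messages”, the input and the firewall rule are right and any later problem is on the nxlog side.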
Config on Windows:
Download and install nxlog, then open C:\Program Files\nxlog\conf\nxlog.conf and replace its contents with the following:

Panic Soft
#NoFreeOnExit TRUE

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf\nxlog.d
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

#<Extension _fileop>
#    Module  xm_fileop
#
#    # Check the size of our log file hourly, rotate if larger than 5MB
#    <Schedule>
#        Every   1 hour
#        Exec    if (file_exists('%LOGFILE%') and \
#                   (file_size('%LOGFILE%') >= 5M)) \
#                    file_cycle('%LOGFILE%', 8);
#    </Schedule>
#</Extension>

# Below is for the Windows Event Viewer
<Extension _gelf>
    Module  xm_gelf
</Extension>

<Input eventlog>
    Module  im_msvistalog
    <Schedule>
        Every   5 min
        First   2022-09-14 09:00:00
        Exec    log_info("scheduled execution at " + now());
    </Schedule>
    # The query below can be copied from Event Viewer: "Filter Current Custom View",
    # set the filter on the Filter tab, switch to the XML tab and copy it.
    # Keywords 4503599627370496 (0x10000000000000) is "Audit Failure", so only
    # failed audits are taken from the Security log; "Audit Success" is
    # 9007199254740992 (0x20000000000000) if you also want successful logons.
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Security">*[System[band(Keywords,4503599627370496)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output graylog>
    # Enter the IP address and the port the Graylog GELF UDP input is listening on.
    Module      om_udp
    Host        192.168.61.116
    Port        3514
    OutputType  GELF
</Output>

# The path runs from the name of the <Input> above to the name of the <Output>,
# so it is eventlog => graylog
<Route graylog_route>
    Path    eventlog => graylog
</Route>

After you save the config file, restart the nxlog service. Keep in mind that GELF over UDP is sent in clear text with no authentication or delivery guarantee: anyone on the path can read or spoof events and dropped datagrams are gone for good, so this setup belongs on a trusted network segment. For anything crossing untrusted networks, nxlog's TLS output (om_ssl) paired with a GELF TCP input on Graylog is the better choice.
Email notification:
Email transport
sudo vi /etc/graylog/server/server.conf

Put the comments on their own lines: server.conf is a properties file, and a # after a value becomes part of the value.

# This is important!
transport_email_enabled = true
# Take note of this address!
transport_email_hostname = smtp.gmail.com
# Yours may vary
transport_email_port = 465
transport_email_use_auth = true
# Port 465 is SMTPS, so use_ssl only; for STARTTLS on port 587 set use_tls = true and use_ssl = false.
# Graylog cannot do STARTTLS and SMTPS at the same time.
transport_email_use_tls = false
transport_email_use_ssl = true
# This is an account you've created for the purpose of sending automated emails
transport_email_auth_username = [email protected]
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = [email protected]

The password sits in clear text in server.conf, so keep the file readable only by root and the graylog service user, and use a dedicated mailbox rather than a personal account (for Gmail that means an app password, since plain password logins from third-party apps are no longer accepted).

Once you finish the above, save the file and run:
$ sudo systemctl restart graylog-server
Modify field
Let’s say you want to shorten the hostname from DC01.mydomain.com.au to DC01, given that you only have a single domain and want the dashboard to be nice and neat.
System > Inputs
Click the “Manage extractors” button.
Click “Get started”, select the input you created above, and click “Load Message”.
Next to the source field of the loaded message, click “Select extractor type” and choose “Regular expression”.
At the top it shows the original value, DC01.mydomain.com.au. Fill in the form below it:
- Regular expression: (.*?)\.
- Store as field: source
- Extractor title: Extract Hostname from FQDN
Click “Create extractor”. The first capture group replaces the field, so the value becomes DC01; a source without a dot does not match and is left as it is.
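The regular expression above is the page's; what follows is an added example, not from the page or from Graylog, that mimics how the extractor applies it (first capture group of the first match replaces the field, no match leaves it untouched) to a constructed set of source values. It shows the edge case to watch for: an IP-address source such as 192.168.61.116 contains dots too and would be cut down to 192. The stricter SAFE_REGEX (an assumption, not the page's pattern) only fires when the value starts with a letter, so bare IPs and short hostnames pass through unchanged; the same effect can be had by setting the extractor's “Only attempt extraction if field matches regular expression” condition.

```python
import re

# The extractor configured on the page: lazy match up to the first dot.
PAGE_REGEX = r"(.*?)\."
# Stricter form (assumption, not from the page): only fire on a hostname label
# that starts with a letter and is followed by a domain.
SAFE_REGEX = r"^([A-Za-z][A-Za-z0-9-]*)\.[A-Za-z0-9.-]+$"

# Constructed sample source values as they might arrive on the input.
SAMPLE_SOURCES = [
    "DC01.mydomain.com.au",     # the FQDN from the page
    "fw-edge.mydomain.com.au",  # label containing a hyphen
    "web01",                    # short name, no dot
    "192.168.61.116",           # device that identifies itself by IP
]


def apply_regex_extractor(value, pattern):
    """Mimic Graylog's regular-expression extractor: the first capture group of
    the first match becomes the new field value; no match leaves it unchanged."""
    m = re.search(pattern, value)
    return m.group(1) if m else value


def extract_all(pattern, sources=SAMPLE_SOURCES):
    """Run the extractor over every sample and return {original: stored value}."""
    return {s: apply_regex_extractor(s, pattern) for s in sources}


def mangled(pattern, sources=SAMPLE_SOURCES):
    """Sources the pattern would damage: IPv4 addresses that lose their octets."""
    return [s for s in sources
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s)
            and apply_regex_extractor(s, pattern) != s]


if __name__ == "__main__":
    for name, pat in (("page", PAGE_REGEX), ("safe", SAFE_REGEX)):
        print(name, extract_all(pat), "mangled:", mangled(pat))
```

Because the extractor stores the result back into source, a mangled value is not recoverable from the indexed message, which is why it pays to try the pattern against every kind of source the input sees before creating the extractor.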
Configure Pipelines
Pipelines can be used to drop messages, remove fields, and much more; see the function reference here: https://archivedocs.graylog.org/en/2.2/pages/pipelines/functions.html#drop-message
I will use a drop-message rule as an example:
I want to drop messages whose full_message field contains the text “CN=ADFS ProxyTrust - NHSADFSWAP”.
Create a rule
To do so, click System > Pipelines, then the “Manage rules” button, then “Create Rule”.
In the description box, type a descriptive title.
In the rule source, type:

rule "Drop ADFS ProxyTrust - NHSADFSWAP Messages"
when
  contains(to_string($message.full_message), "CN=ADFS ProxyTrust - NHSADFSWAP")
then
  drop_message();
end

The comparison is case-sensitive; contains() accepts an optional third argument, ignore_case, if that matters. Then click Save & Close.
Add pipelines
Click the “Manage pipelines” button in the top right corner, then “Add new pipeline”, type a title and description and click Save; you are now on the pipeline edit page.
Click the “Edit connections” button, select a stream (by default “All messages”), and click Save.
Then click “Add new stage”, pick the rule you created above under “Stage rules”, and click Save. One check worth making: under System > Configurations, “Message Processors Configuration”, the Pipeline Processor should run after the Message Filter Chain, otherwise rules that depend on extractor output or on stream routing see the message before that work has been done.