Installing and operating the Graylog SIEM solution

Log Inspector

Annoying the Man in the Middle

If a server or device is located outside the internal network, encrypted communication is a must-have. Graylog, rsyslog, and NXLog all support TLS for this transport. On Graylog, you have to set the tls_enable parameter to true and fill in the tls_cert_file and tls_key_file parameters accordingly.

On Linux, you will want to choose the TCP protocol (@@) and set all the parameters required for encryption. The order of the parameters matters. The sender-side configuration file is shown in Listing 8.

Listing 8

Sender-Side Configuration

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile </Path>/cert.pem
$ActionSendStreamDriver gtls # Use Gtls netstream driver
$ActionSendStreamDriverMode 1 # Absolutely TLS
$ActionSendStreamDriverAuthMode anon # Client authentication is not necessary
*.* @@host.domain.ac.at:1516;RSYSLOG_SyslogProtocol23Format

Note that the send stream driver gtls is included in the rsyslog-gnutls package. Under Windows with NXLog, a few lines are also needed in the config file for secure transmission. The om_ssl module must be defined in the output tag, and the path to the CA file must be specified (Listing 9).

Listing 9

Windows SSL Communication

<Output out>
Module om_ssl
Host GraylogServerName
Port 1516
CAFile %CERTDIR%/filename.crt
AllowUntrusted FALSE
</Output>

Apache Anonymously On Board

Many applications write their own logfiles without going through rsyslog. Feeding most application logs of this type into rsyslog is possible in principle, but it requires extensive configuration on both sides and knowledge of how the specific application can be made to hand its log to rsyslog.

Graylog solves this problem with just a few steps, now demonstrated with the Apache log. Set up a GELF TCP input in Graylog; then, configure Apache on the source server by defining a log format and forwarding it with Netcat.

The European Union (EU) General Data Protection Regulation (GDPR) does not allow companies to store the IP addresses of visitors from the EU to a website without their consent or without "legitimate interest." Because SIEM archives log data, it is advisable to anonymize the IP addresses from the outset.

In Graylog, it is possible to anonymize IP addresses using an extractor: Under System/Inputs, select the input and go to Manage extractors | Add extractor | Get started | Load Message, then select the IP address field; then, select Regular Expression as the extractor type. In the source_ip form that opens, insert the values shown in Table 2 and Figure 5. The regular expression shown matches IPv4 addresses.

Table 2

Source IP Extractor Config

Parameter: Value

Regular expression (searches for IP address): ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.|$)){4}
Condition: Always try to extract
Store as field: IP_Address
Extraction strategy: Cut
Extractor title: Anonym-ip
Add converter: <empty>
Anonymize IPv4 addresses by replacing last octet: Check
Figure 5: Settings for anonymizing IP addresses.
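As an added example that is not part of the article, the following Python script ties the two steps above together: it parses an Apache combined-format access log line, zeroes the last octet of the client address (the same effect as the converter in Table 2), and frames the result as a GELF TCP message for the input described earlier. The sample log line and host name are constructed, and the GELF server name and port in the send helper are assumptions.

```python
import json
import re
import socket
from datetime import datetime

# Apache "combined" log layout; assumed to be the source format (constructed regex).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Same IPv4 pattern as the Graylog extractor in Table 2, anchored to the whole field.
IPV4_RE = re.compile(r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.|$)){4}$')

def anonymize_ipv4(addr: str) -> str:
    """Replace the last octet with 0 (as the Graylog converter does); non-IPv4 values pass through."""
    if not IPV4_RE.match(addr):
        return addr
    octets = addr.split('.')
    octets[-1] = '0'
    return '.'.join(octets)

def apache_to_gelf(line: str, host: str) -> dict:
    """Turn one access log line into a GELF 1.1 message; extra fields carry a leading underscore."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError('not a combined-format line: %r' % line)
    ts = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
    return {
        'version': '1.1',
        'host': host,
        'short_message': m.group('request'),
        'timestamp': ts.timestamp(),
        'level': 6,  # syslog "informational"
        '_source_ip': anonymize_ipv4(m.group('client')),  # anonymized before it leaves the host
        '_http_status': int(m.group('status')),
        '_response_size': 0 if m.group('size') == '-' else int(m.group('size')),
    }

def gelf_tcp_frame(msg: dict) -> bytes:
    """GELF over TCP delimits messages with a NUL byte; json.dumps escapes any control characters."""
    return json.dumps(msg).encode('utf-8') + b'\x00'

def send_gelf_tcp(frames, server='graylog.example.invalid', port=12201):
    """Ship framed messages to the GELF TCP input (server name and port are placeholders)."""
    with socket.create_connection((server, port)) as s:
        for f in frames:
            s.sendall(f)

# Constructed sample line; not taken from any real server.
SAMPLE = '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0"'

if __name__ == '__main__':
    print(gelf_tcp_frame(apache_to_gelf(SAMPLE, 'webhost')))
```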

Your Own Agent

Some applications (e.g., listener.log or alert.log from Oracle) generate very peculiar logfiles that lack information like the hostname and a message. A self-written script (Listing 10) that adds these fields before sending prevents misunderstandings between the sender and receiver. The script reads the original logfile and forwards the content.

Listing 10

Editing Oracle Logs

#!/bin/bash
#set -x
file=/tmp/listner.log
# Create the intermediate file that nc reads from if it does not exist yet
if [ ! -e "$file" ]; then
  touch "$file"
fi
# Follow the Oracle listener log and prepend the hostname and a message key to every line
tail -n 0 -F /db/oraclese/product/diag/tnslsnr/pics-db11/listener/trace/listener.log | while IFS= read -r LINE
do
  echo "\"host:\" \"picsdb\", \"message:\" \"$LINE\"" >> "$file"
  # Writing to the intermediate file failed: notify the admin by mail
  if [ $? = 1 ]
  then
    echo -e "$LINE ... \n found on $HOSTNAME" | mail -s "Something's wrong on $(hostname)" bf@onb.ac.at
  fi
done &
# Forward the enriched lines to the Graylog input (tailf is deprecated; tail -F does the same job)
tail -F "$file" | nc -u dlogger.onb.ac.at 12202

On the Graylog side, a single GELF input is enough to see the log entries (Figure 6). By setting up an alert, you can send notifications when Graylog receives error messages (usually starting with the string ORA).

Figure 6: Oracle log entries in Graylog.
