CYBERSECURITY JOB HUNTING GUIDE
Graylog Installation
Author: Stefan Waldvogel
Install Graylog for your home lab!
-in preparation-
Overview
You can install Graylog in many ways; the official help gives you some ideas (docs.graylog.org/en/4.1/pages/installation.html). This article shows you two options: via an OVA file and the manual way.
Installation via OVA file
If you can, install it the most straightforward way, with an OVA file (packages.graylog2.org/appliances/ova). Download the file and load it with VirtualBox or VMware. Start the VM and you see a login page with the connection details. Open a browser and connect to the system with the user admin and the password ubunto.
You find the official guide here: docs.graylog.org/en/4.0/pages/installation/virtual_machine_appliances.html
Small hint: Graylog 4.1 does not have an OVA file.
Maybe you want to become a SOC Analyst; then it is not essential to know how to install this tool. A Security Architect might do it, but not you as a beginner. If you install it manually, think about preinstalled firewalls (e.g., on CentOS you need to configure SELinux) and routing, because you have to allow traffic from Syslog to your Graylog instance; without that, you do not see anything.
If you have problems, use Google or the massive official help to find the issue.
Manual installation on CentOS8 (Graylog 4.1)
Why should you install Graylog the manual way? It is simple, and you learn how to fix problems and deal with firewalls and application logs. If you work for a company and your agent does not work, it is beneficial to know more about Graylog as an application.
Get a standard CentOS8 ISO and install it via a hypervisor. I am using Virtual Machine Manager on an RHEL host, but you can use any other hypervisor and host. One thing to consider: select the right network. I am using the NAT "default" network with DHCP and without an IP reservation.
-> This is the standard setting, but if you restart the machine, you might get a different IP. Be aware of this (you need to reconfigure some settings) or change the IP to a static IP (the better option) before installing everything.
The following pictures are based on this video: www.graylog.org/videos/centos-install. The video is for CentOS7 and Graylog 3; this guide works for CentOS8 and Graylog 4.1. All new commands are in the documentation: docs.graylog.org/en/4.0/pages/installation/os/centos.html
EPEL and pwgen are optional; you only need them to generate a password.
Install MongoDB, Elasticsearch, and Graylog. Graylog is now at version 4, while the video links to version 3; please use the official installation guide to get the newest commands (copy and paste from there)!
Create test logs and configure firewall/rsyslog:
Configure inputs for local raw files
If you use a pre-configured system, you might not have to configure your system for the first test, but you need to configure an input. It is like an ear, and this ear listens for messages.
Pick raw UDP under inputs.
You can select global or select your node. Then pick a title and change the port to something higher than 1024, because on Linux ports below 1024 are privileged and Graylog would need root rights to claim one.
Create an input
On Linux, you can send messages to the input. Open a new console and run the command:
while true ; do logger -n 127.0.0.1 -P 1514 "I am here" ; sleep 2 ; echo 'log sent' ; done
Every two seconds, this sends a UDP message to 127.0.0.1 on port 1514.
After a short time, the messages arrive and you see them in Graylog.
-> For a company this task is not very useful, but if something goes wrong, it is relatively simple to fix. However, once you start ingesting Syslog or Windows logs via forwarders, there are more moving parts, and you might not know where to start with troubleshooting.
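The input-and-logger exchange from this section, as an added example in Python (not from the original guide and not Graylog code): it opens a listener that stands in for the raw UDP input, sends one message the way logger would, and shows both why the guide picks a port above 1024 and what a raw input stores versus what a syslog input would parse out. Host 127.0.0.1, port 1514 and the sample message are assumptions taken from the guide's own test loop.

```python
# Added example (not from the original guide): a stand-in for a Graylog
# raw UDP input, so you can see what the "ear" receives from `logger`
# before Graylog itself is involved. Host/port/message are assumptions.
import socket

def is_privileged_port(port: int) -> bool:
    """True for ports below 1024, which only root (or a process with
    CAP_NET_BIND_SERVICE) may bind on Linux; that is why the guide uses
    1514 instead of the syslog default 514."""
    return 0 < port < 1024

def build_syslog_line(msg: str, facility: int = 1, severity: int = 5) -> str:
    """Approximate the RFC 3164 line that `logger -n HOST -P PORT "msg"`
    sends: <PRI>timestamp host tag: msg, with PRI = facility*8 + severity
    (1 = user, 5 = notice -> <13>). A *raw* input stores this whole line
    as the message; only a *syslog* input would parse the header out."""
    pri = facility * 8 + severity
    return f"<{pri}>Jan  1 00:00:00 lab user: {msg}"

def parse_pri(line: str) -> tuple:
    """Split the <PRI> header back into (facility, severity), the way a
    syslog input does; raises ValueError for a line without a valid header."""
    if not line.startswith("<") or ">" not in line[:5]:
        raise ValueError("no PRI header")
    pri = int(line[1:line.index(">")])
    if pri > 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8

def send_and_receive(msg: str, host: str = "127.0.0.1", port: int = 1514,
                     timeout: float = 2.0) -> str:
    """Open the listener (the input), send it one datagram (what the
    guide's logger loop does every two seconds) and return what arrived.
    port=0 lets the OS pick a free port if 1514 is already taken."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sender.sendto(build_syslog_line(msg).encode(), (host, bound_port))
        data, _ = listener.recvfrom(65535)
        return data.decode("utf-8", "replace")
    finally:
        listener.close()
        sender.close()

if __name__ == "__main__":
    print("514 privileged:", is_privileged_port(514), "| 1514:", is_privileged_port(1514))
    received = send_and_receive("I am here")
    print("raw input stores:", received, "| syslog input would extract:", parse_pri(received))
```

If the listener times out, nothing reached the port: on a real CentOS host that is the moment to check firewalld and SELinux, exactly as the guide warns.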
© 2021. This work is licensed under a CC BY-SA 4.0 license