Alarm through AppLocker

Hey,

I'm Mikel and we are trying to get familiar with Graylog Open. We have some servers with GELF logs already incoming and some dashboards.

Now we want to get an email alert if someone tries to start a specific application. Therefore we have AppLocker enabled to log this and forward the events to Graylog.
The email config is set up, so we can get mails from Graylog.

2. Describe your environment:

  • OS Information: Ubuntu 20.04 LTS

  • Package Version: v4.2.7+879e651

4. How can the community help?
Now, I don't know how to handle it so that Graylog sends an alert when e.g. TeamViewer is started on a client/server.
I think there must be a possibility to extract from the field full_message the last area \TEAMVIEWER…
and test it against a rule, so that an email alert will be triggered. In the best case the email contains the full_message, so that you can see who tried and which application.

full_message:%OSDRIVE%\USERS\ADMIN\DESKTOP\TEAMVIEWER_SETUP_X64.EXE was prevented from running.

I hope you understand my problem^^

Hello && Welcome Hank,

One of the first things to think about when a message comes in is how to break it up into its parts so you can act on those parts rather than on the whole message. It's important to note that some Inputs such as Beats will automatically break out some basic fields for you.

Right in your Input section you can work on creating Extractors that have a variety of ways to break out the data including regex, GROK, key=value… all of that will be in the docs. Graylog also provides processing in a rule format inside a Processing Pipeline… you can do pretty much the same as using an extractor, so the choice is up to you. When you think of Processing Pipelines consider that inputs feed streams, streams feed pipelines, pipelines contain rules for action, at the end of which the details are stored into Elasticsearch. Once you have the fields separated properly you can use Alerts set up with e-mail to notify your team.

That’s the high level view with some links to documentation where needed. If you run into more specific problems, post them here with relevant details (How to ask questions and Tips on Questions)

Hey,

Your hint with Beats was the little thing which helped me a lot :smiley: I tried Beats at the beginning with Graylog, but our DCs were generating so many logs that the space was full in a few days, and so I tried the GELF format.
We still have a huge amount of logs with GELF with 5 servers, but it's ok.

Now I get an alert if someone tries to start a specific application and I am able to try more stuff.

Edit: I forgot something… I created a new index and a new stream for this AppLocker stuff… the problem is that the messages go through both streams: "All messages" and "applocker". The other stream I created, "Windows Server", only goes to itself and not to "All messages" as well. The stream rule is the unique gl2_source id. So, I don't understand why the messages for the stream "applocker" also go to "All messages".

Maybe see you soon^^
THX

You can process events in Beats before sending to Graylog, which helps a LOT in cutting down on the amount of logs coming in from DCs. Whether you choose to go with selectively blocking or selectively allowing, it can all be placed in the Beats configurations you create (side note: the configuration is very sensitive to spacing, and backslashes in Windows paths need to be doubled). Here is a good example of someone who wrote an extensive beat to get exactly what he wants from the server.

It is likely that you need to check the box Remove matches from 'All messages' Stream when editing the applocker stream - here is an example on a testing stream:



Wow…it has been so easy :see_no_evil: this little tiny check box^^
THX again!

Before we cut down the events we have to discuss which ones we need and which ones we can cut off.
It's all in a kind of testing right now and the indices are set to 30 days, so we don't waste too much space.

Hey,

I'm not the best in coding and such things and I would like to extract something.
In the field winlogbeat_winlog_user_data_FullFilePath is the full path of the application. There could be various other applications with a completely different location and I only want the part with the application name, everything behind the last "\".
This should be possible with the extractors, but how?

C:\Users\admin\Desktop\TeamViewer_Setup_x64.exe

THX

You could use a regex (Regular Expression) extractor… I could put in the regex that would do it but it would be better if you learn regex or at least research the regex solution since you will need to know it for future extractions. For instance, here is a Google Search that will get you started on the regex you want. You can also play around with regex solutions with an online regex tool such as this one.

I just went over the beats configure link you posted, Holy Cow man :laughing: That’s huge and really good.

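As an added illustration of the two extraction questions in this thread (cutting the application name out of the AppLocker full_message, and out of the winlogbeat FullFilePath field) and of the "test it against a rule" step, here is a small Python script. It is not Graylog's code and not from anyone in this thread; the sample records and the watch list are constructed for the demo. It applies the same regex idea a Graylog regex extractor would use: everything after the last backslash is the application name.

```python
import re

# Added example (not Graylog's code). Reduces an AppLocker full_message or a
# winlogbeat FullFilePath value to the bare application name and checks it
# against a watch list, the way an extractor plus an alert would in Graylog.

# AppLocker full_message forms: "<path> was prevented from running." and
# "<path> was allowed to run." The lazy (.+?) keeps paths with spaces intact.
FULL_MESSAGE_RE = re.compile(
    r"^(?P<path>.+?)\s+was\s+(?P<verdict>prevented from running|allowed to run)\.?\s*$",
    re.IGNORECASE,
)

# Everything after the last backslash (or slash) is the application name.
# A Graylog regex extractor stores its first capture group, so the
# equivalent extractor pattern is ([^\\]+)$ .
BASENAME_RE = re.compile(r"[^\\/]+$")

# Constructed watch list: regexes matched case-insensitively against the name.
DEFAULT_WATCHLIST = [re.compile(r"^teamviewer.*\.exe$", re.IGNORECASE)]


def parse_applocker(record: str) -> dict:
    """Return path, application name and AppLocker verdict (None for a bare path)."""
    m = FULL_MESSAGE_RE.match(record)
    if m:
        path, verdict = m.group("path"), m.group("verdict").lower()
    else:
        path, verdict = record.strip(), None
    base = BASENAME_RE.search(path)
    return {"path": path, "app_name": base.group(0) if base else path, "verdict": verdict}


def should_alert(app_name: str, verdict=None, watchlist=DEFAULT_WATCHLIST) -> bool:
    """Alert on a watched application unless AppLocker explicitly allowed it."""
    if verdict == "allowed to run":
        return False
    return any(p.search(app_name) for p in watchlist)


# Constructed sample records: full_message text and bare FullFilePath values.
SAMPLE_RECORDS = [
    "%OSDRIVE%\\USERS\\ADMIN\\DESKTOP\\TEAMVIEWER_SETUP_X64.EXE was prevented from running.",
    "C:\\Program Files\\Git\\bin\\git.exe was allowed to run.",
    "C:\\Users\\admin\\Desktop\\TeamViewer_Setup_x64.exe",
    "D:\\tools\\TeamViewer.exe was allowed to run.",
]


def run_samples(records=SAMPLE_RECORDS) -> list:
    """Return the parsed records that would trigger an alert (two of the samples)."""
    alerts = []
    for rec in records:
        parsed = parse_applocker(rec)
        if should_alert(parsed["app_name"], parsed["verdict"]):
            alerts.append(parsed)
    return alerts


if __name__ == "__main__":
    for a in run_samples():
        print(f"ALERT: {a['app_name']} ({a['verdict'] or 'no verdict'}) from {a['path']}")
```

In Graylog itself the same split is done once by an extractor (or a pipeline rule) on the input, and the alert condition then only has to compare the new field, which keeps the regex out of the alert definition and lets the notification e-mail include the untouched full_message.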

Thanks again! Now everything is right and I can go and try more before we start the Graylog Enterprise trial.
And I don't have a clue how high our EPS is in comparison… with six servers (5x domain controller) we have approximately 50 GB a day… I think that's too much^^
