I’ve been looking and searching the community, marketplace and regular good ol’ internet for a guide about how o use Graylog to log our Win 2016 ad/dc. In the marketplace there’s a few add-ons but the ones i have found is for 2.x/3.x and seems more or less deprecated and not kept up to date.
Have anyone seen a guide for 4.x and an AND that’s at win 2016 functional level? Or is there any fingers that can be pointed in a general direction to something like a good starting point?
Valid question. I guess mainly user activity, when users login and where etc. If that’s done via event ID’s I honestly don’t know since I haven’t looked at it yet. Wanted to find a truusted known 4.x working solution before spending to much time reading doc’s and guides.
A while back with an older version of Graylog I posted up what I had set up in the Marketplace/github here This was with Graylog 3.0.1 so it has legacy alerts in it… and maybe other anomalies… once you import it , pretty sure you can delete what you don’t want. I have yet to clean that up… maybe a project for the near future. It’s a good base to start with … there are some links in there to setting up security auditing…
@tmacgbay Ima try that out soon on GitHub. ( I’m kick myself for not seeing this before.)
@NEO-AMiGA Unfortunately I took a more conventional route.
I create a INPUT with GELF TCP (this creates a lot of fields, like a lot) so if you are tight with disk space maybe not the route to go with. Then I installed a log shipper. Once that was completed I had to enable some settings on my audit GPO in my AD DC to get failed logons, and some other Event
ID’s needed.
The file AD-Monitoring-pipeline-rules.json has just the most recent rules - you can use them in your own pipeline/alerts/dashboards. I was considering separating it out - much better than monolithic.
Looking at this now and I guess this little snippet from the readme is an indication of how it’s going for me.
I am not going into detail here because you should know the details of what you are doing to your server and not just plug things in that some dude on the internet said you should and because this is not a boost, not a HOWTO.
heheheh. After import and installation of the ‘AD-Monitoring-Alerts-Beats.json’ into content packs I’m moving on to this
In System->Sidecars->Configuration - edit both WinlogsDefault and Winlogs-DC to make sure their “Collector” is set to “winlogbeat on Windows” CANCEL setting it to the default template… unless you want to. While you are there, click on “Variables” and edit ${user.BeatsInput} and change the servername from cmg-splunk to the FQDN or IP of your Graylog server. Be sure to set the correct port if you moved it (default is :5044)
I do have the Configuration there in the input field but there’s no Variables listed under variables. Is this a 4.x issue and that I have to add them myself and manually? from the above snippet it sounds like they should’ve appeared there during “installation”.
I guess you have to add the variable manually… very easy - below is a screen shot of creating it, Change GraylogServer.internal.local to the FQDN or IP of your Graylog server. I wish that it was easier to go in and change things that you export in Graylog. If I get time I will work on exporting the current config into more manageable snippets…if I keep saying that it might become true!
They have changed - that was an update in 4.x that I had to adjust for You probably only need winlogbeat_log_level to separate those out since what is coming in on that input/port is all windows logs anyway.
Perfect. And if I understand the manual correctly tags isn’t used any more so I can also remove traces of that in the collector configuration, correct?
I’ve massaged the bat-installer a bit for our needs and I’ll attach that here if some one else find it useful.
In this version server and api-token is added directly in the installer .bat file instead of editing the ‘windows-graylog-sidecar.yml’. I took this approach so that we only have to edit one file. But for this to work as expected you’d probably want to remove the server_url and server_api_token from the ‘original’ ‘windows-graylog-sidecar.yml’.
I’ve also moved most of the stuffs to variables so it’s easier to read and massage for different environments. It’s not perfect, but is something ever…?
@echo OFF
:: CHECK IF WE ARE ADMIN --------------------------------------------------------------------------------------------------------
NET SESSION >nul 2>&1
IF %ERRORLEVEL% EQU 0 (
echo.
echo ####### ADMINISTRATOR PRIVILEGES DETECTED #########
echo.
) ELSE (
echo.
echo ####### ERROR: ADMINISTRATOR PRIVILEGES REQUIRED #########
echo This script must be run as administrator to work properly!
echo Right click on the shortcut and select "Run As Administrator".
echo ##########################################################
echo.
EXIT /B 1
)
:: SOME VARS, EDIT FOR YOUR OWN NEEDS ----------------------------------------------------------------------------------
:: Your environment
:: Name of your server, only cosmetic in the installer and never used
set "graylogServerHostName=graylogServerHostname"
:: Installation directory on disk. Normally C:\Program Files\graylog
set "graylogInstallationDir=C:\Program Files\graylog"
:: Path to the graylog_sidecar_installer_x.x.x-x.exe installer
set "graylogSidecarInstaller=C:\Users\%USERNAME%\Downloads\graylog_sidecar_installer_1.1.0-1.exe"
:: URL to your server
set "graylogServerURL=http://192.168.900.900:9000/api/"
:: API TOKEN. Generate in web ui for the graylog-sidecar user
set "graylogAPItoken=replace_this_with_your_api-token"
:: The Graylog-AD-beats-master dir. Default is the one this bat file is runing from.
set "installerDir=%~dp0"
:: timestamp for backup of settings
for /F "usebackq tokens=1,2 delims==" %%i in (`wmic os get LocalDateTime /VALUE 2^>NUL`) do if '.%%i.'=='.LocalDateTime.' set ldt=%%j
set timestamp=%ldt:~2,2%%ldt:~4,2%%ldt:~6,2% %ldt:~8,2%%ldt:~10,2%%ldt:~12,2%
:: DEBUG OUTPUT OF VARS ------------------------------------------------------------------------------------------------
:: comment out the below 'goto' to see output. Normally only needed when you have issues with install.
goto :skipdebug
echo.
echo ####### DEBUG OUTPUT! ####################################################################
echo DEBUG: graylogServerHostName: %graylogServerHostName%
echo DEBUG: graylogInstallationDir: %graylogInstallationDir%
echo DEBUG: graylogSidecarInstaller: %graylogSidecarInstaller%
echo DEBUG: graylogServerURL: %graylogServerURL%
echo DEBUG: graylogAPItoken: %graylogAPItoken%
echo DEBUG: installerDir: %installerDir%
::echo DEBUG: tags: %tags%
echo.
echo.
:skipdebug
:: --------------------------------------------------------------------------------------------------------------
:: --------------------------------------------------------------------------------------------------------------
:: --------------------------------------------------------------------------------------------------------------
:: INSTALLATION PROCESS, PROBABLY NO NEED TO EDIT ANYTHING BELOW ------------------------------------------------
echo This script installs the Graylog Sidecar log forwarder going to %graylogServerHostName%
echo.
: GIVE THE USER AN OPTION OF WHAT TO DO
goto :install_choice
:install_choice
echo.
set /P c=Are you sure you want to continue with the installation [y/N]?
setlocal EnableDelayedExpansion
if /I "!c!" == "Y" goto :startInstall
if /I "!c!" == "N" goto :eof
goto :install_choice
:startInstall
:: Check if alreaedy installed. If so, uninstall service.
if exist "%graylogInstallationDir%\sidecar\graylog-sidecar.exe" (
echo.
echo - Graylog Sidecar SERVICE UNINSTALL...
"%graylogInstallationDir%\sidecar\graylog-sidecar.exe" -service uninstall
)
echo.
echo - Graylog Sidecar INSTALL
%graylogSidecarInstaller% /S -SERVERURL=%graylogServerURL% /S -SERVERURL=%graylogServerURL% -APITOKEN=%graylogAPItoken%
echo.
echo - Graylog YAML - Backing up original config to 'sidecar.yml-orig-%timestamp%'...
move "%graylogInstallationDir%\sidecar\sidecar.yml" "%graylogInstallationDir%\sidecar\sidecar.yml-orig-%timestamp%" >nul 2>&1
echo.
echo - Graylog YAML - Creating Yaml from template and adding server URL and API Token to it...
echo server_url: %graylogServerURL% >>"%graylogInstallationDir%\sidecar\sidecar.yml"
echo server_api_token: "%graylogAPItoken%" >>"%graylogInstallationDir%\sidecar\sidecar.yml"
type %installerDir%\windows-graylog-sidecar.yml >> "%graylogInstallationDir%\sidecar\sidecar.yml"
echo.
echo - Graylog Sidecar App Installed and configured
echo.
:: Check if alreaedy installed. If it is we DON'T install it. We only need to start it. Some issues so we run this twice.
sc query graylog-sidecar >nul 2>&1
sc query graylog-sidecar >nul 2>&1
if %ERRORLEVEL% NEQ 0 (
echo - Graylog Sidecar SERVICE Installing...
"%graylogInstallationDir%\sidecar\graylog-sidecar.exe" -service install
"%graylogInstallationDir%\sidecar\graylog-sidecar.exe" -service start
) else (
echo.
echo - Graylog Sidecar SERVICE starting...
:: the stop is here since the installer starts one of the services. Stoping gives a cleaner result.
:: But honesly, the else isn't needed since we uninstall the service above instead of stopping
"%graylogInstallationDir%\sidecar\graylog-sidecar.exe" -service stop
"%graylogInstallationDir%\sidecar\graylog-sidecar.exe" -service start
)
echo.
echo - Graylog Sidecar SERVICE Done
echo.
echo - Graylog Sidecar Installation Complete
echo.
@echo ON