Any up to date info on Graylog 4x and logging of active directory (Win 2016 functional level)?

Aaah! That I will. Will try it on a few machines first to make sure it’s okay.

@NEO-AMiGA

Good job man :smiley:


Have used that installer on 4 Windows boxes and one DC now. All working fine and we get the messages to Graylog. Huge thanks @tmacgbay ! :pray:

But I’m now in the stage where I have to go through all rules and pipelines and what more. It feels a bit wasted if I only do this for our installation, and since I have to go through pretty much all of it I can’t help but wonder if I can do this in some smart way that would be useful for you if you want to update your scripts?

One approach I thought of was, after mapping and investigating the renamed fields in Graylog, to do a search and replace in ‘AD-Monitoring-Alerts-Beats.json’ and reimport it. Not sure if that would screw something up though, and if I would end up with multiple objects.

Do you have any thoughts regarding best approach here? And if there’s some way to approach this that would benefit others as well. :thinking:

I ran a single test on the installer you built with my settings and it worked flawlessly!

I am happy to export my rules again, though it will take a bit to clear out private data. In the original monolithic export a couple of years ago, I spent time trying to variableize things that were unique to me but it was quite a chore. It wouldn’t be too hard to do a replace on the JSON - when done, there is a checker here that would help to maintain integrity and ease expansion.

Ultimately I could build it into something similar to Graylog’s Illuminate but I would need to start from scratch and build a test environment… currently it’s an organic build.

I am game if you have a plan!

Never looked into Illuminate so not sure how that works nor what it really is. :face_with_hand_over_mouth: And Illuminate is enterprise only, right?

But do I understand you correctly that the best approach for me now would be to search and replace in the available JSON and re-import?

I’m still so new to Graylog that I have a hard time knowing what’s in the JSON that’s deprecated and should be removed. I will poke around in it and see if I can find some sort of documentation of which variables have changed names.

So, I’m not sure I have a plan atm. :joy: I just want to find a good approach that would be valuable for others. I mean, no matter what, I do have to go through it and massage it for our needs so that it works. If that result is useful it would be wasteful to not make it available to others. :nerd_face:

I’m also still pondering over whether I should extract more info from the message itself or not. Like ‘account name’ and so on. Or maybe it’s supposed to do that but it’s just “broken” here. :thinking:

I am extracting my current Windows event ID rules, I will post them up to GitHub today. Illuminate is a separate holistic build to look at authentications etc. and is only purchased in addition to Enterprise. It includes a standardized schema build so that field names are consistent, rules, dashboards etc. Well thought out compared to my ad-hoc… at least that’s what I have read… haven’t actually used it yet.

I don’t have a best approach :smiley: I would love to be paid for re-building it all from scratch including normalizing field names, standardizing rules and maybe trying to work within Graylog’s alert system (which I don’t… I rearranged it a bit to fit my needs, more below).

re: extracting more info - The winlogbeats running on the Windows machines extract all the info into constituent fields pretty well, with some exceptions that didn’t cause too many issues. I use a generic HTML Alert notification that has logic/standards in it to only show fields if they exist. This is the different way I handle alerts… the way Graylog handles it, you need an “Event Definition” AND a Notification for every unique instance of something you want to alert on… I wanted to be able to mark something as alertable in the pipeline, and have a generic event definition and notification handle the rest… otherwise it’s three customized stages for every alert… Parse, define and notify… I am going on a tangent here. Will post up new rules soon…


Awesome! Thanks! Ran into a small snafu though and what I can find on the subject indicates it’s a bug. Will investigate further. What I did was to upload the new JSON as a content pack and then hit install. I assume that’s all you should need to do.

2022-01-24T11:04:54.793+01:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
org.graylog2.contentpacks.exceptions.ContentPackException: Failed to install content pack <9d035b1c-c37d-4f25-ae64-0b17a3d3b6c7/3>
	at org.graylog2.contentpacks.ContentPackService.installContentPack(ContentPackService.java:158) ~[graylog.jar:?]
	at org.graylog2.contentpacks.ContentPackService.installContentPack(ContentPackService.java:99) ~[graylog.jar:?]
	at org.graylog2.rest.resources.system.contentpacks.ContentPackResource.installContentPack(ContentPackResource.java:293) ~[graylog.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_312]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_312]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_312]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_312]
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) ~[graylog.jar:?]
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) ~[graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
	at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
	at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
	at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
	at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_312]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_312]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]
Caused by: org.graylog2.contentpacks.exceptions.DivergingEntityConfigurationException: Different pipeline rule sources for pipeline rule with name "AP3-WinSec-BadPw"
	at org.graylog2.contentpacks.facades.PipelineRuleFacade.compareRuleSources(PipelineRuleFacade.java:151) ~[graylog.jar:?]
	at org.graylog2.contentpacks.facades.PipelineRuleFacade.findExisting(PipelineRuleFacade.java:140) ~[graylog.jar:?]
	at org.graylog2.contentpacks.facades.PipelineRuleFacade.findExisting(PipelineRuleFacade.java:126) ~[graylog.jar:?]
	at org.graylog2.contentpacks.ContentPackService.installContentPack(ContentPackService.java:131) ~[graylog.jar:?]
	... 29 more

I also forked your git repo and pushed my updated installer. Will also post it where you pointed me. :+1:

When troubleshooting the above I noticed something. Do you have pipeline rules in place to rename the fields in the incoming messages from winlogbeat? Maybe something like mentioned here, Enhance Windows Security with Sysmon, Winlogbeat and Graylog | Graylog

I took a look at the updated ‘AD-Monitoring-pipeline-rules.json’ but the fields referred to there do not match what I get in. For instance here:

rule "AP3-WinSec-BadPw"
when
    // assumes you have checked for
    // windows-security-information
    to_string($message.winlog_event_id) == "4625"             

From what I can see the rules in that updated JSON do not have the ‘winlogbeat_’ prefix that I have on all my incoming messages. :thinking: Or have I missed something in the config on all those Windows boxes?


The newer versions (newer than the one in the sidecar installer) of Elasticsearch Beats change the prefix from winlogbeat to winlog. I had updated some of the beats I had and not others and created all sorts of confusion, with some things getting notifications/graphed and others not. I am currently using winlogbeat.exe 7.11.1.0. They did not change the executable name… So you could update the winlogbeat.exe application or find/replace on the JSON before install.

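A helper for the find/replace-before-install approach discussed above, and for spotting the rule-name collision behind the `DivergingEntityConfigurationException` in the install error (added example, not code from the content pack or either poster). It assumes Graylog's content-pack JSON layout in which each `pipeline_rule` entity keeps its title and rule text under `data.title["@value"]` and `data.source["@value"]`; the sample pack, its placeholder id and the `existing` mapping are constructed for the example.

```python
"""Rewrite $message.winlog_* references in a Graylog content pack so the rules
match messages ingested with the Beats input's field prefix (winlogbeat_)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample pack (placeholder id) with one rule written for the
# un-prefixed "winlog_" names that newer Beats versions emit.
SAMPLE_PACK = json.dumps({
    "v": 1,
    "id": "00000000-0000-0000-0000-000000000000",
    "rev": 1,
    "name": "AD-Monitoring-pipeline-rules (constructed sample)",
    "entities": [{
        "v": "1",
        "type": {"name": "pipeline_rule", "version": "1"},
        "id": "rule-1",
        "data": {
            "title": {"@type": "string", "@value": "AP3-WinSec-BadPw"},
            "description": {"@type": "string", "@value": "Failed logon"},
            "source": {"@type": "string", "@value":
                'rule "AP3-WinSec-BadPw"\nwhen\n'
                '    to_string($message.winlog_event_id) == "4625"\n'
                'then\n'
                '    set_field("alert_user", $message.winlog_event_data_TargetUserName);\n'
                'end'},
        },
    }],
})

# Matches only un-prefixed references, so running the rewrite twice is a no-op
# ($message.winlogbeat_winlog_... does not start with "winlog_").
FIELD_REF = re.compile(r"\$message\.(winlog_[A-Za-z0-9_]+)")


def rewrite_rule_source(source: str, prefix: str = "winlogbeat_") -> str:
    """Prefix every $message.winlog_* reference in one rule's source text."""
    return FIELD_REF.sub(lambda m: f"$message.{prefix}{m.group(1)}", source)


def rewrite_pack(pack_json: str, prefix: str = "winlogbeat_") -> Tuple[str, List[str]]:
    """Return the rewritten pack JSON and the titles of the rules that changed."""
    pack = json.loads(pack_json)
    changed: List[str] = []
    for entity in pack.get("entities", []):
        if entity.get("type", {}).get("name") != "pipeline_rule":
            continue
        src = entity["data"]["source"]
        new = rewrite_rule_source(src["@value"], prefix)
        if new != src["@value"]:
            src["@value"] = new
            changed.append(entity["data"]["title"]["@value"])
    return json.dumps(pack, indent=2), changed


def diverging_rules(pack_json: str, existing: Dict[str, str]) -> List[str]:
    """Titles of pack rules whose source differs from an existing rule of the
    same name (existing = {rule title: rule source} exported from Graylog).
    These are the ones the installer rejects; rename or remove them first."""
    pack = json.loads(pack_json)
    out: List[str] = []
    for entity in pack.get("entities", []):
        if entity.get("type", {}).get("name") != "pipeline_rule":
            continue
        name = entity["data"]["title"]["@value"]
        src = entity["data"]["source"]["@value"]
        if name in existing and existing[name].strip() != src.strip():
            out.append(name)
    return out
```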

Aaah! Gotcha. Will look at that when I fix what I broke here. :rofl: The long error message above got me into a scenario where I uninstalled the original, edited that JSON and reimported, and that made my sidecars explode. :hot_face:

Many moving targets here. :upside_down_face:

Think I broke this into infinity. I couldn’t import just the pipeline rules since they’re colliding with what I assume are the existing rules imported in the original content pack. So playing with this I uninstalled everything and now when I install the original content pack again I get this error when I go to System > Sidecars > manage sidecar on one of them > check winlogbeat checkbox. The error appears on a ‘something went wrong’ page with a monkey with a banana on his face, actually pretty much what I look like now. =/

e is undefined


The little issue that you just can’t import and update the rules complicates things a bit too. I will have to look into updating your original content pack or see if I can find a solution to merge the new rules with that pack. I’ll look around here and see if I can find some more duct tape. :no_mouth::grimacing:

There is a JSON format checker online that you can use as long as you don’t have private inside info in the JSON. I posted it a couple of days ago… quick way to make sure that your formatting is working…

Ah yes. I did use that. The JSON is fine. I think. I will recheck.

At the moment it seems like the JSONs are the least of my problems.

Something broke to a great degree when fiddling with the content packs. As soon as I click the winlogbeat checkbox for a node I’m thrown to the banana monkey page and the error below. Not really sure how to get this back up and running, there’s nothing in the server log about it. =/ Even if I delete all content packs and the sidecars I get this error now. :astonished: Thinking that it might be something with the node-id maybe, but not sure. Restart of Graylog doesn’t help either.

e is undefined

I took the easy route after spending way too many hours troubleshooting, restored a snapshot of the server. :roll_eyes:

I did update winlogbeats.exe on a few clients but the odd thing is that I still see the same “old” names here. :thinking:

winlogbeat_agent_version
    7.16.3

winlogbeat_winlog_event_id
    4611

Ay-ya - you likely have the beats input set to apply the prefix… This is with it checked in my system.


AAAAAAH! Yes. Ha! Thanks. :pray: Wow! That was driving me nuts. I guess that has changed since the content pack was created or that flag didn’t import properly.

With that I don’t think a client update is needed, looks like the fields are correct on the 7.11.1 clients as well now.

@tmacgbay you never ran into the issue of the banana-monkey with sidecars? Smells like a bug that I’ve poked a bit too hard. Importing a content pack with a configured ‘sidecar_collector_configuration’ that has the same name as an already existing one seems to be enough to break it. I guess it messes with the ID of the collector and instead of doing that nicely, it does it poorly. :crying_cat_face: I haven’t found any way to get out of that mess other than restoring a snapshot of the server. :grimacing:

I haven’t run into it. The only things that should/could change are the configurations you are pushing to the sidecar client or maybe the sidecar.yml file on the client. Rather than restoring a whole server snapshot can’t you rename/delete/re-write the configuration you are pushing?

Sadly doesn’t work.

The workaround I have found that, for now, works is that before an import of a new revision of this content pack you change the sidecar config of all nodes to a temporary one. After import you can go back, configure the imported config and deploy it to the nodes. If you don’t do this you break it beyond repair. :grimacing:

Why do I keep importing stuff? Good question… I’m updating the ‘AD-Monitoring-Alerts-Beats.json’ with your latest rules and with fixes for a handful of small things (that I’ve run across above) so that it comes in in a working state in v4.

Of course it’s the whole thing with alerts and what more that I need to take a swing at. But I still think that your JSON is a solid starting point here. :pray: :+1:
