Best Practice? Sidecar -> Stream -> Dashboard

I am using Winlogbeat sidecars on some Windows servers with the standard configuration

- name: Application
  ignore_older: 720h
- name: System
  ignore_older: 720h
- name: Security
  ignore_older: 720h

In the stream configuration I have a simple rule
Source == "Windows Server Name"
to use in a dashboard message table. This is working nicely. So far so good…

In the dashboard I would like to have a message table for each winlogbeat_event_provider:

  1. one for Application, one for System and one for Security logs.

What is the best way to achieve this?
Do I need a single stream for each? Performance?

Or is there a more flexible way with pipeline rules and decorators?
I know I should be able to configure a decorator with a pipeline rule on the message table using the same stream for all.

So far I haven't had any luck with that. I only got some weird effects like a disappearing message table in the dashboard, high CPU usage… I guess my pipeline rules were not so great.

Some working examples would really help me out.

System specs are:
Graylog 4.28 SMB

Linux Ubuntu 20.4 HyperV 16GB 16Cores

Thanks in advance

Matthias

Hello,
Perhaps I can help.

I'll show you some screenshots.

1. Navigate to your message from Winlogbeat.


2. Click on the arrow next to winlogbeat_winlog_channel; this opens a new window.


3. Choose Show top values.


4. Now you have a widget with all your channels.

5. From there you can move/make your dashboards by clicking on the arrow next to the channel name (System, Application, etc.) and then choosing Show documents for value.

Hope that helps

Hi gsmith, thanks for your answer, but this isn't what I am looking for.

I would like to have something like this

For this I created some streams

like that

The result is not really what I hoped for, but I could work with it… but it is a lot of work to have a stream for each box I am monitoring and for each event channel…

So I read about decorators. As far as I understood it, it should be possible to have one stream pulling in the data from the source and then "filter" what is to be seen in the message table with a pipeline.
??

First I was going to go with winlogbeat_event_provider, but I think the field winlogbeat_winlog_channel is better because that is what the Winlogbeat sidecar is reading from the Windows logs.

The pipeline rule I tried should drop all messages except the ones from the Application channel:

rule "Winlog Application"
when
    // drop everything whose channel does not contain "Application" (case-insensitive)
    has_field("winlogbeat_winlog_channel") &&
    !contains(to_string($message.winlogbeat_winlog_channel), "Application", true)
then
    drop_message();
end

I tried to use it on stream TPM-WS-06 as a decorator (Pipeline Processor Decorator bound to the message table), but get no result; still all messages from source TPM-WS-6 appear in the message table.

?? What am I missing? :face_with_diagonal_mouth:

@Matthias23

That is one way of doing it, but there is a simpler way, though.
I mocked it up for you. Here is my dashboard.

Is this what you wanted?

Yes, it looks like it, so how do you do it?

A couple of points:

  • The decorator shows up as another field on the message; you would then need to add it to the table to see it.

  • I am not sure why you break up System, Security, Application into separate streams. You can have it all pass through one stream, and in your pipeline rules (you can attach multiple pipelines to a stream too…) you can actively select the winlogbeat_winlog_channel as you have already done, and you can use Stages to sequence how the rules are managed.
    (Important to note: if you have a message starting in two or more streams, the message stays in lockstep in the same stage in every stream as it works its way through. On the other hand, if you use the route_to_stream() function, the message will finish the current stream(s) before moving on to the new one.)

  • If you don't want the Application log, it is way more efficient to remove it from the sidecar configuration than to wait until it gets to Graylog and drop it.

  • Use the </> forum tool when posting code, it cleans it up nicely for reading… I changed it on your post so you can see what I mean.


I am not sure that I understand. Do I use a set_field in the pipeline rule, or is it simple because it's a decorator? Maybe I understand the whole decorator concept wrong??
I thought I could use the Pipeline → Decorator construct as a kind of non-destructive filter for messages.

It's more a "how-to" for doing whatever with Graylog. I am one week on Graylog now, and breaking it up and feeding the streams into dedicated message tables worked,
but that's exactly what this excursion is about; I am asking: is this the right way to go?
I learned to
create streams…
use Exclude from results and Add to query to filter an existing message table
use the Key/Value extractor
get the geolocation with a pipeline from some router syslog…

rule "geolocation DST"
when
    // only look up public destination addresses
    has_field("DST") AND
    NOT in_private_net(to_string($message.DST))
then
    let geolocation_ip = to_string($message.DST);
    set_field("geolocation_ip", geolocation_ip);
end

I used the !contains(… to drop all other messages, so I thought :slight_smile:, and keep "Application" in this pipeline,
and then do the same with other pipelines and rules for System and Security.

I will!! Looks a lot nicer, thanks for the hint.

Hello,

This will be a free tutorial on a how-to :smiley:

If you are running one Beats input, then click on Show received messages.

This will show all messages. For this tutorial, when redirected to the Search page I will set it to a day. It should look like this.

Then you need to reread my post and follow what I did. Start with step 1.

The search should look like this now. But wait, there is more :smiley:

Click on one of the widgets. For this tutorial I will choose Application. There is an Edit button in the upper right of the widget; click on that.

You should see this now

Uncheck the option in the left pane called "Show message in new row".

Now it should look like this.

Click the Save button.

You have two choices after this. Either save it as a search or transfer this widget to a dashboard.

Example how-to: save as search.

Example how-to: transfer to dashboard.

There are a couple of other routes you can take with the same outcome, but I think this would be easy enough to get you started. Feel free to explore :pirate_flag:

Hope that helps


Decorators: These are not related to pipelines. They are an inline tool used with "Search" (data pulled from the Elasticsearch database based on your queries) that dynamically creates temporary fields in search results based on decorator configurations you set up. The resulting fields are not searchable. So for instance you could have a search on a stream connected to a firewall and add a decorator to pick out information for clarity. Here is an example:

Palo Alto FW Message:
eastcoastFW.myco.co 1,2022/04/29 07:43:08,012001018874,TRAFFIC,end,2561,2022/04/29 07:43:08,10.20.7.19,207.211.31.113,50.207.58.82,207.211.31.113,outbound-connect,,,ssl,vsys1,internal-zone,external-zone,ethernet1/2,ethernet1/1,log forwarding,2022/04/29 07:43:08,16913,1,60612,443,53899,443,0x40041a,tcp,allow,6615,1367,5248,18,2022/04/29 07:42:51,0,not-resolved,,7037914757779042946,0x0,10.20.0.0-10.20.255.255,United States,,8,10,tcp-rst-from-client,0,0,0,0,,fwb1,from-policy,,,0,,0,,N/A,0,0,0,0,953d8a3a-3bca-4460-a56c-e2dbb76cedb1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2022-04-29T07:43:08.073-04:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0

[NOTE: The message above has been broken out into constituent fields with a separate pipeline rule (open a new question if you want that)]

With a "Format String" decorator applied you can arrange the information so it reads more easily:

Here is the decorator rule (shown when editing a message table):

Which would give you a field in your search that looks like this:

ThisJustHappened
10.20.7.19 just connected out to something in Provincetown, United States with an IP of 205.139.111.12 (decorated)

Streams: With Graylog, you receive messages on an Input and store them in an Elasticsearch database. In between those two are Streams. A Stream can be attached to one or more inputs to catch the messages and direct them to an Index. (There is a default stream that everything goes through unless you set up your own.) These Streams are where you can manipulate the data… actually… you can manipulate data before it hits streams with an Extractor attached to the Input to catch and modify. If you want to change data in the stream, you attach a processing pipeline to the stream and set up rules in the pipeline to manipulate data, i.e. pull out fields from the original message.

With all that: if you have a stream of messages coming from Windows, you would only break out three streams if you wanted to make sure you are storing "Application", "Security", "System" (etc.) into different index files so that you can change retention times for each. If they all come in on one stream
going to one index, the pipeline rules can simply say in the WHEN of each rule that the winlog_channel must be the type you want to manipulate (application, security, system, etc.).

Dropping messages: If you use drop_message() in a pipeline, that means it will never get to the index (stored in Elasticsearch), so if all three streams/pipelines go back to the same index, when you drop "application" in one stream it will never get stored in the index.

Hope all that makes sense!
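Putting the two replies above together (one stream with staged pipeline rules, and separate streams only when retention per channel must differ), here is an added example in Graylog's pipeline rule language. It is not from this thread or from Graylog's documentation. It assumes a source stream named "Windows Servers" that all Winlogbeat messages enter, three already-created target streams "Winlog Application", "Winlog System" and "Winlog Security", each bound to its own index set, and a helper field winlog_channel; all of those names are hypothetical. The functions used (has_field, to_string, lowercase, set_field, concat, route_to_stream, remove_from_stream) are standard Graylog pipeline functions.

```graylog
// Added example (not from the thread). Assumed setup: one pipeline attached to the
// hypothetical stream "Windows Servers"; the rule below marked stage 0 sits in
// stage 0 of that pipeline, the routing rule in stage 1.

// Stage 0: enrich, never drop. A lower-cased copy of the channel name lets a
// dashboard message table filter with a query such as  winlog_channel:security
// without any per-channel stream at all. (winlog_channel is a hypothetical field.)
rule "winlog: normalise channel"
when
    has_field("winlogbeat_winlog_channel")
then
    set_field("winlog_channel",
              lowercase(to_string($message.winlogbeat_winlog_channel)));
end

// Stage 1: only needed when the three channels must live in different index sets
// (different retention). The message is moved to the per-channel stream and removed
// from the source stream, so it is indexed exactly once. Compared with the
// "!contains(... Application ...) then drop_message()" approach, nothing is
// discarded: System and Security events keep their own streams instead of being
// lost before they reach any index.
rule "winlog: route to per-channel stream"
when
    has_field("winlogbeat_winlog_channel") AND
    (
        to_string($message.winlogbeat_winlog_channel) == "Application" OR
        to_string($message.winlogbeat_winlog_channel) == "System" OR
        to_string($message.winlogbeat_winlog_channel) == "Security"
    )
then
    let channel = to_string($message.winlogbeat_winlog_channel);
    // target stream names are assumed: "Winlog Application", "Winlog System", "Winlog Security"
    route_to_stream(name: concat("Winlog ", channel), remove_from_default: true);
    // leave the source stream so the message is not stored in its index set as well
    remove_from_stream(name: "Windows Servers");
end
```

A message whose channel is none of the three (for example an Operational log added to the sidecar later) is not matched by the stage 1 rule and simply stays in "Windows Servers", which is a safer default than dropping it. If one index set and one retention period are enough, keep only the stage 0 rule and build the three dashboard message tables with a query per channel on the same stream.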

Yes it does, and it clears up a lot on how to handle Graylog. I played around with your suggestions and must say the whole handling is a lot of fun and much more flexible than what I was going for.

I think https://docs.graylog.org/docs/queries will steer me in the right direction
:relieved:

Thanks for all the work


@tmacgbay

You're going to hit me on this one; I was looking everywhere for Decorators :laughing:
For 6 years I haven't really messed with that section.

@Matthias23

Nice… glad to help, and as you learn more, Graylog has many other settings/configurations that can be used.
If this post is completed, could you mark this as resolved for future searches?

Ha!! I only played with decorators a while back… took me a bit to remember they are available when editing a message table! Eventually I will create some Graylog views for management and use decorators on their pages for readability.


I have more questions, but that’s for another discussion, thanks again for your help.

