blogLog: Top Graylog Community Members Interview with @shoothub

Interviews with Top Graylog Community Members: @shoothub

We asked @shoothub, a long-time, loyal Graylog community member, to talk about an issue he recently had that involved log management as part of the solution. Here’s what he had to say:

Shoothub_Top Graylog Community Members.pdf (315.9 KB)

Kudos to @shoothub . When you see him around the community, be sure to say hello!

Top Graylog Community Members
Interview with @shoothub
Aug, 2021


“We recently deployed one Network Detection and Response (NDR) solution because it
generates a lot of valuable logs we store and analyze. Our NDR solution has only the option to
forward generated events/logs to an external log system in formats like Syslog, LEEF and CEF, so
we set up external log forwarding to Graylog. We chose CEF because it contains more
information than other formats. For example, the CEF format captures the user’s workstation name
when logging in or out of the NDR solution web interface. That information is valuable to us.”

“Although our NDR solution generated system logs, we could display only the current day in the
web interface. Unfortunately, we had to click day by day to see yesterday’s log or any past
days’ log. We wanted to have all the system logs in one place, so an external, more robust log
management solution was appropriate.”

“To solve this issue, we used pure Graylog and created a CEF input with TLS encryption. To
remove unnecessary fields and normalize fields from CEF, we used a pipeline connected to a stream and a
simple pipeline rule:”

rule "NDR remove unused fields and rename"
when
    has_field("deviceFacility")
then
    // the following fields will be removed
    remove_field("dproc");
    remove_field("deviceProcessName");
    remove_field("externalId");
    // the following fields will be renamed
    rename_field("src", "src_ip");
    rename_field("dst", "dst_ip");
    rename_field("app", "application");
    rename_field("spt", "src_port");
    rename_field("dpt", "dst_port");
end

“We chose Graylog because it was our go-to tool solution, and we are familiar with Graylog capabilities. We typically use Graylog to collect and analyze new services in our network, network devices, and servers. We are happy with the results.”

“In the end, we were able to create an excellent dashboard of system events from the new NDR solution, with a lot of widgets. We were also able to send alerts for essential system events like update failed, SPAN port stopped sending data, or login failed.”
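To see what that pipeline rule does to a real CEF event, here is an added Python example (not from the post and not Graylog code): it parses the CEF header and extension, then applies the same remove/rename list, guarded by the presence of deviceFacility exactly as the rule is. The sample events, the vendor/product names and the field values are constructed.

```python
import re

# Constructed sample CEF events (not taken from the post); vendor/product names are placeholders.
SAMPLE_EVENTS = [
    "CEF:0|ExampleNDR|Sensor|1.0|100|User login|3|deviceFacility=webui "
    "src=10.0.0.5 spt=51234 dst=10.0.0.1 dpt=443 app=HTTPS dproc=nginx "
    "deviceProcessName=webui externalId=42 shost=WKSTN-07 msg=Login from console",
    # Second event has no deviceFacility, so the rule's guard leaves it untouched
    "CEF:0|ExampleNDR|Sensor|1.0|200|Span port stopped|8|src=10.0.0.1 "
    "deviceProcessName=capture externalId=43",
]

HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")
# Same field lists as the pipeline rule in the post
REMOVE_FIELDS = ("dproc", "deviceProcessName", "externalId")
RENAME_FIELDS = {"src": "src_ip", "dst": "dst_ip", "app": "application",
                 "spt": "src_port", "dpt": "dst_port"}


def parse_cef(line):
    """Parse one CEF line into a flat dict of header fields plus extension key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split on unescaped pipes only; the 8th piece is the whole extension string
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header is incomplete")
    fields = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    extension = parts[7] if len(parts) == 8 else ""
    # Extension values may contain spaces, so split only before the next "key=" token
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", extension.strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value.replace("\\=", "=")
    return fields


def normalize(fields):
    """Apply the post's rule: only events carrying deviceFacility are cleaned and renamed."""
    if "deviceFacility" not in fields:
        return dict(fields)
    kept = {k: v for k, v in fields.items() if k not in REMOVE_FIELDS}
    return {RENAME_FIELDS.get(k, k): v for k, v in kept.items()}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(normalize(parse_cef(event)))
```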

Hi @dscryber,
maybe posting here as text would be a better option than PDF.