hi there - hope 12d isn’t long enough to be considered a gravedigger =p
Anyway, I started testing Graylog and was following both this post
https://www.graylog.org/blog/83-back-to-basics-enhance-windows-security-with-sysmon-and-graylog
and the documentation step by step, but I still fail at something. I’m getting two errors:
```
time="2017-06-03T14:18:30-03:00" level=error msg="[RequestConfiguration] Fetching configuration failed: Get https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/9118dac7-157f-4255-8bec-98f895f7b400?tags=%5B%22windows%22%5D: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."
time="2017-06-03T14:18:30-03:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/collectors/9118dac7-157f-4255-8bec-98f895f7b400: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."
```
I’m using the OVA virtual appliance, already updated to 2.2.3, I already successfully installed the Threat Intel plugin and configured the pipeline:
But I can’t seem to get my sidecar to deliver the sysmon logs. Here’s collector_sidecar.yml:
```yaml
server_url: https://172.28.97.4:443/api
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
cache_path: C:\Program Files\graylog\collector-sidecar\cache
log_path: C:\Program Files\graylog\collector-sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
  - name: nxlog
    enabled: false
    binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
  - name: winlogbeat
    enabled: true
    binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
  - name: filebeat
    enabled: false
    binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
```
One thing I had to do differently from what’s explained in the step-by-step was that I needed to download Beats to get some files, namely `winlogbeat.template.json`, `winlogbeat.template-es2x.json` and `winlogbeat.template-es6x.json`, and put them in the same folder as winlogbeat.exe. I also needed a winlogbeat.yml in the generated folder, or else all I was getting in winlogbeat_stderr.log was errors pointing to those files.
At least these were the files that I identified as missing from the errors in the log. I installed the sidecar using the installer from Graylog_Sysmon on GitHub, properly configured for my Graylog server:
https://github.com/ion-storm/Graylog_Sysmon/blob/master/Installers/Install_Sidecar_noprompt.bat
Almost forgot! This is the result from running that curl command on the Windows machine where the sidecar is installed:
```
c:\Program Files\curl-7.54.0-win64-mingw\bin>curl -v -k -u admin:admin https://172.28.97.4:9000/api/plugins/org.graylog.plugins.collector/collectors
*   Trying 172.28.97.4...
* TCP_NODELAY set
* Connected to 172.28.97.4 (172.28.97.4) port 9000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.28.97.4:9000
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.28.97.4:9000
```
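As an added example (not part of the post above, and not Graylog's own tooling), the following script cross-checks the three artifacts the post shows: the `server_url` in collector_sidecar.yml, the `dial tcp ... connectex` targets in the sidecar log, and the curl output. It reports whether the port the sidecar is configured for is the one that refused the connection, whether a different port accepted TCP but failed the TLS handshake, and whether `tls_skip_verify` disables certificate checks. The inputs are constructed from (and abridged versions of) the lines quoted in the post.

```python
import re

# Constructed inputs, abridged from the post above (not live data).
SIDECAR_YML = "server_url: https://172.28.97.4:443/api\nupdate_interval: 10\ntls_skip_verify: true\n"
SIDECAR_LOG = [
    'time="2017-06-03T14:18:30-03:00" level=error msg="[RequestConfiguration] Fetching configuration '
    'failed: Get https://172.28.97.4:443/api/...: dial tcp 172.28.97.4:443: connectex: ..."',
    'time="2017-06-03T14:18:30-03:00" level=error msg="[UpdateRegistration] Failed to report collector '
    'status to server: Put https://172.28.97.4:443/api/...: dial tcp 172.28.97.4:443: connectex: ..."',
]
CURL_OUT = ("* Connected to 172.28.97.4 (172.28.97.4) port 9000 (#0)\n"
            "* TLSv1.2 (OUT), TLS handshake, Client hello (1):\n"
            "* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.28.97.4:9000\n")

def sidecar_target(yml):
    """Return (scheme, host, port) from the sidecar's server_url; default port by scheme."""
    m = re.search(r'^server_url:\s*(https?)://([^:/\s]+):?(\d+)?', yml, re.M)
    scheme, host, port = m.group(1), m.group(2), m.group(3)
    return scheme, host, int(port) if port else (443 if scheme == "https" else 80)

def refused_targets(log_lines):
    """Collect (host, port) pairs that the sidecar log reports as refused by the peer."""
    return sorted({(h, int(p)) for line in log_lines
                   for h, p in re.findall(r'dial tcp ([\d.]+):(\d+): connectex', line)})

def curl_result(out):
    """Return (host, port, tls_failed) from verbose curl output, or None if no TCP connect."""
    c = re.search(r'Connected to \S+ \(([\d.]+)\) port (\d+)', out)
    return (c.group(1), int(c.group(2)), 'SSL_ERROR_SYSCALL' in out) if c else None

def diagnose(yml, log_lines, curl_out):
    """Produce human-readable hints; each one is derived only from the given artifacts."""
    findings = []
    scheme, host, port = sidecar_target(yml)
    if (host, port) in refused_targets(log_lines):
        findings.append(f"server_url {scheme}://{host}:{port}: TCP refused, nothing listens on {port}")
    c = curl_result(curl_out)
    if c and c[0] == host and c[1] != port:
        findings.append(f"port {c[1]} accepts TCP on {host} but server_url points at port {port}")
    if c and c[2]:
        findings.append(f"port {c[1]} dropped the TLS handshake; likely plain HTTP, not HTTPS")
    if re.search(r'^tls_skip_verify:\s*true', yml, re.M):
        findings.append("tls_skip_verify: true disables certificate verification for the sidecar")
    return findings

if __name__ == "__main__":
    for f in diagnose(SIDECAR_YML, SIDECAR_LOG, CURL_OUT):
        print("-", f)
```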