hi there - hope 12d isn’t long enough to be considered a gravedigger =p
Anyway, I started testing Graylog and was following both this post
and the documentation step-by-step, but I still fail at something. I’m getting two errors:
```
time="2017-06-03T14:18:30-03:00" level=error msg="[RequestConfiguration] Fetching configuration failed: Get https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/9118dac7-157f-4255-8bec-98f895f7b400?tags=%5B%22windows%22%5D: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."
time="2017-06-03T14:18:30-03:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/collectors/9118dac7-157f-4255-8bec-98f895f7b400: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."
```
I’m using the OVA virtual appliance, already updated to 2.2.3. I already successfully installed the Threat Intel plugin and configured the pipeline.
But I can’t seem to get my sidecar to deliver the sysmon logs. Here’s collector_sidecar.yml:
```yaml
collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
cache_path: C:\Program Files\graylog\collector-sidecar\cache
log_path: C:\Program Files\graylog\collector-sidecar\logs
backends:
  - name: nxlog
    binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
  - name: winlogbeat
    binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
  - name: filebeat
    binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
    configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml
```
One thing I had to do differently from what’s explained in the step-by-step was that I needed to download beats to get some files, namely “winlogbeat.template.json”, “winlogbeat.template-es2x.json” and “winlogbeat.template-es6x.json”, and put them in the same folder as winlogbeat.exe. I also needed a winlogbeat.yml in the generated folder, or else all I was getting in winlogbeat_stderr.log was errors pointing to those files.
At least these were the files that I identified as missing from the errors in the log. I installed the sidecar using the installer from Graylog_Sysmon on github, properly configured for my graylog server.
Almost forgot! This is the result from running that curl command on the Windows machine where the sidecar is installed:
```
c:\Program Files\curl-7.54.0-win64-mingw\bin>curl -v -k -u admin:admin https://172.28.97.4:9000/api/plugins/org.graylog.plugins.collector/collectors
*   Trying 172.28.97.4...
* TCP_NODELAY set
* Connected to 172.28.97.4 (172.28.97.4) port 9000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.28.97.4:9000
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 172.28.97.4:9000
```
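As an added triage example (not code from the post above or from Graylog): the sidecar log lines quoted in this thread follow Go's `<Method> <url>: dial tcp <host:port>: <reason>` error shape, so they can be parsed to show which endpoint the sidecar actually dialed and compared with the port the curl command reached. The sample log is a constructed copy of the two lines above; `server_url` is the collector_sidecar.yml key the finding points at, and the expected API port (9000) is an assumption taken from the curl command.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two sidecar error lines quoted in the post.
SAMPLE_LOG = [
    'time="2017-06-03T14:18:30-03:00" level=error msg="[RequestConfiguration] Fetching configuration failed: Get https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/9118dac7-157f-4255-8bec-98f895f7b400?tags=%5B%22windows%22%5D: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."',
    'time="2017-06-03T14:18:30-03:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put https://172.28.97.4:443/api/plugins/org.graylog.plugins.collector/collectors/9118dac7-157f-4255-8bec-98f895f7b400: dial tcp 172.28.97.4:443: connectex: Nenhuma conexão pôde ser feita porque a máquina de destino as recusou ativamente."',
]

# Outer logfmt-style shape of a sidecar line: time="..." level=... msg="..."
LINE_RE = re.compile(r'^time="(?P<time>[^"]+)" level=(?P<level>\w+) msg="(?P<msg>.*)"$')
# Inner shape of a Go HTTP transport error: "<Method> <url>: dial tcp <host>:<port>: <reason>"
DIAL_RE = re.compile(
    r'^\[(?P<component>\w+)\] .*?: (?P<method>Get|Put|Post|Delete) (?P<url>\S+): '
    r'dial tcp (?P<host>[^:]+):(?P<port>\d+): (?P<reason>.*)$'
)


@dataclass
class DialFailure:
    time: str
    component: str
    method: str
    url: str
    host: str
    port: int
    reason: str  # OS-level reason, left in the OS locale (Portuguese in this thread)


def parse_line(line: str) -> Optional[DialFailure]:
    """Return a DialFailure for an error line that carries a dial error, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("level") != "error":
        return None
    d = DIAL_RE.match(m.group("msg"))
    if not d:
        return None
    return DialFailure(m.group("time"), d.group("component"), d.group("method"),
                       d.group("url"), d.group("host"), int(d.group("port")), d.group("reason"))


def check_endpoints(lines: List[str], api_port: int) -> List[str]:
    """Flag dial failures whose port differs from the port the API was reached on
    (api_port is the port from the poster's curl command, 9000 here)."""
    findings = []
    for f in filter(None, map(parse_line, lines)):
        if f.port != api_port:
            findings.append(f"{f.component}: sidecar dialed {f.host}:{f.port} but curl reached "
                            f"{f.host}:{api_port}; check server_url in collector_sidecar.yml")
    return findings
```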