Graylog Integration with MISP

Hi all,

Here is my Graylog environment on host A:
```
hi graylog-4.3-repository 1-6 all Package to install Gray
hi graylog-integrations-plugins 4.3.8-1 all Graylog Integrations pl
hi graylog-server 4.3.8-1 all Graylog server
hi mongodb-database-tools 100.10.0 amd64 mongodb-database-tools
hi mongodb-org 4.4.17 amd64 MongoDB open source doc
hi mongodb-org-database-tools-extra 4.4.29 amd64 Extra MongoDB database
hi mongodb-org-mongos 4.4.17 amd64 MongoDB sharded cluster
hi mongodb-org-server 4.4.17 amd64 MongoDB database server
hi mongodb-org-shell 4.4.17 amd64 MongoDB shell client
hi mongodb-org-tools 4.4.17 amd64 MongoDB tools
```

Here is my MISP environment on host B:
MISP 2.5.6

On host A, I am able to get the result from the CLI:

```
curl -X GET "https://172.18.3.102/attributes/restSearch/value:t21j21t" -H "Accept: application/json" -H "Authorization: auth_key" -H "Content-Type: application/json"
```

```
{"response": {"Attribute": [{"id":"124758","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"malware-sample","to_ids":true,"uuid":"57f64b6a-8400-44c2-806c-4008950d210f","timestamp":"1475758954","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|1e188d977397f791ccd12f0b04288d22","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}},{"id":"124759","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename|sha1","to_ids":true,"uuid":"57f64b6a-f900-4bbb-b845-4008950d210f","timestamp":"1475758954","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|f3aa004fa60d74e4fb7759a244cf12867ee79ef1","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}},{"id":"124760","event_id":"456","object_id":"0","object_relation":null,"category":"Payload delivery","type":"filename|sha256","to_ids":true,"uuid":"57f64b6b-120c-4e6f-ba28-4008950d210f","timestamp":"1475758955","distribution":"5","sharing_group_id":"0","comment":"downloaded 2nd stage","deleted":false,"disable_correlation":false,"first_seen":null,"last_seen":null,"value":"t21j21t|60be5a920d81590595f532983f6f45a04ce42e3ceec6f7e7b07f0c4b189d5505","Event":{"org_id":"1","distribution":"3","publish_timestamp":"1737607676","id":"456","info":"Malspam 2016-10-06 (.js in .zip) - campaign: \"Your Order\"","orgc_id":"3","uuid":"57f64039-dec0-4c41-b2eb-42e7950d210f"}}]}}
```

The problem is when I test lookup from web interface:

## MISP (HTTP JSONPath)

Description
*No description.*

#### Configuration

Lookup URL: `https://172.18.3.102/attributes/restSearch/value:${key}`
Single value JSONPath: `$.response.Attribute.[0].category`
Multi value JSONPath: `$.response.Attribute.[0]`
HTTP User-Agent: `Graylog Lookup - https://www.graylog.org/`
HTTP Headers:
HTTP Headers

|Name|Value|
| --- | --- |
|Accept|application/json|
|Authorization|auth_key|
|Content-Type|application/json|

Test Lookup: `t21j21t`

Lookup result:

```
{
  "single_value": null,
  "multi_value": null,
  "string_list_value": null,
  "has_error": true,
  "ttl": 5000
}
```

This is the error logged in /var/log/graylog-server/server.log:

```
ERROR [HTTPJSONPathDataAdapter] HTTP request error for key <t21j21t>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

Thank you.


Hey, @ToniYap. Did you solve it? I’m running into this exact same scenario.

(Except I’m running Graylog 6.0)

I managed to solve the issue by creating and trusting a custom SSL certificate for the MISP API. The auto-generated SSL certificate used “localhost” as the Common Name (CN), causing Graylog to fail when attempting to verify it.

1. Create new SSL Certificates for MISP API

First, create an OpenSSL configuration file (openssl.cnf) with the necessary details for your MISP server.

```
vi openssl.cnf
```

Add the following configuration:

```ini
[ req ]
default_bits        = 4096
default_keyfile     = key.key
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
x509_extensions     = v3_req

[ req_distinguished_name ]
commonName          = Common Name (CN)
commonName_default  = misp.example.local

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = misp.example.local
DNS.2   = localhost
IP.1    = 10.50.0.182
```

Then, generate the SSL certificate:

```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -config openssl.cnf
openssl dhparam -out dhparams.pem 2048
```

2. Trust the Certificate on Graylog Server

To ensure Graylog trusts the newly created certificate, you need to import it into the JVM’s keystore.

Use Graylog’s keytool (paths may differ based on your setup):

```
/usr/share/graylog-server/jvm/bin/keytool -import -alias misp \
  -file /opt/graylog/certs/misp/cert.pem \
  -keystore /usr/share/graylog-server/jvm/lib/security/cacerts
# Or, if Graylog is configured with its own truststore, point -keystore at
# /etc/graylog-server/graylog.jks instead.
```

After completing these steps, Graylog should be able to securely communicate with the MISP API.

Hope this helps!


Hi Luciano,

So should I copy key.pem, cert.pem and dhparams.pem from MISP server to Graylog server?

And do I import only the cert.pem or all of them (3 .pem files)?

Thank you

Hi ToniYap,

No, you only need to import the cert.pem and trust it using Graylog’s keytool by pointing it to your cacerts.jks. In my case, I created key.pem and dhparams.pem because I had to regenerate my MISP certificate.

Hope this helps!

Best regards,
Luciano

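As an added example (not code from Luciano or the Graylog/MISP projects), this script generates the self-signed certificate with the SAN layout from the first reply and then checks it the way a TLS client does: does cert.pem verify with itself as the trust anchor (which is what importing only cert.pem, as the second reply says, gives the JVM), and does the host in the lookup URL match a SAN entry. The hostname and IP are the values from the thread and are assumptions; the check against 172.18.3.102 uses the original lookup URL's address.

```shell
#!/bin/sh
# Added example, not from the thread: generate a self-signed cert for the MISP API
# with the SAN layout Luciano describes, then check it the way a TLS client will
# before importing cert.pem into the Graylog JVM truststore.
# Hostname and IP are assumed values taken from the thread; set them for your host.
set -eu
MISP_CN="${MISP_CN:-misp.example.local}"
MISP_IP="${MISP_IP:-10.50.0.182}"
WORK="${WORK:-$(mktemp -d)}"

gen_misp_cert() {
    # Same sections as the thread's openssl.cnf, written non-interactively.
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
prompt              = no
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
[ req_distinguished_name ]
CN = $MISP_CN
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $MISP_CN
DNS.2 = localhost
IP.1  = $MISP_IP
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Returns 0 only if cert.pem chains to itself as the trust anchor (what the keytool
# import of cert.pem gives the JVM) AND the name used in the lookup URL matches a SAN.
cert_trusted_for() {
    case "$1" in
        *[!0-9.]*) opt="-verify_hostname" ;;   # DNS name
        *)         opt="-verify_ip" ;;         # dotted IPv4 address
    esac
    openssl verify -CAfile "$WORK/cert.pem" "$opt" "$1" "$WORK/cert.pem" >/dev/null 2>&1
}

gen_misp_cert
cert_trusted_for "$MISP_IP" && echo "ok: https://$MISP_IP/ will verify"
# The original lookup URL used 172.18.3.102; unless that address is a SAN, the
# handshake still fails with the PKIX error from the thread even after the import.
cert_trusted_for 172.18.3.102 || echo "rejected: 172.18.3.102 is not a SAN"
```

The JVM reads cacerts at startup, so restart graylog-server after the keytool import; the lookup URL must use a name or IP that is in the certificate's SAN list.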
