Implementing Graylog from Security point of view


1. Describe your incident:
Hi!
Does anyone have some document about what can be done in Graylog to deal with security in your organization?
I have done a small part: failed logins from AD and failed logins from VPN. But I want to do more. What can Graylog provide and what can I implement?
Some ideas that I can implement?

2. Describe your environment:

  • OS Information:

  • Package Version:

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?


Hello there

On the Graylog Enterprise side, there is a plugin called Graylog Illuminate:

https://www.graylog.org/products/illuminate

more info:

A standard use of a platform like Graylog is to feed in your firewall logs, and then check the source and destination IPs of each request against geolocation and against threat libraries to detect external access/threats or internal illicit activity. Good for detecting if someone is using the office network for torrenting or cryptomining too!

1 Like

Hi!

I am using free version so I will look for information that can help with free version.

Thanks

Hello,

If you're going to do this yourself there are things to consider. The correct and maybe separate INPUTs for all your devices in case you need to create extractors. Then you need to make sure the correct fields are generated, not only for your Windows, Linux, Firewalls, etc… Next you will need to create streams to hold these filtered messages for alerting, Dashboards, Widgets etc…

Here is an example of my lab, please take note this Dashboard for my Linux device ONLY.

Here is an example of my lab, please take note this Dashboard for my Windows device ONLY.

On both of those screenshots there is a stream with Event Definition attached for alerting if need be.
I’m not going to lie, it will take some time to set up and test. Once you've created the basic configuration it will work.

Hope that helps

That's nice.

So this is what I did so far.
I have started with Windows DC. I am parsing logs from my DC which is all the AD roles on it.
I am using nxlog and sending only specific event ids because of the limit issue as I am only allowed to use 5G per day.

    <Input in_dc_security>
        # Input name is a placeholder; the original post did not show it.
        Module       im_msvistalog
        ReadFromLast TRUE
        SavePos      TRUE
        # Only the event IDs you want forwarded go in the XPath query. The query
        # from the original post was not preserved, so 4740 (account lockout,
        # mentioned below) stands in as a placeholder; add further IDs with "or".
        Query        <QueryList>\
                         <Query Id="0">\
                             <Select Path="Security">*[System[(EventID=4740)]]</Select>\
                         </Query>\
                     </QueryList>
    </Input>
I have created indices for my DC and then created stream for it. Then I go to search, select the stream which is domain controller and in the perform search box I write 4740 and I can see A user account was locked out.
I created a Dashboard name DomainController.
Now how can I create dashboards using these logs? That's what I am looking for.

Thanks

@capricorn80

Glad I can help.

Just an FYI, a couple of mistakes I have made were the following.

  1. Not enabling Audit logging in my AD server, and since you're using Windows this is disabled by default. For better clarity here is what I’m suggesting.

  2. With Nxlog-ce, fine-tuning the configuration. Below are a couple of ideas that may help.

@gsmith Thanks. I am stuck in Dashboard now. Can you please share your Dashboard settings?

Might be worth looking at this also: Integrating Threat Intelligence into Graylog 3+ | Graylog

1 Like

Hello,

I’m using GELF TCP/TLS inputs, and be aware this creates a lot of fields, so you may need to increase your volume size.

Then I created Streams to route the Event IDs needed for failed logons, etc…

When the streams were completed I created Widgets and alerts from those streams.
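The pipeline described in the last two posts (nxlog forwarding Windows Security events, a GELF TCP input, streams that select event IDs such as 4740, and an alert built on a stream) can be walked through end to end offline. The block below is an added example written for this thread; it is not code from the original posts or from the Graylog project. The sample events, the stream names and the alert threshold are all constructed for illustration; the GELF 1.1 field rules (version/host/short_message required, extra fields prefixed with an underscore) and the NUL-byte framing of GELF over TCP follow the GELF specification. The aggregation function mirrors what a Graylog Event Definition does when it counts 4625 events per TargetUserName inside a time window.

```python
"""Windows Security events -> GELF framing -> stream routing -> lockout-style alerting."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data), in roughly the field layout the
# nxlog im_msvistalog module produces for Windows Security log records.
SAMPLE_EVENTS = [
    {"EventTime": "2024-01-10T08:00:01+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-01-10T08:00:20+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-01-10T08:00:45+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-01-10T08:01:10+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-01-10T08:01:30+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventTime": "2024-01-10T08:02:00+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4740, "TargetUserName": "jdoe"},
    {"EventTime": "2024-01-10T08:03:00+00:00", "Hostname": "dc01.lab.local", "Channel": "Security",
     "EventID": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.0.9"},
]

# Stream rules as "field EventID matches one of": the same logic built on the Streams
# page with "EventID match exactly" rules. Stream names are made up for this example.
STREAM_RULES = {
    "DomainController-FailedLogons": {4625},
    "DomainController-AccountLockouts": {4740},
}


def to_gelf(event):
    """Wrap a parsed Windows event in a GELF 1.1 payload.

    GELF requires version, host and short_message; every additional field must
    start with an underscore (Graylog strips it again, so you search on EventID).
    """
    ts = datetime.fromisoformat(event["EventTime"]).timestamp()
    gelf = {
        "version": "1.1",
        "host": event["Hostname"],
        "short_message": f"Windows EventID {event['EventID']} on {event['Hostname']}",
        "timestamp": ts,
        "level": 6,  # syslog "informational"; severity is decided later by the stream/alert
    }
    for key, value in event.items():
        if key not in ("Hostname", "EventTime"):
            gelf["_" + key] = value
    return gelf


def frame_gelf_tcp(gelf):
    """GELF over TCP is one JSON document per message terminated by a NUL byte,
    which is the delimiter a Graylog GELF TCP input expects by default."""
    return json.dumps(gelf, separators=(",", ":")).encode("utf-8") + b"\x00"


def route_to_streams(event, rules=STREAM_RULES):
    """Return the names of the streams whose rules the event satisfies."""
    return [name for name, ids in rules.items() if event.get("EventID") in ids]


def failed_logon_alerts(events, threshold=5, window_seconds=300):
    """Mirror an Event Definition aggregation: count() of 4625 grouped by
    TargetUserName inside a sliding window; returns the users reaching the threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625:
            by_user[ev["TargetUserName"]].append(datetime.fromisoformat(ev["EventTime"]))
    alerted = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(user)
                break
    return alerted


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route_to_streams(ev), frame_gelf_tcp(to_gelf(ev))[:64])
    print("alert on:", failed_logon_alerts(SAMPLE_EVENTS))
```

Running the file prints, per event, the streams it would land in and the start of its GELF frame, then the users a "5 failed logons in 5 minutes" alert would fire on (only jdoe for the sample data). Keeping the stream rule and the alert aggregation as plain functions makes it easy to test a rule change against captured events before touching the production stream.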

@gsmith Thanks. I have done most of the part. It's only your widgets I am interested in. If you share a screenshot of a few of them, I can see what settings you have for them.

Thanks

Hello,

Here is my failed logon attempt.

Here is User Account was locked out.

If you noticed, they're both attached to a stream.

Hope that helps

Perfect. Thanks for your help.

1 Like

Glad I can help.

If this post is completed could you mark it as resolved for future searches?

Thanks

Few things I want to ask you.
You have different settings than my Graylog.
I don't have all these options. Like in the Metrics section I don't have Field or name attributes.


Hello,
I see,

Sorry, I was assuming you had version 4.2. What version of GL do you have?

Version:

4.0.13+f00a2cc, codename Noir

By chance can you update to version 4.1?

I tried with apt-update but it didn't go further than 4.0.13. I will check some manual to update it.

The section for Updating Graylog is a little hidden in the current docs, you can find it here:

https://docs.graylog.org/docs/operating-system-packages

1 Like

Remember, once you have your new repo for Graylog 4.1 or 4.2, make sure you clean the cache, then apply update/upgrade.

Some Examples:

    yum clean all
    sudo apt-get clean
1 Like