Question about setting up Graylog

Hello,

My project is to set up a Graylog server in my company.

I have settled on a few parameters and I also have a few questions to make sure I am heading in the right direction:

For the hardware configuration of the machine, I found what I needed; I allocated 60 GB of disk space because I do not really know how the growth will evolve.

I plan to monitor the following logs:

- For WINDOWS machines, in GELF UDP format, with NXLog to send the logs

  - authentication logs & failed logins

  - Windows VM shutdowns

  - for Active Directory, an alert when a user account is locked out

LINUX: syslog UDP format

  • SSH connections

  • Are there other parameters to monitor?

FIREWALL: syslog UDP format

  • VPN connections, tracking successes and failures

SWITCH: which format?

  • SSH connections

  • How to monitor and detect network loops via Graylog?

  • How to send switch logs to a Graylog server? NXLog? syslog?

QUESTIONS:
Why collect logs over UDP or TCP, what is the difference, and why is UDP used more than TCP?

Is the difference between GELF and syslog important? Is it possible to collect Stormshield/Linux logs in GELF format?

Thanks

Hello and welcome!

Please post in English - although this is an international forum, English is the default and you are more likely to receive an answer… although I don’t represent my French speaking friends. :smiley:

There are a bunch of short videos here on how parts of Graylog work and of course all the docs.

Tips on posting

more tips on posting


Please, if you could post in English that would be great :+1:
I tried to translate this for you.

OK thx, I will post in English :slight_smile:

To answer a couple of questions (Thanks for translating @gsmith )

  • TCP and UDP are both available because some devices will only do one of those. UDP is faster communication because it doesn’t ensure that data packets get to the destination… so there is a small chance you might lose bits of info in network hiccups, but it is only relevant in large/rare situations… I would say prefer TCP, but it doesn’t matter too much.

  • You can find all sorts of info in the community by searching; there is a great section here that is starting to grow snippets of information, such as winlogbeats to capture Windows account locking.

  • Gelf and syslog write up…

  • You can find some great detail on key Windows log information here. They also have a full encyclopedia.

  • Graylog maintains a preferred schema of naming conventions etc., but you can follow it as you are parsing out messages to make sure you have data consistency for everything that you are pulling in.

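As an added example (not code from this thread or from Graylog), here is how the two GELF transports compared in the reply frame the same message, using a constructed Windows account-lockout event: GELF TCP sends plain NUL-delimited JSON, while GELF UDP compresses the JSON and, for large messages, splits it into chunked datagrams, so a single lost datagram drops the whole event. The host, user and message text are constructed values.

```python
import gzip
import json
import os
import struct

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # first two bytes of every chunked GELF UDP datagram
DEFAULT_CHUNK_SIZE = 1420       # Graylog's default UDP chunk size

def build_gelf(host, short_message, event_id, target_user, level=4):
    """GELF 1.1 message for a Windows lockout event; extra fields start with '_'."""
    return {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "level": level,          # syslog severity, 4 = warning
        "_event_id": event_id,   # constructed sample: 4740 = account locked out
        "_target_user": target_user,
    }

def encode_tcp(msg):
    """GELF TCP: plain JSON, one message per NUL delimiter, no compression."""
    return json.dumps(msg).encode() + b"\x00"

def encode_udp(msg, chunk_size=DEFAULT_CHUNK_SIZE):
    """GELF UDP: gzip the JSON, split into <= 128 datagrams with a 12-byte header."""
    data = gzip.compress(json.dumps(msg).encode())
    if len(data) <= chunk_size:
        return [data]                    # small message: single unchunked datagram
    body = chunk_size - 12
    parts = [data[i:i + body] for i in range(0, len(data), body)]
    if len(parts) > 128:
        raise ValueError("too large for GELF UDP (max 128 chunks)")
    msg_id = os.urandom(8)               # same id on every chunk of this message
    return [GELF_CHUNK_MAGIC + msg_id + struct.pack("BB", seq, len(parts)) + p
            for seq, p in enumerate(parts)]

def decode_udp(datagrams):
    """Reassemble as a GELF UDP input would; chunks may arrive in any order."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return json.loads(gzip.decompress(datagrams[0]))
    chunks, total = {}, 0
    for d in datagrams:
        seq, total = struct.unpack("BB", d[10:12])
        chunks[seq] = d[12:]
    if len(chunks) != total:             # UDP never retransmits a lost chunk
        raise ValueError("incomplete message: a chunk was lost")
    return json.loads(gzip.decompress(b"".join(chunks[i] for i in range(total))))
```

Shrinking `chunk_size` in `encode_udp` forces chunking on even a small event, which makes it easy to see what happens when one datagram goes missing.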

Thx, very well!! I will look :slight_smile:
