So my boss wants me to deploy this for our small network with mostly windows machines. After going through a lot of documentation, I feel I am more confused than I was. What I want to find out is what is really the best approach? The OVA noted that it’s purpose is to give us a feel for the product. By the way, I wasn’t able to get the feel as I really had no idea of how to configure it to pull windows logs.
From reading documentation, I am able to deploy graylog with CentOS 6 or 7 with prerequisites like Java, Elasticsearch and MongoDB. But I’ve also read somewhere that some folks have used NXlogs to pull logs from Windows Server 2012 R2. Nowhere did it say that this would also work for other Windows machines. However, I did come across utilizing sidecar and winlogbeat to pull windows event logs.
So now that I’m even more confused, it would be great if someone can chime in on what the best approach is to deploy graylog on our small network. Just to add, we will soon add Linux systems as well.
I’m right with you! I’m working on Windows log forwarding and having many “learning experiences” doing it!
FWIW, LInux is much easier to work with. I have a smattering of older servers pre-rsyslog, and some newer Ubuntu machines. They’re all on VMware, so spinning up a new server is easy.
I found that not every server talks nice to a non-standard syslog port. Because Graylog runs in the user space, you don’t get access to port 514. Having a relay server collect the logs and forward to a Graylog collector has saved me quite a bit of trouble. This resource here was very helpful in configuring the log routing. The downside is that I needed a Linux VM for each port, but I’m living with that.
My personal suggestion is to use winlogbeat to get windows event logs because the footprint is smaller and the configuration is less complex than nxlog. How you configure winlogbeat is up to you and your environment. Just install it manually and configure it on any host is an option if you have only a few server. Using configuration management - if you have one - is another. The third option is to use the Graylog sidecar to configure that.
Sorry for the plug - but as a Windows Admin I was pretty overwhelmed as well so I typed up a draft document the other day explaining what I thought were the key concepts and how I understood them myself. I haven’t really published it anywhere yet, and it needs to be cleaned up - but maybe it will help you get started. Mods can delete if this isn’t appropriate.
I have been following the Getting Started Guide and so far I am stuck at configuring the winlogbeat collector. Below is what I’ve done so far.
Installed OVA 3.0.1-2 (with access to web interface)
Installed/configured sidecar on one host for now with my server url and generated server API token (service installed/started)
Created a global beats input where collectors can send data to (0.0.0.0:port of my choice)
So when configuring the winlogbeat collector, I am unsure of what needs to be reconfigured. I set output.logstash hosts to the beats input (0.0.0.0) which I am unsure of. Then when trying to assign it to the sidecar I receive an error which state that at least one collector is not configured yet. I don’t think I skipped a step based on the guide but not really sure.
Thanks in advance,
Jon
Update: I was able to configure the winlogbeat and assign it to the target host but not seeing any messages.
Update: After reviewing the winlogbeat logs, I saw that the host was getting a rejected by the target system (graylog server) at 0.0.0.0 for my beats input and tried to see what would happen if I changed it to my graylog server’s IP and now all is well. I am able to receive my messages from the host. Now I just need to figure out how to create a dashboard with the information I want. Thanks everyone!
Appreciate you input. However, as much as I would like to I don’t have the option of using Linux machines for our current environment. It would seem that there have been people that have successfully grabbed logs from Windows machines with the use of winlogbeat or nxlog so am hoping that someone will be able to point me in the right direction.
I just caught the part where you have a linux VM for every port.
Is there a reason for a full VM vs a logstash config or port forwarding? I think even IPTables could do it for most cases (untested):
