The last post showed how to install graylog server, but what good is a log server with no logs?!
Let’s get some data into our server. We are going to start with an Ubuntu 16.04 server, which uses rsyslog (installed by default).
Throughout this post the graylog server will be referred to as “graylog”, and the server being configured to forward its logs will be referred to as Ubuntu.
First, log in to the Ubuntu server and cd to the directory where rsyslog is configured. For a full explanation, or if you are using syslog-ng, look here.
Using the “ls” command we can see two files in this directory.
We are going to create a new config file for graylog:
sudo nano 60-graylog.conf
A blank file will open. As we are running the latest version of Ubuntu, we will be running the newer version of rsyslog, so we enter the following into our file.
If you are running an older version, you will need the following.
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @yourGraylogServerIP:8514;GRAYLOGRFC5424
If you want to use the most modern approach, you would use the following:
action(type="omfwd" target="yourGraylogServerIP" port="8514" template="RSYSLOG_SyslogProtocol23Format")
I have not fully tested this latest approach, so if you have any issues with it, revert to the first example.
The eagle-eyed will notice that the port number used is 8514, whereas syslog typically runs over 514. This is due to permission issues when setting up ports in graylog which are below 1000. You can choose any port you wish as long as it is above 1000.
Save and close the file, then restart rsyslog:
sudo service rsyslog restart
We will also need to open the port on the firewall. If you are using Ubuntu and ufw, the command will be:
sudo ufw allow 8514/udp
Now go over to graylog, log in, and go to the “System/Inputs” menu as shown.
Then select “Launch New Input”.
Fill it in as shown. You only have one node, so select your server from the drop-down menu.
If you get a green box saying “running” as below, that’s it.
If you think it’s not working, restart the Ubuntu server (the forwarding server) and log in as root, or create a new file so that some logs are generated. It’s common to think that the logging process is not working when in actual fact there just haven’t been any new logs created!
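To rule out the “no new logs yet” case, it helps to push one recognisable message at the input yourself. The following is an added example, not from the original post: it builds a message in the same field order as the GRAYLOGRFC5424 template above (PRI, version, RFC 3339 timestamp, hostname, app-name, procid, msgid, structured-data, msg), sends it over UDP the way the single “@” in the rsyslog rule does, and parses it back so a loopback check can confirm the sender/receiver path before you blame rsyslog. The hostname “ubuntu”, app name “graylog-test”, and the 8514 default port are assumptions matching this post.

```python
"""Added example: build, send and parse an RFC 5424 message like the
GRAYLOGRFC5424 template, to test a Graylog syslog UDP input end to end."""
import datetime
import socket


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    return facility * 8 + severity


def build_rfc5424(hostname, app_name, msg, facility=1, severity=6,
                  procid="-", msgid="-", timestamp=None):
    """<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG;
    the structured-data element is sent as the NILVALUE '-'."""
    if timestamp is None:  # default: current UTC time, RFC 3339 style
        now = datetime.datetime.now(datetime.timezone.utc)
        timestamp = now.isoformat(timespec="milliseconds")
    return (f"<{pri(facility, severity)}>1 {timestamp} {hostname} "
            f"{app_name} {procid} {msgid} - {msg}")


def parse_rfc5424(line):
    """Split the header fields back out; everything after SD is MSG.
    Assumes SD is '-' or contains no spaces (enough for this template)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    close = line.index(">")
    parts = line[close + 1:].split(" ", 7)
    if len(parts) < 7:
        raise ValueError("truncated header")
    keys = ("version", "timestamp", "hostname", "app_name",
            "procid", "msgid", "structured_data")
    fields = dict(zip(keys, parts[:7]))
    fields["facility"], fields["severity"] = divmod(int(line[1:close]), 8)
    fields["msg"] = parts[7] if len(parts) == 8 else ""
    return fields


def send_udp(message, host, port=8514):
    """Send one datagram to the Graylog input (single '@' in rsyslog = UDP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def loopback_check(text="graylog forwarding test"):
    """Listen on an ephemeral loopback port, send to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp(build_rfc5424("ubuntu", "graylog-test", text), "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return parse_rfc5424(data.decode("utf-8"))
```

Point `send_udp` at yourGraylogServerIP with a distinctive message text and search for that text in Graylog; if the loopback check passes but nothing shows up, the problem is the network or firewall between the two hosts, not the message format.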
If you are still getting a failed message and are running a firewall on the graylog server, you will need to open port 8514.
If using ufw, you would type:
sudo ufw allow 8514/udp
Or, if you have already done this, check that it’s OK by looking at the status:
sudo ufw status
Now go to the “Search” tab, select all logs, and have a look through them. Happy threat hunting. In a later post we will look at some further configuration and set up a Windows Server to forward to graylog.