Hello all, this is the first of a new series of posts which will show you how to set up a free centralised logging solution for any environment.
After much trial and error I think I’m set on using Graylog, Windows Event forwarding, Sysmon, and OSSEC/Wazuh.
All the official documentation for Graylog can be found here: Graylog Docs
Ubuntu is still my favourite flavour of Linux so we will be starting with the base install of Server version 18.04.
Let’s get started. As always, we start by updating the package lists.
sudo apt-get update
And, if required, upgrade your install. (If you are starting with a fresh install but didn’t tick “download updates from the internet” you will need to do this.)
sudo apt-get upgrade
Now that we are up to date, let’s start with installing the dependencies. First up are these 4 packages. Make sure you do all of these steps in order or it will not work.
sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
If you get no errors when installing, we move on to installing MongoDB from the official repository.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
If again you receive no errors, we move on to enabling it at startup.
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
Graylog recommends using Elasticsearch version 6. You can find the installation guide here if you need to refer to it, but you can install it using the following. (This is not the latest version of Elasticsearch; the latest is not supported by Graylog, so don’t be tempted to try it.)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss
Before we can configure and start Elasticsearch we need to edit the configuration file, which is located at “/etc/elasticsearch/elasticsearch.yml”
We cd to the correct directory
cd /etc/elasticsearch
Then open the file
sudo nano elasticsearch.yml
Then find the cluster.name line, remove the ‘#’ to uncomment it and set the cluster.name property to “graylog” so that it reads:
cluster.name: graylog
You also need to add the below to the config file.
Now start Elasticsearch, and enable it at startup.
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
Now we are ready to install Graylog. cd into your download or tmp directory and download the latest repository package.
First we install the repository package with dpkg, then install graylog-server using apt.
sudo dpkg -i graylog-3.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server
Now don’t get carried away, because there is still a bit of work to do before Graylog will start.
All the settings we need are contained in the following file: “/etc/graylog/server/server.conf”
We can open it directly using the following:
sudo nano /etc/graylog/server/server.conf
Take the time to read through the comments in the file; it will help you to understand a little of what you are doing. With that in mind, let’s continue. Exit nano using Ctrl+X.
First we create our “password_secret” from the command line, using the command below to generate a random 96-character secret.
pwgen -N 1 -s 96
Then open the config file again and paste the resulting value after “password_secret = ”
sudo nano /etc/graylog/server/server.conf
Save and exit. Next we create our “root_password_sha2” in a similar way from the command line (remember the password you choose here, as you will need it to log in to Graylog later on).
You could run “echo -n yourpasswordhere | shasum -a 256” as suggested in the config file; however the online guidance is to use the command below, which prompts for the password so it doesn’t end up in your shell history.
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Copy and paste this new hash value into the server.conf file after “root_password_sha2 = ”
OK, so now we will be connecting to Graylog over HTTP. To use HTTPS you need to configure a proxy server, which won’t be covered here, so if this is in production and you are not using HTTPS, always connect over a VPN. Don’t make the web interface externally available. To configure HTTPS have a look at the docs here
Also, you should enable the host firewall to only allow ports 22, 9000 and 8514; however, don’t enable it yet. Get it set up and confirmed as working, then enable your firewall, as we will show later.
To configure the web interface we need to set one further option in the same server.conf file. Older versions used two options, “rest_listen_uri” and “web_listen_uri”; Graylog 3.0 replaces them with a single “http_bind_address” setting.
Get the IP of your server with the ifconfig command (or “ip addr” if ifconfig is not installed), then paste it into the location shown below and make sure the line doesn’t have a ‘#’ at the start, which would mean it is commented out. If the ‘#’ is there, remove it. This sets both the Web interface and REST API options.
http_bind_address = yourIPaddress:9000
Save and close the file. If you want more information on configuring the web interface see the documentation here
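Before restarting, it is worth checking that the three values you just pasted are what Graylog expects. The script below is an added example, not part of the original post or the Graylog project; it reads a server.conf path as its argument and checks that password_secret is at least 16 characters (Graylog’s minimum), that root_password_sha2 is a 64-character hex digest, and that http_bind_address is a plain host:port. The sample config it writes is constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the values this guide
# puts into server.conf. Run as:  sh check_graylog_conf.sh /etc/graylog/server/server.conf

# Read a key's value from a "key = value" config, ignoring commented-out lines.
conf_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# The digest the guide pastes after root_password_sha2 (sha256sum, or shasum where it is missing).
sha2_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Returns 0 when the three settings edited in the guide look sane, 1 otherwise.
check_conf() {
    rc=0
    secret=$(conf_get "$1" password_secret)
    sha2=$(conf_get "$1" root_password_sha2)
    bind=$(conf_get "$1" http_bind_address)
    # Graylog refuses to start with a password_secret shorter than 16 characters; pwgen -s 96 gives 96.
    [ "${#secret}" -ge 16 ] || { echo "password_secret missing or shorter than 16 chars"; rc=1; }
    # A SHA-256 hex digest is exactly 64 hex characters.
    printf '%s' "$sha2" | grep -Eq '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a 64-char hex digest"; rc=1; }
    # http_bind_address is host:port; a trailing slash is a leftover from the old *_listen_uri format.
    printf '%s' "$bind" | grep -Eq '^[^/:]+:[0-9]+$' || { echo "http_bind_address must be host:port, no trailing slash"; rc=1; }
    return $rc
}

# Constructed sample config (not a real deployment) so the checks can be exercised stand-alone.
write_sample_conf() {
    cat > "$1" <<'EOF'
# password_secret = this commented-out default must be ignored
password_secret = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
http_bind_address = 192.0.2.10:9000
EOF
}

if [ -n "$1" ]; then
    check_conf "$1" && echo "server.conf looks sane"
fi
```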
All that’s left to do is start Graylog and enable it at startup
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
That’s it. Give your server a restart with the following
sudo shutdown -r now
Browse to “yourIPaddress:9000/” and you should be greeted with the Graylog login box. If not, try manually restarting all the services (mongod, graylog-server and elasticsearch) using the steps in this guide and see if that resolves it. If not, you’ve done something else wrong!
Now we know we can connect, let’s enable the firewall
sudo ufw enable
And open the two ports we need to connect to it
sudo ufw allow 22
sudo ufw allow 9000
You can check status as below
sudo ufw status
You can also check the status of Graylog as shown below
sudo systemctl status graylog-server.service
If you have any issues you can use the following command to view the logs and look for clues.
sudo tail -f /var/log/graylog-server/server.log
Come back for the next part, where we set up a complete SIEM and logging system.