Graylog Linux Agent
Author: Stefan Waldvogel
-in preparation-
Overview
Installing a Graylog agent on a Linux system is simple. This article is based on this video: www.graylog.org/webinars/graylog-inputs (start at 14:00) and adds some comments. I will add an agent on RHEL; therefore some small things might be different.
Things like API keys are already generated. See the article about "Graylog Windows agent".
Hint:
If you use a brand new virtual machine, change the name of your new box before you move on. For example, the standard name might be: localhost.localdomain, and if you have multiple machines with the same name, it does not make much sense.
Command to change the name:
sudo nano /etc/hostname
-> pick something else and restart the machine
Install the sidecar package
The video installs sidecar on an Ubuntu-based system and the commands are slightly different. Use the official help to get the commands: docs.graylog.org/en/4.0/pages/sidecar.html#
Ubuntu:
wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-2_all.deb
sudo dpkg -i graylog-sidecar-repository_1-2_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar
RHEL/CentOS:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm
sudo yum install graylog-sidecar
Edit the configuration file
nano /etc/graylog/sidecar/sidecar.yml
Change the following settings:
server_url: Graylog_server_IP
server_api_token: The generated token. It is on your Graylog box in System/Sidecars -> Create or reuse a token.
Overview
Installing a Graylog agent on a Linux system is simple. This article is based on this video: www.graylog.org/webinars/graylog-inputs (start at 14:00) and adds some comments. I will add an agent on RHEL; therefore some small things might be different.
Things like API keys are already generated. See the article about "Graylog Windows agent".
Hint:
If you use a brand new virtual machine, change the name of your new box before you move on. For example, the standard name might be: localhost.localdomain, and if you have multiple machines with the same name, it does not make much sense.
Command to change the name:
sudo nano /etc/hostname
-> pick something else and restart the machine
Install the sidecar package
The video installs sidecar on an Ubuntu-based system and the commands are slightly different. Use the official help to get the commands: docs.graylog.org/en/4.0/pages/sidecar.html#
Ubuntu:
wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-2_all.deb
sudo dpkg -i graylog-sidecar-repository_1-2_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar
RHEL/CentOS:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm
sudo yum install graylog-sidecar
Edit the configuration file
nano /etc/graylog/sidecar/sidecar.yml
Change the following settings:
server_url: Graylog_server_IP
server_api_token: The generated token. It is on your Graylog box in System/Sidecars -> Create or reuse a token.
Install and restart the service
Again, check the commands for your Linux; these commands are for RHEL/CentOS.
sudo graylog-sidecar -service install
sudo systemctl start graylog-sidecar
For Ubuntu:
sudo graylog-sidecar -service install
[Ubuntu 14.04 with Upstart]
sudo start graylog-sidecar
[Ubuntu 16.04 and later with Systemd]
$ sudo systemctl start graylog-sidecar
Now, on Graylog's frontend, we see a second entry:
Again, check the commands for your Linux; these commands are for RHEL/CentOS.
sudo graylog-sidecar -service install
sudo systemctl start graylog-sidecar
For Ubuntu:
sudo graylog-sidecar -service install
[Ubuntu 14.04 with Upstart]
sudo start graylog-sidecar
[Ubuntu 16.04 and later with Systemd]
$ sudo systemctl start graylog-sidecar
Now, on Graylog's frontend, we see a second entry:
If you see the sidecar agent, the firewall allows the traffic but we have to apply the configuration to this box.
Apply a configuration
Apply a configuration
Name: Pick a name: e.g. Linux
Change the color: e.g. orange
Collector: Filebeat on Linux
-> change the hosts IP: Your graylog server IP
--> you can change the paths. This is the area where the agent looks for logs.
Change the color: e.g. orange
Collector: Filebeat on Linux
-> change the hosts IP: Your graylog server IP
--> you can change the paths. This is the area where the agent looks for logs.
Create the configuration and under administration apply it to your Linux box.
In my case, it failed: "Couldn't start validation command fork/exec /usr/share/filebeat/bin/filebeat no such file or directory"
-> that is true, on my system (RHEL) this folder does not exist because filebeat is not installed and sidecar needs this service.
Install filebeat on RHEL
These commands might change, use the official installation guide here: www.elastic.co/guide/en/beats/filebeat/7.13/setup-repositories.html#_yum
Download the key:
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Create a .repo extension
sudo nano /etc/yum.repos.d/elastic.repo
Add the following lines:
d[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Install filebeat
sudo yum install filebeat
Configure the service
sudo systemctl enable filebeat
sudo systemctl start filebeat
Check the sidecar configuration
On your graylog server, after some minutes, the sidecar agent jumps to green (running).
-> that is true, on my system (RHEL) this folder does not exist because filebeat is not installed and sidecar needs this service.
Install filebeat on RHEL
These commands might change, use the official installation guide here: www.elastic.co/guide/en/beats/filebeat/7.13/setup-repositories.html#_yum
Download the key:
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Create a .repo extension
sudo nano /etc/yum.repos.d/elastic.repo
Add the following lines:
d[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Install filebeat
sudo yum install filebeat
Configure the service
sudo systemctl enable filebeat
sudo systemctl start filebeat
Check the sidecar configuration
On your graylog server, after some minutes, the sidecar agent jumps to green (running).
Conclusion
Installing an agent for Linux is not hard. Remember, there are many different Linux distributions, and therefore, you have to change and adjust some small pieces of software. This is the reality, but it shouldn't be a problem for you.
Now, we have a lot of data, and we can do Threat Hunting. As a junior SOC Analyst, you work with given alerts and filters. You might find PowerShell scripts and more. For example, you might see something like this:
Installing an agent for Linux is not hard. Remember, there are many different Linux distributions, and therefore, you have to change and adjust some small pieces of software. This is the reality, but it shouldn't be a problem for you.
Now, we have a lot of data, and we can do Threat Hunting. As a junior SOC Analyst, you work with given alerts and filters. You might find PowerShell scripts and more. For example, you might see something like this:
Let us assume this is on an endpoint in the sales department, and this could be malicious activity.
If you have a working home lab, now you can play with simple things like user creation. Can you catch yourself? If not, why? You might have to change some settings to pull the correct logs. The greatest and best software is useless if it is not correctly configured or does not look for the right things.
You use your home lab!
If you have a working home lab, now you can play with simple things like user creation. Can you catch yourself? If not, why? You might have to change some settings to pull the correct logs. The greatest and best software is useless if it is not correctly configured or does not look for the right things.
You use your home lab!
© 2021. This work is licensed under a CC BY-SA 4.0 license