Install Graylog windows agent
Author: Stefan Waldvogel
Log gathering with the help of sidecar
-under construction-
Overview
Graylog can digest data from Windows and Linux clients. This article is based on: www.graylog.org/webinars/graylog-inputs but adds a troubleshooting section because the video does not explain the firewall settings.
General setup to see if Graylog is installed:
Overview
Graylog can digest data from Windows and Linux clients. This article is based on: www.graylog.org/webinars/graylog-inputs but adds a troubleshooting section because the video does not explain the firewall settings.
General setup to see if Graylog is installed:
This task was a quick check to see if Graylog works.
If you are sure Graylog is working, you can skip this short task.
Create a Windows host
If you are sure Graylog is working, you can skip this short task.
Create a Windows host
During the other article, we created a Graylog server, and now we need a Windows client. You can use any Windows OS. If you do not have a Windows 10, download it here: www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise.
Install the OS via a hypervisor, pick the right network (graylog server and the windows client have to be in the same subnet), and move on. Technically you can use a different PC with Windows if you have one.
Configure Graylog sidecar
Sidecar is a wrapper script, and it helps you to install and configure the Windows agent. Next, move back to your Graylog server and open Graylog's web interface. We can do most things with the web interface.
Install the OS via a hypervisor, pick the right network (graylog server and the windows client have to be in the same subnet), and move on. Technically you can use a different PC with Windows if you have one.
Configure Graylog sidecar
Sidecar is a wrapper script, and it helps you to install and configure the Windows agent. Next, move back to your Graylog server and open Graylog's web interface. We can do most things with the web interface.
Configure a Graylog input
Graylog needs a place where the data is coming in. Sidecar only is for the configuration; the input controls/accepts/ allows the data flow.
Graylog needs a place where the data is coming in. Sidecar only is for the configuration; the input controls/accepts/ allows the data flow.
Graylog index
This is the index for Elastic.
This is the index for Elastic.
Graylog Stream
A Graylog stream is helpful if we want to separate data from different resources. Windows logs are in a separate area, and it is easier to manage all the data.
A Graylog stream is helpful if we want to separate data from different resources. Windows logs are in a separate area, and it is easier to manage all the data.
Install the windows agent
Switch back to your Windows box and download the agent: github.com/Graylog2/collector-sidecar/releases. You will get a warning; that is okay.
Switch back to your Windows box and download the agent: github.com/Graylog2/collector-sidecar/releases. You will get a warning; that is okay.
Check Graylog (sidecar)
Switch back to your Graylog Linux box and see if the Sidecar agent is checked in. If yes, great; if not, you might have a problem with your firewall. Your Linux box must allow TCP 9000 and later TCP 5044. Port 9000 is the sidecar agent, and the traffic comes on port 5044.
If you have problems, check the logs on the Windows side and the Linux side. If you follow the official video, the firewall settings are not explained.
If you see the sidecar agent, create and apply a configuration.
Switch back to your Graylog Linux box and see if the Sidecar agent is checked in. If yes, great; if not, you might have a problem with your firewall. Your Linux box must allow TCP 9000 and later TCP 5044. Port 9000 is the sidecar agent, and the traffic comes on port 5044.
If you have problems, check the logs on the Windows side and the Linux side. If you follow the official video, the firewall settings are not explained.
If you see the sidecar agent, create and apply a configuration.
If you have trouble with the firewall, you can use the GUI. Install the GUI with:
yum install firewall-config
Start the GUI with:
firewall-config
The firewall looks like this:
yum install firewall-config
Start the GUI with:
firewall-config
The firewall looks like this:
Under options, you can set "LogDenied=all." You can now see if the Windows client is sending logs to your Linux box and getting rejected by your Linux firewall. The command to see the logs is:
sudo tail -f /var/log/messages
Hint: the newest messages are on the bottom.
If you send data from your Windows box and do not see anything, you might have a network problem, or the windows firewall has a problem with outgoing traffic.
If you use pfSense or a different firewall, allow both data streams (9000 and 5044).
See the logs:
After some minutes, all windows logs are visible under streams.
sudo tail -f /var/log/messages
Hint: the newest messages are on the bottom.
If you send data from your Windows box and do not see anything, you might have a network problem, or the windows firewall has a problem with outgoing traffic.
If you use pfSense or a different firewall, allow both data streams (9000 and 5044).
See the logs:
After some minutes, all windows logs are visible under streams.
Conclusion
Graylog is simple to install, and it is free. If you want to become a SOC Analyst, you can learn all basic SIEM features for free. If you know how to install agents, you can help a customer to fix some fundamental problems.
You can learn the same things with Splunk or ELK. Installing an agent/forwarder with Splunk is somewhat more straightforward, but this version of Graylog is free, and Splunk's free version has a ton of limitations, and the paid versions are costly. Smaller companies do not need Splunk; Graylog is fine.
Graylog is simple to install, and it is free. If you want to become a SOC Analyst, you can learn all basic SIEM features for free. If you know how to install agents, you can help a customer to fix some fundamental problems.
You can learn the same things with Splunk or ELK. Installing an agent/forwarder with Splunk is somewhat more straightforward, but this version of Graylog is free, and Splunk's free version has a ton of limitations, and the paid versions are costly. Smaller companies do not need Splunk; Graylog is fine.
© 2021. This work is licensed under a CC BY-SA 4.0 license