Graylog Basics
Author: Stefan Waldvogel
Learn a SIEM!
-in preparation-
Overview
Graylog is an open-source SIEM and has some paid options for cloud and enterprise versions. The SIEM is easy to install and, compared to Splunk, simple to learn. If you are a beginner, Graylog is an easy and solid starting point. Graylog supports dashboards, queries, alarms, and much more. The most significant advantage is the pricing. Additionally, Graylog's Community Edition is free and allows unlimited data. The Small Business version comes with a lot more features, and it is free up to 5GB per day. This is 10x more compared to Splunk's 500MB "free" license.
Overview
Graylog is an open-source SIEM and has some paid options for cloud and enterprise versions. The SIEM is easy to install and, compared to Splunk, simple to learn. If you are a beginner, Graylog is an easy and solid starting point. Graylog supports dashboards, queries, alarms, and much more. The most significant advantage is the pricing. Additionally, Graylog's Community Edition is free and allows unlimited data. The Small Business version comes with a lot more features, and it is free up to 5GB per day. This is 10x more compared to Splunk's 500MB "free" license.
If you are new to cybersecurity, you can start with the open version. However, it would help your career if you had time to learn the basic features (write queries, install the product, create some dashboards). It does not really matter if you know Graylog, Splunk, ELK, or other SIEMs because all products do more or less the same. Sure, the syntax is a bit different and where the features are, but if you understand one, you can transfer the knowledge quickly. In easy words, a SIEM is just a tool to find malicious things in logs. The next step is automation and alarm creation.
Installation
Graylog offers a lot of different ways to install.
Installation
Graylog offers a lot of different ways to install.
source: https://www.graylog.org/downloads-2
|
source: https://docs.graylog.org/en/4.0/pages/installation.html
|
The easiest and fastest way is installing per ova file. Download the newest file here: packages.graylog2.org/appliances/ova and install it with VMWare or VirtualBox.
You can pick other options like the manual path, too. Here, you learn how to configure the system, but it is not as beginner-friendly compared to a simple and configured image.
Getting help
One massive advantage of Graylog is the community. The official help (docs.graylog.org/en/4.0/pages/getting_started.htmll) is enormous and covers more topics you can learn. Additionally, the Graylog website (www.graylog.org/resources-videos) offers free webinars and videos about different topics. The website has one drawback: The material is not organized and is a collection of a lot of resources. You have to know what you want to learn. As a beginner, this is not easy.
I would suggest the following path for the first days:
- install Graylog with a method of your choice
- install/configure the first inputs (maybe a RAW UDP on localhost on port 1514)
- create a test input (in a console on your Graylog server: while true ; do logger -n 127.0.0.1 -P 1514 "I am here" ; sleep 2 : echo 'log send' ; done)
- play with the data
Use the links to install Graylog and some agents.
You can pick other options like the manual path, too. Here, you learn how to configure the system, but it is not as beginner-friendly compared to a simple and configured image.
Getting help
One massive advantage of Graylog is the community. The official help (docs.graylog.org/en/4.0/pages/getting_started.htmll) is enormous and covers more topics you can learn. Additionally, the Graylog website (www.graylog.org/resources-videos) offers free webinars and videos about different topics. The website has one drawback: The material is not organized and is a collection of a lot of resources. You have to know what you want to learn. As a beginner, this is not easy.
I would suggest the following path for the first days:
- install Graylog with a method of your choice
- install/configure the first inputs (maybe a RAW UDP on localhost on port 1514)
- create a test input (in a console on your Graylog server: while true ; do logger -n 127.0.0.1 -P 1514 "I am here" ; sleep 2 : echo 'log send' ; done)
- play with the data
- Create search queries
- Play in the "Search" area. The GUI is interactive, you can add a field, and it is straightforward to understand the logic. You can exclude and include data via the GUI.
- Create a dashboard
Use the links to install Graylog and some agents.
© 2021. This work is licensed under a CC BY-SA 4.0 license