Best SIEM Logging With Graylog - Routing SIEM Logs with Graylog!

แชร์
ฝัง
  • เผยแพร่เมื่อ 20 ธ.ค. 2024

ความคิดเห็น • 25

  • @iGarrettt
    @iGarrettt ปีที่แล้ว +2

    I've hunted and hunted for an ELI5 video on greylog and this is it. Thank you for such a fantastic and detailed series

  • @vadimkutia6516
    @vadimkutia6516 2 ปีที่แล้ว +4

    Thanks for the video, I enjoyed watching all the parts! I don't fully understand why we collect logs using greylag and wazuh agents together? Why not use only one thing? Please explain this point in more detail.

    • @ArcamNight
      @ArcamNight ปีที่แล้ว

      Yeah also I don't know why he use both 😅

  • @eldecloud
    @eldecloud 2 ปีที่แล้ว +1

    Great and clean (for taking a shower before rec the video) explanation! 😂

  • @hspcd
    @hspcd ปีที่แล้ว

    Taylor - is it possible to implement multi-tenancy where a tenant is a customer?

  • @perfecto25
    @perfecto25 ปีที่แล้ว

    btw, to route events into a stream, you dont needba custom field at Input level
    goto Streams, create new stream rule, gl2_source_input= GUID of the Input
    you can find guid on input section of cfg

  • @Damielsestrem
    @Damielsestrem ปีที่แล้ว

    hi Taylor, is it possible to add 2factor for wazuh login?

  • @eliasantoniadis8556
    @eliasantoniadis8556 2 ปีที่แล้ว

    Finally! Amazing!

  • @xinghe3780
    @xinghe3780 2 ปีที่แล้ว +1

    how to generate ssh log

  • @mikegrok
    @mikegrok 2 ปีที่แล้ว

    At the end, you probably mean no more than 1000 unique keys per index.
    Other reasons to create different indexes for different uses and sources is for security and response time reasons.
    For instance the help desk may need to be able to see the time stamp of the most recent login and failure to login, as well as the source and attempts in the last 24 hours without being able to see who sent emails to HR.

  • @enderst81
    @enderst81 2 ปีที่แล้ว

    Great series thanks!

  • @Huelilik
    @Huelilik 2 ปีที่แล้ว

    Woow a very amazing video adds to my knowledge about this wazuh. I want to ask sir, I have WHM Root Server, Debian OS which is very outdated and does not support wazuh Agnet. We couldn't update it because of the many third-party apps that might not run when I run the update. (I know this is very fatal but I don't dare to take the risk when updating the OS). which is my question. do you have a solution for monitoring the server without installing the agent on the debian server?? is a reverse proxy with a server that supports wazuh agent possible?? ( on the reverse proxy I will install a firewall to secure the website and the wazuh agent for active monitoring and response) . Please advice from you sir. Best Regards

    • @eliasantoniadis8556
      @eliasantoniadis8556 2 ปีที่แล้ว +1

      You can send syslog logs to wazuh without agent

    • @Huelilik
      @Huelilik 2 ปีที่แล้ว

      @@eliasantoniadis8556 how do you do it, can you recommend any documentation or articles about it?

  • @robert4049
    @robert4049 ปีที่แล้ว

    I followed the instructions, but I'm getting the below when go to create a parser on the input in grey log?
    Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].
    Cluster Version: "number" : "7.10.2",
    ii graylog-4.3-repository 1-6 all Package to install Graylog 4.3 GPG key and repository
    ii graylog-integrations-plugins 4.3.15-1 all Graylog Integrations plugins
    ii graylog-server 4.3.15-1 all Graylog server
    ii mongodb-database-tools 100.7.0 amd64 mongodb-database-tools package provides tools for working with the MongoDB server:
    ii mongodb-org 4.4.21 amd64 MongoDB open source document-oriented database system (metapackage)
    ii mongodb-org-database-tools-extra 4.4.21 amd64 Extra MongoDB database tools
    ii mongodb-org-mongos 4.4.21 amd64 MongoDB sharded cluster query router
    ii mongodb-org-server 4.4.21 amd64 MongoDB database server
    ii mongodb-org-shell 4.4.21 amd64 MongoDB shell client
    ii mongodb-org-tools 4.4.21 amd64 MongoDB tools

    • @vishakjaisimha5842
      @vishakjaisimha5842 8 หลายเดือนก่อน

      did u find the fix i struggling with the same issue
      and are u getting any logs from sysmon in wazuh my thing is blank

    • @MrGhost-pj8lf
      @MrGhost-pj8lf 8 หลายเดือนก่อน

      @@vishakjaisimha5842 go to /etc/wazuh-indexer directory and edit opensearch.yml file and change "compatibility.override_main_response_version: false". Then restart the wazuh-indexer and also graylog server

  • @williamice5965
    @williamice5965 2 ปีที่แล้ว

    Hello 👋, I’m new here you just get a new subscriber, please I do have questions do you know any php script to block a browser from visiting your site for example I want to block Firefox user from visiting my site. Which will display this browser not supposed. Please I do need help 🙏

  • @enarcee1
    @enarcee1 ปีที่แล้ว

    Hey Taylor.. been following along with this (excellent) series and have hit a hurdle at this stage. When applying the JSON exractor to both win and linux agent logs I get a processing error in Graylog:
    gl2_processing_error
    Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: "2023-05-30T04:07:00.230+0000" is malformed at "T04:07:00.230+0000
    Couple of questions:
    [1] is this the aright place to post issues? If not can you point me there.
    [2] have you come acoss this issue previously?
    graylog-server 5.1.1-1
    wazuh-indexer 4.4.5-1
    ubuntu 22.04.2 LTS
    Added 20230531 - I note at th-cam.com/video/ZDL4MUxtIrY/w-d-xo.html in the video you are expereincing same gl2_processing_error. btw - not trying to be picky, just trying to understand.

  • @ohioguy007
    @ohioguy007 ปีที่แล้ว

    @taylorwalton_socfortress In this video, you created the "wazuh-alerts-socfortress_" index. How do you get this index to replace the default "wazuh-alerts-" index in wazuh dashboard so you can visualize the data?

    • @joerg.schindler
      @joerg.schindler ปีที่แล้ว +2

      Hey Metthew, you can change the Default index Stack Management => Advanced Settings. However, I do not recommend using the Wazu Dashboard to visualize your data if you are using Graylog. The problem is the underscore separating the fields e.g. agent_name. By default the Wazuh indexer uses a dot to separate the fields agent.name. There seems to be a way to swap the dot with the underscore in Graylog, but I haven't figured out how to do that yet.
      I asked the Wazuh team if this could be changed in the dashboard, which is currently not possible, except to "recode" the dashboard.
      Maybe they want to fix the problem soon.

    • @DeadlyDragon_
      @DeadlyDragon_ 9 หลายเดือนก่อน

      @@joerg.schindlerMy solution was to setup a separate opensearch cluster that graylog uses, and to feed graylog the wazuh data via syslog in json format. This way I get the features of wazuh and graylog together.