Best SIEM Logging With Graylog - Routing SIEM Logs with Graylog!

I've hunted and hunted for an ELI5 video on greylog and this is it. Thank you for such a fantastic and detailed series

Great and clean (for taking a shower before rec the video) explanation! 😂

Thanks for the video, I enjoyed watching all the parts! I don't fully understand why we collect logs using greylag and wazuh agents together? Why not use only one thing? Please explain this point in more detail.

Finally! Amazing!

btw, to route events into a stream, you dont needba custom field at Input level
goto Streams, create new stream rule, gl2_source_input= GUID of the Input
you can find guid on input section of cfg

Great series thanks!

At the end, you probably mean no more than 1000 unique keys per index.
Other reasons to create different indexes for different uses and sources is for security and response time reasons.
For instance the help desk may need to be able to see the time stamp of the most recent login and failure to login, as well as the source and attempts in the last 24 hours without being able to see who sent emails to HR.

Taylor - is it possible to implement multi-tenancy where a tenant is a customer?

how to generate ssh log

hi Taylor, is it possible to add 2factor for wazuh login?

Woow a very amazing video adds to my knowledge about this wazuh. I want to ask sir, I have WHM Root Server, Debian OS which is very outdated and does not support wazuh Agnet. We couldn't update it because of the many third-party apps that might not run when I run the update. (I know this is very fatal but I don't dare to take the risk when updating the OS). which is my question. do you have a solution for monitoring the server without installing the agent on the debian server?? is a reverse proxy with a server that supports wazuh agent possible?? ( on the reverse proxy I will install a firewall to secure the website and the wazuh agent for active monitoring and response) . Please advice from you sir. Best Regards

Hello 👋, I’m new here you just get a new subscriber, please I do have questions do you know any php script to block a browser from visiting your site for example I want to block Firefox user from visiting my site. Which will display this browser not supposed. Please I do need help 🙏

I followed the instructions, but I'm getting the below when go to create a parser on the input in grey log?
Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].
Cluster Version: "number" : "7.10.2",
ii graylog-4.3-repository 1-6 all Package to install Graylog 4.3 GPG key and repository
ii graylog-integrations-plugins 4.3.15-1 all Graylog Integrations plugins
ii graylog-server 4.3.15-1 all Graylog server
ii mongodb-database-tools 100.7.0 amd64 mongodb-database-tools package provides tools for working with the MongoDB server:
ii mongodb-org 4.4.21 amd64 MongoDB open source document-oriented database system (metapackage)
ii mongodb-org-database-tools-extra 4.4.21 amd64 Extra MongoDB database tools
ii mongodb-org-mongos 4.4.21 amd64 MongoDB sharded cluster query router
ii mongodb-org-server 4.4.21 amd64 MongoDB database server
ii mongodb-org-shell 4.4.21 amd64 MongoDB shell client
ii mongodb-org-tools 4.4.21 amd64 MongoDB tools

Hey Taylor.. been following along with this (excellent) series and have hit a hurdle at this stage. When applying the JSON exractor to both win and linux agent logs I get a processing error in Graylog:
gl2_processing_error
Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: "2023-05-30T04:07:00.230+0000" is malformed at "T04:07:00.230+0000
Couple of questions:
[1] is this the aright place to post issues? If not can you point me there.
[2] have you come acoss this issue previously?
graylog-server 5.1.1-1
wazuh-indexer 4.4.5-1
ubuntu 22.04.2 LTS
Added 20230531 - I note at th-cam.com/video/ZDL4MUxtIrY/w-d-xo.html in the video you are expereincing same gl2_processing_error. btw - not trying to be picky, just trying to understand.

@taylorwalton_socfortress In this video, you created the "wazuh-alerts-socfortress_" index. How do you get this index to replace the default "wazuh-alerts-" index in wazuh dashboard so you can visualize the data?