Graylog Install - Best Log Ingester for Your SIEM!

  • Added 7 Sep 2024
  • Join me as we continue on to Phase 2 of the World's Best SIEM Stack Series, installing Graylog.
    Blog Post: / part-2-graylog-install...
    Contact Me: taylor.walton@socfortress.co
    Buy Me A Coffee: bit.ly/3woh21M
    Our Blog: / socfortress
    Security Operations Center as a Service: www.socfortres...
    Free For Life Tier: www.socfortres...
    Professional Services: www.socfortres...
    Discord Channel: / discord
    Series Playlist: • World's Best SIEM Stack

Comments • 50

  • @taylorwalton_socfortress

    Ugh, sorry about the non full screen, not sure why my screen recording software had that set... thank you for your patience as I learn this process

    • @Major_Thorn
      @Major_Thorn 1 year ago

      Really it's the mic volume that's the real issue. Having it close to full screen makes it easy to follow. But the clipping microphone makes the video a bit hard to watch. That being said, this video has so much good information.

  • @darrenschmitz7981
    @darrenschmitz7981 1 year ago +1

    Can’t wait for the whole series so I can implement this on my homelab server and do some testing!

  • @ChrisMoore-ks6ne
    @ChrisMoore-ks6ne 1 year ago +3

    Just starting this particular video but I did not hear an answer in this or the first videos:
    Is there a reason why you are choosing to point some logs at Graylog and some at Wazuh? It seems to me it would be easier to just set up the syslog connector on Wazuh and point everything at Wazuh. What are your thoughts on this strategy? Benefits vs. drawbacks to each? Trying to think through a less-complicated setup, as at the outset this solution, though robust, seems like a lot of overhead to manage. Thank you!

    • @59busta
      @59busta 1 year ago

      I want to know why too. I hope he will answer you.

  • @user-rt8md4ot2q
    @user-rt8md4ot2q 1 year ago +2

    Anyone facing this error in Graylog?
    While retrieving data for this widget, the following error(s) occurred:
    Elasticsearch exception [type=illegal_argument_exception, reason=key [types] is not supported in the metadata section].

  • @rubinkc
    @rubinkc 11 months ago +1

    After completing the steps, I don't know why Graylog is not listening on port 9000.

  • @getoutmore
    @getoutmore 1 year ago

    Thank you kindly for the videos. Is it possible to full screen though? :D

  • @JayTownsend1
    @JayTownsend1 1 year ago +4

    Your input gain on your mic is way too high; you need to turn that down and have a compressor on your mic to stop it from distorting.

    • @taylorwalton_socfortress
      @taylorwalton_socfortress 1 year ago +1

      I’ll give that an adjustment. Thanks for the feedback!

    • @JayTownsend1
      @JayTownsend1 1 year ago +2

      @@taylorwalton_socfortress No problem. I would recommend a GoXLR as well; have a look at that, along with monitoring your sound, as that is also a good way to check to make sure you sound correct.

  • @kirbydavis8742
    @kirbydavis8742 1 year ago +1

    I have a conflict that I'm so far unable to get past. As you've recommended, I've used a simple password (e.g., pleasesubscribe) in the elasticsearch_hosts line in Graylog's server.conf file. However, I'm unable to create the internal 'graylog' user in Wazuh since Wazuh requires a complex password (upper/lower letter, number, and special character). So, Graylog can't use a complex password and Wazuh won't create a user without a complex password. I've been struggling with this... what am I missing? Thanks.

  • @quikmcw
    @quikmcw 1 year ago +1

    So why are you using Graylog to ingest when you can do all of this with Wazuh? Guess I'm missing something, can you clarify?

    • @rutendorachels5877
      @rutendorachels5877 1 year ago +1

      Probably because Graylog can give you some sort of availability: when the Indexer is down it can sort of be an indexer and write logs to disk so you don't lose any. Also because he wants to make a normalization pipeline to clean the data before it hits the backend (Wazuh indexer).

    • @quikmcw
      @quikmcw 1 year ago

      @@rutendorachels5877 But no data is lost, because there is a front-end syslog server that is collecting the data and then sending it to Wazuh.

  • @pragmatickaos852
    @pragmatickaos852 4 months ago

    I don't know why you're using Graylog and Fluent Bit together. Fluent Bit can already do all the filtering and renaming stuff, and much more. I've even integrated Fluent Bit with GeoLite2 IP geolocation for putting IP addresses on the maps dashboard. I am not using Graylog at all and I don't think it's worth the extra resources to have it running.

  • @xinghe3780
    @xinghe3780 1 year ago +1

    It doesn't work when I follow your operation.
    I have one error: hostname not verified.

    • @icblack
      @icblack 1 year ago

      I also get the same message. I already added the root CA certificate to the key store and edited the /etc/default/graylog-server file.

    • @xinghe3780
      @xinghe3780 1 year ago

      @@icblack Did you solve it?

    • @nanapee2319
      @nanapee2319 1 year ago

      I also have the error: "ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: Hostname XXXXXXX not verified:". Did you resolve this issue?

    • @agarzadadasov8969
      @agarzadadasov8969 1 year ago

      Looks like the hostname is not a SAN of your cert... point to your IP instead (your server's IP) in your Graylog server config (with Taylor's help).

    • @xinghe3780
      @xinghe3780 1 year ago

      @@nanapee2319 It seems that using the IP instead of the hostname to connect succeeds.

  • @nanapee2319
    @nanapee2319 1 year ago +1

    I ran into an issue: "ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: Hostname XXXXXXX not verified". Has anyone had a similar problem, and if so, did you get it resolved?

    • @treramine2478
      @treramine2478 1 year ago

      Check certificate permissions.

    • @nanapee2319
      @nanapee2319 1 year ago

      @@treramine2478 I changed the certificate permissions but I am running into the same issue.

    • @treramine2478
      @treramine2478 1 year ago

      @@nanapee2319 Depending on the OpenSearch version, you can add elasticsearch_version = 7.XX to the Graylog server.config file and stop and reload the service.

    • @treramine2478
      @treramine2478 1 year ago +6

      Did you fix it yet? If not, I found out that making this change in the Graylog server.config file will work: elasticsearch_hosts = hxxps://username:pass@:9200, not elasticsearch_hosts = hxxps://username:pass@:9200

    • @nanapee2319
      @nanapee2319 1 year ago +1

      @@treramine2478 It worked. Thanks so much.
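The two "Hostname ... not verified" threads above boil down to one check: the host written in Graylog's elasticsearch_hosts URL must appear in the indexer certificate's Subject Alternative Name, which is why switching the URL from a hostname to the server's IP works when only the IP is in the SAN. The following is an added example, not code from the video or from Graylog, that evaluates each URL in an elasticsearch_hosts value against a getpeercert()-style certificate dict; the certificate, hostname and IP are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the dict ssl's getpeercert() returns for an indexer cert
# whose SAN carries only the server's IP (hypothetical name and address).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "wazuh-indexer"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

def san_entries(cert):
    """Split a getpeercert()-style dict into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_matches(pattern, host):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def host_verified(cert, host):
    """True if host (DNS name or IP literal) is covered by the cert's SAN.
    A CN-only cert never matches, which is what the VersionProbe error reports."""
    dns, ips = san_entries(cert)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:  # not an IP literal, so compare against DNS SANs
        return any(dns_matches(p, host.lower()) for p in dns)

def check_elasticsearch_hosts(setting, cert):
    """Map each host in a comma-separated elasticsearch_hosts value to whether
    the cert verifies it. urlsplit().hostname drops the user:pass@ part."""
    result = {}
    for url in setting.split(","):
        host = urlsplit(url.strip()).hostname
        result[host] = host_verified(cert, host)
    return result

if __name__ == "__main__":
    setting = "https://admin:secret@wazuh-indexer:9200,https://admin:secret@192.0.2.10:9200"
    for host, ok in check_elasticsearch_hosts(setting, SAMPLE_PEER_CERT).items():
        print(f"{host}: {'verified' if ok else 'NOT verified: add it to the SAN or use a host that is'}")
```

With the sample cert, the hostname URL fails and the IP URL passes; issuing the indexer certificate with the hostname as a DNS SAN is the fix that lets you keep the hostname in the config.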

  • @BoskiMartinez
    @BoskiMartinez 7 months ago

    Great job, but invest in a better microphone... please.

  • @TheMedtemo
    @TheMedtemo 1 year ago

    👍🚀🚀🚀

  • @Insomniac_86
    @Insomniac_86 1 year ago +1

    Man, how is your audio so bad? It sounds like you recorded a bad cell phone call on loud speaker with a $2 microphone.

  • @MarianoMattei
    @MarianoMattei 1 year ago

    I can't for the life of me get Graylog to work. Now I'm getting:
    ERROR [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unable to parse response body for Response{requestLine=POST /_bulk?timeout=1m HTTP/1.1, host=x.x.x.x:9200, response=HTTP/1.1 200 OK}]; nested: NullPointerException;, errorDetails=[]}, retrying (attempt #).

    • @Abdoulaye-creative
      @Abdoulaye-creative 1 year ago

      Hello, I have the same issues. Have you solved yours?

    • @MarianoMattei
      @MarianoMattei 1 year ago

      @@Abdoulaye-creative No. I chose not to use Graylog. It shouldn't be that difficult to install and configure. I'll reevaluate when it is a bit more mature.

    • @Abdoulaye-creative
      @Abdoulaye-creative 1 year ago

      @@MarianoMattei Thanks for your feedback. I'm still stuck with those issues even using the latest version of wazuh-indexer and Graylog.

    • @JuanDuarte_58
      @JuanDuarte_58 9 months ago

      @@MarianoMattei GL has been around since 2015, not sure it's going to get any better.

    • @abdallahegniia1672
      @abdallahegniia1672 8 months ago

      Hi there,
      I am facing the same error message.
      Any workaround, or should I work without Graylog?