A Proof-of-Concept repository for automating Graylog and connecting it with The Hive. NOTE: some Terraform modules, the Docker Compose file, the Python script and this README contain empty strings/values, so make sure to fill them in correctly according to your own situation/environment. Besides that, this repository was initially a Proof-of-Concept, so some features (such as sending an alert to The Hive) are done in a basic way to show their purpose/goal. Feel free to create a PR to improve this.
This repository makes use of a single Terraform stack, namely:
However, you can apply modules to your own liking instead of having to apply them all.
We're making use of an Ubuntu Minimal 22.04 instance running on a hypervisor.

| Resource | Value |
|---|---|
| CPUs | 4 |
| Memory | 8 GB |
| Storage | 12 GB |
1. Install updates:

   ```sh
   apt update && apt upgrade
   ```

2. Make sure you've installed a text editor (e.g. Nano or Vim), for example:

   ```sh
   apt install nano -y
   ```

3. Change the hostname and the hosts file (otherwise Graylog may not function properly):

   ```sh
   nano /etc/hostname
   nano /etc/hosts
   ```

   Now reboot to apply the changes.

4. Because it's a bad security practice to execute everything as root, we'll create our own user:

   ```sh
   adduser <user>
   ```

5. Assign the username to the `USER` variable:

   ```sh
   export USER="test-user"
   ```

6. Make the user a sudoer:

   ```sh
   usermod -aG sudo $USER
   ```

7. Move the SSH keys from root to the user you just created and change the ownership of the files:

   ```sh
   cp -R /root/.ssh/ /home/$USER/
   chown -R $USER:$USER /home/$USER/.ssh
   ```

8. Only permit the user you made to log in with SSH and disallow root from logging in with SSH. Open the SSH daemon configuration:

   ```sh
   nano /etc/ssh/sshd_config
   ```

   Change (or add) the following lines:

   ```
   PermitRootLogin no
   AllowUsers test-user
   ```

   Restart the service so that the changes take effect:

   ```sh
   systemctl restart sshd
   ```

9. Now switch to the user you just created:

   ```sh
   su <username>
   ```
In this repository we have already created a `docker-compose.yml`. See here or here in case you haven't created one yet.

NOTE: don't forget to change the values in `docker-compose.yml` and its corresponding `.env` file. Click here or here for the `.env` file.
1. Verify you have Docker Compose installed:

   ```sh
   sudo docker-compose -v
   ```

2. If you don't have Docker Compose installed, install it.

3. Execute the following to start the containers in the background:

   ```sh
   sudo docker-compose up -d
   ```

   Note: execute this command in the directory where the `docker-compose.yml` file is located!
Create input to test if log messages are received
Navigate to http://HOSTNAME:9000/system/inputs and launch a RAW/Plaintext TCP input with the following values:
- Enter the desired settings
- Click save
-
In case you don’t have netcat installed yet, enter the following command:
sudo apt install netcat
We can then send a plaintext message by entering the following command:
sudo echo 'First log message' | nc <fully qualified domain name of the machine> 5555
-
See if sent log data is present on the Graylog server
Go back to http://HOSTNAME:9000/system/inputs and click “Show received messages”.
The page should look similar to this (and most importantly, contain the log message):
- In case you want to start all over again regarding the containers (e.g. for testing purposes), you can use this script, which stops the containers and then deletes them, including the images, networks and volumes.
The Python scripts used come from Recon InfoSec. They have also written a blog about it. Credits to them for making these scripts.

NOTE: the next steps assume that the Dockerfile is already on the server. It's also recommended to execute the steps as a sudoer.
1. Configure the SSL certificate paths in `app.py`, or comment out all context lines if you're not using SSL.

2. Set your values, such as the API key, Hive URL and Graylog URL, in the `.env` file.

3. Optional: in `app/__init__.py`, configure any other IP, hash, URL or filename fields in place of `src_ip` and `dst_ip` to include them as artifacts/observables in your alert.

4. Build the image from the Dockerfile:

   ```sh
   docker build -t graylog2thehive .
   ```

   The app runs at https://0.0.0.0:5000 and accepts POST requests.

5. Point your Graylog HTTP Notification to https://[YOURSERVER]:5000/create_alert_http (see `/terraform/the_hive/terraform.tfvars` for the value). You can find the IP address of your Docker Graylog container by using:

   ```sh
   sudo docker inspect <containerID>
   ```

6. Run the Docker container with the image you just built:

   ```sh
   docker run -dp 5000:5000 graylog2thehive
   ```

7. Check whether it runs correctly or not:

   ```sh
   docker ps -a
   ```

   If not, run:

   ```sh
   docker logs <containerID>
   ```
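What the notification endpoint has to do with the `src_ip`/`dst_ip` fields from step 3, shown as an added Python example; this is not the repository's `app.py`/`app/__init__.py` nor Recon InfoSec's script. The notification payload shape, the field-to-dataType mapping and the priority-to-severity mapping are assumptions, and the sample payload is constructed.

```python
"""Added example, not the repository's app.py or Recon InfoSec's script: turn one Graylog
HTTP-notification payload into a TheHive alert, with src_ip/dst_ip as observables.
The payload shape, field-to-dataType mapping and severity mapping are assumptions."""
import json

# Message fields that become observables and their TheHive dataType (assumed mapping;
# extend it the way step 3 above describes for other IP, hash, URL or filename fields).
OBSERVABLE_FIELDS = {"src_ip": "ip", "dst_ip": "ip", "sha256": "hash",
                     "url": "url", "filename": "filename"}
# Graylog event priority (1-3) -> TheHive severity (1 low .. 3 high), assumed mapping
PRIORITY_TO_SEVERITY = {1: 1, 2: 2, 3: 3}


def build_alert(notification, observable_fields=OBSERVABLE_FIELDS):
    """Map the JSON Graylog POSTs to /create_alert_http onto a TheHive alert dict."""
    event = notification["event"]
    artifacts, seen = [], set()
    # Observables come from the backlog messages that triggered the event; the same
    # value is added once even if it appears in several messages.
    for msg in notification.get("backlog", []):
        for field, data_type in observable_fields.items():
            value = msg.get("fields", {}).get(field)
            if value and (data_type, value) not in seen:
                seen.add((data_type, value))
                artifacts.append({"dataType": data_type, "data": str(value),
                                  "message": f"{field} from message {msg.get('id', '?')}"})
    return {
        "title": notification.get("event_definition_title", "Graylog event"),
        "description": event.get("message", ""),
        "type": "graylog-event",
        "source": "graylog",
        "sourceRef": event["id"],  # unique per event; TheHive keys duplicate detection on it
        "severity": PRIORITY_TO_SEVERITY.get(event.get("priority", 2), 2),
        "tags": ["graylog", notification.get("event_definition_id", "")],
        "artifacts": artifacts,
    }


# Constructed sample in the shape of a Graylog HTTP notification (not real data)
SAMPLE_NOTIFICATION = {
    "event_definition_id": "EVENT-DEF-ID-PLACEHOLDER",
    "event_definition_title": "SSH brute force",
    "event": {"id": "EVENT-ID-1", "priority": 3,
              "message": "12 failed SSH logins from 203.0.113.7"},
    "backlog": [
        {"id": "m1", "fields": {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10"}},
        {"id": "m2", "fields": {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.10",
                                "user": "root"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_alert(SAMPLE_NOTIFICATION), indent=2))
```

The resulting dict is what the app would POST to TheHive's alert API; the two backlog messages yield only two observables because duplicates are collapsed.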
This Proof-of-Concept uses the following Terraform provider: https://registry.terraform.io/providers/zahiar/graylog/latest/docs. In order to execute all modules, do the following:
1. Switch to the corresponding directory to execute the first stack:

   ```sh
   cd terraform/graylog
   ```

2. To make sure you'll push the correct configuration, check all values and attributes within the modules, such as the `web_endpoint_uri` in `graylog.tf`. It should look similar to `http://<domain-name-or-IP>:9000/api`.

3. In the same directory, install the provider:

   ```sh
   terraform init
   ```

4. Now validate whether the modules are written correctly:

   ```sh
   terraform validate
   ```

5. To see what will be applied once you run `terraform apply`, run:

   ```sh
   terraform plan
   ```

6. Last but not least, apply the actual modules to the server:

   ```sh
   terraform apply
   ```