Graylog 5 Installation Guide
===

:::danger
To satisfy the logging requirements of the Information and Communication System Protection Baseline under the Regulations on Classification of Cyber Security Responsibility Levels, here is a simple installation and configuration guide for a log server.
:::

---

Planned topics:

- Event logging and accountability: Graylog, the poor man's remedy https://hackmd.io/@BensonH/ry2IWNa1yl
- Detection and response (EDR & XDR): Wazuh (in planning)
- Social engineering: go phishing! Gophish (in planning)
- Firewall: playing with OPNsense (in planning)

---

## MongoDB installation

```
yum -y install epel-release java pwgen
sudo tee /etc/yum.repos.d/mongodb-org.repo > /dev/null <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF
yum -y install mongodb-org

# start the mongodb service
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl status mongod.service
```

## Elasticsearch installation

```
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
sudo tee /etc/yum.repos.d/elasticsearch.repo > /dev/null <<EOF
[elasticsearch-7.10.2]
name=Elasticsearch repository for 7.10.2 packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
yum -y install elasticsearch-oss

# edit /etc/elasticsearch/elasticsearch.yml and set the two keys below
# (YAML needs a space after the colon; the sed/tee lines do the same edit without vim):
#   cluster.name: graylog
#   action.auto_create_index: false
sed -i 's/^#\?cluster\.name:.*/cluster.name: graylog/' /etc/elasticsearch/elasticsearch.yml
echo "action.auto_create_index: false" | sudo tee -a /etc/elasticsearch/elasticsearch.yml

# start the elasticsearch service
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
```

## Graylog 5 installation

```
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm
yum -y install graylog-server

# generate password_secret: 96 random characters
pwgen -N 1 -s 96
# generate root_password_sha2: SHA-256 of the admin password, without a trailing newline
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

# Then edit /etc/graylog/server/server.conf: set password_secret and root_password_sha2
# to the values generated above, and append the following lines at the end.
# Note: web_listen_uri, rest_listen_uri, rest_transport_uri, elasticsearch_cluster_name,
# elasticsearch_shards, elasticsearch_replicas and mongodb_useauth are legacy Graylog 2.x keys;
# Graylog 5 uses http_bind_address / http_publish_uri, elasticsearch_hosts and mongodb_uri instead.
root_timezone = Asia/Taipei
http_bind_address = 0.0.0.0:9000
web_listen_uri = http://0.0.0.0:9000/
rest_listen_uri = http://0.0.0.0:12900/
rest_transport_uri = http://192.168.1.35:12900/
elasticsearch_cluster_name = graylog
elasticsearch_shards = 1
elasticsearch_replicas = 0
mongodb_useauth = false

# start the graylog service
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
```

---

# Graylog 5 configuration

Work in progress

---

# Graylog 5: collecting OS logs

Work in progress

## Installing Graylog Sidecar on Linux

[Download](https://github.com/Graylog2/collector-sidecar/releases)

Choose graylog-sidecar-XXXX.rpm or graylog-sidecar-XXXX.deb

(work in progress)

## Installing Graylog Sidecar on Windows

[Download](https://github.com/Graylog2/collector-sidecar/releases)

Choose graylog_sidecar_installer_XXXX.exe

(work in progress)

---

# Graylog 5: collecting web logs

Work in progress

## IIS

Download the [NXLog CE (official site)](https://nxlog.co/downloads/nxlog-ce#nxlog-community-edition) installer

Configure NXLog

Configure IIS

Configure the Graylog input

(work in progress)

## Nginx

## Apache

Apache configuration

Configure the Graylog input

(work in progress)

## Apache Tomcat
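Back to the server.conf step of the Graylog 5 installation section above: the following is an added helper script, not part of the original guide, that hashes the root password the way root_password_sha2 expects and writes keys into server.conf idempotently, replacing an existing or commented-out definition instead of appending a duplicate on every run. It assumes GNU sed and sha256sum, that the path to server.conf is passed as an argument, and that values contain no `|` or `&`.

```shell
#!/usr/bin/env bash
# Added helper script (not from the original guide). Assumes GNU sed and sha256sum,
# and that config values contain no '|' or '&' (they are used unescaped in sed).
set -euo pipefail

# SHA-256 of the root password with no trailing newline, as root_password_sha2 expects.
graylog_root_sha2() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a server.conf. An existing definition, commented out or not,
# is replaced in place; otherwise the line is appended. Re-running never duplicates keys.
set_conf_key() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# Read back the active (uncommented) value of a key, for verification.
get_conf_key() {
  sed -nE "s|^[[:space:]]*${1}[[:space:]]*=[[:space:]]*||p" "$2" | head -n1
}

# Apply the settings used in the guide: secret, hashed root password, timezone, bind address.
# The comment in server.conf itself asks for a password_secret of at least 64 characters.
configure_graylog_server() {
  local file="$1" secret="$2" root_pw="$3"
  if [ "${#secret}" -lt 64 ]; then
    echo "password_secret must be at least 64 characters (the guide uses pwgen -N 1 -s 96)" >&2
    return 1
  fi
  set_conf_key "$file" password_secret "$secret"
  set_conf_key "$file" root_password_sha2 "$(graylog_root_sha2 "$root_pw")"
  set_conf_key "$file" root_timezone "Asia/Taipei"
  set_conf_key "$file" http_bind_address "0.0.0.0:9000"
}
```

Usage: `configure_graylog_server /etc/graylog/server/server.conf "$(pwgen -N 1 -s 96)" 'your-admin-password'`, then check with `get_conf_key root_password_sha2 /etc/graylog/server/server.conf`.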