Graylog will receive logs from our Wazuh-Manager, network devices, or any service that has a syslog forwarding option.
Prerequisites
• A Wazuh manager should be installed and running.
• An installed and running Graylog server.
The Broad Steps:
1. Point your browser to the Graylog server.
2. Navigate to System --> Inputs
3. Launch a new Raw/Plaintext TCP input
4. Keep the default settings and select "Save". Graylog is now accepting TCP messages on port 5555.
5. Log into your Wazuh-manager terminal.
6. Install the Fluent Bit package (the agent that will ship the alerts to Graylog) with the upstream install script:
curl https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh | sh
7. Open the Fluent Bit config file and set the following parameters (Host and Port are the address of the Graylog server and the port of the Raw/Plaintext TCP input created in step 4):
----------------------------------- /etc/fluent-bit/fluent-bit.conf -------------------------------
[SERVICE]
    # flush buffered records to the outputs every 5 seconds
    flush                     5
    daemon                    Off
    log_level                 info
    parsers_file              parsers.conf
    plugins_file              plugins.conf
    # built-in HTTP/metrics endpoint stays disabled
    http_server               Off
    http_listen               0.0.0.0
    http_port                 2020
    # filesystem buffering so alerts survive a restart or an unreachable Graylog
    storage.metrics           on
    storage.path              /var/log/flb-storage/
    storage.sync              normal
    storage.checksum          off
    storage.backlog.mem_limit 5M
    Log_File                  /var/log/td-agent-bit.log

[INPUT]
    # follow the Wazuh manager's JSON alert log; every line is one alert
    name              tail
    path              /var/ossec/logs/alerts/alerts.json
    tag               wazuh
    parser            json
    Buffer_Max_Size   5MB
    Buffer_Chunk_Size 400k
    storage.type      filesystem
    Mem_Buf_Limit     512MB

[OUTPUT]
    # send the alerts as newline-delimited JSON to the Graylog Raw/Plaintext TCP input
    Name              tcp
    Host              *your graylog host*
    Port              *your graylog port*
    net.keepalive     off
    Match             wazuh
    Format            json_lines
    # json_date_key is the name of the field that carries the record time, not a boolean;
    # "date" is Fluent Bit's default and leaves the alert's own "timestamp" field untouched
    json_date_key     date
-------------------------------------------------------------------------------------------------------
8. Enable and start the service.
systemctl enable fluent-bit && systemctl start fluent-bit
9. Verify on the Graylog server (search on the new input) that Wazuh alerts are arriving.
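As an added example (not part of the original guide), the following Python stand-in behaves like the Graylog Raw/Plaintext TCP input from step 4: it re-assembles Fluent Bit's json_lines framing across arbitrary TCP read boundaries and summarises each Wazuh alert, which lets you confirm what the manager actually sends before looking in Graylog. The sample bytes are constructed, and listen_once together with the checked alert fields (rule, agent) are assumptions.

```python
import json
import socket

# Constructed sample of Fluent Bit's json_lines output, split across two TCP reads on purpose.
SAMPLE_CHUNKS = [
    b'{"date":1700000000.0,"rule":{"level":5,"id":"5501","description":"PAM: Login session '
    b'opened."},"agent":{"id":"000","name":"wazuh-manager"}}\n{"date":1700000001.0,"rule":',
    b'{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the '
    b'system."},"agent":{"id":"001","name":"web01"}}\n',
]

class JsonLinesDecoder:
    """Re-assembles newline-delimited JSON from arbitrary TCP read boundaries."""
    _buf = b""
    def feed(self, data):
        """Return the complete records available after appending data; keep any partial line."""
        self._buf += data
        records = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            if line.strip():
                records.append(json.loads(line))
        return records

def summarize_alert(alert):
    """Reduce one Wazuh alert to the fields an analyst checks first (assumed field set)."""
    for key in ("rule", "agent"):
        if key not in alert:
            raise ValueError(f"not a Wazuh alert: missing '{key}'")
    rule = alert["rule"]
    return {"agent": alert["agent"].get("name"), "rule_id": rule.get("id"),
            "level": rule.get("level"), "description": rule.get("description")}

def decode_chunks(chunks):
    # run a sequence of TCP reads through one decoder and summarise every alert
    dec, out = JsonLinesDecoder(), []
    for chunk in chunks:
        out.extend(summarize_alert(a) for a in dec.feed(chunk))
    return out

def listen_once(port=5555, max_records=5):
    """Assumed helper: stand in for the Graylog Raw/Plaintext TCP input for one connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        with srv.accept()[0] as conn:
            dec, seen = JsonLinesDecoder(), []
            while len(seen) < max_records and (data := conn.recv(4096)):
                seen.extend(summarize_alert(a) for a in dec.feed(data))
            return seen
```

Point the [OUTPUT] Host/Port at the machine running listen_once(5555) to see the first alerts decoded, then switch them back to Graylog.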
Conclusion
Graylog is one of the best tools in the open-source community for log ingestion, parsing and enrichment. With its many built-in features, we can add intelligence to the logs we ingest before they are permanently written to our backend storage.