Debian 9 64-bit – Graylog 2

Author: Vince Nadus
Published: 5 March 2019
Tags: monitoring, log, debian

Based on http://docs.graylog.org/en/2.5/pages/installation/os/debian.html

Installation script at:

https://gitlab.nadus.fr/root/script-bash.git

Allow Java to listen on ports < 1024 (needed if the Graylog inputs are to bind to privileged ports such as 514 without running as root):

apt-get install libcap2-bin
setcap cap_net_bind_service=+epi /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Client configuration:

nano /etc/rsyslog.conf

Add as the last line (a single @ sends over UDP; @@ would use TCP):

*.* @10.10.1.28:10514;RSYSLOG_SyslogProtocol23Format

For pfSense clients:

Go to Status > System Logs > Settings

or

switch to syslog-ng:

https://marketplace.graylog.org/addons/f2e0208f-9935-4bf5-b20d-f0562237b236

NXLog (Windows)

c:\program files (x86)\nxlog\conf\nxlog.conf

Panic Soft
NoFreeOnExit TRUE

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _gelf>
    Module  xm_gelf
</Extension>

<Extension _charconv>
    Module  xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module  xm_exec
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Level 1-3 = critical, error, warning. Note that Security audit events are
# logged with Level=0, so the Level filter on that channel matches few of
# them; use * there if you want logon/process auditing in Graylog.
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Setup">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Windows Powershell">*</Select>
                <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
                <Suppress Path="Security">*[System[(EventID=4689 or EventID=5158 or EventID=5440 or EventID=5444)]]</Suppress>
                <Suppress Path="Windows PowerShell">*[System[(EventID=501 or EventID=400 or EventID=600)]]</Suppress>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Ship the events to the Graylog GELF UDP input
<Output out>
    Module      om_udp
    Host        10.168.50.166
    Port        12514
    OutputType  GELF_UDP
</Output>

<Route 1>
    Path    eventlog => out
</Route>
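As an added check that is not part of the original post: a small Python script that builds a GELF 1.1 datagram (the format the GELF UDP input on port 12514 expects from NXLog) and an RFC 5424 line (what RSYSLOG_SyslogProtocol23Format emits to port 10514) and sends them over UDP, so you can confirm each Graylog input is reachable and parsing before rolling the client configs out. The addresses and ports are the ones used above; the hostname client01 and the app name graylog-test are constructed for the test.

```python
"""Send test messages to the Graylog inputs configured in this post."""
import gzip
import json
import socket
import time
from datetime import datetime, timezone

# Addresses as used in the post; change them to your own Graylog server.
SYSLOG_TARGET = ("10.10.1.28", 10514)    # rsyslog clients, RFC 5424 over UDP
GELF_TARGET = ("10.168.50.166", 12514)   # NXLog om_udp, OutputType GELF_UDP

def build_gelf(short_message, host, level=6, **extra):
    """Return a gzip-compressed GELF 1.1 datagram as the GELF UDP input accepts."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}  # 6 = info
    for key, value in extra.items():
        if key == "id":  # "_id" is reserved by GELF and rejected by Graylog
            raise ValueError("'id' cannot be a GELF additional field")
        msg["_" + key] = value  # additional fields must start with "_"
    data = gzip.compress(json.dumps(msg).encode("utf-8"))
    if len(data) > 8192:  # larger payloads need GELF chunking, not done here
        raise ValueError("payload exceeds a single GELF UDP datagram")
    return data

def decode_gelf(datagram):
    """Inverse of build_gelf, to check what would be sent."""
    return json.loads(gzip.decompress(datagram).decode("utf-8"))

def build_rfc5424(message, host, app="graylog-test", facility=1, severity=6):
    """Return an RFC 5424 line as RSYSLOG_SyslogProtocol23Format emits it."""
    pri = facility * 8 + severity  # facility 1 (user) * 8 + severity 6 = 14
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts.replace('+00:00', 'Z')} {host} {app} - - - {message}"

def send_udp(payload, target):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, target)

if __name__ == "__main__":
    # "client01" is a constructed hostname used only for the test messages
    send_udp(build_gelf("GELF input test", "client01", source="manual"), GELF_TARGET)
    send_udp(build_rfc5424("syslog input test", "client01").encode(), SYSLOG_TARGET)
```

If the message does not show up in Graylog, check the input's bind address and any firewall between the client and the server before touching the NXLog or rsyslog config.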