2. Lack of etiquette and manners is a huge turn off.
KnolX Etiquettes
Punctuality
Join the session 5 minutes prior to the session start time. We start on time and conclude on time!
Feedback
Make sure to submit constructive feedback for all sessions, as it is very helpful for the presenter.
Silent Mode
Keep your mobile devices in silent mode; feel free to move out of the session in case you need to attend an urgent call.
Avoid Disturbance
Avoid unwanted chit-chat during the session.
4. Introduction
• Abundance of data (sources can be devices, applications, and operating systems)
• A centralized Log Management System (LMS) like Graylog provides a means to aggregate, organize, and make sense of all this data.
• Graylog is efficient at collecting and parsing petabytes of data.
• Once it has been parsed, log data can provide extremely useful information for forensic investigations, threat hunting, and business analytics in general.
5. Why Graylog?
• Graylog Open Core + Shared Commercial Features
• Specific Content, Dashboards, and Alerts for Each Solution.
• No Additional Data Storage Needed.
• Easier and more affordable
• Find and fix issues quicker and easier
• Great data sharing
7. Graylog Core Features
• Streams operate as a form of tagging for incoming messages. Streams route messages into categories in real time, and stream rules instruct Graylog to route messages into the appropriate stream.
• The Graylog Search page is the interface used to search logs directly. Searches may be saved or visualized as dashboard widgets that may be added directly to dashboards from within the search screen.
• Graylog Dashboards are visualizations or summaries of information contained in log events.
• Alerts are created using Event Definitions that consist of Conditions. When a given condition is met, it will be stored as an Event and can be used to trigger a notification.
8. Graylog Core Features
• Content packs accelerate the set-up process for a specific data source. A content pack can include inputs/extractors, streams, dashboards, alerts, and pipeline processors. For example, users can create custom inputs, streams, dashboards, and alerts to support a security use case.
• An Index is the basic unit of storage for data in OpenSearch and Elasticsearch. Index sets provide configuration for retention, sharding, and replication of the stored data.
• Graylog Sidecar is an agent to manage fleets of log shippers, like Beats or NXLog. These log shippers are used to collect OS logs from Linux and Windows servers. Graylog supports management of any log shipper as a backend.
• Graylog's Processing Pipelines enable the user to run a rule, or a series of rules, against a specific type of event. Tied to streams, pipelines allow routing, denylisting, modification, and enrichment of messages as they flow through Graylog.
9. System Requirements
• The Graylog server application is compatible with the following operating systems:
  - Debian 10 and 11
  - Ubuntu 18.04, 20.04, and 22.04
  - RHEL/CentOS/AlmaLinux/Rocky Linux 9
• Also required are a search backend, a database, and a JDK:
  - Either Elasticsearch 7.10.2 or OpenSearch 2.x
  - MongoDB 5.0 and 6.0
  - OpenJDK 17
10. Installation
• Operating system: Graylog offers official DEB and RPM package repositories for the following supported operating systems:
  - Debian 10, 11
  - Ubuntu 20.04, 22.04
  - RHEL/CentOS 7-9
  - SLES 13, 15
• Docker
• Manual Setup
11. Docker Compose Installation
Requirements
You will need a recent version of Docker, at least v20.10.10. In addition, use the following Docker images in this chapter:
  - Graylog: graylog/graylog
  - MongoDB: mongo
  - OpenSearch: https://hub.docker.com/r/opensearchproject/opensearch
  - Elasticsearch: https://www.docker.elastic.co/r/elasticsearch
  - Reference compose files: https://github.com/Graylog2/docker-compose
  - The stack reads two secrets from its environment: GRAYLOG_PASSWORD_SECRET (used for password encryption and salting) and GRAYLOG_ROOT_PASSWORD_SHA2 (the SHA-256 hash of the admin password)
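As an added example (not code from the slides or from the Graylog project), the shell helpers below derive the two values the compose stack expects, GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2, write them to a .env file, and refuse the widely copied example hash of the password "admin"; the function names and the 96-character secret length are my own choices.

```shell
#!/bin/sh
# Added example: derive the two Graylog docker-compose secrets and sanity-check
# them before `docker compose up`. Assumes sha256sum, shasum or openssl is
# installed and /dev/urandom exists.
set -eu

# Hex SHA-256 of a string; printf '%s' so no trailing newline gets hashed.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# GRAYLOG_ROOT_PASSWORD_SHA2 is the SHA-256 hex digest of the admin password.
graylog_root_password_sha2() {
    sha256_hex "$1"
}

# GRAYLOG_PASSWORD_SECRET: random alphanumeric string used by Graylog for
# password encryption and salting. Graylog requires at least 16 characters;
# 96 is an assumed, comfortably long default.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Pre-flight checks: secret long enough, hash well-formed (64 hex chars),
# and the example password "admin" from the docs not left in place.
check_env_values() {
    secret=$1
    hash=$2
    [ "${#secret}" -ge 16 ] || return 1
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' || return 1
    [ "$hash" != "$(sha256_hex admin)" ] || return 1
}

# Write both values in the KEY=VALUE form docker compose reads from .env.
write_env_file() {
    printf 'GRAYLOG_PASSWORD_SECRET=%s\nGRAYLOG_ROOT_PASSWORD_SHA2=%s\n' \
        "$1" "$2" > "$3"
}
```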