Best SIEM Dashboards - Grafana Install and Dashboard Creation
- Published: 19 Oct 2024
- Join me as we continue on to Phase 6 of the World's Best SIEM Stack Series, installing Grafana and building our first SIEM dashboard!
Blog Post: / part-6-best-open-sourc...
Contact Me: taylor.walton@socfortress.co
LinkedIn: / socfortressmdr
Twitter: / socfortress
Our Blog: / socfortress
Buy Me A Coffee: bit.ly/3woh21M
Security Operations Center as a Service: www.socfortres...
Free For Life Tier: www.socfortres...
Professional Services: www.socfortres...
Discord Channel: / discord
Series Playlist: • World's Best SIEM Stack
Your videos are amazing. We would love to see more videos about OpenSearch, like building a SOC stack.
I guess your audience would love a tutorial like that, as we don't have it here yet I guess.
Hey there! The wazuh-indexer is opensearch under the hood :)
Hi Taylor, thanks for the awesome video. Grafana is much faster since it's written in Go, which is compiled to machine language, the same level as C++ in terms of operation speed.
Products that are also written in Go are Docker and Kubernetes. I personally ditched Kibana because of the speed Grafana has to offer, and the fact that you are not entitled only to use ES or OS. BTW there is a kind of new log indexer from Grafana called Loki which offers a less costly index size and is supposed to be much faster.
Thanks
Thanks for sharing!
Your videos are amazing.
Thank you so much, I learned a lot from your channel!
Thanks so much for this series, especially with the effort of releasing it on a consistent schedule. I know we aren't there yet, but is there any reason why you chose Cassandra as opposed to other DBs like MongoDB for backend storage?
Hi Taylor,
Firstly, amazing videos.
I can't get the geolocation to work on Geomap. If I use the country code, it says "Unable to find location fields" when location mode is set to Auto.
Your videos are amazing. I've followed your steps, and I'm getting a bad gateway in Grafana!!! How can I solve this issue? Do I have to change the Wazuh SSL certificates?
Hey thanks for the video.
I can’t get any sysmon event 3 for some reason. Tried different configurations of sysmon. Any ideas?
Me too
Did you find any solution ?
Future person. If you're watching and following along, chances are great that nothing works (there must have been a lot of editing magic by the creator to make everything seem to work). All the time you have/will spend on this "demo" is probably better spent with trusted account managers on buying a reliable solution.
Tech tutorials should not be followed verbatim. With very minor changes and reading of documentation everything up to this point is still working as expected for me.
I am keeping my own internal documentation of differences for reference for other people I recommend to follow along with this, but in the end, as things change with the software referenced, you need to consider a 1-year-old tutorial out of date and ensure you do your own footwork along the way.
@minutemadeinc this!
Hey Taylor, thanks for your videos, they are amazing.
I have a question about the Grafana and Graylog configuration.
I'm having an issue in my Grafana saying "Elasticsearch: error Bad Gateway".
I'm using Graylog and Elasticsearch on the same machine and Grafana on another, and I can't connect them?
Trying to follow along in my lab. How many servers are you using now, 2? 1 for Wazuh-Indexer, Graylog and Grafana, and 1 for Wazuh Manager? I realize there would be separate servers and a cluster for Wazuh-Indexer in a large production environment.
You will likely get an error regarding gl2 processing due to an incorrect time format within every log that's placed. It'll look something like this:
gl2_processing_error
Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: "2023-08-02T16:56:53.307-0400" is malformed at "T16:56:53.307-0400".
Make a new pipeline and use this rule and it'll fix it:
rule "parse custom timestamp"
when
    has_field("timestamp")
then
    // Joda-style pattern: the trailing Z matches a numeric offset such as -0400
    let new_date = parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss.SSSZ");
    set_field("timestamp", new_date);
end
Thanks a lot
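Added example (not from the video or from the comment above): a Python emulation of what that pipeline rule does, run over constructed sample messages, so you can see which events would otherwise have their original event time silently replaced by ingest time (which is what breaks a timeline in Grafana). The field names and the ingest time are assumptions.

```python
from datetime import datetime, timezone

# Joda pattern from the pipeline rule: yyyy-MM-dd'T'HH:mm:ss.SSSZ
# Python strptime equivalent; %z accepts a colon-less offset such as -0400.
PIPELINE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_event_timestamp(value: str):
    """Return an aware UTC datetime, or None when the value does not match the rule's pattern."""
    try:
        return datetime.strptime(value, PIPELINE_FORMAT).astimezone(timezone.utc)
    except ValueError:
        return None


def apply_rule(message: dict, ingest_time: datetime) -> dict:
    """Emulate has_field("timestamp") -> parse_date -> set_field.

    A message whose timestamp does not parse gets the same fallback Graylog applies
    (ingest time) and is flagged, so the gap in the timeline is visible instead of silent.
    """
    out = dict(message)
    parsed = parse_event_timestamp(str(message.get("timestamp", "")))
    if parsed is None:
        out["timestamp"] = ingest_time.isoformat()
        out["gl2_processing_error"] = "timestamp replaced with ingest time"
        out["timeline_skew_s"] = None
    else:
        out["timestamp"] = parsed.isoformat()
        # How far the event would have drifted on the timeline without the rule.
        out["timeline_skew_s"] = round((ingest_time - parsed).total_seconds(), 3)
    return out


# Constructed sample messages (assumed shape, modelled on Wazuh-forwarded Sysmon events).
SAMPLE_MESSAGES = [
    {"timestamp": "2023-08-02T16:56:53.307-0400", "event_id": 3},
    {"timestamp": "not-a-timestamp", "event_id": 1},
    {"event_id": 11},  # no timestamp field at all
]
INGEST_TIME = datetime(2023, 8, 2, 21, 0, 0, tzinfo=timezone.utc)  # assumed


def summarize(messages=SAMPLE_MESSAGES, ingest_time=INGEST_TIME):
    results = [apply_rule(m, ingest_time) for m in messages]
    replaced = sum(1 for r in results if "gl2_processing_error" in r)
    return results, replaced


if __name__ == "__main__":
    results, replaced = summarize()
    for r in results:
        print(r)
    print(f"{replaced} of {len(results)} messages lost their original event time")
```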
First of all thank you very much! Your videos are very helpful and really amazing!
I need to ask for your help, because I can't find any event ID 3 log in Graylog or in Wazuh discovery.
I can see those logs in Event Viewer, and I checked the configuration for groups a few times, checked if Sysmon is installed with the correct configs by extracting the config from a test PC with Sysmon64.exe -c and comparing it with the config provided by Olaf, but still can't find any event ID 3 log in Graylog or in the Wazuh discovery panel.
Can you please point out where I can find the root of the issue, or maybe someone already faced a similar issue and was able to solve it?
Will be very grateful for any help.
OK, so after some time spent smashing myself against the wall I found a way, however it's a little bit weird and I don't expect that it's the correct one.
If you have a centralized configuration for the agent that includes settings for "Microsoft-Windows-Sysmon/Operational", it's not working, at least it's not working for event ID 3. I mean, if you even create the group and add these settings to the group, you will see them in the shared/agent.conf file, but for some reason it will bring not all events to your Graylog server. If you manually put this config into the ossec.conf file on the monitored machine, you will start receiving the logs.
Anyway, I will try to understand what should be done to get the same results with centralized configuration through the agent group.
Also, for easily generating traffic from a Windows machine you can use a PowerShell command.
Thanks Gentlemen
Is there someone who got issues with HTTPS on Grafana?
And thank you very much for your time, your videos are amazing.
yeah same
What issue do you see? For me, I had an issue when I tried to change the port to 443. Also the directory permissions.
@JuanDuarte_58 you need to configure a self-signed certificate for Grafana so you'll be able to use it on port 443 (HTTPS).
Help me,
I had problems when installing the Worldmap Panel. I am using Grafana v11. In the Grafana plugin catalog the Worldmap panel option didn't appear, and finally I installed it using the CLI. I have followed these steps, but when searching for the Worldmap panel I couldn't find it.
Is there a problem with the Grafana version?
How would you setup agent -> squid proxy -> destination -> port?
Hi Taylor, when I load the Sankey panel it shows an error that "p is not a function". How to fix this?
We are very interested that Graylog can replace Filebeat and send data to the Wazuh index, and we are also very happy with the application of the Grafana dashboard. But we also want to keep the Wazuh Kibana view, and we don't know how to generate Wazuh indices (just like wazuh-alerts-4.x-2022.*) from Graylog. I don't know how to make them coexist (Grafana dashboard & Wazuh Kibana dashboard)?
Graylog with Wazuh will make you lose the Wazuh modules; it will malfunction due to indexing issues.
How can I make a dashboard with Grafana for Shadowserver?
Can you share the tutorial commands? Thanks.
Terrible time with these Grafana visualizations (Grafana version 10).
*Disclaimer: I stoopit. Worldmap or whatever is gone -- integrated directly into Grafana as Geomap.
I'm still pondering the Sankey. I have the data coming in just fine (verified by clicking "table view" on). The graph, however, is blank with an error of "g is not a function". "g is not a function" is apparently a Grafana error that doesn't necessarily reflect anything to do with the actual error (it cascades up the error stack and finally, if nothing catches the real error, it spills out as the "g is not a function" error -- at least that's what I gather). It therefore has not been resolved (a GitHub issue lists it, and the response was that there's no real data to know where to begin the troubleshooting), and indeed may well be Grafana more than the plugin. That said, maybe you'll get lucky (whoever you are).
Next:
Geomap wouldn't map a location. This is due to it not seeing relevant fields. In Graylog, after discovering one can't use Extractors because the Geo-Location Processor needs the processed stream that has already done the extracting, it turns out one needs a lookup table (faster anyway, I think). This link is your friend here:
www.graylog.org/post/how-to-set-up-graylog-geoip-configuration/
...I wanted the destination mapped, so change that accordingly in the rule if that's your case. When creating the pipeline to use the pipeline rule, it's easy enough: go to System/Pipelines -> Pipelines and create a new one. Link the Wazuh stream, edit Stage 0, add the pipeline rule you expertly crafted, and save. Done. Then configure Geomap in Grafana to use your query by setting the Data dropdown correctly ("A" is likely the name of your query if you didn't rename it), Location Mode to "Lookup", and then you *should* see your pipeline rule field listed in the "Lookup field" box. Gazetteer = Countries. Styles Size = Count (the metric from the query). Should work (fingers crossed).
You saved the day mate, cheers
You saved the day here with geoip and pipeline rule setups thank you!
Many thanks Taylor really, I don't know what to say to thank you!
I have this error message after enabling the Geo-Location Processor; I'd appreciate your advice.
gl2_processing_error
Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: "2023-05-01T09:32:13.933-0400" is malformed at "T09:32:13.933-0400"
He has the same error, as can be seen here: "ruclips.net/video/qR5BH-bKpOg/видео.html". Furthermore, in the video he doesn't show how to create a pipeline so that geolocation works...
There is a rule you can create. It is in one of the comments on this video.