# Building a SIEM - 3 - Installing Graylog

04-23-2025

Tags: #Wazuh #SIEM #Graylog

Links: [[Building a SIEM - 2 - Installing Wazuh]], [[Building a SIEM - 4 - Graylog Inputs, Wazuh Tuning, and Agents]]

---

**Table of Contents**

- [[#Introduction|Introduction]]
- [[#Important Step: Adjusting `opensearch.yml`|Important Step: Adjusting `opensearch.yml`]]
- [[#Installing Graylog|Installing Graylog]]
- [[#Installing MongoDB|Installing MongoDB]]
- [[#Installing Graylog-Server|Installing Graylog-Server]]
- [[#Installing Graylog-Server#Configure Certificates for Graylog-Wazuh|Configure Certificates for Graylog-Wazuh]]
- [[#Installing Graylog-Server#Configure the Connection to your Wazuh-Indexer:|Configure the Connection to your Wazuh-Indexer:]]
- [[#Configuring Graylog-Server|Configuring Graylog-Server]]
- [[#Logging into Graylog|Logging into Graylog]]
- [[#References|References]]

---

## Introduction

Welcome to my third post as I build my own open-source SIEM stack! This time I'm installing Graylog, which will write to our Wazuh indexer backend. Graylog will be our universal ingester: it takes logs from the Wazuh manager, from devices speaking syslog, from third-party services like antivirus, and so on. It also lets us normalize those logs, which we need if we want dashboards that span all the different kinds of endpoints.

Graylog can run on its own server. If it does, its on-disk message journal can also act as a buffer when something goes wrong with Wazuh, holding onto incoming logs until the indexer is back up.

I'm following Taylor Walton's guide [here](https://www.youtube.com/watch?v=63pNANfZHIk&t) if you want to follow him as well!

## Important Step: Adjusting `opensearch.yml`

Before we start doing a whole lot, we need to tweak a setting in the Wazuh indexer's `opensearch.yml` config.
Otherwise, Graylog will be able to _see_ the indexer but not _save_ anything into it.

Open up the file:

```terminal
sudo nano /etc/wazuh-indexer/opensearch.yml
```

and comment out this line:

```opensearch.yml
# compatibility.override_main_response_version: true
```

then restart the indexer (`sudo systemctl restart wazuh-indexer`) so the change takes effect.

**Why We're Doing This**

The Wazuh indexer is OpenSearch under the hood. With `compatibility.override_main_response_version: true`, its root (`/`) response advertises version `7.10.2`, i.e. it presents itself as Elasticsearch 7.10 so that clients written for the Elasticsearch API (including Wazuh's own components) accept it. Graylog decides which indexing API to use from that advertised version, so it connects, treats the indexer as Elasticsearch 7.10, and its writes then fail because a current OpenSearch doesn't answer indexing requests the way Elasticsearch 7.10 would. Commenting the line out makes the indexer report its real OpenSearch version, which Graylog supports directly.

The setting exists for clients that only speak the Elasticsearch 7.x API, so before turning it off, check that nothing else in your stack (a Filebeat shipper pointed at the indexer, for example) depends on it.

Anyways, we continue on!

## Installing Graylog

Now that Wazuh is up and running, we can install Graylog. First, our dependencies:

```terminal
sudo apt update && sudo apt upgrade
sudo apt install apt-transport-https openjdk-11-jre-headless uuid-runtime dirmngr gnupg wget
```

Graylog 6 packages ship with their own bundled JVM, so the system JDK installed here isn't what runs Graylog; it gives us `keytool` and the `cacerts` file we'll copy in the certificate step later.

## Installing MongoDB

**First!** Check that your CPU supports *AVX*: MongoDB 5.0 and later won't start on CPUs without it. The command below prints the CPU flags line if AVX is there and nothing if it isn't:

```terminal
lscpu | grep avx
```

Graylog depends on MongoDB for its configuration store, so we'll pull the public key and install it:

1. Import the MongoDB public key:

```terminal
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
  sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
```
2. Create the apt list file. This one is for Ubuntu 22.04 (`jammy`); use your release's codename if you're on something else:

```terminal
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
```

3. Reload the local package database:

```terminal
sudo apt update
```

4. Install MongoDB:

```terminal
sudo apt-get install -y mongodb-org
```

5. Edit the config file with `sudo nano /etc/mongod.conf`. MongoDB only listens on localhost by default; we could bind it to a specific interface or to all interfaces, but since Graylog runs on the same box I'm keeping mine at **127.0.0.1**:

```mongod.conf
net:
  port: 27017
  bindIp: 127.0.0.1
```

6. Start and enable the service:

```terminal
sudo systemctl daemon-reload
sudo systemctl enable --now mongod.service
```

## Installing Graylog-Server

Now we can install the core Graylog service. Graylog keeps its configuration in MongoDB and reaches it on localhost by default (`mongodb_uri = mongodb://localhost/graylog` in `server.conf`), so the two normally share a node, as they do here. I'll start by installing **Graylog Open**:

```terminal
wget https://packages.graylog2.org/repo/packages/graylog-6.2-repository_latest.deb
sudo dpkg -i graylog-6.2-repository_latest.deb
sudo apt-get update
sudo apt-get install graylog-server
```

### Configure Certificates for Graylog-Wazuh

Graylog needs to trust the Wazuh indexer's TLS certificate before it can write to it over HTTPS. We do that by adding the Wazuh root CA to a copy of the JDK's trust store, which Graylog will be pointed at:

```terminal
sudo mkdir -p /etc/graylog/server/certs
sudo cp -L /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/certs/cacerts
sudo cp /etc/wazuh-indexer/certs/root-ca.pem /etc/graylog/server/certs/root-ca.pem
sudo keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/root-ca.pem
```

Note the `cp -L` (dereference) for the `cacerts` copy rather than `cp -a`: on Debian/Ubuntu that path is a symlink into `/etc/ssl/certs/java/`, and `-a` would copy the symlink itself, so the `keytool` import would quietly modify the system-wide trust store instead of our copy. Check with `ls -l /etc/graylog/server/certs/cacerts` that you ended up with a regular file, and answer `yes` when `keytool` asks whether to trust the certificate.

*Note*: the `keytool` command above uses the store password `changeit`, which is the default password on the JDK's `cacerts` file we just copied. If you set a different one with `keytool -storepasswd`, use that value in the Java options below.
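The certificate steps above and the Java options change that follows, as one re-runnable script. This is an added example for this post, not code from the post, Graylog or Wazuh; run it as root. Paths, the alias `root_ca` and the `changeit` store password are the ones used above, and can be overridden through the `CERT_DIR`, `JDK_CACERTS`, `WAZUH_CA`, `STOREPASS` and `ALIAS` variables, which are names I chose for the script. The `with_truststore` helper takes the existing `GRAYLOG_SERVER_JAVA_OPTS` line and appends the trust-store flags exactly once, so running the script twice never stacks duplicate options.

```sh
#!/bin/sh
# Build Graylog's trust store for the Wazuh indexer and print the matching
# GRAYLOG_SERVER_JAVA_OPTS line. Added example for this post (not from the
# post, Graylog or Wazuh). Paths and the 'changeit' password match the post;
# the environment variable names below are this script's own.
set -eu

CERT_DIR=${CERT_DIR:-/etc/graylog/server/certs}
JDK_CACERTS=${JDK_CACERTS:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}
WAZUH_CA=${WAZUH_CA:-/etc/wazuh-indexer/certs/root-ca.pem}
STOREPASS=${STOREPASS:-changeit}
ALIAS=${ALIAS:-root_ca}

# Given an existing GRAYLOG_SERVER_JAVA_OPTS="..." line, return it with the
# trust-store flags appended inside the quotes. Idempotent: a line that already
# carries -Djavax.net.ssl.trustStore is returned unchanged.
with_truststore() {   # line keystore storepass
  line=$1; ks=$2; pw=$3
  case "$line" in
    *-Djavax.net.ssl.trustStore=*) printf '%s\n' "$line"; return 0 ;;
  esac
  q='"'
  body=${line%"$q"}   # drop the closing quote (also tolerates a line missing it)
  printf '%s -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' \
    "$body" "$ks" "$pw"
}

# Copy the JDK trust store, import the Wazuh root CA, and verify the alias.
# cp -L (dereference) matters: on Debian/Ubuntu the JDK cacerts path is a
# symlink into /etc/ssl/certs/java, and 'cp -a' would copy the symlink, so the
# import would modify the system-wide store instead of our copy.
build_truststore() {
  mkdir -p "$CERT_DIR"
  cp -L "$JDK_CACERTS" "$CERT_DIR/cacerts"
  cp -L "$WAZUH_CA" "$CERT_DIR/root-ca.pem"
  chmod 644 "$CERT_DIR/cacerts" "$CERT_DIR/root-ca.pem"   # the graylog user only needs read
  keytool -importcert -noprompt -keystore "$CERT_DIR/cacerts" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$CERT_DIR/root-ca.pem"
  # keytool -list exits non-zero when the alias is absent, so this is the check
  keytool -list -keystore "$CERT_DIR/cacerts" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null
  echo "alias $ALIAS present in $CERT_DIR/cacerts"
}

# Usage: sh graylog-truststore.sh build
if [ "${1:-}" = "build" ]; then
  build_truststore
  echo "put this line in /etc/default/graylog-server:"
  with_truststore 'GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"' \
    "$CERT_DIR/cacerts" "$STOREPASS"
fi
```

Because each run starts from a fresh copy of the JDK's `cacerts`, the import never hits an "alias already exists" error, and the final `keytool -list` fails loudly if the CA somehow didn't land in the copy that Graylog will read.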
**Change Default Java Options**

Now we point Graylog's JVM at the trust store we just built. Open the defaults file:

```terminal
sudo nano /etc/default/graylog-server
```

Comment out this line:

```
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
```

and add the following:

```
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
```

### Configure the Connection to your Wazuh-Indexer:

Before we can do this next part, we need to configure a Graylog user in Wazuh. I'll open up the Wazuh interface, go into the menu, and find **Security** under **Indexer Management**:

![[wazuh_menu_graylog_user_configuration.png]]

I'll then click **Internal Users** and **Create Internal User**, and give it the username *graylog* and a password.

*Note*: this password ends up inside the `elasticsearch_hosts` URL in Graylog's config, so characters that are reserved in URLs (`@`, `:`, `/`, `?`, `#`, `%`) break parsing unless they are percent-encoded. The simplest option is to avoid them in this password.

I'll also set the backend role to `admin`, since Graylog needs to create indices and write into the indexer. That's the quick route; for a hardened setup, a custom role scoped to Graylog's own index prefixes (by default they start with `graylog_` and `gl-`) plus the cluster-level permissions it needs for index templates and health checks is the least-privilege option.

In `/etc/graylog/server/server.conf`, we'll configure:

```server.conf
elasticsearch_hosts = https://username:password@127.0.0.1:9200
```

using the username and password I configured in the Wazuh dashboard. I'm using `127.0.0.1` because that is the address the Wazuh quickstart script puts in the TLS certificates it generates for secure communication between its components.

## Configuring Graylog-Server

1. We need a `password_secret` and a hash of our root admin password, both stored in the Graylog server config. We'll start with the password secret, which I'll then copy and paste into `/etc/graylog/server/server.conf` as `password_secret`:

```terminal
sudo apt install pwgen
pwgen -N 1 -s 96
```
2. Then I'll use the following to create a hash of the root admin password. The hash goes into the Graylog config file, so make a note of the password itself!

```terminal
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
```

*Note*: the Graylog docs say not to log in with this password right away: on first start there may be a preflight login with generated first-time credentials, and once the pre-flight is complete the password set here is the one to use.

3. Open the Graylog server config file:

```terminal
sudo nano /etc/graylog/server/server.conf
```

4. Paste the root password hash into `root_password_sha2`.

5. Set `http_bind_address` to the address where the Graylog web interface and API will listen. It's commented out by default. `0.0.0.0:9000` listens on every interface over plain HTTP, which is fine for this lab; on anything reachable from untrusted networks, bind to a specific address and enable TLS (`http_enable_tls`) or terminate TLS in front of Graylog.

```server.conf
http_bind_address = 0.0.0.0:9000
```

6. Graylog recommends sizing the message journal to a max age of 72 hours and the *expected* total log volume over a 72-hour period. Their example uses a daily volume of 30 GB:

```server.conf
message_journal_max_age = 72h
message_journal_max_size = 90gb
```

These settings are commented out in `server.conf`, so uncomment and adjust them. I'm keeping the defaults of 12h and 5gb.

7. Now open the `graylog-server` defaults file, found at `/etc/default/graylog-server`:

```terminal
sudo nano /etc/default/graylog-server
```

8. Here it's recommended to set the Graylog heap to half the system memory, up to a maximum of 16 GB. As in the Wazuh post, set the minimum and maximum to the same value. With a minimum of 2 GB (`-Xms2g`) and a maximum of 2 GB (`-Xmx2g`), the line looks like:

```
GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"
```

Again, I'm keeping the default of 1 GB.
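Before starting the service, it is worth checking the indexer side with the same credentials Graylog will use. The script below ties together the `opensearch.yml` change, the graylog indexer user and `elasticsearch_hosts` line, and the secret/hash steps above. It is an added example written for this post, not code from the post, Graylog or Wazuh. It assumes the indexer at `https://127.0.0.1:9200`, the root CA at `/etc/graylog/server/certs/root-ca.pem` and a user called `graylog`; the `INDEXER_URL`, `INDEXER_USER`, `INDEXER_PASS` and `ROOT_CA` variables and the throwaway index name `graylog_write_probe` are this script's own. The helper functions run anywhere; the live probe runs only when `INDEXER_URL` is set.

```sh
#!/bin/sh
# Pre-start checks for the Graylog -> Wazuh indexer connection. Added example for
# this post (not from the post, Graylog or Wazuh). Env var names and the probe
# index name are this script's own; defaults match the post's setup.
set -eu

# Percent-encode a string for the userinfo part of a URL (RFC 3986): every byte
# outside the unreserved set [A-Za-z0-9._~-] becomes %XX, so a password such as
# 'p@ss:w/rd' becomes 'p%40ss%3Aw%2Frd' and no longer breaks URL parsing.
url_encode() {
  printf '%s' "$1" | od -An -tx1 -v | awk '
    BEGIN { for (i = 0; i < 256; i++) ord[sprintf("%02x", i)] = i }
    { for (f = 1; f <= NF; f++) {
        c = sprintf("%c", ord[$f ""])
        if (c ~ /^[A-Za-z0-9._~-]$/) printf "%s", c
        else printf "%%%s", toupper($f)
      } }'
}

# The elasticsearch_hosts line for server.conf, built from the raw credentials.
es_hosts_line() {   # user password host:port
  printf 'elasticsearch_hosts = https://%s:%s@%s\n' \
    "$(url_encode "$1")" "$(url_encode "$2")" "$3"
}

# root_password_sha2: the same value the post's one-liner produces
# (sha256 over the password bytes, no trailing newline).
root_password_sha2() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Extract version.number from the indexer's root ("/") JSON response.
indexer_version() {
  grep -o '"number" *: *"[^"]*"' | head -n 1 | sed 's/.*: *"//; s/"$//'
}

# What Graylog will see: with compatibility.override_main_response_version
# still enabled the indexer advertises 7.10.2 and Graylog treats it as
# Elasticsearch; a real OpenSearch version means the line was commented out.
compat_mode() {
  case "$1" in
    7.10.*) echo "elasticsearch-compat" ;;
    *)      echo "opensearch" ;;
  esac
}

# Live probe (needs the indexer): version check, then a write test as the
# graylog user by creating and deleting a throwaway index. curl takes the raw
# password; only the copy inside the server.conf URL needs percent-encoding.
indexer_probe() {   # url user password ca_file
  url=$1; user=$2; pass=$3; ca=$4
  root=$(curl -sS --fail --cacert "$ca" -u "$user:$pass" "$url/")
  ver=$(printf '%s' "$root" | indexer_version)
  echo "indexer reports version $ver -> $(compat_mode "$ver")"
  curl -sS --fail --cacert "$ca" -u "$user:$pass" -X PUT \
    -H 'Content-Type: application/json' -d '{"settings":{"number_of_replicas":0}}' \
    "$url/graylog_write_probe" >/dev/null
  curl -sS --fail --cacert "$ca" -u "$user:$pass" -X DELETE \
    "$url/graylog_write_probe" >/dev/null
  echo "write probe as '$user' succeeded"
}

# The live part only runs when INDEXER_URL is set, e.g.
#   INDEXER_URL=https://127.0.0.1:9200 INDEXER_PASS='p@ss' sh graylog-precheck.sh
if [ -n "${INDEXER_URL:-}" ]; then
  es_hosts_line "${INDEXER_USER:-graylog}" "${INDEXER_PASS:?set INDEXER_PASS}" \
    "${INDEXER_URL#https://}"
  indexer_probe "$INDEXER_URL" "${INDEXER_USER:-graylog}" "$INDEXER_PASS" \
    "${ROOT_CA:-/etc/graylog/server/certs/root-ca.pem}"
fi
```

If the version line says `elasticsearch-compat`, the `opensearch.yml` edit hasn't taken effect (or the indexer wasn't restarted); if the root request succeeds but the `PUT` fails with `--fail`, the user can read but not write, which is exactly the symptom the post describes.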
Finally, enable Graylog and start the service:

```
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
```

Startup takes a little while; you can watch it with `sudo journalctl -u graylog-server -f` (or in `/var/log/graylog-server/server.log`), which is also where a refused indexer connection will show up. Once it's up, we can go to the web URL `http://local_ip_address:9000` and log in as `admin` (Graylog's default `root_username`) with the password whose hash we put in `root_password_sha2` in the **Configuring Graylog-Server** section of this post.

## Logging into Graylog

![[graylog_login.png]]

Once we log in, we can view the Graylog dashboard:

![[graylog_dash.png]]

If I go into **System** at the top, then **Nodes**, I can check that my node is active and running (there are no inputs yet, so no logs are flowing):

![[graylog_system_nodes.png]]

If we flip back to Wazuh, go into **Index Management**, then **Indexes**, we can see that Graylog has created its own indices in the Wazuh indexer, which it does by default on first start:

![[wazuh_graylog_indices.png]]

Everything is looking good! In the next post, we'll start tweaking our stack, configuring Wazuh Manager to forward logs to Graylog and setting up a Wazuh agent.

---

## References

>Graylog Installation: https://go2docs.graylog.org/current/downloading_and_installing_graylog/ubuntu_installation.htm
>Taylor Walton, *Graylog Install - Best Log Ingester for Your SIEM!*: https://www.youtube.com/watch?v=63pNANfZHIk&t
>Taylor Walton, *Part 2. Graylog Install — Log Ingestion*: https://socfortress.medium.com/part-2-graylog-install-log-ingestion-da149c4844dc