ITTN-012: Graylog k8s deployment and configuration

  • Heinrich Reinking

Latest Revision: 2020-04-22

Note

This technote is not yet published.

Graylog k8s deployment and configuration

1   1   Introduction

Hierarchical construction, deployment and configuration of a Graylog chart over GKE

2   2   Requirements

2.1   2.1   Google Cloud Platform account

In order to correctly deploy the chart over GKE (Google Kubernetes Engine), it is needed for you to have a payed account, and sufficient priviledges to create a cluster and nodes among it.

3   3   Creating the Cluster

4   4   GCloud and kubectl extension

5   5   Helm charts and values.yaml

6   6   Ingress Controller

7   7   Deploying the charts

8   8   Configuring Graylog

8.1   8.1   Adding the Inputs

  1. Keeping to know the structure order

    Note

    Keeping to know the structure order

  2. Keeping to know the structure order

  3. Keeping to know the structure order

8.2   8.2   LookUP Tables

8.3   8.3   Dashboard

8.3.1   8.3.1   Centralized Logging System

a.Top Access to Servers b.Recent Root Access c.Failed Sudo Access d.Top Access to NetDevices e.Flapping Interfaces f.Successfull Loggins g.Failed Logins h.DNS hits LS/Dev i.Top Servers Talkers j.NetDev Interface Change State k.Top NetDev Talkers l.Authorized VPN Users Location m.Potencial Attacks through IP GeoLocation n.VPN Location - Username - IP

8.4   8.4   Extractors

8.4.1   8.4.1   Firewall

  1. Name: Source Name Description: Type: Substring Source Field: source New Field: source Configuration:

    • end_index: “5”
    • begin_index: “0”

  2. Name: Extract Involve IPs Description: Type: Split & Index Source Field: message New Field: src_and_dst_IP Configuration:

    • index: “2”
    • split_by: “{TCP}”

  3. Name: Source IP with Port Description: Type: Split & Index Source Field: src_and_dst_IP New Field: src_IP Configuration:

    • index: “1”
    • split_by: “->”

  4. Name: Destination IP Description: Type: Split & Index Source Field: src_and_dst_IP New Field: dst_IP Configuration:

    • index: “2”
    • split_by: “->”

  5. Name: Replace Destination IP Description: Type: Split & Index Source Field: dst_IP New Field: dst_IP Configuration:

    • index: “1”
    • split_by: “:”

  6. Name: Remove Port from Source IP Description: Type: Split & Index Source Field: src_IP New Field: src_IP Configuration:

    • index: “1”
    • split_by: “:”

  7. Name: Source Geolocation Description: Type: LookUP Table Source Field: src_IP New Field: src_geolocation Configuration:

    • lookup_table_name: “GeoLocation”

  8. Name: VPN Username and IP Description: Type: Split & Index Source Field: message New Field: userIP_and_Name Configuration:

    • index: “2”
    • split_by: “:”

  9. Name: User and Remote IP Description: Type: Split & Index Source Field: message New Field: username Configuration:

    • index: “1”
    • split_by: “:”

  10. Name: VPN Username Description: Type: Split & Index Source Field: username New Field: username Configuration:

    • index: “1”
    • split_by: “/”

  11. Name: VPN User IP Description: Type: Split & Index Source Field: username New Field: vpnIP Configuration:

    • index: “2”
    • split_by: “/”

  12. Name: Replace VPN User IP Description: Type: Split & Index Source Field: userIP_and_Name New Field: vpnIP Configuration:

    • index: “2”
    • split_by: “/”

  13. Name: VPN User Location Description: Type: LookUP Table Source Field: vpnIP New Field: vpn_location Configuration:

    • lookup_table_name: “GeoLocation”

8.4.2   8.4.2   Network

  1. S

8.4.3   8.4.3   Servers

tocdepth:1

Note

This technote is not yet published.

Hierarchical instructions for graylog deployment over GKE and all configurations for dashboards, extractors and lookup tables