2022年5月22日 星期日

Fortigate Log monitoring with Wazuh-manager

 參考自 https://github.com/wazuh/wazuh-kibana-app/issues/1884

 

架構說明

FTG-VM(.254)(syslog)
  ---> Wazuh(.160)(Rsyslog)
    ---> Wazuh-Agent(localfile)
      ---> Wazuh(WEB UI)


==================================

vi /etc/rsyslog.conf 

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514


if $fromhost-ip startswith '192.168.100.254' then /tmp/forti/syslog.log

& ~

(註：`& ~` 是舊式寫法，rsyslog 7 以上的等價寫法是 `& stop`。另外 syslog over UDP 沒有來源驗證，$fromhost-ip 的過濾只能擋掉誤送的 log、擋不了偽造來源；而 /tmp 是全域可寫且可能被 tmp 清理機制刪除的目錄，正式環境建議改用 /var/log/forti/ 之類的專用目錄並限制權限，ossec.conf 的 location 也要一起改。)

==================================

vi /var/ossec/etc/ossec.conf 

  <localfile>

    <log_format>syslog</log_format>

    <location>/tmp/forti/syslog.log</location>

  </localfile>

===================================


Demo

















2022年5月21日 星期六

Graylog 4.2 on Rocky Linux

 安裝 SOP 參考自 https://tech.davidfield.co.uk/graylog-4-x-on-rhel-8-for-log-monitoring/

使用軟體如下:


[root@rocky8 ~]# cat /etc/redhat-release 

Rocky Linux release 8.6 (Green Obsidian)

[root@rocky8 ~]# 



[root@rocky8 ~]# rpm -qa | grep elasticsearch 

elasticsearch-oss-7.10.2-1.x86_64


[root@rocky8 ~]# rpm -qa | grep mongodb

mongodb-org-server-4.2.20-1.el8.x86_64

mongodb-org-shell-4.2.20-1.el8.x86_64

mongodb-org-4.2.20-1.el8.x86_64

mongodb-org-tools-4.2.20-1.el8.x86_64

mongodb-org-mongos-4.2.20-1.el8.x86_64


[root@rocky8 ~]# rpm -qa | grep graylog

graylog-integrations-plugins-4.3.0-8.noarch

graylog-server-4.3.0-8.noarch


===============================================

測試架構

FTG-VM(192.168.100.254)--->RockyLinux(.160)---->GrayLog 4.2

syslog UDP 514------------------>Rsyslog UDP 514---->Graylog Syslog 8888


 vi /etc/rsyslog.conf


# Provides UDP syslog reception

# for parameters see http://www.rsyslog.com/doc/imudp.html

module(load="imudp") # needs to be done just once

input(type="imudp" port="514")


*.* @192.168.100.160:8888;RSYSLOG_SyslogProtocol23Format


=====================

# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.

# Generate one by using for example: pwgen -N 1 -s 96

# ATTENTION: This value must be the same on all Graylog nodes in the cluster.

# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)

password_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


# Create one by using for example: echo -n yourpassword | shasum -a 256

# and put the resulting hash value into the following line

root_password_sha2 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


vi /etc/graylog/server/server.conf

root_timezone = Asia/Taipei

http_bind_address = 0.0.0.0:9000

password_secret =

root_password_sha2 =

(註：password_secret 與 root_password_sha2 填入上面方式產生的值；用 echo 產生 hash 時密碼會留在 shell history，做完記得 history -c，或改用 read -s 讀入再計算。http_bind_address 綁 0.0.0.0 會在所有介面開放 9000 port，測試環境以外建議改綁內網 IP 或用防火牆限制來源。)


DEMO





卡關處-待研究

Marketplace

https://github.com/seanthegeek/graylog-fortigate-cef

以前的 Lab http://xrcd2.blogspot.com/2016/07/graylog2.html


2022年5月3日 星期二

CentOS 7 XFS Disk Extending

 yum install cloud-utils-growpart gdisk -y



growpart /dev/sdb 1


xfs_growfs /bricks/brick1



===============================



[root@fsb ~]# yum install cloud-utils-growpart gdisk -y

.........

Installed:

  cloud-utils-growpart.noarch 0:0.29-5.el7                                                               


Complete!

[root@fsb ~]# fdisk -l 


Disk /dev/sda: 64.4 GB, 64424509440 bytes, 125829120 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x000646df


   Device Boot      Start         End      Blocks   Id  System

/dev/sda1   *        2048     2099199     1048576   83  Linux

/dev/sda2         2099200   125583359    61742080   8e  Linux LVM


Disk /dev/sdb: 8589 MB, 8589934592 bytes, 16777216 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x329dce28


   Device Boot      Start         End      Blocks   Id  System

/dev/sdb1            2048     8388607     4193280   83  Linux


Disk /dev/mapper/centos-root: 59.1 GB, 59055800320 bytes, 115343360 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes



Disk /dev/mapper/centos-swap: 4160 MB, 4160749568 bytes, 8126464 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes


[root@fsb ~]# fdisk -l /dev/sdb


Disk /dev/sdb: 8589 MB, 8589934592 bytes, 16777216 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk label type: dos

Disk identifier: 0x329dce28


   Device Boot      Start         End      Blocks   Id  System

/dev/sdb1            2048     8388607     4193280   83  Linux

[root@fsb ~]# fdisk -l /dev/sdb1


Disk /dev/sdb1: 4293 MB, 4293918720 bytes, 8386560 sectors

Units = sectors of 1 * 512 = 512 bytes

Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes


[root@fsb ~]# lsblk /dev/sdb

NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sdb      8:16   0   8G  0 disk 

└─sdb1   8:17   0   4G  0 part /bricks/brick1


[root@fsb ~]# growpart /dev/sdb 1

CHANGED: partition=1 start=2048 old: size=8386560 end=8388608 new: size=16775135 end=16777183

[root@fsb ~]# df

Filesystem              1K-blocks    Used Available Use% Mounted on

devtmpfs                  1996168       0   1996168   0% /dev

tmpfs                     2013060       0   2013060   0% /dev/shm

tmpfs                     2013060   12284   2000776   1% /run

tmpfs                     2013060       0   2013060   0% /sys/fs/cgroup

/dev/mapper/centos-root  57643520 5305684  52337836  10% /

/dev/sdb1                 4183040   33232   4149808   1% /bricks/brick1

/dev/sda1                 1038336  299836    738500  29% /boot

fsb:/glustervol1.tcp      4183040   75064   4107976   2% /gluster/lock

tmpfs                      402612       0    402612   0% /run/user/0

[root@fsb ~]# df -h

Filesystem               Size  Used Avail Use% Mounted on

devtmpfs                 2.0G     0  2.0G   0% /dev

tmpfs                    2.0G     0  2.0G   0% /dev/shm

tmpfs                    2.0G   12M  2.0G   1% /run

tmpfs                    2.0G     0  2.0G   0% /sys/fs/cgroup

/dev/mapper/centos-root   55G  5.1G   50G  10% /

/dev/sdb1                4.0G   33M  4.0G   1% /bricks/brick1

/dev/sda1               1014M  293M  722M  29% /boot

fsb:/glustervol1.tcp     4.0G   74M  4.0G   2% /gluster/lock

tmpfs                    394M     0  394M   0% /run/user/0

[root@fsb ~]# xfs_growfs /bricks/brick1

meta-data=/dev/sdb1              isize=512    agcount=4, agsize=262080 blks

         =                       sectsz=512   attr=2, projid32bit=1

         =                       crc=1        finobt=0 spinodes=0

data     =                       bsize=4096   blocks=1048320, imaxpct=25

         =                       sunit=0      swidth=0 blks

naming   =version 2              bsize=4096   ascii-ci=0 ftype=1

log      =internal               bsize=4096   blocks=2560, version=2

         =                       sectsz=512   sunit=0 blks, lazy-count=1

realtime =none                   extsz=4096   blocks=0, rtextents=0

data blocks changed from 1048320 to 2096891

[root@fsb ~]# df -h

Filesystem               Size  Used Avail Use% Mounted on

devtmpfs                 2.0G     0  2.0G   0% /dev

tmpfs                    2.0G     0  2.0G   0% /dev/shm

tmpfs                    2.0G   12M  2.0G   1% /run

tmpfs                    2.0G     0  2.0G   0% /sys/fs/cgroup

/dev/mapper/centos-root   55G  5.1G   50G  10% /

/dev/sdb1                8.0G   33M  8.0G   1% /bricks/brick1

/dev/sda1               1014M  293M  722M  29% /boot

fsb:/glustervol1.tcp     8.0G  115M  7.9G   2% /gluster/lock

tmpfs                    394M     0  394M   0% /run/user/0

[root@fsb ~]#