AppLocker is a great tool to improve your security and application control, but it is only one part of the solution if you want to use it efficiently.
Last week I explained How to install and configure AppLocker to improve Application Control & Security.
Unfortunately, AppLocker creates its logs locally on every workstation or server where it is applied.
How can you manage all of these logs when you have 30 users and 10 servers or more?
How can you read the AppLocker event logs one by one?
The answer is YOU CAN'T, and so you never know what's going on.
So here comes the second part, which is the solution: collect and centralize the AppLocker logs in one place.
Today I will explain how to collect the AppLocker logs in one place with Graylog, which is an open source log management platform.
You can use Graylog for free with up to 5GB of logs per day.
The article includes the following sections:
- How to create the virtual machine in Hyper-V from Hyper-V Manager
- How to create the virtual machine in Hyper-V with PowerShell
- How to install CentOS 7 in Hyper-V
- How to configure the network settings of the CentOS 7 VM
- How to install Graylog on CentOS 7
- How to configure Graylog to accept the Windows event logs of AppLocker
So let's start!!!!
I have written a lot of articles about Hyper-V and you can find instructions there on how to create a virtual machine.
But because I never wrote about how to create a virtual machine for Linux, I would like to repeat all the steps.
- Open Hyper-V Manager
- Click New --- Virtual Machine
- Click Next
- Select the name of the VM and where it will be stored. Click Next
- Select Generation 2
- Select the RAM that you want to give it.
- Keep the default settings. Click Next.
- Select Attach a Virtual Hard Disk Later. Click Next
- Click Finish
- Now select the new VM. Click Settings on the right side.
- Click Processor. Increase the number of virtual processors to 2
- Select SCSI Controller
- Select Hard Drive. Click Add
- Click New.
- Click Next
- Select Fixed Size. Click Next
- Type the name and the location for the virtual disk. Click Next
- Type the size that you want for the virtual disk. Click Next
- Click Finish and wait.
You can create a new VM from PowerShell with the following command:
New-VM -VMName logsrv01 -Path "F:\HYPER-V" -Generation 2 -MemoryStartupBytes 4GB
and the virtual disk with the following command:
New-VHD -Path "f:\hyper-v\logsrv01\logsrv01.vhdx" -SizeBytes 40GB -Fixed
Now go into Settings and configure the Processor, RAM and Security, and add the virtual hard disk that you created.
After creating and configuring the VM it's time to set up CentOS 7, before setting up Graylog.
- From the VM Settings select SCSI Controller
- Select DVD Drive. Click Add
- Select the ISO for CentOS 7
- Select Security
- Change the Secure Boot template to Microsoft UEFI Certificate Authority.
- Start the VM
- When it boots, select Install CentOS 7
- Select the language for the installation process
- Click Installation Destination
- Click on the virtual disk. Click Done
- Now click Begin Installation.
- When the installation finishes, set the root password
- Wait a few minutes and that's it.
You have created the VM with CentOS 7 and now we must configure the network settings of CentOS 7.
The following steps describe how to configure the IP address, default gateway and DNS server.
Depending on your network, you must do the appropriate configuration in your firewalls so that the VM can connect to your LAN and has access to the Internet.
- First of all we must configure a static IP address.
- Login with the root user and type the following command to go to the appropriate path.
- Now type ls and identify the file ifcfg-eth0
- Type vi ifcfg-eth0
- Press the i key to start editing the file and make the following changes
- IPADDR= with the IP address that you want
- Now type :wq to save the file
- Change the default gateway
- Type vi /etc/sysconfig/network
- Type i to edit the file
- Add the lines
- HOSTNAME=whatever name you want
- GATEWAY=your gateway
- Once again type :wq to save the file
- Let's go on to configure the DNS as well
- Type vi /etc/resolv.conf
- Type i to edit
- Add the line
- nameserver <your DNS Server>
- Type :wq to save the file
- Now type /etc/init.d/network restart to restart the network service
If you have done all the appropriate configuration, try to ping the VM from another PC in the same subnet to verify that everything is OK.
The installation of Graylog is straightforward if all the above steps are completed successfully.
Before starting, I recommend connecting with SSH from PuTTY for better management.
You can find all the steps of how to install Graylog on CentOS 7 in the Graylog Documentation,
but I prefer to write down all the steps here.
For Graylog you must install the following:
- Login to CentOS 7 with the root user
- Install Java with the following command
sudo yum install java-1.8.0-openjdk-headless.x86_64
How to install MongoDB for Graylog
- Type the following command to edit the file and add the repository
- Add the following
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
- Save and exit the file
- Type the following command to install MongoDB
sudo yum install mongodb-org
- After the installation finishes, run the following commands to start MongoDB automatically during boot of the operating system
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl start mongod.service
sudo systemctl --type=service --state=active | grep mongod
How to install Elasticsearch
Graylog is used together with Elasticsearch. Follow these steps to install the open source version of Elasticsearch.
- Install the Elastic GPG key with the following command
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
- Edit the repository file
- Add the following content to the repository file
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
- Install Elasticsearch with the following command
sudo yum install elasticsearch-oss
- After the installation finishes, modify the Elasticsearch configuration file with the following command
- Set the cluster name to graylog and uncomment action.auto_create_index: false
- Save and exit the file
- Type the following commands to start Elasticsearch
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch
How to install Graylog
We are at the final step, which is to install Graylog.
Type the following commands to install the Graylog repository configuration and the Graylog application with the Enterprise plugins that we need to archive the logs:
- sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.2-repository_late…
- sudo yum update && sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
How to edit the configuration file of Graylog
You must be very careful here, because if you miss something Graylog will not start.
- For Graylog to start we must change the configuration file
- Type the following command to edit the file
- Find password_secret and root_password_sha2
- Add a password in password_secret based on the instructions in the configuration file
- Run the following command to create the root_password_sha2 and add it to the file.
- Note that the password you type before the root_password_sha2 is created is the one you will use to log in to the web portal when Graylog starts.
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
- Find and uncomment http_bind_address
- Type the IP address that is used for Graylog
- Save and exit the file
- The last step is to enable Graylog during operating system startup
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog
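As an added example (not code from the original post or from Graylog), the following shell script performs the server.conf edits described above in one go: it generates a random password_secret, hashes the root password the same way the sha256sum command above does, sets http_bind_address and checks the result before the service is started. It assumes the default key lines of a Graylog 3.x server.conf and runs on a constructed temporary copy, so it can be tried before touching /etc/graylog/server/server.conf.

```shell
# Added example, not from the original post or from Graylog: makes the three
# server.conf edits above in one go. Assumed: Graylog 3.x default key lines.

# Hex SHA-256 of a password, the value Graylog expects in root_password_sha2.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum
  else
    printf '%s' "$1" | shasum -a 256
  fi | cut -d' ' -f1
}

# 96 random hex characters for password_secret (Graylog needs at least 64).
gen_password_secret() {
  head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rewrite password_secret, root_password_sha2 and http_bind_address in $1,
# keeping the original as $1.bak. Only the hash of the root password is written.
configure_graylog_server_conf() {
  local conf="$1" secret="$2" pw_hash bind="$4"
  pw_hash=$(sha256_hex "$3")
  cp "$conf" "$conf.bak"
  sed -e "s|^password_secret *=.*|password_secret = $secret|" \
      -e "s|^root_password_sha2 *=.*|root_password_sha2 = $pw_hash|" \
      -e "s|^#*http_bind_address *=.*|http_bind_address = $bind:9000|" \
      "$conf.bak" > "$conf"
}

# Returns 0 only if all three keys are set to plausible values, so the file
# can be checked before systemctl start graylog-server.service.
check_graylog_server_conf() {
  grep -Eq '^password_secret = [0-9A-Za-z]{64,}$' "$1" &&
  grep -Eq '^root_password_sha2 = [0-9a-f]{64}$' "$1" &&
  grep -Eq '^http_bind_address = [0-9.]+:9000$' "$1"
}

# Constructed stand-in for /etc/graylog/server/server.conf with the real
# default key lines, so the example runs without a Graylog install.
make_sample_server_conf() {
  printf '%s\n' 'is_master = true' 'password_secret =' 'root_password_sha2 =' \
    '#http_bind_address = 127.0.0.1:9000' > "$1"
}

# Demo on a temporary copy; the IP and password are constructed sample values.
demo=$(mktemp)
make_sample_server_conf "$demo"
configure_graylog_server_conf "$demo" "$(gen_password_secret)" 'ChangeMe-Now' 192.168.1.50
check_graylog_server_conf "$demo" && echo 'server.conf OK:' && grep -v '^password_secret' "$demo"
```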
Configure SELinux and the firewall for Graylog
Based on the Graylog documentation you must enter the following command for the web server to access the network, but it never worked for me:
sudo setsebool -P httpd_can_network_connect 1
To verify that Graylog was up and running I followed these steps:
- Disable SELinux
- Restart the operating system
- From your PC, open Graylog in a web browser at the address http://<IP Address of Graylog>:9000
- If it is working then you must see something like this
- If you can't open the web page then the most common problem is the CentOS firewall
- To check the status of the firewall type the following command
systemctl status firewalld
- If it's active, stop the firewall and open Graylog from your web browser to verify that it is active.
systemctl stop firewalld
- If the problem is resolved then you must create a rule in the firewall to publish HTTP.
We are almost at the end.
We have set up Graylog and configured it so that the web page is accessible.
So let's finish it.
How to find the API token for the agent installation
- Open Graylog from your web browser
- Click on System/Authentication
- In the Administrator user click Edit Tokens
- Type a token name and click Create Token.
- Uncheck Hide Token and copy the token to use it in the installation of Graylog Sidecar
How to install the Graylog Sidecar agent
This is the agent that must be set up on every workstation/server from which you want to collect event logs.
- Download the sidecar from here
- Start the installation on one of the servers or workstations on which you have already applied AppLocker
- The installation follows the common steps of every wizard.
- The only thing that you must know is in the following step
- URL Address: change only the IP address to the IP address of your Graylog server
- API token: where to find it is described in the instructions above
- After the installation finishes, open a command prompt as Administrator and run the following commands to create and start the agent service
- "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
- "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
- Now go to Graylog System --Sidecar and verify that the server appears
How to collect logs from workstations or servers
After finishing the above steps you must create the sidecar configuration in Graylog to accept the logs from the workstations or servers.
- Go to System --- Sidecar
- Click Configuration
- Click Create Configuration
- Type a name of your choice.
- Click Collector and select winlogbeat on Windows
- In the Configuration, change hosts to the IP address of the Graylog server
- Also add the following line to collect the AppLocker logs as well
- name: Microsoft-Windows-AppLocker/EXE and DLL
- In this line you can add any type of event log; just write the log name.
- In this article I explain how to collect AppLocker logs.
- If you want to add more event logs then just decide which logs you want and add the log name to the winlogbeat configuration.
- Click Update.
- Click Overview and you must see the name of the Windows machine on which you have installed the agent.
- Click Manage Sidecar
- Check winlogbeat.
- On the right side click Configuration and select the configuration that you created before.
- Click Confirm
- Wait a few minutes and click Show messages to verify that Graylog collects the event logs from your workstation or server
- From now on all the event logs will be collected here, as long as no firewall blocks the connection.
It will take some time to finish, but now you can collect event logs from your Windows servers and any other device in your network.
Have a nice weekend!!