Install Graylog Docker

This guide shows you how to quickly set up and get started with Nzyme and Graylog version 2.3.2 using Docker. In this tutorial I’m using Mac OS but Docker can be install on any platform. For testing purposes, I’d recommend using Kali Linux or any Debian based distro on where Nzyme sensor is installed.

  1. May 18, 2021 Server installation: (Docker container) -Increase vm.maxmapcount (needed for elastic search) Graylog Configuration: -Create API Token: login to graylog- System/Authentication - Sidecars - Create or reuse a token for the graylog-sidecar user - Create token - Copy to clipboard (SideCarToken) -Create Beats.
  2. Apr 09, 2019 Docker made things super easy if you are curious about a new open source tool to try and even use it with isolated installations on your machine. In this article, I’ll show quick steps to install and give graylog a try with a simple nodejs application to send logical errors to graylog instance. 1) Copy the Continue reading 'Quick and dirty set up Graylog in 5 minutes with docker'.
Install graylog docker for windows

What is it?#

The output logs ran awhile while Graylog, MongoDB, and Elastisearch did their setup work. At the end of it, though, it did eventually become available (took about a full two minutes). Until it was ready, though, I saw the same response that you did.

Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode. Way more information is available on wtf.horse and GitHub.

In a real world scenario users would want to use an additional WWAN or LTE network interface, for when a LAN isn’t reachable or unavailable. Below demonstrates a simple network diagram that has two devices running nyzme, both have a number of network interfaces for collecting wireless traffic and communicating back to the centralised server.

This is how I would picture a simple network architecture:

Overview#

Setup Graylog Docker

A review of necessary steps. This guide can be applied to any Operating System running Docker software.

  • Installing Docker and using a docker-compose.yml configuration file that contains defined services (Graylog, MongoDB, ElasticSearch), networks and volumes.
  • Setting up a new GELF input through the Graylog web interface.
  • Setting up and deploying a Nzyme sensor.

Docker#

Docker provides containers and images that make it really easy to install and configure Graylog server. Mongo Database and ElasticSearch are both required by Graylog. Rather than installing by hand we could define them in our docker-compose.yml file. It’s also important to use the right software version, as Graylog is picky on what version is used. Without specifying the version, it’ll use the latest which in some cases isn’t a good idea.

Download and install docker: https://www.docker.com

A quick note on software versions:

  • MongoDB 3.0.15
  • ElasticSearch 5.5.2
  • Graylog 2.3.2

Network ports:

  • 514 - Syslog UDP/TCP
  • 9000 - Graylog Web Interface
  • 12201 - GELF TCP/UDP

Docker-Compose file#

Start container#

Simply save the above docker-compose.yml file to your Containers directory and type in a terminal:docker-compose up. This may take a bit of time as Docker downloads and installs the containers for the first time. Once completed on another tab you can check with: docker container list.

Graylog Web Interface#

Graylog

Once Docker has finishes loading up, you can access the Graylog Web Interface. By default the server listens on port 9000 which is accessible both through localhost address and your system’s LAN IP address.

Install Graylog Docker Windows 7

Default Web Interface Username and Password: admin:admin

To add a new GELF input simply Navigate to: System > Inputs. As shown:

And from the drop-down menu select GELF TCP and hit Launch new input. You’ll then be asked to enter a title. More options are available like enabling TLS for transmitting logs securely, however since this is a quick guide it won’t be required.

Connection Test#

Before continuing it’s a good idea to test whether the newly created input is actually accepting our entries. To do this you could run netcat from a terminal:

There now should be a new entry in http://127.0.0.1:9000/sources.

A more realistic approach would be doing the same test but from another computer on the same network, simply replace the IP address to your current system’s (where Docker is installed) address. Be sure to allow or disable firewall rules on TCP port 12201. As with Mac OS, the firewall will block incoming connections.

Nzyme#

Now that our centralised Graylog server is ready. It’s time to set up Nzyme. Nzyme runs on Java and thus requires a Java Runtime environment. Both the OpenJDK or the Oracle JDK versions of Java 7 or 8 work well.

Check whether Java is installed:java -version

To install OpenJDK Java 8:sudo apt-get install openjdk-8-jdk

Download and Install#

Download the most recent build from the Releases page. At the time of writing the latest version was (v0.2). The use of deb package for Raspberry Pi or other Debian based distributions is strongly encouraged. However, the Jar file should work fine too.

Free

Install Graylog Docker Windows 10

Install package with dpkg tool: sudo dpkg -i nzyme-0.2.deb

Once installed the package creates multiple files and directories:

  • /etc/nzyme/ - configurations with an automatically generated sample
  • /var/log/nzyme/nzyme.log - a log file for info/error information.
  • /usr/share/nzyme/ - contains the actual Jar file and symlinks

An example of nzyme.conf file:

All that needs to be changed is the interface device, if you’re using something other than wlan0, and graylog_addresses which corresponds to the graylog server address. You can also change channels to suite your country’s regulatory standards. The channels will hop on both 2.4GHz and 5GHz frequencies.

To start, stop, or check status about the service:

Docker
  • sudo systemctl start nzyme
  • sudo systemctl stop nzyme
  • sudo systemctl status nzyme

Install Graylog Docker Windows

To enable the service to start automatically on boot: sudo systemctl enable nzyme

Sample Output#

Example of Graylog running for :

Install Graylog Docker For Windows

Notes#

When navigating through the Graylog Web Interface, there may be some warning messages: “Could not update field graph data” or “Updating field graph data failed”. I think those are down to the ElasticSearch configuration, which others have also experienced: community.graylog.org. You could change the update rate to every 30 minutes.

A big thanks to Lennart Koopmann for creating and sharing this useful wireless tool.