================= Installation prerequisites ==============
4 GB of RAM minimum
4 cores minimum
320 or 500 GB of storage
CentOS 7
============ INSTALL JAVA =============
sudo yum install java-1.8.0-openjdk-headless.x86_64
===================== Install EPEL ==================
sudo yum install epel-release
sudo yum install pwgen
===================== Install nano (CentOS 7) =============
yum install nano
====================== MongoDB =================
Add the MongoDB repository file:
nano /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Install the latest version:
sudo yum install mongodb-org
Run the final steps to start MongoDB:
$ sudo systemctl daemon-reload
$ sudo systemctl enable mongod.service
$ sudo systemctl start mongod.service
================ Elasticsearch ==================
Import the Elastic GPG key and add the repository file with the following content:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
nano /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
followed by installing the latest version with
sudo yum install elasticsearch-oss
Be sure to modify the Elasticsearch configuration file:
nano /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
After modifying the configuration, you can start Elasticsearch:
$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service
================= Graylog ===========
Now install the Graylog repository configuration:
$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
$ sudo yum install graylog-server
In /etc/graylog/server/server.conf add password_secret and root_password_sha2. These settings are mandatory; without them Graylog will not start!
password_secret: generate with pwgen -N 1 -s 96
root_password_sha2: SHA-256 hash of the admin password (https://passwordsgenerator.net/sha256-hash-generator/)
Add the secrets: nano /etc/graylog/server/server.conf
Set the bind address: change the IP on the Default line to the Graylog server's address:
#Default 172.30.0.128:9000
http_bind_address = 172.30.0.128:9000
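The server.conf step above can be done without pasting the admin password into a web page. The following is an added example (not part of the original notes): it generates password_secret locally, hashes the admin password with SHA-256 for root_password_sha2, and writes both plus http_bind_address into the config file. It assumes the config path from the notes (/etc/graylog/server/server.conf), the Graylog 3.x key name http_bind_address, and that a 96-character alphanumeric secret is equivalent to what pwgen -N 1 -s 96 produces.

```python
"""Added example (not part of the original notes): generate the two mandatory
Graylog secrets locally and write them into server.conf.

Assumptions: the config path from the notes (/etc/graylog/server/server.conf),
the Graylog 3.x key name http_bind_address, and a 96-character alphanumeric
secret equivalent to what `pwgen -N 1 -s 96` produces.
"""
import hashlib
import re
import secrets
import string
from pathlib import Path
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def gen_password_secret(length: int = 96) -> str:
    """Random alphanumeric secret for password_secret, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def root_password_sha2(password: str) -> str:
    """SHA-256 hex digest of the admin password, the form Graylog expects in
    root_password_sha2. Hashing locally means the password never leaves the host."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_conf_value(text: str, key: str, value: str) -> str:
    """Replace an existing 'key = value' line (commented out or not) in the config
    text, or append one when the key is absent."""
    pattern = re.compile(rf"^#?[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key} = {value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)
    return text.rstrip("\n") + "\n" + line + "\n"


def get_conf_value(text: str, key: str) -> Optional[str]:
    """Read back the active (uncommented) value of a key, or None if it is unset."""
    m = re.search(rf"^{re.escape(key)}[ \t]*=[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def apply_graylog_secrets(conf_path: str, admin_password: str,
                          bind_address: str = "172.30.0.128:9000") -> dict:
    """Write password_secret, root_password_sha2 and http_bind_address into the
    file at conf_path; returns the values written so they can be verified."""
    path = Path(conf_path)
    text = path.read_text(encoding="utf-8")
    values = {
        "password_secret": gen_password_secret(),
        "root_password_sha2": root_password_sha2(admin_password),
        "http_bind_address": bind_address,
    }
    for key, value in values.items():
        text = set_conf_value(text, key, value)
    path.write_text(text, encoding="utf-8")
    return values


if __name__ == "__main__":
    # Dry run on a constructed server.conf fragment instead of touching /etc.
    sample = "#password_secret =\nroot_password_sha2 =\nis_master = true\n"
    sample = set_conf_value(sample, "password_secret", gen_password_secret())
    sample = set_conf_value(sample, "root_password_sha2", root_password_sha2("changeme"))
    sample = set_conf_value(sample, "http_bind_address", "172.30.0.128:9000")
    print(sample)
    # Real use (as root on the Graylog host):
    # apply_graylog_secrets("/etc/graylog/server/server.conf", admin_password)
```

When running it for real, read the admin password with getpass rather than passing it as a command-line argument, so it does not end up in shell history or the process list; the returned dictionary lets you confirm what was written before restarting graylog-server.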
The last step is to enable Graylog at operating-system boot:
$ sudo systemctl daemon-reload
$ sudo systemctl enable graylog-server.service
$ sudo systemctl start graylog-server.service
Access via the web interface
http://172.30.0.128:9000
Login: admin
Password: the admin password that was hashed as SHA-2 (root_password_sha2)
================= Search queries =================
"pppoe,ppp,info " AND * AND ": disconnected"
("wireless" AND ": disconnected, ") "sent deauth" "disassociated" "deauthenticated" "expired node"
ospf AND neighbor
"interface, info"
=================== Raw UDP input (extractor export) ==================
{
"extractors": [
{
"title": "Ubiquiti Wireless",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "%{DATA}Expired node:%{MAC}"
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "2.3.1"
}
================== UDP input (extractor export) ======================
{
"extractors": [
{
"title": "Desconexão - Mikrotik",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "wireless,info %{MAC}@%{DATA:Interface}: disconnected, %{DATA}"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Desconexão - Mikrotik - data from unknown device",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "wireless,info %{DATA:Interface}: data from unknown device %{MAC}, sent deauth"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Falha Login - Mikrotik Winbox",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "system,error,critical login failure for user %{USERNAME:login} from %{IP:origem} via winbox"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "OSPF - State Change",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "route,ospf,info OSPFv2 neighbor %{IPV4}: state change from %{DATA:state1} to %{DATA:state2}"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Desconexão - Intelbras 2",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{DATA} station %{MAC} deauthenticated, reason %{NUMBER}"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Desconexão - Intelbras",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "%{DATA} station %{MAC} disassociated, reason=%{NUMBER}"
},
"condition_type": "string",
"condition_value": "disassociated, reason"
},
{
"title": "Desconexão - PPPoE",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "message",
"extractor_config": {
"grok_pattern": "pppoe,ppp,info <%{DATA:USERNAME}>: disconnected"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "DNS_INCORRETO",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "firewall,info DNS_INCORRETO dstnat: in:<%{DATA:USERNAME}> %{DATA}"
},
"condition_type": "none",
"condition_value": ""
},
{
"title": "Login Incorreto",
"extractor_type": "grok",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "",
"extractor_config": {
"grok_pattern": "pppoe,ppp,error <%{DATA}>: user %{DATA:USERNAME} authentication failed"
},
"condition_type": "none",
"condition_value": ""
}
],
"version": "2.3.1"
}
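The grok patterns in the two extractor exports above (Raw UDP and UDP inputs) are easiest to validate before they are loaded into an input. The following is an added example, not part of the original notes or of Graylog itself: a small grok-to-regex emulation run over constructed sample syslog lines. It assumes simplified stand-ins for the grok base patterns used on this page (DATA, MAC, IPV4, IP, USERNAME, NUMBER; the MAC stand-in accepts colon- or dash-separated octets only), that matching is an unanchored search as grok does, and that the sample messages are constructed rather than captured from real devices. It also shows a failure mode worth knowing about: a trailing lazy %{DATA:state2} at the end of a pattern captures an empty string under search semantics, so a field like state2 in the OSPF extractor should be checked against real messages (GREEDYDATA is the usual fix for a trailing capture).

```python
"""Added example (not part of the original notes): emulate the grok extractors
exported above against constructed sample syslog lines, so each pattern can be
checked offline before it is loaded into a Graylog input.

Assumptions: only the grok names used on this page are implemented, with
simplified regexes approximating the built-in patterns; matching is an
unanchored search, as grok does; the sample messages are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Simplified stand-ins for the grok base patterns referenced on the page.
GROK_BASE = {
    "DATA": r".*?",
    "MAC": r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}
_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Turn %{NAME} / %{NAME:field} tokens into a Python regex; literal text is escaped."""
    out, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        name, field = m.group(1), m.group(2)
        base = GROK_BASE[name]  # KeyError here means a grok name this table does not know
        out.append(f"(?P<{field}>{base})" if field else f"(?:{base})")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return "".join(out)


def run_extractor(grok_pattern: str, message: str, condition: str = "") -> Optional[Dict[str, str]]:
    """Apply one extractor: honour a 'string' condition first, then search the
    message; return the named captures (possibly {}) or None on no match."""
    if condition and condition not in message:
        return None
    m = re.search(grok_to_regex(grok_pattern), message)
    return m.groupdict() if m else None


# (pattern, string condition) pairs copied from the page's extractor exports.
EXTRACTORS: Dict[str, Tuple[str, str]] = {
    "ubiquiti_expired": ("%{DATA}Expired node:%{MAC}", ""),
    "wifi_disconnect": ("wireless,info %{MAC}@%{DATA:Interface}: disconnected, %{DATA}", ""),
    "winbox_login_failure": ("system,error,critical login failure for user %{USERNAME:login} from %{IP:origem} via winbox", ""),
    "ospf_state_change": ("route,ospf,info OSPFv2 neighbor %{IPV4}: state change from %{DATA:state1} to %{DATA:state2}", ""),
    "pppoe_disconnect": ("pppoe,ppp,info <%{DATA:USERNAME}>: disconnected", ""),
    "intelbras_disassoc": ("%{DATA} station %{MAC} disassociated, reason=%{NUMBER}", "disassociated, reason"),
}

# Constructed sample messages in the shape the patterns expect (not real captures).
SAMPLE_MESSAGES: List[str] = [
    "wireless,info 00:11:22:33:44:55@wlan1: disconnected, received deauth: sending station leaving (3)",
    "system,error,critical login failure for user admin from 192.0.2.10 via winbox",
    "route,ospf,info OSPFv2 neighbor 10.0.0.2: state change from Exchange to Full",
    "pppoe,ppp,info <pppoe-user01>: disconnected",
    "wlan0: station 66:77:88:99:AA:BB disassociated, reason=8",
    "wlan0: station 66:77:88:99:AA:BB associated",
    "hostapd: Expired node:AA-BB-CC-DD-EE-FF",
]


def extract_all(messages: List[str],
                extractors: Dict[str, Tuple[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Run every extractor over every message; {extractor: captures of each hit}."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for name, (pattern, condition) in extractors.items():
        hits = []
        for msg in messages:
            cap = run_extractor(pattern, msg, condition)
            if cap is not None:
                hits.append(cap)
        results[name] = hits
    return results


if __name__ == "__main__":
    for name, hits in extract_all(SAMPLE_MESSAGES, EXTRACTORS).items():
        print(f"{name}: {len(hits)} hit(s) {hits}")
```

An extractor that matches but defines no named field (the Ubiquiti and Intelbras patterns) returns an empty dictionary rather than None, which is the difference between "message recognised" and "message ignored"; when adding your own patterns, run them through this harness with a few real messages from the device and confirm every field you intend to alert on is non-empty.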