Graylog VM Setup – Start to Finish

Follow guide here:
http://docs.graylog.org/en/latest/pages/installation/virtual_machine_appliances.html

http://docs.graylog.org/en/1.1/pages/installation/graylog_ctl.html

set ubuntu password:
passwd

Set Static IP:
sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.1

Update Ubuntu:
sudo aptitude update && sudo aptitude upgrade

sudo graylog-ctl set-email-config [--port= --user= --password=]
sudo graylog-ctl set-admin-password
sudo graylog-ctl set-timezone
sudo graylog-ctl enforce-ssl
example: sudo graylog-ctl set-timezone America/New_York

sudo graylog-ctl reconfigure

Log in to the web interface, add inputs, point log sources at Graylog, and install the Graylog Collector or NXLog on clients as needed.

Grow VM disk:
df -h
fdisk -l
pvcreate /dev/sdb
lvdisplay
vgextend graylog-vg /dev/sdb
lvextend -l +100%FREE /dev/graylog-vg/root
resize2fs /dev/graylog-vg/root
df -h

set retention policy
sudo graylog-ctl set-retention --size=1 --indices=100
sudo graylog-ctl reconfigure

100 GB of log space now

useful paths:
/opt/graylog/conf/

Since I have only 1 server, I’m configuring it for 1 shard and 0 replicas.
/opt/graylog/conf/graylog.conf
elasticsearch_shards = 1
elasticsearch_replicas = 0
then graylog-ctl restart
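The shard/replica change above is a hand edit of graylog.conf. The helper below is an added example (not graylog-ctl's tooling, and not from the original notes) that makes such edits idempotent: it rewrites an existing or commented-out key in place, appends the key if it is absent, keeps one backup, and writes through the original inode so the file's owner and mode survive. The function names and the sample config are constructed for this page.

```shell
#!/bin/sh
# Added example: idempotent "key = value" editing for a graylog.conf-style file.
# set_conf_key/get_conf_key are constructed names, not graylog-ctl commands.
# VALUE must not contain '|' or '&' (they are used as sed delimiters/specials).
# If a key appears more than once, every occurrence is rewritten.
set_conf_key() {
    file=$1 key=$2 value=$3
    # Keep one backup before the first change
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # Key present (active or commented out): rewrite that line in place.
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # write through the original inode so owner/mode survive
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY (last active line wins), empty if unset.
get_conf_key() {
    sed -n -E "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Demo on a constructed copy, never on the live /opt/graylog/conf/graylog.conf.
demo() {
    conf=$(mktemp)
    printf '%s\n' '# constructed sample' 'elasticsearch_shards = 4' '#elasticsearch_replicas = 1' > "$conf"
    set_conf_key "$conf" elasticsearch_shards 1
    set_conf_key "$conf" elasticsearch_replicas 0
    cat "$conf"
    rm -f "$conf" "$conf.bak"
}
demo
```

Run it against a copy first (as the demo does); once the diff against the `.bak` looks right, apply it to the real file and follow with `graylog-ctl restart` as the notes say.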

To be continued…

troubleshooting:
sudo graylog-ctl tail
watch the messages and look for something wrong

If an index gets corrupted you can manually cycle the deflector.
cron job to email status report from graylog
sudo apt-get install python-pip

Useful Linux Commands

Determine Linux Distro and Version

lsb_release -a

and/or

cat /etc/issue

Change permissions on files to 644 and folders to 744

find . -type f -print0 | xargs -0 chmod -v 644
find . -type d -print0 | xargs -0 chmod -v 744
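The chmod one-liners above break on names containing spaces unless the null-separated form is used. The following added example (not from the original notes; function names constructed) does the same normalization with `find -exec ... {} +`, which batches arguments like xargs but never splits on whitespace, and adds an audit step that lists what would change before anything is touched. It builds its own temporary tree with an awkward name so it can be run safely anywhere.

```shell
#!/bin/sh
# Added example (not from the page): audit and normalize modes the way the notes
# above do (files 644, directories 744), safely for names with spaces or newlines.
# list_nonconforming / normalize_modes / mode_of are constructed names.

# List paths that do not yet have the target mode (dry run / audit).
list_nonconforming() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 744 -print
}

# Apply the target modes. -exec {} + batches arguments but never word-splits.
normalize_modes() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 744 {} +
}

# Octal mode of a path (GNU/busybox stat; BSD stat would use -f %Lp).
mode_of() {
    stat -c %a "$1"
}

# Demo on a constructed temporary tree with an awkward name.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/sub dir"
    printf 'x\n' > "$tree/sub dir/my file.txt"
    chmod 600 "$tree/sub dir/my file.txt"
    echo "before (paths that would change):"; list_nonconforming "$tree"
    normalize_modes "$tree"
    echo "after: file=$(mode_of "$tree/sub dir/my file.txt") dir=$(mode_of "$tree/sub dir")"
    rm -rf "$tree"
}
demo
```

One thing the audit step makes visible: 744 on a directory leaves only the owner able to traverse it (group and others get read without execute), so `ls` works for them but opening files inside does not. The example keeps the notes' numbers; 755 is the usual directory counterpart to 644 when others are meant to get in.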

Install man page
cp manpage.1 /usr/local/share/man/man1
mandb

Search for pattern in certain filetypes

grep --include=\*.{txt,csv,odt,ods} -rnw 'directory' -e "pattern"

Check if network port is open and listening

netstat -tnlp

use netcat to check if port is open

nc -vvzn IP PORT
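Beyond checking a single port, the defensive use of `netstat -tnlp` is to confirm that only the services you expect are listening. The added example below (not from the original notes) parses `netstat -tnlp` output and reports every listening TCP port that is not on an allowlist, returning a non-zero status so it can run from cron or a monitoring check. `audit_listeners` is a constructed name and `SAMPLE_NETSTAT` is constructed output so it runs offline; the expected-port set in the demo is an assumption (SSH, Graylog's default web port 9000, GELF 12201, MongoDB 27017, Elasticsearch 9200), not something the notes state.

```shell
#!/bin/sh
# Added example (not from the page): listener audit over `netstat -tnlp` output.
# In practice:  netstat -tnlp | audit_listeners "22 9000"
# (netstat -p only shows the program name when run as root; otherwise $7 is "-").

# Constructed sample of what `netstat -tnlp` prints on a single-node Graylog VM.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      1543/java
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1201/mongod
tcp        0      0 0.0.0.0:12201           0.0.0.0:*               LISTEN      1543/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2210/python
tcp6       0      0 :::9200                 :::*                    LISTEN      1337/java'

# Read netstat -tnlp output on stdin; $1 is a space-separated allowlist of ports.
# Prints "port pid/program" for each unexpected listener; exit 1 if any, else 0.
audit_listeners() {
    awk -v allow=" $1 " '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]   # last field after ":" also handles IPv6 ":::9200"
            if (index(allow, " " port " ") == 0) { print port, $7; found = 1 }
        }
        END { if (found) exit 1; exit 0 }'
}

# Demo with an assumed expected-port set for the VM described in these notes.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "22 9000 12201 27017 9200" \
        || echo "unexpected listener(s) above; identify the process before exposing the host"
}
demo
```

Keep the allowlist next to the firewall rules for the host so the two stay in step; a listener that is neither allowlisted nor reachable through the firewall is still worth a look, since it usually means something was installed or enabled that nobody recorded.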

Powershell Snippets for System Admins

Powershell AD User Management

Delete Disabled AD accounts

Get-ADUser -Filter 'Enabled -eq $false' | Select GivenName
Get-ADUser -Filter 'Enabled -eq $false' | Remove-ADUser -whatif
Get-ADUser -Filter 'Enabled -eq $false' | Remove-ADUser -Confirm

Add Active Directory Module

Import-Module activedirectory

Add User

New-ADUser -SamAccountName "$username" -GivenName "$first" -Surname "$last" `
    -Department "$dept" -Name "First Last" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText "$password" -Force) `
    -CannotChangePassword $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Enabled $true -Path "CN=Users,dc=something,dc=something" -PassThru -Confirm

Remove local user profile

Get-WmiObject win32_userprofile | where {$_.LocalPath -like "*bert"} | Remove-WmiObject -whatif

Set User’s Password

Set-ADAccountPassword -Identity "$username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$password" -Force)

Environment Variables

[Environment]::UserName
[Environment]::UserDomainName
[Environment]::MachineName

Delete User

Remove-ADUser -Identity "$username"

Scheduled task to run powershell script

Program/script: powershell -file "pathto.ps1"

Script to restart service if stopped

$serviceName = "Sam Client Control"

If ( (Get-Service $serviceName).Status -ne "Running") {
    Write-Output "$serviceName is stopped. It was started on $(Get-Date)" | Out-File C:\SamSvcRestart_log.txt -Append
    Start-Service $serviceName
}