Graylog VM Setup – Start to Finish

Follow guide here:

set ubuntu password:

Set Static IP:
sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static

Update Ubuntu:
sudo aptitude update && sudo aptitude upgrade

sudo graylog-ctl set-email-config [–port= –user= –password=]
sudo graylog-ctl set-admin-password
sudo graylog-ctl set-timezone
sudo graylog-ctl enforce-ssl
example: sudo graylog-ctl set-timezone America/New_York

sudo graylog-ctl reconfigure

login web interface. Add inputs. Point stuff to graylog. Install graylog collector or NX log as needed.

Grow VM disk:
df -h
fdisk -l
pvcreate /dev/sdb
vgextend graylog-vg /dev/sdb
lvextend -l +100%FREE /dev/graylog-vg/root
resize2fs /dev/graylog-vg/root
df -h

set retention policy
sudo graylog-ctl set-retention –size=1 –indices=100
sudo graylog-ctl reconfigure

100gb of log space now

useful paths:

Since I have only 1 server, I’m configuring it for 1 shard and 0 replicas.
elasticsearch_shards = 1
elasticsearch_replicas = 0
then graylog-ctl restart

To be continued…

sudo graylog-ctl tail
watch the messages and look for something wrong

If an index gets corrupted you can manually cycle the deflector.
cron job to email status report from graylog
sudo apt-get install python-pip

Useful Linux Commands

Determine Linux Distro and Version

lsb_release -a


cat /proc/issue

Change permissions on files to 644 and folders to 744

find . -type f | xargs chmod -v 644
find . -type d | xargs chmod -v 744

Install man page
cp manpage.1 /usr/local/share/man/man1

Search for pattern in certain filetypes

grep --include=\*.{txt,csv,odt,ods} -rnw 'directory' -e "pattern"

Check if network port is open and listening

netstat -tnlp

use netcat to check if port is open

nc -vvzn IP PORT

Powershell Snippets for System Admins

Powershell AD User Management

Delete Disabled AD accounts

Get-ADUser -Filter 'Enabled -eq $false' | Select GivenName
Get-ADUser -Filter 'Enabled -eq $false' | Remove-ADUser -whatif
Get-ADUser -Filter 'Enabled -eq $false' | Remove-ADUser -Confirm

Add Active Directory Module

Import-Module activedirectory

Add User

New-ADUser -SamAccountName "$username" -GivenName "$first" -Surname "$last" -Department "$dept" -Name "First Last" -AccountPassword (ConvertTo-SecureString -AsPlainText "$password" -Force) -CannotChangePassword 1 -ChangePasswordAtLogon 0 -PasswordNeverExpires 1 -Enabled 1 -Path "CN=Users,dc=something,dc=something" -passthru -confirm

Remove local user profile

Get-WmiObject win32_userprofile | where {$_.LocalPath -like "*bert"} | Remove-WmiObject -whatif

Set User’s Password

Set-ADAccountPassword -Identity "$username" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$password" -Force)

Environment Variables


Delete User

Remove-ADUser -Identity "$username"

Scheduled task to run powershell script

Program/script: powershell -file “pathto.ps1”

Script to restart service if stopped

$serviceName = "Sam Client Control"

If ( (Get-Service $serviceName).Status -ne "Running") {
    Write-Output "$serviceName is stopped. It was started on $(Get-Date)" | Out-File C:\SamSvcRestart_log.txt -Append
    Start-Service $serviceName