Graylog Alert Gateway

Web-based application designed to integrate Graylog with different IRP (incident response platform) systems.

Description

This application delivers Graylog alert data to the following IRP systems:

And to Telegram (Optional)

Environment

This app has been tested with the following versions:

  • Python 3.9
  • Graylog 4.2.2
  • TheHive4 4.1.16

Setup

Native

  • Create non root user:
sudo adduser --disabled-password gateway && \
sudo su - gateway
  • Check out the code:
git clone git@github.com:malinkinsa/graylog-alert-gateway.git
  • Set up a virtual environment:
virtualenv --python=python3 gateway-env && \
source gateway-env/bin/activate
  • Install the Python requirements into the activated virtualenv (do not pass --user here: pip refuses user-site installs inside a virtualenv, and the requirements file lives in the checkout):
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir -r graylog-alert-gateway/requirements.txt
  • Configure the app via config.ini:
vi graylog-alert-gateway/config.ini
  • Log out from user gateway (exit)

  • Create the systemd unit file (the unit must run as the unprivileged gateway user created above; without User= it would run as root):

sudo vi /etc/systemd/system/graylog-alert-gateway.service

[Unit]
Description=graylog-alert-gateway
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Run as the non-root user created above, not as root
User=gateway
Group=gateway
# Run from the checkout so relative paths resolve against it
WorkingDirectory=/home/gateway/graylog-alert-gateway
ExecStart=/home/gateway/gateway-env/bin/python3 /home/gateway/graylog-alert-gateway/launch.py
Restart=on-failure

# Connects standard output to journal
StandardOutput=journal

# Connects standard error to journal
StandardError=journal

[Install]
WantedBy=multi-user.target
  • Reload the systemd configuration:
sudo systemctl daemon-reload
  • Enable the unit so it survives reboots and launch the app:
sudo systemctl enable --now graylog-alert-gateway.service

Docker & Docker-compose

Pre-built

Supported tags

latest

  • Pull image:
docker pull malinkinsa/graylog-alert-gateway:latest
  • Download and configure config.ini:
wget https://raw.githubusercontent.com/malinkinsa/graylog-alert-gateway/master/config.ini && \
vi config.ini
  • Start the Docker container. A bind mount needs an absolute host path (a bare "config.ini" would be treated as a named volume, not your file); mount the config read-only so the container cannot modify it:
docker run -d \
--name graylog-alert-gateway \
-v "$(pwd)/config.ini:/opt/graylog-alert-gateway/config.ini:ro" \
-p 8000:8000 \
malinkinsa/graylog-alert-gateway:latest

Your own

  • Check out the code:
git clone git@github.com:malinkinsa/graylog-alert-gateway.git
  • Configure config.ini:
cd graylog-alert-gateway && \
vi config.ini
  • Build your own container:
docker build -t name:tag .
  • Start the Docker container:
docker run -d \
--name graylog-alert-gateway \
-p 8000:8000 \
name:tag

Because config.ini is edited before the build and no volume is mounted at run time, the credentials it holds (IRP API keys, Telegram token) end up inside the image layers; do not push such an image to a shared registry. If you need to share the image, build it with an unconfigured config.ini and bind-mount the real one at run time as in the pre-built instructions.

Graylog notification channel

  • Create a new Graylog notification: Graylog -> Alerts -> Notifications -> Create Notification
  • Settings:
    • Specify a title;
    • Notification Type: HTTP Notification;
    • URL: the address where the gateway is listening, for example: http://example.com:8000/input/
    • Add this exact URL to the Graylog URL whitelist (System -> Configurations -> URL Whitelist Configuration). Disabling the whitelist entirely also works, but it lets any notification or lookup target any URL, so prefer whitelisting only the gateway URL.
  • Add this notification to your Event Definition;
  • The fields you specify in the Fields block of your Event Definition become artifacts in the IRP system.
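What Graylog sends to the URL above is an HTTP POST with a JSON body describing the event. The following is an added example, not the project's code: a stand-in for the gateway's /input/ endpoint that validates such a body (method, path, content type, required keys) and turns the Event Definition's Fields into IRP-style artifacts, plus a client that posts the way Graylog's HTTP Notification does so the exchange can be exercised locally. The JSON layout follows Graylog's HTTP notification format (event_definition_* keys and an event object carrying fields and priority); the sample values are constructed, and the observable typing heuristic and the priority-to-severity table are this example's own assumptions, not the gateway's logic.

```python
"""Added example (not the project's code): a local stand-in for the gateway's
/input/ endpoint and the Graylog-style POST that feeds it. The payload layout
follows Graylog's HTTP notification JSON; artifact typing and the
priority-to-severity table are assumptions made for illustration."""
import ipaddress
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed sample notification body (ids, hosts and addresses are made up).
SAMPLE_NOTIFICATION = json.dumps({
    "event_definition_id": "000000000000000000000aaa",
    "event_definition_type": "aggregation-v1",
    "event_definition_title": "SSH brute force",
    "event_definition_description": "Repeated failed logins from one source",
    "event": {
        "timestamp": "2021-12-20T10:15:30.000Z",
        "source_streams": ["000000000000000000000bbb"],
        "message": "SSH brute force: count()=42",
        "priority": 3,            # Graylog priority: 1 low, 2 normal, 3 high
        # Fields block of the Event Definition -> artifacts in the IRP
        "fields": {"source_ip": "203.0.113.45", "target_user": "root",
                   "src_host": "attacker.example.net"},
    },
}).encode()

# Assumed mapping: Graylog priority -> TheHive severity (1 low, 2 medium, 3 high)
SEVERITY = {1: 1, 2: 2, 3: 3}


def artifact_type(value: str) -> str:
    """Crude observable typing (assumption): IP literal, dotted name, else other."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if "." in value and " " not in value else "other"


def parse_graylog_notification(body: bytes) -> dict:
    """Validate a notification body and build an IRP-style alert from it."""
    data = json.loads(body)
    event = data.get("event")
    if not isinstance(event, dict) or "timestamp" not in event:
        raise ValueError("missing 'event' object")
    artifacts = [{"dataType": artifact_type(str(v)), "data": str(v)}
                 for k, v in (event.get("fields") or {}).items()]
    return {
        "title": data.get("event_definition_title") or event.get("message", ""),
        "description": data.get("event_definition_description", ""),
        "severity": SEVERITY.get(event.get("priority"), 2),
        "timestamp": event["timestamp"],
        "streams": list(event.get("source_streams") or event.get("streams") or []),
        "artifacts": artifacts,
    }


class InputHandler(BaseHTTPRequestHandler):
    """Stand-in for the gateway's /input/ endpoint; keeps accepted alerts."""
    received: list = []

    def do_POST(self):
        # Read the body first so a rejected client never sees a connection reset.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.rstrip("/") != "/input":
            return self._reply(404, "unknown path")
        if not self.headers.get("Content-Type", "").startswith("application/json"):
            return self._reply(415, "expected application/json")
        try:
            alert = parse_graylog_notification(body)
        except (ValueError, KeyError) as exc:
            return self._reply(400, f"bad notification: {exc}")
        self.received.append(alert)
        self._reply(200, "accepted")

    def _reply(self, code: int, text: str):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_local_gateway():
    """Bind a throwaway server on 127.0.0.1 and return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), InputHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def post_notification(url: str, body: bytes, content_type="application/json") -> int:
    """POST a JSON body the way Graylog's HTTP Notification does; return the status."""
    req = request.Request(url, data=body, method="POST",
                          headers={"Content-Type": content_type})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status
    except error.HTTPError as exc:
        return exc.code
```

To try it, call start_local_gateway(), post SAMPLE_NOTIFICATION to base_url + "/input/" with post_notification(), and inspect InputHandler.received[-1]["artifacts"]: the three Event Definition fields come back as one ip, one other and one domain observable, while a wrong path, a non-JSON content type or a body without an event object are rejected with 404, 415 and 400 respectively.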

To Do

  • Readme about graylog setup;
  • Sentry support;
  • Readme about modules:
    • stream_resolver;
    • telegram
  • Docker support;
  • README about Setup;
    • Native;
    • Dockerized;