Graylog Alert Gateway
Web-based application designed to integrate Graylog with different IRP (incident response platform) systems.
Description
This application lets you deliver Graylog alert data to IRP systems (TheHive 4 is the integration listed under Environment below) and, optionally, to Telegram.
Environment
This app has been tested with the following versions:
- Python 3.9
- Graylog 4.2.2
- TheHive4 4.1.16
Setup
Native
- Create a non-root user and switch to it:
sudo adduser --disabled-password gateway && \
sudo su - gateway
- Checkout the code:
git clone git@github.com:malinkinsa/graylog-alert-gateway.git
- Setup Virtual Environment:
virtualenv --python=python3 gateway-env && \
source gateway-env/bin/activate
- Install the Python requirements into the virtual environment (do not pass --user inside a virtualenv, pip refuses it; the requirements file lives in the checked-out repository):
pip3 install --no-cache-dir --upgrade pip && \
pip3 install --no-cache-dir -r graylog-alert-gateway/requirements.txt
- Setup the app via config.ini:
vi graylog-alert-gateway/config.ini
- Log out from user gateway (the remaining steps need sudo)
- Create a systemd unit file. The User= and Group= lines matter: without them the service runs as root, which defeats the non-root user created above:
sudo vi /etc/systemd/system/graylog-alert-gateway.service
[Unit]
Description=graylog-alert-gateway
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
# Run as the unprivileged user created above, never as root
User=gateway
Group=gateway
WorkingDirectory=/home/gateway/graylog-alert-gateway
ExecStart=/home/gateway/gateway-env/bin/python3 /home/gateway/graylog-alert-gateway/launch.py
Restart=on-failure
NoNewPrivileges=true
# Connects standard output to journal
StandardOutput=journal
# Connects standard error to journal
StandardError=journal
[Install]
WantedBy=multi-user.target
- Reload the systemd configuration:
sudo systemctl daemon-reload
- Enable the unit at boot and launch the app:
sudo systemctl enable --now graylog-alert-gateway.service
Docker & Docker-compose
Pre-built
Supported tags
latest
- Pull image:
docker pull malinkinsa/graylog-alert-gateway:latest
- Download and configure config.ini:
wget https://raw.githubusercontent.com/malinkinsa/graylog-alert-gateway/master/config.ini && \
vi config.ini
- Start the docker container. The bind mount needs an absolute host path: a bare config.ini is treated by Docker as a named volume and gets mounted over the file as an empty directory. Mounting it read-only keeps the container from rewriting your configuration:
docker run -d \
--name graylog-alert-gateway \
-v "$PWD/config.ini:/opt/graylog-alert-gateway/config.ini:ro" \
-p 8000:8000 \
malinkinsa/graylog-alert-gateway:latest
Your own
- Checkout the code:
git clone git@github.com:malinkinsa/graylog-alert-gateway.git
- Configure config.ini:
cd graylog-alert-gateway && \
vi config.ini
- Build your own container. Because config.ini is edited before the build and the run command below does not mount it, the container reads the copy built into the image, so any API keys or Telegram tokens in it are part of the image layers; do not push such an image to a registry others can pull from (or mount the file at run time as in the pre-built section instead):
docker build -t name:tag .
- Start docker container:
docker run -d \
--name graylog-alert-gateway \
-p 8000:8000 \
name:tag
Graylog notification channel
- Create a new Graylog notification channel:
Graylog -> Alerts -> Notifications -> Create Notification
- Settings:
- Specify a title;
- Notification Type: HTTP Notification;
- URL: the address at which the application is reachable, for example:
http://example.com:8000/input/
- Add this URL to the Graylog URL whitelist as a literal or regex entry in System -> Configurations -> URL Whitelist Configuration. Disabling the whitelist also works, but the whitelist is what limits which external hosts Graylog can be made to call, so prefer adding an entry;
- Add this notification channel to an Event Definition;
- The fields you define in the Fields block of that Event Definition are sent with each alert and become artifacts in the IRP system;
Note that the setup above reaches /input/ over plain HTTP on port 8000 and shows no authentication of the caller, so restrict which hosts can reach the port (host firewall, binding to an internal interface, or a TLS-terminating reverse proxy in front of it); otherwise any host that can reach it can inject fabricated alerts into the IRP.
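As an added example (not code from this project): the JSON body a Graylog 4.x HTTP Notification posts to /input/ carries the Event Definition's custom fields under event.fields, which is where the artifacts described above come from. The script below builds a constructed sample of such a payload, validates that it has the shape the gateway needs, extracts the fields that would become artifacts, and can POST the sample to a running gateway to check a fresh deployment before wiring up Graylog. The payload layout reflects what Graylog 4 sends to the best of my knowledge and the default gateway URL is a placeholder; treat both as assumptions.

```python
import json
import sys
import urllib.request

# Constructed sample of a Graylog 4.x HTTP Notification body (assumed layout,
# trimmed to the keys used here). Graylog posts the whole object as JSON.
SAMPLE_NOTIFICATION = {
    "event_definition_id": "def-1",
    "event_definition_type": "aggregation-v1",
    "event_definition_title": "SSH brute force",
    "event_definition_description": "Many failed SSH logins from one source",
    "event": {
        "id": "evt-1",
        "event_definition_id": "def-1",
        "timestamp": "2022-01-10T12:00:00.000Z",
        "message": "SSH brute force: 10.0.0.5",
        "source": "graylog-node-1",
        "priority": 2,
        "alert": True,
        "streams": ["stream-1"],
        # Custom fields from the Event Definition's "Fields" block
        "fields": {"src_ip": "10.0.0.5", "target_user": "root"},
    },
    # Constructed backlog message, as Graylog attaches when backlog > 0
    "backlog": [
        {"message": "Failed password for root from 10.0.0.5 port 51234 ssh2",
         "source": "bastion", "timestamp": "2022-01-10T11:59:58.000Z"},
    ],
}


def validate_notification(payload):
    """Return a list of problems; empty means the body looks like a
    Graylog HTTP Notification the gateway can turn into an alert."""
    problems = []
    if not isinstance(payload, dict):
        return ["body is not a JSON object"]
    if not payload.get("event_definition_title"):
        problems.append("missing event_definition_title")
    event = payload.get("event")
    if not isinstance(event, dict):
        problems.append("missing event object")
        return problems
    for key in ("message", "timestamp"):
        if not event.get(key):
            problems.append(f"missing event.{key}")
    if not isinstance(event.get("fields", {}), dict):
        problems.append("event.fields is not an object")
    return problems


def extract_artifacts(payload):
    """Return the custom fields of the event, i.e. the values that would be
    created as artifacts in the IRP. Only scalar values are kept, since that
    is what an artifact/observable can hold."""
    event = payload.get("event") if isinstance(payload, dict) else None
    fields = (event or {}).get("fields") or {}
    return {k: v for k, v in fields.items()
            if isinstance(v, (str, int, float, bool))}


def post_notification(url, payload, timeout=5):
    """POST the payload the way Graylog's HTTP Notification does and return
    the HTTP status. Only used from the command line, never at import time."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder gateway URL; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000/input/"
    print("problems:", validate_notification(SAMPLE_NOTIFICATION))
    print("artifacts:", extract_artifacts(SAMPLE_NOTIFICATION))
    print("gateway replied:", post_notification(target, SAMPLE_NOTIFICATION))
```

Run it with the gateway URL as its argument after starting the service; a non-2xx reply or a connection error surfaces as an exception, and whatever shows up as artifacts here is what you should expect to see on the case or alert created in the IRP.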
To Do
- README about Graylog setup;
- Sentry support;
- README about modules:
- stream_resolver;
- telegram;
- Docker support;
- README about setup:
- Native;
- Dockerized;