Tips and Resources

Monitor Microsoft Windows Defender Antivirus with Graylog Part 1

Guide for deploying Graylog to monitor Microsoft Windows Defender Antivirus on Windows endpoints.

In this multi-part post, I'll outline the steps to monitor and receive notifications of detected malware from your Windows endpoints using Graylog.

What is Graylog?

Graylog is an open source Security Information and Event Management (SIEM) platform that collects logs from your endpoints (and other networked devices), runs analysis on those logs and can present the findings in dashboards and notifications. More information is available on the Graylog Open site.

Virtual Machine Installation

At the time of writing, the latest version of Graylog (v4.3.6) won't install on Ubuntu 22.04 (Jammy Jellyfish) or later, so use Ubuntu 20.04. Download 20.04.5 (Focal Fossa) from here: https://releases.ubuntu.com/20.04.5/ubuntu-20.04.5-live-server-amd64.iso

This article assumes you've got Hyper-V set up on a Windows PC (Server or Workstation). Open Hyper-V Manager, right-click your host and choose New -> Virtual Machine...

On the Before you Begin screen, click Next.

On the Specify Name and Location screen, Give your virtual machine a name, such as Graylog and choose a path to store the virtual machine files. Click Next.

On the Specify Generation screen, choose Generation 2 and click Next.

If you are going to run all the Graylog components on one machine (Graylog, Elasticsearch and MongoDB), I'd recommend starting with at least 4GB of RAM. Once you've got it up and running, you can re-evaluate how much your instance needs to run smoothly. On the Assign Memory screen, specify 4GB or more, disable Dynamic Memory and click Next.

On the Configure Networking screen, assign it a connection and click Next.

The amount of storage space Graylog needs is highly variable, depending on how many endpoints you want to monitor, what logs you want to collect and how long you want to retain your logs for. As an example, one site running Graylog with just over 200 Windows endpoints generates about 10GB of logs per week. On the Connect Virtual Hard Disk screen, choose an appropriately sized disk and click Next.

On the Installation Options screen, choose Install an operating system from a bootable image file and click Browse... Choose the ubuntu-20.04.5-live-server-amd64.iso you downloaded earlier and click Open. Click Next.

On the Completing the New Virtual Machine Wizard screen, click Finish.

Right-click your new virtual machine and choose Connect...

The default Secure Boot template won't allow booting from the Ubuntu install .iso, but rather than turning Secure Boot off you can keep it enabled by changing the virtual machine's Secure Boot template. In the virtual machine connection window, click File -> Settings...

On the Settings screen, click Security. Change the Secure Boot Template to Microsoft UEFI Certificate Authority. 

While still in the settings screen, click Processor and change the number of virtual processors to something appropriate for the hardware you are running this virtual machine on. For example, set it to 4 virtual processors and click OK.

On the Virtual Machine Connection screen, click Start.

The installation process will automatically start and after a few moments you will be presented with a Welcome screen. Choose an appropriate language using the arrow keys and press Enter.

Select an appropriate keyboard layout and press Enter.

On the Network Connections screen, I'd recommend setting a static IP address for the network interface. Set an address (or leave it on DHCP) and navigate to Done. Press Enter.

Configure a Proxy if required and press Enter.

Change the Ubuntu Archive mirror if required and press Enter.

On the Installer Update Available screen, navigate to Update to the new installer and press Enter. Note - if this prompt doesn't appear, your virtual machine may not be able to reach the Ubuntu Archive mirror chosen in the previous step.

Adjust the storage configuration to your preferences, or leave it on Use an entire disk, navigate to Done and press Enter.

Confirm the settings on the Storage Configuration - File System Summary screen, navigate to Done and press Enter.

On the Confirm Destructive Action prompt, navigate to Continue and press Enter.

On the Profile Setup screen, fill out all the fields, navigate to Done and press Enter.

Enter your Ubuntu Advantage token if you've got one, navigate to Done and press Enter.

Select to Install OpenSSH server, navigate to Done and press Enter.

At this point the installation will start - wait until you see the option to Reboot Now. Navigate to Reboot Now and press Enter. Press Enter again at the prompt. The virtual machine should now reboot.

Graylog Installation

Now that the virtual machine is up and running, it's time to install the Graylog components. At this point, you can either log into the virtual machine from a console in Hyper-V Manager, or you can connect to the server from another machine using SSH. If you are on a Windows machine, I'd recommend using PuTTY to connect to the virtual machine over SSH. If using PuTTY, enter the IP address of the Graylog virtual machine into the Host Name field, leave the Port on 22 and click Open. The first time you connect, PuTTY shows the server's SSH host key fingerprint; compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the Hyper-V console before accepting it.

Log in with the credentials you set during the Profile Setup step earlier. To make sure the installed packages are at their latest versions, run an update and upgrade (both commands need sudo):

sudo apt-get update && sudo apt-get upgrade

Once the upgrade is complete, it's time to install the Graylog components.

Before the Graylog components are installed, there are a few prerequisites that need to be installed. Run this command to install them:

sudo apt-get install apt-transport-https openjdk-17-jre-headless uuid-runtime pwgen

Install MongoDB

Graylog uses MongoDB as its database - to install MongoDB, run the following commands:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

Once installed, start MongoDB, set it to start automatically when the Graylog server boots, and confirm the service is active:

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl --type=service --state=active | grep mongod

Install Elasticsearch

Elasticsearch is the search and analytics engine that will process your logs - install Elasticsearch by running the following commands:

wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
sudo apt-key add myKey
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss

Once installed, the Elasticsearch configuration needs to be modified to set the cluster name and to stop Elasticsearch from automatically creating indices (Graylog creates and manages its own). To do this, run these commands once only - tee -a appends, so running them a second time leaves duplicate keys in elasticsearch.yml:

sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT

Once that's done, start Elasticsearch, set it to start automatically on boot and confirm the service is active:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch

Install Graylog

Now that the database and search components are installed, you can install Graylog by running:

wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
sudo dpkg -i graylog-4.3-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins

Configure Graylog

Before starting the Graylog service, you need to configure a few basic settings in the config file first. The Graylog config file is located here:

/etc/graylog/server/server.conf

The first thing you'll need is a long random string for password_secret. Graylog uses it to pepper the stored user password hashes and to encrypt the secrets it keeps in its database, so treat it like a key: it must be at least 64 characters, and it has to be identical on every node if you later add more Graylog nodes. To generate the string:

pwgen -N 1 -s 96

Copy the output to the clipboard - if you are using PuTTY, just highlight the output with the mouse; this copies it to the clipboard automatically.

Open up the config file with a text editor:

sudo vim /etc/graylog/server/server.conf

Type i to change to edit mode, scroll down to the line password_secret =  and paste the random string copied earlier. If using PuTTY, you can quickly paste the clipboard text by right-clicking your mouse.

Save the .conf and exit the editor by pressing the Esc key, then type

:wq

You also need to generate a password hash for your admin account. Graylog stores this as an unsalted SHA-256 hex digest in server.conf, so choose a long passphrase: anyone who can read the file can brute-force a weak one offline. Run this code:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

At the prompt, enter the password you'd like to use to login to the Graylog web interface. Copy the output to the clipboard again, and re-open the .conf file with the text editor:

sudo vim /etc/graylog/server/server.conf

Switch to insert mode again by pressing i and scroll down to root_password_sha2 =. Paste the password hash you copied to the clipboard by right-clicking.

A little further down in the file is root_timezone = UTC. I suggest changing this to your local time zone - you can see a list of valid time zones here: https://www.joda.org/joda-time/timezones.html 

Scroll down a little further and change http_bind_address = 127.0.0.1:9000 to the IP address of your Graylog server (keep the :9000). This is what makes the web interface reachable from other machines, but it also exposes the REST API over plain HTTP on that address, so restrict port 9000 to your admin network with a firewall or enable TLS using the http_enable_tls settings further down in the same file.

Commit those changes and exit the editor by pressing Esc and type

:wq
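The server.conf edits above can be scripted instead of done by hand in vim. The following is an added example, not part of the original post and not Graylog's own tooling: it generates the secret and the admin password hash, writes the four settings into a server.conf, and reads them back so the result can be checked before graylog-server is started. The time zone, bind address and password in the demo call are placeholders, and it runs against a constructed stand-in file; on the real server you would point it at /etc/graylog/server/server.conf with sudo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): script the password_secret,
# root_password_sha2, root_timezone and http_bind_address edits.
# Assumes the stock Graylog 4.3 server.conf key names shown in this post.
set -eu

# 96 hex characters (48 random bytes) from /dev/urandom. This stands in for
# `pwgen -N 1 -s 96` so the example also runs where pwgen is not installed.
gen_password_secret() {
  od -An -tx1 -N48 /dev/urandom | tr -d ' \n'
}

# Unsalted SHA-256 hex digest, which is exactly what root_password_sha2 expects.
# printf '%s' avoids hashing a trailing newline (the one-liner in the post uses
# tr -d '\n' for the same reason).
root_password_sha2() {
  printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# Edit the four settings in place. Matches both the bare `key =` lines and the
# commented `#key = value` form the stock file ships with, so it is safe to
# re-run (unlike appending with tee -a).
configure_graylog_conf() {
  local conf="$1" admin_pw="$2" tz="$3" bind="$4"
  local secret hash
  secret="$(gen_password_secret)"
  hash="$(root_password_sha2 "$admin_pw")"
  sed -i -E \
    -e "s|^#?password_secret *=.*|password_secret = ${secret}|" \
    -e "s|^#?root_password_sha2 *=.*|root_password_sha2 = ${hash}|" \
    -e "s|^#?root_timezone *=.*|root_timezone = ${tz}|" \
    -e "s|^#?http_bind_address *=.*|http_bind_address = ${bind}|" \
    "$conf"
}

# Read one (uncommented) setting back, for checking before the service starts.
conf_get() {
  sed -n -E "s|^$2 *= *(.*)$|\1|p" "$1" | head -n 1
}

# Constructed stand-in for /etc/graylog/server/server.conf: the real file has
# many more lines, only the keys this post edits are reproduced here.
demo_conf="$(mktemp)"
cat >"$demo_conf" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
#root_timezone = UTC
#http_bind_address = 127.0.0.1:9000
EOF

# Placeholder values: replace with your own passphrase, time zone and server IP.
configure_graylog_conf "$demo_conf" 'ChangeMe-Please!' 'Europe/London' '192.168.1.50:9000'
echo "root_password_sha2 = $(conf_get "$demo_conf" root_password_sha2)"
echo "http_bind_address  = $(conf_get "$demo_conf" http_bind_address)"
rm -f "$demo_conf"
```

On a real server, don't put the passphrase in the script or on the command line; read it with `read -rs admin_pw` and pass the variable, so it ends up neither in shell history nor in the file listing of whoever later reads the script.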

Graylog is configured to use 1GB of RAM initially; you may find that once you are collecting logs from more than a few endpoints, 1GB won't be enough and will drastically slow down the server. I'd recommend bumping this up, but size the VM to match: on a 4GB VM a 3GB Graylog heap leaves too little for Elasticsearch's own 1GB default heap, MongoDB and the OS, so increase the VM's memory at the same time:

sudo vim /etc/default/graylog-server

Type i to change to edit mode, and change

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"

to

GRAYLOG_SERVER_JAVA_OPTS="-Xms3g -Xmx3g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"

Now that the basic configuration is done, start the Graylog service and set Graylog to automatically start on bootup:

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog

Test login to Graylog server

Now that all the installation and basic config is done, Graylog should be up and running! Fire up a web browser on your computer and open

http://<GrayLog Server IP address>:9000

You should be presented with the Welcome to Graylog page

Sign in with the username admin and the password you entered when creating the password hash. You'll be presented with the Graylog Getting Started page.

Optionally, I'd recommend setting an A record for the Graylog server in your DNS so you can log in using a hostname rather than an IP address. This will also help when configuring the agents in the next step.

Great! In part 2, we'll set up your Windows endpoints to send their logs to Graylog, create a dashboard, define alerts for detected malware and configure automatic email notifications for those detections.

References

https://www.graylog.org/products/open-source

https://docs.graylog.org/docs/ubuntu

https://community.graylog.org/t/custom-notification-variables/15667/6

https://community.graylog.org/t/timezone-graylog-server/7380

https://www.joda.org/joda-time/timezones.html