Categories
Software

Can I Send Graylog Alerts to Discord?

I’m using Discord to keep up with some technical discussion groups (e.g. TrueNAS and OBS) and I’ve even created a personal Discord server for my family. I’m also running Graylog for log aggregation of my home technology stack (switches, IP phones, Asterisk, Plex, Pihole, Router) and I was wondering if I could create automated alerts from Graylog to my Discord server? It is very timely as Graylog posted a blog entry just this past Friday on how to do this very thing. Now, before we go any further we need to be clear on what is required from a software perspective. You will need a working Graylog server version 4.0 or greater (I’m running version 4.0.5 on FreeBSD) and you will need to install and license the enterprise plug-in so that you can use the correlation engine. Don’t worry, the enterprise Graylog plugin is free for personal use under 5 GB of logs a day (I’m at like 400 Mb’s a day). You will also need a Discord server which are free to setup for personal use. Instructions for setting up Graylog can be found here and here.

Make sure you let your children know what you are up to.

Step 1: Inform Your Children

Children are super curious; they like to know when new network monitoring infrastructure is configured for your home network. I’ve found that a bit of subterfuge throws them off the scent.

Create a new #channel for your alerts

Step 2: In Discord, Setup a New Text Channel for Your Alerts (Optional)

This step is optional but useful if you want to separate alert content from your normal content in Discord. In your Text Channels menu for your Discord server (you must be the server owner or granted admin privs), you can click the plus icon to create a new text channel. I named mine graylog and defined a topic text. Click save. Please notice the Integrations menu item in the above graph. We will click on that next.

Add the Webhook which your Graylog server will call

Step 3: In Discord, Add a Webhook Integration

Within your text channel configuration you will see an Integrations menu item. Click Integrations and then click on Webhooks and New webhook.

You can add a unique icon to the automated messages

In the New Webhook dialog, you can name your webhook. I chose a descriptive name for this but yours can be more generic. Note the Channel the webhook will be in and you can copy the webhook URL (a url encoded string to your server). I got the Graylog icon from their Twitter feed @graylog2 account.

Graylog Event Definitions

Step 4: In Graylog, Add an Event Definition

In the Graylog Alerts menu, click Event Definitions and then the Create Event Definition button. I named my Event “SSHd Logon Open Too Long” to match to Graylog blog video which is linked at the start of this blog post. Click Next. I set the Condition Type to be “Event Correlation” and then set the Correlation rules to follow a sequence of events that are satisfied within 16 min. You can make it more or less but essentially I’m looking for SSH logins for more than 16 min.

The event rules you will correlate

I set Event #1 in the correlation to be the “SSHd Session Open” Event from my alerts. I added Event #2 and set it to “SSHd Session Closed” which SHOULD NOT OCCUR in the next 15 min. This means event #1 will fire and within 15 min a subsequent event #2 will not fire. The definition of those events will be covered later and is outside the scope of this article. click next.

Create a custom event field for the user_name

Step 5: Create Custom Event Field for User Name

Click Add Custom Field in the Fields item of the wizard. Set the name to user_name and click to make this a field key. Set the template to

template: ${source_user_name}

And make sure you do not click the value is required. Click Next.

Setup the Slack Notification (works with Discord as well)

Step 6: Setup the Notification to Discord

In the Notifications wizard item, click on the Add Notification button.

Add Notification dialog

Within Add Notification, you will set a descriptive title and description (I’ve again used the example they discussed in the Graylog blog video). You MUST select Notification type of Slack and you can change the highlight color. In the webhook URL field you will paste the URL copied from Step 3 above. Please append to the end of the Webhook URL “/slack” which will tell Discord this message has been formated for Slack and to handle that format type. You can specify the channel again and the custom message template. You can use your custom user_name filed in the message template. Click on the Execute Test Notification button to verify your test message is logged to Discord. Click Save and wait for your event notifications!

Categories
Software

Upgraded to Graylog 4

FreeBSD package management recently updated their Graylog package from 3.3.0 to 4.0.5 with enterprise plugins! This article is as-of April 2021 and you should upgrade your FreeBSD os or Jail version to 12.2 and upgrade your packages (see below).

[rich@graylog ~]$ uname -a
FreeBSD graylog 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 f2858df162b(HEAD) TRUENAS  amd64

[rich@graylog ~]$ sudo pkg update
Password:
Updating FreeBSD repository catalogue...
[graylog] Fetching packagesite.txz: 100%    6 MiB   3.3MB/s    00:02    
Processing entries: 100%
FreeBSD repository update completed. 30499 packages processed.
All repositories are up to date.

[rich@graylog ~]$ pkg search graylog
graylog-4.0.5_2         Tool for centralized log collection

[rich@graylog ~] sudo pkg install graylog

Now Graylog software is written in Java and distributed as JAR (Java ARchive) files so you really don’t need to wait for FreeBSD packaging to upgrade your server. In fact, just a few weeks before I wrote this I had upgraded the server manually by downloading the latest Graylog Jars from graylog.org website and putting them in the appropriate server directory. This works but was very manual and could be prone to error. The FreeBSD package automates everything and makes it simple I will not discuss my manual upgrade process and suggest to you to just use the official package noted above (v4.0.5). I even applied the FreeBSD package over my manual upgrade and it handled everything gracefully (by backing up the jars I placed as .prev versions).

There are numerous enhancements to Graylog and the software pkg upgrade process was relatively straight forward. PLEASE NOTE that I had to upgrade Elasticsearch to either version 6 or 7 (I was on version 5). This is noted in the FreeBSD graylog-4.0.5_2 pkg release notes that you must upgrade Elasticsearch (it doesn’t tell you how).

If you attempt to start the graylog service on your FreeBSD instance without first upgrading Elasticsearch and you are running version 5 or below then the web interface will fail to start and the graylog server will repeatedly log an error connecting to Elasticsearch.

If you have data in your Elasticsearch version 5 instance and you use FreeBSD package manager to install elasticsearch6 then it will upgrade the binaries and remove the elesticsearch5 package. It left the data intact in my experiance and I had to do a bit of editing of the elasticsearch config yaml file to start the new elasticsearch6 instance. The edits were very minor. I essentially had my old version 5 yaml config file up and diffed it against the new version 6 example and updated accordingly. I didn’t take notes of my edits but again they were version small.

You may also need to update your graylog config xml file although your mileage might vary. The connection details to elasticsearch changes slightly from my version 5 to version 6 so I had to edit in graylog config.

I restarted the graylog service again and tailed the /var/log/graylog/server.log to verify that it successfully restarted. I was able to login again to the web interface and verified none of my data was lost and that my graylog server was healthy. I took an immediate archive of the data to compressed gzip tar file just in case. The reader will note I took a backup after the upgrade not before… I should have taken a backup before if I was being truly risk averse as a rollback option. tsk, tsk on me…

New Graylog Features of Note

Dark Interface Mode

Slack & Discord Notification Support (I’ve discussed Discord Notifications in another post)

Categories
Life in lockdown Software

Linux Speedrun of Mega Man 2 streamed on Twitch

So I finally set myself up on Twitch tonight and streamed for an hour of Mega Man 2; I had zero viewers… Listen, I wasn’t expecting a following and primarily I did it to push myself. I’m using a 100% open-source platform for twitch streaming using OBS (open broadcast system studio) running on Pop OS Linux. I’m using an open source live split software called flitter. It’s within an xTerm (don’t use alpha channel enabled terms in OBS) and it uses a simple text file for configuration. I’m using Higan for my NES/Famicom emulator with a rom of Mega Man 2 that runs at 60 frames per second. And I have a camera on me while I’m playing to capture the reactions. All on one computer (not a particularly powerful one btw) running Linux and streaming the output to Twitch. I now have one follower, my son.

My son imparted some of his hard earned wisdom on Streaming to me. He said make sure your audio quality is good. Get a good mic, test the levels and make sure I’m speaking over the game (but you can still hear the game audio). He said this is really important. The video can be sorta crappy but the audio quality better be good. He recommended a few good quality mic’s and he uses an external audio mixer to set the mic levels. He also recommended I record, not stream for the first few sessions and then watch it back to make sure it sounds and looks good.

Why am I doing this? A few reasons. One, I like Mega Man 2 and the challenge of playing it well and getting a decent speedrun appeals to me. I’ve watched some of top speedruns and they so some crazy stuff. Two, I want to prove that you don’t need Windows 10 to do streaming/speedrunning — Linux and open source software is perfectly viable for Twitch streaming. Three, I wanted to prove to Cam that he can do all his creation/streaming/broadcasting if he switched to Linux. What do you think? Any games you’d like me to play? Leave a comment to let me know. My Twitch handle is rpavlovsky but I might change it, I don’t know…

Categories
Life in lockdown Weather

Houston Blizzard + Back Online

So much has happened in the last few weeks. Texas was hit with the worst snowstorm I think in recorded history. The snow in Houston didn’t look that bad via photographs but trust me. It was icy, heavy sleet and snow — not that fluffy stuff you ski on. Of course it cause havoc on our electrical grid and our water pipes. Thankfully all in my neighborhood are well and the weather is now in the 70’s! I’ll post a few more pictures when I have some time.

I lost power along with most Texans for large parts of early last week. Power has been stable since last Thursday. The last snow and ice melted last Saturday (so it was on the ground for a good 5 days). The worst days for me were Tuesday and Wednesday when we have the rolling power outages.

Ella enjoying a boogie board style toboggan at the nearby park.

Lastly, I needed to update my SSL cert for this website which I’ve now done. Silly me for taking so long to do that; I had a bit on my plate.

Categories
Animals Life in lockdown

Horse Riding Lessons

A new year of horse riding lessons for Ella. I decided to bring along the Canon DSLR’s with a standard lens and the telephoto and challenge myself to shoot in Manual (M) mode. The cameras were my EOD 50D and EOS 30D cameras that I purchased from Goodwill (secondhand). It was dark in the barn which is no problem for the human eye but quite a challenge for the budding photographer.

Canon EOD 30d, f/7.1, 1/100 shutter and 800 ISO, no flash.
Walking out to the parade grounds.
Ms. Amy on Joker; he wasn’t feeling very well.
Focused.
Waiting for her turn
Rode with bridle and a bit today
Trotting over some obstacles
Categories
Life in lockdown

The Last Day of 2020

As I type this, 2020 is approximately 11 hours from finishing (at least in my part of the world). My upstairs air conditioner decided to fail in the last few days of the year and guess what? It’s not under warranty. Effe you 2020! Ugh.

Here is hoping for a brighter 2021; I mean it’s always darkest before the dawn, right!?!

Categories
Software

The “Christmas Star”

<from NASA>Skywatchers are in for an end-of-year treat. What has become known popularly as the “Christmas Star” is an especially vibrant planetary conjunction easily visible in the evening sky over the next two weeks as the bright planets Jupiter and Saturn come together, culminating on the night of Dec. 21.</NASA>

Full story https://www.nasa.gov/feature/the-great-conjunction-of-jupiter-and-saturn

This photo was taken with my Canon 50D using a 300mm lens. I’m not super knowledgeable on all things Camera. The full RAW image is huge, this is a small export of it taken from my front porch in Cypress, Texas.

Categories
Life in lockdown

Messing Around with Digital Cameras

I setup a photo studio in my office. I have a green screen, Cameron’s recording lights and the Cannon 50d on a tripod tethered to my computer. It’s a complex setup. I’m using FOSS called entangle (to capture) and the Gimp with Darkroom plug-in to open the Canon RAW image files. I’m learning about f-stop and ISO speed. It’s all complex and I’m out of my depth a bit but it’s fun. It’s been a while since I’ve messed around with Adobe Photoshop. I’m trying to relearn a skill on Gimp and it’s a bit different. I’ll get the hang of it sooner or later.

With better lighting
future music star?
I was still, she moved fast
what a ham.
Categories
Software

Reporting Network Threats with Graylog

In an average 5 min time-span my network firewall is scanned about 25-50 times (+/-). It is scanned from all over the world including Morocco, Hong Kong, Los Angeles, Moscow, Beijing and London (to name a few). I’m sure sophisticated and not-so-sophisticated hackers are using VPN’s or TOR to show they are in another location or to hide their tracks. What are they trying to accomplish? Well, basically, they are checking if any doors are unlocked to try and get access or information. In computer network security this means network services are running either unlocked, unprotected or protected with weak or known passwords. Most folks would be unaware in such a circumstance to poor network security until they get hacked. Some folks purposely leave hosts exposed with services to capture details on hacker methods (those are called honeypots). I noticed that I have a lot of port scanning of 1433 (MS Sql Server), 21 (FTP), 22 (SSH) and 23 (Telnet) among many others. If those ports are listened to by a service on my home network that is exposed to the general internet then these scans will pick that up and essentially report back that I have a running service. Additionally, they could be trying known generic passwords or any security vulnerabilities.

This report was generated with live syslog data from my wifi router which is being ingested by Graylog and processing done on the router log messages to lookup any known threats. These threat and Geo Location lookups are built-in features of Graylog.

More detail on how to set this up on your own Graylog instance can be found at https://www.graylog.org/post/integrating-threat-intelligence-into-graylog-3 and https://www.graylog.org/post/how-to-set-up-graylog-geoip-configuration

I found a useful blog that identified items to check when setting this up.

  1. Check your processing order, your order is wrong, if you use pipeline rules. Please move your Message Filter chain before Pipeline Processor.
  2. Check if your geoip lookup table works. Put a internet ip address to section Test Lookup in field Key, and it should return GEO information.
  3. If not, check your data adaptor if you use correct Database type for your downloaded file. I use GeoLite2-City.mmdb and Database type: City Database. If you use only Country database, change correct type.
  4. Best is to put MaxDB databases to /etc/graylog/server directory, check if graylog service can read file.
  5. You need extracted field with ip addresss, for example src_ip with only ip adresses to use in lookup table. I couldn’t see any ip field in your fields screenshot. So create extractor or pipeline rule for ip field extraction first.
  6. You can use geo ip lookup table in several parts: Extractor, Converter, Decorator or Pipeline Rule.
  7. There is no special geoip map icon in field.
  8. If you want to create World Map widget, create widget from field src_ip_geo_location (or Show top values) and change Visualization type to World Map.
  9. If you use Selinux (CentOS, RHEL) try to disable to check, if it’s not blocking access to geoip db file.

The full thread is available here https://community.graylog.org/t/geo-ip-not-working/14846/8

Categories
Software

Building your own Alexa skill using AWS Lambda and Python (Part 1)

While I resisted the pull of the ‘smart speaker’ for a little while, I have to admit having Amazon Music and an Echo has been one of the most enjoyable things I’ve bought for myself over the past couple of years. Maybe it’s my age, but voice activation still seems very cool to me, but I’m middle aged, quite often tired and like most adults, I have a lot of dull stuff to do in my life. ‘Aha…… Katie, why not automate away that toil……’

So yes, that’s why I thought it would be fun (and help me reawaken some tech skills) to build my own app. Of course, their is info out there already on this, but I found a lot of it stopped a bit short, or jumped right into the code writing. So here’s my write up of the first part of it which is the basic interaction between you and Alexa. After that I’ll do write ups of how to use lambda a bit more to actually have functionality.

You will need:

  • A developer account for the Alexa Skills Kit (ASK)/ Alexa Developer Console. developer.amazon.com
  • An AWS account: aws.amazon.com . You can get an account with a free tier to use AWS lambda assuming you don’t exceed 1 million requests a month. (You’ll need to provide a payment method to get the account)
  • Some basic python coding skills
  • A brilliant idea!

Alexa Developer Console

This is where you create the voice interaction model. It’s a web based IDE- nothing to download, and it has it’s own test environment. I used the following tutorial, but I found it simpler to write up my own notes.

Here’s my translation of the Alexa terms:

  1. A name for your skill ie. ” Alexa, open <insert cool name here>”- that’s the invocation name. I recommend making it simple as you may forget it….. I did, more than once.
  2. Intents could be translated as ‘functions’ of the app. With utterances being the phrases you may say, to initiate those ‘functions’.
  3. Within the utterances, you can set variables- which translates as ‘slots’. You can set the available value of the slot.
  4. Set your endpoint- ie. link it to the code in AWS Lamda

Example:

Invocation: Bin check

Intents: Check_next

Utterance: When is the next {bin_type} collection

Intent Slots: bin_type

Slot Type: waste_type with user utterances: garden waste; rubbish etc.

Once you have it all set up you’ll need to ‘build model’.

But really, that won’t do anything on it’s own. That’s where lambda comes in.

To get ready for the next bit I recommend going to the Endpoint menu to show your ‘Skill ID’ which you’ll need for later:

AWS Lambda:

For this I assume you’ve set up an AWS account and are on the Lambda service.

Firstly, You’re going to need to create a new function.

Choose a name (I went for ‘Bins’), and choose the language in which you’ll write the function. I went for Python and left the default IAM selection.

Now press ‘Create function’.

Once created you’ll see the IDE with the following at the top. This is how you link it to the ASK work you did earlier. At the following :

Click “Add trigger”. You want to choose “Alexa Skills Kit”

The following should appear and you can add the Skill ID I highlighted earlier. Click Add.

You now want to do the reverse. At the top right of the functions screen you should see the following. Copy this ready to link it back.

Right. Now back to the ASK console. Back to the Endpoints section and copy and past your function ID in. Notice you have regional options if perhaps in your Alexa skill, a reference to pants might warrant a different response if your end user is in the UK or the US………

Save the end points and …. ta da……. you’ve linked your alexa skill to a function! Sure it doesn’t do anything yet….. but hey. That’s part 2…..