G DATA Business Solutions: SIEM Plugin Configuration Graylog

Graylog is an open source programme that can process many log formats.

With the help of this guide, you can use the Telegraf service to pass G DATA Management Server security events to your Graylog server (output).

This guide assumes that the inbound configuration and the G DATA Management Server configuration have already been done.

Plugin Configuration

  1. Create a new data input in Graylog.

  2. Enter your data in the Editing Input UDP GELF overview.
    Select 12201 as port.

Telegraf Configuration

As an alternative to points 1 to 4, you can download a telegraf.conf prepared for Graylog here.

Unzip the .zip file and replace the file telegraf.config in the directory

C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf

with the file from the downloaded zip file.

However, as shown in the example under point 3, you must still replace the IP in the file with the IP of your Graylog server.

Then go directly to point 5.

  1. Open the Telegraf configuration file with an editor:

     C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegraf.config

  2. Delete all existing lines in the OUTPUT PLUGINS block (see screenshot under point 3).

  3. Add the following lines to telegraf.config. Replace the IP 127.0.0.1 given in the example with the IP of your Graylog server.

     [[outputs.graylog]]
     ## UDP endpoint for your graylog instances.
     servers = ["127.0.0.1:12201"]

     This is what the finished block looks like (screenshot of the OUTPUT PLUGINS block in the original guide).

  4. Save the file.

  5. Create a new Telegraf service, using the customized telegraf.conf.
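Before creating the Telegraf service, it is worth confirming that the GELF UDP input from the Plugin Configuration section actually accepts messages at the address you entered in step 3. The following script is an added example, not part of the G DATA guide or of Telegraf: it builds a GELF 1.1 message, compresses it with zlib and splits it into GELF chunks when it would exceed one datagram, both of which a default Graylog GELF UDP input accepts. The hostname, message text and the `source` field are constructed values.

```python
"""Smoke-test a Graylog GELF UDP input (added example, not G DATA or Telegraf code).
Assumes the input from the guide listens on UDP 12201 with default settings."""
import json
import os
import socket
import struct
import time
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # magic bytes that mark a chunked GELF datagram
MAX_CHUNK_PAYLOAD = 1420 - 12    # 12-byte chunk header; stays under a typical MTU


def build_gelf(host, short_message, level=6, **extra):
    """Return a zlib-compressed GELF 1.1 payload; extra fields get the required '_' prefix."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    for key, value in extra.items():
        if key == "id":            # '_id' is reserved by Graylog and rejected
            raise ValueError("additional field 'id' is not allowed")
        msg["_" + key] = value
    return zlib.compress(json.dumps(msg).encode("utf-8"))


def decode_gelf(payload):
    """Inverse of build_gelf: what the Graylog input will see after decompression."""
    return json.loads(zlib.decompress(payload).decode("utf-8"))


def chunk_gelf(payload):
    """Split a payload into GELF chunks (magic, 8-byte id, seq, count) when it is too large."""
    if len(payload) <= MAX_CHUNK_PAYLOAD:
        return [payload]
    pieces = [payload[i:i + MAX_CHUNK_PAYLOAD]
              for i in range(0, len(payload), MAX_CHUNK_PAYLOAD)]
    if len(pieces) > 128:          # GELF allows at most 128 chunks per message
        raise ValueError("message needs more than 128 chunks")
    msg_id = os.urandom(8)
    return [GELF_CHUNK_MAGIC + msg_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def send_gelf(server, payload):
    """Send the (possibly chunked) payload to an 'ip:port' string as used in servers=."""
    host, port = server.rsplit(":", 1)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for datagram in chunk_gelf(payload):
            sock.sendto(datagram, (host, int(port)))
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed test event; use the Graylog IP you entered in step 3 instead of 127.0.0.1.
    send_gelf("127.0.0.1:12201", build_gelf("mms-test", "GELF input smoke test", source="manual-check"))
```

If the message does not show up in the Graylog input's search view, check the host firewall for UDP 12201 before troubleshooting the Telegraf service itself.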
