Graylog: Syslog aggregation for free?

Welcome back! Today, I’ll be discussing one of my favorite homelab projects: Graylog.

Graylog is a syslog aggregator that is free for personal use. What does that mean? Well, we’ll start with syslogs. Syslogs are system log messages that operating systems use to record what is happening on the system. This includes the Linux syslog (/var/log/syslog) and Windows Event Logs on both server and home editions of Windows. These come in handy when troubleshooting issues or when you need to check a specific time frame to see what a system was doing. But this requires logging into each system individually to read them; if an issue affects multiple systems, you’ll need to check each one and correlate time frames to troubleshoot. Enter Graylog.

Graylog gives us a way to receive all syslogs from across one or more networks. In the case of my homelab, I run about 25 virtual machines of Windows and Linux varieties. Trying to nail down an issue across multiple servers can be a bit of a pain, but with Graylog I can see everything in one spot. And that’s just scratching the surface.

One of the most powerful functions of Graylog is the ability to set rules based on the messages it receives from your systems. Want to keep an eye on DHCP leases to see if anything is talking on the network that shouldn’t be? Set up a rule on DHCP renewals to email you when something requests one. Want to know if someone escalates to Admin in Windows? Build a rule on the Windows system event log to do just that. It’s incredible, really, that this software is free.

I’m currently running Graylog Enterprise, as my daily intake of messages is well below the 2GB/day maximum even with ~25 systems sending logs and routine maintenance running across the systems (which can generate quite a lot of messages if it’s been a while since the last updates). The dashboard I run is a saved search for the past 12 hours, and you can have it automatically refresh to keep an eye on it (I’m a huge sucker for dashboards).

Keeping this up also lets me see if anything is sending a larger than normal volume of messages. I once had a situation where my DNS server (Pi-hole) was being bombarded by a smart home device; I was able to spot this from the dashboard and reboot the device to fix the issue.

So yeah, I dig it. Graylog is super neat, the searches are extremely fast even for large amounts of data, and deploying it on Ubuntu only takes an afternoon’s worth of work for someone with limited Linux knowledge. It’s also neat that they allow some Enterprise features in the free version if you’re under a set limit of messages per day, which lets me test this further on my homelab before potentially using it in a real production environment. Overall: 9/10, would install and use again.

Thanks for reading! I hope you enjoyed my post and keep checking back for more information and projects. Cheers!

Apache issues when upgrading from 20.04 LTS >> 22.04 LTS

It’s been a while since I posted! I recently began an upgrade project for my Linux virtual machines, which ranged from 14.04 to 17.04. The goal was to get everything onto 22.04 LTS. One of the issues I ran into (three times so far) is Apache not working:

apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 3 of /etc/apache2/mods-enabled/php7.4.load: Cannot load /usr/lib/apache2/modules/libphp7.4.so

After some Google searching, I came across the fix below, which hopefully helps others too:

# Disable the old PHP 7.4 module (its libphp7.4.so is gone after the upgrade)
sudo a2dismod php7.4

# Enable the PHP 8.1 module that ships with 22.04
sudo a2enmod php8.1

# Bounce Apache
sudo systemctl restart apache2

This has worked on three systems so far, all moving from 20.04 LTS to 22.04 LTS. Hopefully someone else finds this helpful!
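As an added example (not from the original post), a small POSIX shell helper that finds which enabled Apache php*.load files point at a .so that no longer exists after the upgrade, and which PHP module versions are actually installed, so you know exactly which versions to pass to a2dismod/a2enmod instead of guessing. It takes directory paths as arguments so it can be tried on a scratch tree, and only reads the real /etc/apache2 and /usr/lib/apache2 paths when run with --check (a flag of this script, not an Apache tool).

```shell
#!/bin/sh
# Added example, not from the original post: report stale PHP LoadModule
# entries left behind by a release upgrade. Nothing here modifies the system.

# Print the shared-object path named by the first LoadModule line of a .load file,
# e.g. "LoadModule php7_module /usr/lib/apache2/modules/libphp7.4.so" -> the path.
load_target() {
    awk '/^[[:space:]]*LoadModule/ { print $3; exit }' "$1"
}

# Print the names (e.g. php7.4) of enabled PHP modules whose .so is missing.
# $1 is the mods-enabled directory.
stale_php_mods() {
    for f in "$1"/php*.load; do
        [ -e "$f" ] || continue          # glob matched nothing
        so=$(load_target "$f")
        if [ -n "$so" ] && [ ! -e "$so" ]; then
            basename "$f" .load
        fi
    done
    return 0
}

# Print the PHP versions (e.g. 8.1) that have a libphpX.Y.so present.
# $1 is the Apache modules directory.
installed_php_versions() {
    for so in "$1"/libphp*.so; do
        [ -e "$so" ] || continue
        basename "$so" .so | sed 's/^libphp//'
    done
    return 0
}

# Report against the live system only when asked explicitly, so the functions
# above can also be sourced or exercised on a scratch directory.
if [ "${1:-}" = "--check" ]; then
    echo "Enabled PHP modules whose .so is missing:"
    stale_php_mods /etc/apache2/mods-enabled
    echo "PHP module versions actually installed:"
    installed_php_versions /usr/lib/apache2/modules
    echo "After a2dismod/a2enmod, run 'sudo apache2ctl configtest' before restarting."
fi
```

Running `apache2ctl configtest` before the restart is the check worth keeping: it fails on the same "Cannot load ... libphp7.4.so" error without taking the web server down.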

Project: NAS backups share using Windows/Backblaze personal

There are two types of people: those who have backups, and those who will lose data. Several years ago I had a RAID card failure on a RAID 5 array (three disks) that lost about 5 TB of data. Of this, about 1.5 TB was completely irreplaceable, things as far back as high school projects. After this, I went into backup mode and have always kept redundant copies both locally and online (cloud based). At this point I’ve built a pretty solid system for handling this across multiple systems. Lemme walk you through it.

The idea was this: how can I make this easy and simple enough (once configured) that I won’t ever forget to make sure my items are backed up? So here’s how I went about it: Backblaze and a Windows 10 VM as a share drive.

Backblaze Home is a cheap 6 bucks a month for UNLIMITED backups. You can’t beat this cost. I went and built a Windows 10 Pro virtual machine on my ESXi host with the specs below:

  • 6 vCPU cores
  • 8GB RAM
  • 2TB disk space

Now, this may seem a bit overkill, but with a large amount of backups the VM may use a significant amount of RAM and CPU to compress and transmit the data. I then took a folder (in this case just on my desktop, for ease of use when RDP’d into the system) and set it as a network share for only my user account.

Here’s the trick: now that this is a shared folder, I can mount it as a network drive on ANY computer on my network. This allows multiple PCs to back up to one account. Neat, eh? Going from this approach, I also set up a couple of BAT (Windows batch script) files to back up my cloud accounts (Dropbox, Nextcloud, Google Drive) to this NAS as well, on a daily Task Scheduler job that runs every night on my desktop. This means every file I send to this server gets updated to the cloud, and I have redundant copies of any important files off my local PCs.

I went a step further and also added a BAT script on the backups system to send to my local unRAID server for a redundant copy of the data, and to perform weekly syncs to a normally disconnected external hard drive. The reason for keeping it disconnected is the worst case scenario: cryptoware or wholesale deletion of my files, which would then be synced online and to unRAID. Having the disconnected external drive allows most of my files to be recovered.

Hopefully this encourages others to tinker with this. Backups are important, and you may not realize what you’ll lose until suddenly it’s gone; backups of your video games from the early 2000s that are no longer hosted, for instance, and all that data is now gone. Cheers and happy home labbing.

Crypto Game Rules

To make a new receiving address:

  • Launch the new application. It should sync in a couple of seconds.
  • Click “File” > “Receiving Addresses”.
  • In the new window, click “New” and enter a label of your choosing (this doesn’t matter, I just use localhost).
  • Hit OK and send this to me so I can sync these between everyone.

Address book

Click on “File” > “Sending Addresses” to pull this up.

Coin links:

Windows: https://aasullivan.com/pub/euthoniscoin-qt.7z
Linux: https://aasullivan.com/pub/euthoniscoin-qt-linux.tar.gz

How to earn coin:

  • Each user will start with 1000 EC (EuthonisCoin) paid out of the vault.
  • Every Thursday, get 100 (maybe 1000 if I can mine enough in between) when you sign on to play or hang out. Every game we play on Thursday after 7PM with 2 or more people: an additional 100 coin.
  • Any time we’re playing with 3 or more people, earn the same as Thursdays (if I’m not around, keep track and I’ll send the coins when possible).

Wagers can be made, or players can be “paid off” for certain fun (i.e. pay Chwaee 100 coin to skip his next turn in Worms; pay 500 coin to reverse your keyboard or controller while playing).


Ongoing rules/ideas:

  • 100 coin: whoever can complete an objective first in KF2 (all other players pay 10 to this person)
  • 500 coin: take a drink/hit.
  • 1000 coin: talk in a funny accent until a round is over / say a certain word in every sentence
  • 1000 coin: skip turn in Worms
  • 2000 coin: only use one type of unit in SC2
  • 2500 coin: only use starting weapons in KF2
  • 2500 coin: skip one entire hole in Golf
  • 5000 coin: reverse keyboard/controller for the round/match


Addresses:

Other ideas:

  • Lottery: Donate coins to a pool as a reward for something (maybe winning Golf after skipping a hole? Most kills in KF2 while only using starting weapons?). Could also dump a bonus from the mining system to someone as well.

Clearing old instance of EuthonisCoin:

  • Make sure the application is closed.
  • Delete the former application and/or the folder containing it.
  • Hit “WIN + R”, or open the start menu, type “run” and press Enter.
  • Enter %APPDATA% and press OK.
  • Delete the folder “EuthonisCoin”.
  • Close the Explorer window and relaunch the application; it should connect once more and update.

COVID-19

Stay home, be safe, use this time to learn how to network and video conference and be sure to check in with loved ones frequently. It’s going to be a wild couple of months. Do your part to help.

2020 BSIDESROC load out!

Welcome to 2020. This year we have BSIDESROC coming up in late March and, with a few of us hoping to compete and learn, I’ve adjusted my hacking kit and tools a little for it.

First things first, the rig: a Dell Precision M4800. This monster is perfect for VMs, compiling code (Arduino much?), and just a general workhorse for travel. The machine has a quad-core i7 (4C/8T) with 16GB of RAM and a 1TB SSD. I have two VMs specifically for this: one with Kali (latest rolling release) and one with ParrotOS, which has grown on me quite a lot with its attractive GUI and driver support, especially for the Alfa chipsets.

For the kit: I’m using a SwissGear low-key airport backpack that allows scanning without removing the laptop. It’s flat black, with no obvious markers or anything that stands out; the grey man approach is key in any place as a hacker/pentester. I’m using an Alfa AWUS036NH 2W Wifi adapter for packet injection and long-range Wifi testing and monitoring. This has proven again and again to offer exceptional range on the 2.4GHz band and has been a go-to for a while now. I also bring an Alfa AC1900 WiFi adapter as a backup if needed, but with the quad-antenna layout it tends to be far from discreet when used in public. Also in the pack are multiple flash drives, a small screwdriver set and my Raspberry Pi loadout.

The Raspberry Pis are going to be a new thing this year. One, a PiratePi, is specifically set up for people to tinker with, upload files onto and just generally sh*tpost on and mess with. This unit is running another Alfa AWUS036NH for a massive upgrade in range; in testing, I could walk several houses away and still connect without issues. I also have something I stumbled on fairly recently: a “pwnagotchi” Pi Zero W unit that collects data on local networks with an AI-driven system. This AI self-learns and adjusts to local networks and is just a wonder to monitor and watch as it works. Both of these, with a battery bank, will be running on a Grid-It organizer.

Once I swap the Pi Zero’s case for one with a proper heatsink, this will easily fit in my pack and can run for over 30 hours at a time.

I absolutely cannot wait for this year and will hopefully be able to compete in the CTF tournament as well. Hopefully more information and photos are coming in the future. Thanks for reading!