{"id":21134846,"url":"https://github.com/anonymouswp/grayhive","last_synced_at":"2025-04-13T09:33:07.177Z","repository":{"id":153247958,"uuid":"459639816","full_name":"AnonymousWP/Grayhive","owner":"AnonymousWP","description":"A Proof-of-Concept repository for automating Graylog with Terraform and connecting it with The Hive","archived":false,"fork":false,"pushed_at":"2023-07-08T04:57:10.000Z","size":92,"stargazers_count":1,"open_issues_count":1,"forks_count":3,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-27T01:04:04.280Z","etag":null,"topics":["graylog","python","terraform","thehive"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AnonymousWP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-15T15:35:41.000Z","updated_at":"2024-08-26T17:08:05.000Z","dependencies_parsed_at":"2025-01-21T06:40:30.048Z","dependency_job_id":"82cee38e-1fd3-4eb7-bd53-dde708f0aa23","html_url":"https://github.com/AnonymousWP/Grayhive","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnonymousWP%2FGrayhive","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnonymousWP%2FGrayhive/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnonymousWP%2FGrayhive/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnonymousWP%2FGrayhive/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AnonymousWP","download_url":"https://codeload.github.com/AnonymousWP/Grayhive/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248690942,"owners_count":21146233,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["graylog","python","terraform","thehive"],"created_at":"2024-11-20T06:36:56.092Z","updated_at":"2025-04-13T09:33:07.172Z","avatar_url":"https://github.com/AnonymousWP.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Grayhive\n\nA Proof-of-Concept repository for automating Graylog and connecting it with The Hive. **NOTE:** Some Terraform modules, the Docker Compose file, Python script and this README contain empty strings/values, so make sure to fill them in correctly, according to your own situation/environment. Besides: this repository was initially a Proof-of-Concept, so some features (such as sending an alert to The Hive) are done in a basic way to show its purpose/goal. Feel free to create a PR to improve this.\n\n## Stacks\n\nThis repository makes use of a single Terraform stack, namely:\n\n- [graylog](./terraform/graylog)\n\nHowever, you can apply modules to your own liking instead of having to apply them all.\n\n## Used VM configuration\n\nWe're making use of an Ubuntu Minimal 22.04 instance running on a hypervisor.\n\n| Resources | Values |\n| ------ | ------ |\n| CPUs | 4 |\n| Memory | 8GB |\n| Storage | 12GB |\n\n## Set-up and (post)configuration for Graylog\n\n1. Install updates\n\n    ```shell\n    apt update \u0026\u0026 apt upgrade\n    ```\n\n1. Make sure you've installed a text editor (e.g. Nano or Vim). So for example:\n\n    ```shell\n    apt install nano -y\n    ```\n\n1. Change hostname and hosts (otherwise Graylog may not function properly)\n\n    ```shell\n    nano /etc/hostname\n    nano /etc/hosts\n    ```\n\n    Now reboot to apply the changes.\n\n1. Because it's a bad security practice to execute everything under **root**,\n   we'll create our own user.\n\n    ```shell\n    adduser \u003cuser\u003e\n    ```\n\n1. Assign the username to a shell variable\n\n    ```shell\n    export USER=\"test-user\"\n    ```\n\n1. Make the user a sudoer\n\n    ```shell\n    usermod -aG sudo $USER\n    ```\n\n1. Move the SSH keys from root to the user you just created and change ownership of the files\n\n    ```shell\n    cp -R /root/.ssh/ /home/$USER/\n    chown -R $USER:$USER /home/$USER/.ssh\n    ```\n\n1. Only permit the user you made to log in with SSH and disallow root login over SSH, so edit the SSH daemon configuration:\n\n    ```shell\n    nano /etc/ssh/sshd_config\n    ```\n\n    Change/add the following lines:\n\n    ```shell\n    PermitRootLogin no\n    AllowUsers  test-user\n    ```\n\n    Restart the service so that the changes take effect\n\n    ```shell\n    systemctl restart sshd\n    ```\n\n1. Now switch to the user you just created\n\n    ```shell\n    su \u003cusername\u003e\n    ```\n\n## Docker Compose\n\nIn this repository we already have created a `docker-compose.yml`. See [here](/docker/graylog5.x/docker-compose.yml) or [here](./docker/graylog4.x/docker-compose.yml) in case you didn't create one yet.\n\n**NOTE**: don't forget to change the values in `docker-compose.yml` and its corresponding `.env` file. Click [here](./docker/graylog5.x/.env) or [here](./docker/graylog4.x/.env) for the `.env` file.\n\n1. Verify you have Docker Compose installed\n\n    ```shell\n    sudo docker-compose -v\n    ```\n\n1. If you don't have Docker Compose installed, install it\n\n    \u003chttps://docs.docker.com/compose/install/\u003e\n\n1. Execute the following to start the containers in the background\n\n    ```shell\n    sudo docker-compose up -d\n    ```\n\n    Note: execute this command in the directory where the\n    docker-compose.yml file is located!\n\n1. Create an input to test whether log messages are received\n\n    Navigate to \u003chttp://HOSTNAME:9000/system/inputs\u003e and launch a RAW/Plaintext TCP input with the following values:\n\n    - Enter the desired settings\n    - Click save\n\n1. In case you don’t have netcat installed yet, enter the following command:\n\n    ```shell\n    sudo apt install netcat\n    ```\n\n    We can then send a plaintext message by entering the following command:\n\n    ```shell\n    sudo echo 'First log message' | nc \u003cfully qualified domain name of the machine\u003e 5555\n    ```\n\n1. See if the sent log data is present on the Graylog server\n\n    Go back to \u003chttp://HOSTNAME:9000/system/inputs\u003e and click “Show received messages”.\n\n    The page should look similar to this (and most importantly, contain the log message):\n\n    ![Result](https://user-images.githubusercontent.com/50231698/141489725-450e7992-9b6b-4031-a75a-b5ebd8cec227.png)\n\n### Cleaning up\n\n1. In case you want to start all over again regarding containers (e.g. for testing purposes), you can use [this script](/docker/graylog5.x/clean_start.sh), which stops the containers, then deletes them, including the images, networks and volumes.\n\n## The Hive\n\nThe Python scripts used come from [Recon InfoSec](https://github.com/ReconInfoSec/graylog2thehive). They have also written [a blog](https://blog.reconinfosec.com/integrating-graylog-with-thehive/) about it. Credits to them for making these scripts.\n\n**NOTE:** following/executing the next steps assumes that the Dockerfile is already on the server. It's also recommended to execute the steps as a sudoer.\n\n1. Configure SSL certificate paths in `app.py`, or comment out all context lines if not using SSL\n\n1. Set your values like API key, Hive URL and Graylog URL in [the .env file](./graylog2thehive/.env)\n\n1. **Optional:** in `app/__init__.py`, configure any other IP, hash, URL, or filename fields in place of src_ip and dst_ip to include them as artifacts/observables in your alert\n\n1. Build the image from the [Dockerfile](./graylog2thehive/Dockerfile): `docker build -t graylog2thehive .`\n\n1. The container listens at \u003chttps://0.0.0.0:5000\u003e and accepts POST requests\n\n    - Point your Graylog HTTP Notification to \u003chttps://[YOURSERVER]:5000/create_alert_http\u003e (see `/terraform/the_hive/terraform.tfvars` for the value). You can find the IP-address of your Docker Graylog container by running\n\n    ```shell\n    sudo docker inspect \u003ccontainerID\u003e\n    ```\n\n1. Run the Docker container with the image you just built: `docker run -dp 5000:5000 graylog2thehive`\n\n1. Check whether it runs correctly or not: `docker ps -a`\n\n    - If not, run `docker logs \u003ccontainerID\u003e`\n\n## Terraform modules\n\nThis Proof-of-Concept uses the following Terraform provider: \u003chttps://registry.terraform.io/providers/zahiar/graylog/latest/docs\u003e. In order to execute all modules, do the following:\n\n1. Switch to the corresponding directory to execute the first stack\n\n    ```shell\n    cd terraform/graylog\n    ```\n\n1. To make sure you'll push the correct configuration, check all values and attributes within the modules, such as putting the `web_endpoint_uri` in [graylog.tf](/terraform/graylog/graylog.tf#L11). It should look similar to `http://\u003cdomain-name-or-IP\u003e:9000/api`\n\n1. In the same directory, you have to install the provider, which you can do by running the following\n\n    ```shell\n    terraform init\n    ```\n\n1. Now you have to validate whether the modules are written correctly\n\n    ```shell\n    terraform validate\n    ```\n\n1. In order to see what will be applied once you run `terraform apply`, you have to run the following command:\n\n    ```shell\n    terraform plan\n    ```\n\n1. Last but not least, we're now going to apply the actual modules to the server\n\n    ```shell\n    terraform apply\n    ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonymouswp%2Fgrayhive","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanonymouswp%2Fgrayhive","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanonymouswp%2Fgrayhive/lists"}