Edgerouter X DIY DPI with Graylog

Optional: set up an Ubuntu VM in Proxmox

https://gist.github.com/adiberr/1d9e3b2551bd8eae11c8bda809c7d183

Install Docker and Docker Compose

# Remove any distro-packaged Docker bits that would conflict with Docker's own packages
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources (signed-by pins the key, so apt only trusts packages signed by Docker for this repo):
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Let your user talk to the daemon without sudo: add the group first, then open a shell with
# the new group active (running newgrp before usermod does nothing, and "sudo newgrp" opens a
# shell for root, not for you). Membership of the docker group is equivalent to root on this
# host, so only grant it to the account you administer from.
sudo usermod -aG docker $USER
newgrp docker
groups

Start Graylog

# Timezone the author uses; set your own so Graylog timestamps line up with the router's clock
sudo timedatectl set-timezone Africa/Casablanca
sudo apt-get install git
cd ~
git clone https://github.com/lawrencesystems/graylog.git
cd graylog
# Graylog's GRAYLOG_ROOT_PASSWORD_SHA2 is the plain SHA-256 hex digest of the admin password.
# The -n matters: without it you hash "password\n" and the admin login fails. Put the digest
# in the compose configuration before starting, and remember the plaintext is now in your
# shell history.
echo -n YourPrivateSecurePassword | shasum -a 256
docker compose up -d
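The hashing step above is easy to get subtly wrong. The following is an added example, not part of the gist or of the Lawrence Systems repository: it computes the admin digest and a random GRAYLOG_PASSWORD_SECRET (the second value Graylog's Docker setup expects), reads the password from the terminal so it never lands in shell history, and keeps a deliberately wrong variant next to the right one so the effect of the trailing newline is visible. It assumes sha256sum (coreutils) and /dev/urandom, both present on any Ubuntu image.

```shell
#!/bin/sh
# Added example, not from the gist: produce the two secrets Graylog's compose
# setup expects (GRAYLOG_ROOT_PASSWORD_SHA2 and GRAYLOG_PASSWORD_SECRET) and
# show why the -n in the gist's shasum line is not optional.

# Graylog stores the admin password as a plain SHA-256 hex digest. printf
# never appends a newline, unlike echo on some shells, and sha256sum ships in
# coreutils on every Ubuntu image.
graylog_root_sha2() {  # usage: graylog_root_sha2 PASSWORD
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# The mistake the -n guards against: hashing "password\n". Kept only to make
# the difference visible; an admin login checked against this digest fails.
sha2_with_trailing_newline() {  # usage: sha2_with_trailing_newline PASSWORD
  printf '%s\n' "$1" | sha256sum | cut -d' ' -f1
}

# GRAYLOG_PASSWORD_SECRET seeds Graylog's own secret storage; it only has to
# be random and at least 16 characters. 48 random bytes as 96 hex characters.
graylog_password_secret() {
  head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Interactive use: read the password without echo so it never sits in
# ~/.bash_history or in "ps" output the way a command-line argument does.
if [ -t 0 ]; then
  printf 'Graylog admin password: '
  stty -echo
  read -r pw
  stty echo
  printf '\n'
  echo "GRAYLOG_ROOT_PASSWORD_SHA2=$(graylog_root_sha2 "$pw")"
  echo "GRAYLOG_PASSWORD_SECRET=$(graylog_password_secret)"
fi
```

Paste the two printed lines into the compose environment, then run docker compose up -d as above. If a login later fails with a digest you are sure of, compare it against sha2_with_trailing_newline: a match means the hash was generated from an echo that appended a newline.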

Setup Syslog UDP Input

Configure Edgerouter X to send logs
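Before pointing the router at the new input, it is worth confirming that the Syslog UDP input accepts a message and that the extractors produce the edgeos_* fields the pipeline rule depends on. The script below is an added example, not from the gist, the Lawrence Systems material or the mikeder extractors: it builds a constructed EdgeOS-style firewall log line (documentation addresses, netfilter "[ruleset-rule-action]" prefix as EdgeOS logs it), pulls out the same fields the extractors are expected to yield so you can compare against what Graylog shows, flags sources for which a GeoIP lookup can return nothing, and can replay the line to the input. The input port (1514) and Graylog host are assumptions; the send helper needs bash for /dev/udp, the rest is POSIX sh.

```shell
#!/bin/sh
# Added example, not from the gist: check the Graylog Syslog UDP input and the
# edgeos_* field extraction with a known-good message before configuring the
# router, and show which sources are worth a GeoIP lookup at all.

# Constructed sample in the shape of an EdgeOS firewall log line as rsyslog
# forwards it: <PRI> prefix, then the kernel netfilter record whose bracketed
# prefix is "[<ruleset>-<rule>-<action>]". Addresses are documentation ranges.
SAMPLE_LINE='<4>Aug 13 01:29:00 ubnt kernel: [WAN_IN-default-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Pull one KEY=value pair out of the netfilter record. The leading [^A-Za-z_]
# stops "IN=" from matching inside "WAN_IN" and "PT=" inside "SPT=".
edgeos_field() {  # usage: edgeos_field KEY "line"
  printf '%s\n' "$2" | sed -n -E "s/.*[^A-Za-z_]$1=([^[:space:]]*).*/\1/p"
}

# Ruleset, rule and action from the bracketed prefix, e.g. "WAN_IN default D".
edgeos_rule() {  # usage: edgeos_rule "line"
  printf '%s\n' "$1" | sed -n -E 's/.*\[([A-Za-z0-9_]+)-([A-Za-z0-9_]+)-([ADR])\].*/\1 \2 \3/p'
}

# RFC 1918, loopback and link-local sources have no entry in the MaxMind
# database, so the pipeline rule gets nothing back for them. Knowing this up
# front saves time when the map widget stays empty for LAN-originated drops.
is_private_ipv4() {  # usage: is_private_ipv4 ADDRESS ; true if not routable
  case "$1" in
    10.*|127.*|169.254.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Replay a line to the input. Needs bash for /dev/udp; host and port are
# assumptions (the gist does not state which port its Syslog UDP input uses).
send_syslog_udp() {  # usage: send_syslog_udp HOST PORT "line"
  printf '%s\n' "$3" > "/dev/udp/$1/$2"
}

# The values the extractors should produce for the sample, to compare with
# the fields on the message in Graylog's search view.
summarize_line() {  # usage: summarize_line "line"
  for key in IN SRC DST PROTO SPT DPT; do
    printf '%s=%s\n' "$key" "$(edgeos_field "$key" "$1")"
  done
  printf 'RULE=%s\n' "$(edgeos_rule "$1")"
}

summarize_line "$SAMPLE_LINE"
src=$(edgeos_field SRC "$SAMPLE_LINE")
if is_private_ipv4 "$src"; then
  echo "GEOIP=skip ($src is not routable)"
else
  echo "GEOIP=lookup $src"
fi
# To exercise the input itself, uncomment with your Graylog host and port:
# send_syslog_udp 192.0.2.10 1514 "$SAMPLE_LINE"
```

Run it once with the send line enabled, then search Graylog for the message and check that the edgeos_* fields match the printed values; if they do not, the extractors (not the router or the input) are what to look at. Once the router is sending real traffic, expect the same private-address gap in the GeoIP fields for anything hitting the LAN or LOCAL rulesets.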

GeoIP Lookup

Download the MaxMind City database. Graylog's MaxMind data adapter reads the binary .mmdb format, so fetch the GeoIP2-City edition as a tarball (the original command pointed at the GeoIP2-City-CSV edition, which the adapter cannot load; the free GeoLite2-City edition works the same way with GeoLite2-City in the URL):

curl -O -J -L -u YOUR_ACCOUNT_ID:YOUR_LICENSE_KEY 'https://download.maxmind.com/geoip/databases/GeoIP2-City/download?suffix=tar.gz'

Replace YOUR_ACCOUNT_ID and YOUR_LICENSE_KEY with your own values from dev.maxmind.com. Passing the license key on the command line leaves it in shell history and visible in the process list; putting it in ~/.netrc (a line of the form machine download.maxmind.com login YOUR_ACCOUNT_ID password YOUR_LICENSE_KEY, file mode 0600) and calling curl with -n avoids that. Extract the tarball, copy the .mmdb file to a path the Graylog container can read, and point the data adapter at it.

Port Lookup

IP Lookup

Pipeline Configuration

Processor order and rule creation

Under System > Configurations > Message Processors, the Pipeline Processor must run after the Message Filter Chain: the edgeos_* fields the rule tests for are created by the extractors, which run in the filter chain, so a pipeline that runs first never sees them and the rule silently matches nothing. Create the rule below, then attach it to a pipeline stage connected to the stream that carries the Edgerouter messages.

rule "GeoIP Lookup Rule"
when
  // edgeos_ipv4_src comes from the extractors; messages without it are skipped
  has_field("edgeos_ipv4_src")
then
  // "geoip-lookup" must match the name of the lookup table that fronts the MaxMind data adapter
  let geo = lookup("geoip-lookup", to_string($message."edgeos_ipv4_src"));
  // private (RFC 1918) sources return an empty result, so these fields stay unset for LAN traffic
  set_field("src_ip_geolocation", geo["coordinates"]);
  set_field("src_ip_geo_country_code", geo["country"].iso_code);
  set_field("src_ip_geo_country_name", geo["country"].names.en);
  set_field("src_ip_geo_city_name", geo["city"].names.en);
end

Dashboard Example


Resources: Lawrence Systems, Docker docs, mikeder/edgerouter-graylog-extractors, dev.maxmind.com, graylog.org
