Best SIEM Dashboards - Grafana Install and Dashboard Creation

Join me as we continue on to Phase 6 of the World's Best SIEM Stack Series, installing Grafana and building our first SIEM dashboard!

Comments

Your videos are amazing. We would love to see more videos about OpenSearch, like building a SOC stack.

I guess your audience would love a tutorial like that as we don't have it here yet I guess.

dotcaodin

Hi Taylor, thanks for the awesome video. Grafana is much faster since it's written in Go, which is compiled to machine code, the same level as C++ in terms of operation speed.
Products that are also written in Go are Docker and Kubernetes. I personally ditched Kibana because of the speed Grafana has to offer, and the fact that you are not limited to using only ES or OS. BTW, there is a kind of new log indexer from Grafana called Loki which offers a less costly index size and is supposed to be much faster.
Thanks

tbaror

Thank you so much, I learned a lot from your channel!

ak

Thanks so much for this series, especially with the effort of releasing it on a consistent schedule. I know we aren't there yet, but is there any reason why you chose Cassandra as opposed to other DBs like MongoDB for backend storage?

exosfear

Hey thanks for the video.
I can’t get any sysmon event 3 for some reason. Tried different configurations of sysmon. Any ideas?

eliasantoniadis

You will likely get an error regarding gl2 processing due to an incorrect time format within every log that's placed. It'll look something like this:

gl2_processing_error
Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: is malformed at "T16:56:53.307-0400".

Make a new pipeline and use this rule and it'll fix it.

rule "parse custom timestamp"
when
    has_field("timestamp")
then
    // Joda pattern matching the value shape in the error above, e.g. 2023-05-01T16:56:53.307-0400
    let new_date = parse_date(to_string($message.timestamp), "yyyy-MM-dd'T'HH:mm:ss.SSSZ");
    set_field("timestamp", new_date);
end

jimskyboy
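An added example (not from the video or any commenter) showing in Python why a timestamp like the one quoted above fails Graylog's default parser and how to normalise it before ingestion. It assumes Graylog applies the Joda pattern "yyyy-MM-dd HH:mm:ss.SSS" (UTC) to a string "timestamp" field, which is consistent with the "is malformed at "T16:56:53.307-0400"" position in the error.

```python
"""Normalise ISO 8601 timestamps into the form Graylog's default parser accepts.

Assumption: Graylog parses a string "timestamp" field with the Joda pattern
"yyyy-MM-dd HH:mm:ss.SSS" and treats it as UTC. A value such as
"2023-05-01T16:56:53.307-0400" fails at the "T", producing the
gl2_processing_error shown above.
"""
from datetime import datetime, timezone
from typing import Optional
import re

# Joda pattern assumed to be applied by Graylog to a string timestamp field
GRAYLOG_PATTERN = "yyyy-MM-dd HH:mm:ss.SSS"
_GRAYLOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(\.\d{3})?$")
# strptime equivalents of the ISO 8601 shapes seen in Sysmon/Wazuh logs
_ISO_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")


def malformed_at(value: str) -> Optional[str]:
    """Return the suffix Graylog would report as 'malformed at', or None if the
    value already fits GRAYLOG_PATTERN. Like Joda, it stops at the first
    character that does not fit the pattern."""
    if _GRAYLOG_RE.match(value):
        return None
    template = "dddd-dd-dd dd:dd:dd.ddd"  # 'd' stands for any digit
    for i, (got, want) in enumerate(zip(value, template)):
        if (want == "d" and not got.isdigit()) or (want != "d" and got != want):
            return value[i:]
    return value[len(template):]  # prefix fit; the surplus trailing text is the problem


def to_graylog_timestamp(value: str) -> str:
    """Convert an ISO 8601 timestamp with UTC offset to GRAYLOG_PATTERN in UTC.
    Values already in Graylog's format pass through unchanged."""
    if malformed_at(value) is None:
        return value
    for fmt in _ISO_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    utc = parsed.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%d %H:%M:%S.") + f"{utc.microsecond // 1000:03d}"


if __name__ == "__main__":
    sample = "2023-05-01T16:56:53.307-0400"  # constructed, same shape as the error above
    print("malformed at:", malformed_at(sample))
    print("normalised:", to_graylog_timestamp(sample))
```

Running the block prints the same "T16:56:53.307-0400" suffix Graylog reports, followed by the UTC value Graylog will accept without replacing it.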

Hi Taylor,

Firstly, amazing videos.

I can't get the geolocation to work on Geomap. If I use country code - it says "Unable to find location fields" when location mode is set to Auto.

monkinsane

How would you setup agent -> squid proxy -> destination -> port?

dannyvillazon

Hey Taylor, thanks for your videos, they are amazing.
I have a question about Grafana and Graylog configuration.
I'm having an issue in my Grafana saying "Elasticsearch: error Bad Gateway".
I'm using Graylog and Elasticsearch on the same machine and Grafana on another, and I can't connect them.

oolyo

Your videos are amazing. I've followed your steps, and I'm getting a bad gateway in Grafana!!! How can I solve this issue, do I have to change the Wazuh SSL certificates?

hussainblackdrag

Trying to follow along in my lab, how many servers are you using now, 2? 1 for Wazuh-Indexer, Graylog and Grafana, and 1 for Wazuh Manager? I realize there would be separate servers and a cluster for Wazuh-Indexer in a large production environment.

enderst

Hi Taylor, when I load the Sankey panel, it shows an error that p is not a function. How do I fix this?

joelnicholasfrancis

First of all thank you very much! Your videos are very helpful and really amazing!
I need to ask for your help, because I can't find any event ID 3 log in Graylog or in Wazuh discovery.
I can see those logs in Event Viewer and I checked the configuration for groups a few times, checked if Sysmon is installed with the correct config by extracting the config from the test PC with Sysmon64.exe -c and comparing it with the config provided by Olaf, but I still can't find any event ID 3 log in Graylog or in the Wazuh discovery panel.
Can you please point to where I can find the root of the issue, or maybe someone has already faced a similar issue and was able to solve it?
I will be very grateful for any help.

ArmAikido

Help me,
I had problems when installing the Worldmap Panel. I am using Grafana v11. In the Grafana plugin list the Worldmap panel option didn't appear, and finally I installed it using the CLI. I have followed these steps, but when searching for the Worldmap panel I couldn't find it.
Is there a problem with the Grafana version?

harumin

Future person: if you're watching and following along, chances are great that nothing works (there must have been a lot of editing magic by the creator to make everything seem to work). All the time you have spent/will spend on this "demo" is probably better spent with trusted account managers on buying a reliable solution.

JuanDuarte_

We are very interested in Graylog replacing Filebeat and sending data to the Wazuh index, and we are also very happy with the Grafana dashboard. But we also want to keep the Wazuh Kibana view, and we don't know how to generate Wazuh indices (just like wazuh-alerts-4.x-2022.*) from Graylog. I don't know how to make them coexist (Grafana dashboard & Wazuh Kibana dashboard)?

daijahn

How can I make a dashboard with Grafana for shadow server?

Deezeone

Many thanks Taylor, really, I don't know what to say to thank you!
I have this error message after enabling the Geo-Location Processor, I'd appreciate your advice:
gl2_processing_error
Replaced invalid timestamp value in message with current time - Value caused exception: Invalid format: is malformed at "T09:32:13.933-0400"

ahmedmaghraby

Can you share the tutorial commands? Thanks.

mohamedalisahnoun

Terrible time with these Grafana visualizations (Grafana version 10).
*Disclaimer: I stoopit. Worldmap or whatever is gone -- integrated directly into Grafana as Geomap.

I'm still pondering the Sankey. I have the data coming in just fine (verified by clicking the "table view" on). The graph however is blank with an error of "g is not a function". "g is not a function" is apparently a Grafana error that doesn't necessarily reflect anything to do with the actual error (cascading up the error stack and finally, if nothing catches the real error, it spills out as the "g is not a function" error -- at least that's what I gather). It therefore has not been resolved (a GitHub issue lists it and the response was that there's no real data to know where to begin the troubleshooting), and indeed may well be Grafana more than the plugin. That said, maybe you'll get lucky (whoever you are).

Next:
Geomap wouldn't map a location. This is due to it not seeing relevant fields. In Graylog, after discovering one can't use Extractors because Geo Location processor needs the processed stream that has already done the extracting, turns out one needs a lookup table (faster anyway, I think). This link is your friend here:


...I wanted destination mapped, so change that accordingly in the rule if that's your case. When creating the pipeline to use the pipeline rule, easy enough but go to System/Pipelines -> Pipelines and create a new one. Link the Wazuh stream, edit Stage 0 and add the pipeline rule you expertly crafted and save. Done. Then configure Geomap in Grafana to use your query by setting the Data dropbox correctly ("A" is the name of your query likely if you didn't rename it), Location Mode to "Lookup", and then you *should* see your pipeline rule field listed in the "Lookup field" box. Gazetteer = Countries. Styles Size = Count (the metric from the query). Should work (fingers crossed).

fuzzyEuclid