Graylog is a popular open source log management platform that can be used to consume Forum Sentry logs sent via Remote Syslog policies. This (free) tool can be useful for:
1. Log aggregation across multiple Sentry instances - search one location for runtime events across any number of Sentry instances.
2. Dashboards for monitoring Sentry policies - status codes, services invoked, auth failures, potential attacks, etc.
3. Generating reports and alerts based on Sentry log messages - parse Audit, System, and Access logs in real time for reporting and alerting through Graylog.
This article includes instructions for importing a sample Graylog Content Pack for Forum Sentry. Please note that this Content Pack is provided as a sample only, to illustrate how this integration can be accomplished. The sample can easily be extended.
It is assumed that Graylog is already installed and configured in the environment. For more information on installing Graylog see:
Forum Systems Support is not able to troubleshoot or assist with the configuration of Graylog. For questions on the Graylog product, please check the Graylog Community.
There are three simple steps to configuring the Forum Sentry / Graylog integration.
I. Import the Sample Content Pack into Graylog
- Download the content_pack.json file attached to this KB article
- In Graylog, navigate to System>>Content Packs
- Choose 'Import Content Pack'
- Browse to the content_pack.json file downloaded in step 1 and upload it
- The API Security category should now be visible; expand it and select 'FS Sentry Content Pack v1.0.1'
- Click the 'Apply Content' button
After the Content Pack is imported, you should verify that the Input, Dashboard, and Stream have all been imported.
II. Configure Forum Sentry Syslog Policies
Create a Remote Syslog policy that aligns with the Graylog TCP syslog input created when importing the Content Pack. The Syslog policy in Sentry should include only one log, the Access log, with all log levels enabled.
Use the parameters shown in the screenshot below, replacing the Server value with the IP of your Graylog server.
III. Test the Configuration
Send runtime traffic through your Forum Sentry instance. Test multiple services, multiple clients, multiple HTTP methods, etc.
Open the FS Sentry Dashboard in Graylog and the various graphs should start showing data.
You should also search the raw syslog data on the Search page. If you go to the SentryAccessLog input under System>>Inputs, there is an option to show all log messages for the input.
When viewing the filtered logs for the Sentry input, there should be Sentry Access Log specific fields on the left that align with the Extractor associated with the TCP Input in the Content Pack. For instance, you can select method, status, SessionID, etc. to enrich the search results pane.
- Create meaningful graphs and tables for your Dashboard
- Create a new Syslog policy for the Sentry System log (be careful about sensitive data being sent); consider using a separate TCP input in Graylog to keep the logs separated for easier searching
- Create a new Syslog policy for the Sentry Audit log
- Create alerts and reports in Graylog based on the Sentry logs
- Update the Syslog inputs for your environment; consider using TLS
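Before pointing a Sentry Remote Syslog policy at the Graylog input (step III) or switching that input to TLS, it helps to see exactly what a newline-delimited syslog record on the wire looks like. The script below is an added example, not part of this KB article or the Content Pack: it builds an RFC 5424 record, sends it over plain TCP or TLS, and includes a throwaway local listener so the framing can be checked offline. The hostname, app name and the Access Log body text are constructed placeholders.

```python
import datetime
import socket
import ssl
import threading

def build_syslog_line(message, app_name="forum-sentry", hostname="sentry-1",
                      facility=1, severity=6):
    """Build one RFC 5424 record, newline-terminated, which is the default
    framing a Graylog 'Syslog TCP' input expects."""
    pri = facility * 8 + severity  # facility 1 (user) + severity 6 (info) -> <14>
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    # PROCID, MSGID and STRUCTURED-DATA are sent as the NILVALUE "-"
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {message}\n"

def send_syslog_tcp(host, port, line, use_tls=False, cafile=None):
    """Send one record over TCP. With use_tls the connection is wrapped in TLS
    and the input's certificate is verified against cafile (or the system store)."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(line.encode("utf-8"))
    return len(line)

def local_roundtrip(line):
    """Stand-in for the Graylog input: a local listener on an ephemeral port
    that returns whatever bytes the sender delivered."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = {}
    def accept():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            received["data"] = data
    t = threading.Thread(target=accept)
    t.start()
    send_syslog_tcp("127.0.0.1", srv.getsockname()[1], line)
    t.join(5)
    srv.close()
    return received.get("data", b"").decode("utf-8")

if __name__ == "__main__":
    # Constructed placeholder body; a real Sentry Access Log record goes here.
    line = build_syslog_line("ACCESS method=GET status=200 SessionID=CONSTRUCTED-1")
    print(local_roundtrip(line), end="")
```

Replace the local round trip with `send_syslog_tcp("<graylog-ip>", 514, line)` (or the port of the SentryAccessLog input) to confirm the message appears under System>>Inputs before enabling the Sentry policy.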
Attached are the latest logging / reporting guides for reference. Linked below is a related KB article.
Best Practices: Important Log Messages