DefCon 28 — Opening Day
Gary here.
Blue Team Village, it’s me, Gary. I stole the car and drove to Vegas to surprise everyone.
Guess what? You’re not here. Thanks for letting me know the conference is virtual this year.
You’re off the hook, though, because I also stole Lennart’s Amex. I used it to get myself a suite at Caesar’s Palace with high-speed internet. I had breakfast and a nap and still got online by 9:02.
Guys, you need a new playlist. Say the word and I’ll share my kitten-party mix on Spotify.
Opening Day Highlights
Opening day was filled with excellent demonstrations of all the tools useful for OpenSOC. I started the day with Graylog: An Introduction Into OpenSOC CTF Tools. Okay, might be a little bit biased, but Lennart’s dive into Graylog (the Dashboard came to me in a dream BTW) was great. 1000+ people on that stream.
Def Con Opening Day Questions
A lot of follow up questions on the Graylog Channel. I’ve posted a few highlights below and added my own commentary (“From Gary” in parenthesis) when there is something to add to the answer. (Note the questions are copied from the channel with no editing.)
Q: can graylog send sms/email/phone notifications for alerts?
A: yes
(From Gary: Here’s an introduction to alerts, and if you don’t like to read, check out this video.)
Q: How does the log aggregation actually work with graylog? Loki for example uses promtail to push the logs to the server – does graylog have a push or pull-approach here?
A: _lennart
@n3tb4dg3r both! you can send it messages with collectors or directly from syslog deaemons or network appliances but it can also collect metrics from certain sources directly
(From Gary: Here’s a bit more detail on Graylog log aggregators.)
Q: @_lennart is there an integration of Graylog with TheHive Project? It’s an integration I was looking forward to try in the near future”
A: @Kerub You can learn how to integrate Graylog with @TheHive_Project in this blog from @Recon_Infosec @shortxstack https://blog.reconinfosec.com/integrating-graylog-with-thehive/
Q: @_lennart Are there any big differences I’d notice moving from open source to free Enterprise? I’ve been running an instance that only ingests a few MB/day.
A:@iSpotix Yes, lots of extra features in the Enterprise version. Here is a feature by feature comparison of open source v/s enterprise – https://www.graylog.org/products/open-source-vs-enterprise
Q: Is Graylog going to migrate to ElasticSearch 7? Because ElasticSearch 6 ends it support on Nov 2020, when ElasticSearch 8 is going to be out
A: You heard it here. Graylog v4.0, releasing in late September / early October, will support Elasticsearch 7.
Caption the photo.
Here’s my first entry. Keep those captions coming even though I’ll probably win.
It’s a Wrap Until Tomorrow
Before I open the Miller Lite…
Someone said this year is all about “the new hacked normal.” Looks like it.
Don’t forget a wise person once said, “Time spent with cats is never wasted.” Drop in the Graylog channel. You might even find me there. But now, I need another nap.
See you Friday!
PS: Graylog is hiring! Looking for Senior Cloud Engineers and a Senior Customer Support Engineer. Remote positions in the US & Germany. More info here: https://www.graylog.org/careers
Special preference if you have a cat… JK.
About the Author
Gary is a cat, which considering you’re reading this on the Graylog blog, makes complete sense. Gary is best known for dreaming up cool new features for Graylog while resting on Lennart Koopmann’s lap. He’s also known for sunbathing, bird watching, and swatting at the occasional piece of string. Gary enjoys napping, as should all right-thinking people. He’s agreed to stay mostly awake during Defcon 28 to write daily reports about the conference.
