dfir-iris / iris-web

Collaborative Incident Response platform
GNU Lesser General Public License v3.0
1.08k stars 183 forks

Integration with graylog #546

Open Yugnk opened 3 months ago

Yugnk commented 3 months ago

Can I integrate graylog alerts into Iris? Graylog has Custom HTTP Notification, but it asks for API Secret, I was unable to integrate it.

migr19 commented 3 months ago

If you are able to send the alert data in this structure: https://docs.dfir-iris.org/_static/iris_api_reference_v2.0.2.html#tag/Alerts/operation/post-case-add-alert. The API Secret (User API Key) you can find in the user configuration: [image]

Yugnk commented 3 months ago

In the URL I put https:///alerts/add/. For API KEY I added the API key that is in my IRIS profile, but it asks for the API Secret. I don't know if there is another way to configure this notification alert integration, or if someone has already done the configuration.

[image: graylog_http_notification]

migr19 commented 3 months ago

Have you tried adding 1111 for API Secret? You can check how the web request is built if you send it to a dummy web server which logs every request, and check whether everything is in the right format (headers and POST payload).

jrunu commented 3 months ago

API Key and API Secret are optional fields. You can leave them empty. Add "Authorization: Bearer $token " in the Headers field, replacing $token with the value of the API token for the user you want to use.

gbyx3 commented 3 months ago

> API Key and API Secret are optional fields. You can leave them empty. Add "Authorization: Bearer $token " in the Headers field, replacing $token with the value of the API token for the user you want to use.

This is what I did as well, worked like a charm.

SysAdminSmith commented 1 month ago

> > API Key and API Secret are optional fields. You can leave them empty. Add "Authorization: Bearer $token " in the Headers field, replacing $token with the value of the API token for the user you want to use.
> >
> This is what I did as well, worked like a charm.

Are you utilizing https? I am using https with a self-signed cert with DFIR-IRIS (provided by a Windows CA) and can't get Graylog to trust it (despite it being the same CA that signed Graylog's certs).

gbyx3 commented 3 weeks ago

> > > API Key and API Secret are optional fields. You can leave them empty. Add "Authorization: Bearer $token " in the Headers field, replacing $token with the value of the API token for the user you want to use.
> > >
> > This is what I did as well, worked like a charm.
> >
> Are you utilizing https? I am using https with a self-signed cert with DFIR-IRIS (provided by a Windows CA) and can't get Graylog to trust it (despite it being the same CA that signed Graylog's certs).

Yes https, but not a self-signed certificate.
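The thread settles on three practical points: send the alert body in the structure of the IRIS alert-add API with an `Authorization: Bearer <token>` header (jrunu), point the notification at a dummy web server first to see exactly what Graylog sends (migr19), and get Graylog to trust the CA that signed the IRIS certificate rather than fighting TLS errors (SysAdminSmith). The script below is an added example and is not code from the issue thread, from iris-web or from Graylog. It assumes the alert field names (`alert_title`, `alert_severity_id`, `alert_status_id`, `alert_customer_id`, and so on) as they appear in the v2 API reference linked above, so verify them against your IRIS version; hostnames, ports, the token and the sample alert are constructed placeholders. It runs a local capture endpoint that logs each request and reports whether the Bearer header, the content type and the expected fields are present, and `send_alert` shows the client side with an explicit CA bundle instead of disabled verification.

```python
"""Added example, not part of the issue thread or the iris-web project:
a capture endpoint plus a client for checking a Graylog -> IRIS alert
webhook before pointing Graylog at the real /alerts/add/ URL.
Field names are assumed from the IRIS v2 alert-add API reference;
hosts, ports, tokens and sample values are constructed placeholders.
"""
import json
import ssl
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fields the alert-add endpoint is assumed to require (check the reference).
REQUIRED_FIELDS = ("alert_title", "alert_severity_id", "alert_status_id", "alert_customer_id")


def build_iris_alert(title, description, source, severity_id, status_id, customer_id, tags=""):
    """Build the JSON body the Graylog HTTP notification should post."""
    return {
        "alert_title": title,
        "alert_description": description,
        "alert_source": source,
        "alert_severity_id": severity_id,
        "alert_status_id": status_id,
        "alert_customer_id": customer_id,
        "alert_tags": tags,
    }


def check_request(headers, body):
    """Return a list of problems in a captured request (empty list = well-formed).

    Implements the manual check suggested in the thread: Bearer header present,
    JSON content type, body parses, and the expected IRIS fields are there.
    Header names are compared case-insensitively.
    """
    problems = []
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if not token:
        problems.append("missing or malformed 'Authorization: Bearer <token>' header")
    if "application/json" not in h.get("content-type", ""):
        problems.append("Content-Type is not application/json")
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return problems + ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return problems + ["JSON body is not an object"]
    for field in REQUIRED_FIELDS:
        if field not in payload:
            problems.append(f"missing field {field}")
    return problems


class CaptureHandler(BaseHTTPRequestHandler):
    """Dummy endpoint: records every POST (path, headers, body, problems) and answers 200."""
    captured = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        record = {"path": self.path, "headers": dict(self.headers.items()), "body": body,
                  "problems": check_request(self.headers, body)}
        CaptureHandler.captured.append(record)
        print(json.dumps(record, indent=2))  # this is the "log every request" part
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"status": "captured"}')

    def log_message(self, fmt, *args):  # keep stdout for the JSON dump above
        pass


def run_capture_server(port=8081):
    """Start the capture endpoint on 127.0.0.1 in a background thread."""
    server = HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_alert(url, token, payload, ca_file=None):
    """POST an alert the way the Graylog notification is expected to.

    ca_file: PEM bundle of the internal CA that signed the IRIS certificate.
    Trusting that CA explicitly is the fix for the TLS problem in the thread;
    do not turn verification off instead.
    """
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    server = run_capture_server(8081)
    alert = build_iris_alert("Graylog: SSH brute-force threshold hit", "10 failed logins in 60s",
                             "graylog", severity_id=4, status_id=1, customer_id=1, tags="graylog,ssh")
    status, reply = send_alert("http://127.0.0.1:8081/alerts/add/", "REPLACE_WITH_USER_API_KEY", alert)
    print(status, reply, "problems:", CaptureHandler.captured[-1]["problems"])
    server.shutdown()
```

To use it against Graylog, run the script's capture server (or just `run_capture_server`) on a host Graylog can reach, set the notification URL to `http://<that-host>:8081/alerts/add/`, fire a test notification, and read the printed record: an empty `problems` list means the header and body are in the shape the thread describes, and anything else names what to fix in the Headers field or the body template before switching the URL to the real IRIS instance.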