Logging changes: new hdd, removed ideapad instance, graylog

2025-04-15 11:50:46 -07:00 · 2025-04-15 11:50:46 -07:00 · 8125fe2bd2
commit 8125fe2bd2
parent 575ced3c41
3 changed files with 18 additions and 7 deletions
--- a/config/assets/suricata.yaml
+++ b/config/assets/suricata.yaml
@ -31,7 +31,7 @@ vars:
    TEREDO_PORTS: 3544
    SIP_PORTS: "[5060, 5061]"

-default-log-dir: /home/logging/logs
+default-log-dir: /mnt/logs/suricata
 classification-file: /etc/suricata/classification.config
 reference-config-file: /etc/suricata/reference.config
 default-rule-path: /etc/suricata/rules
@ -58,12 +58,14 @@ outputs:
  - eve-log:
      enabled: yes
      filetype: regular
-      filename: eve.json
+      filename: eve-%Y-%m-%d.json
+      rotate-interval: day
      types:
        - alert:
            tagged-packets: yes
        - http:
            extended: yes
+            dump-all-headers: both
        - http2
        - dns:
            enabled: yes
@ -94,7 +96,7 @@ outputs:
        - smtp

  - pcap-log:
-      enabled: yes
+      enabled: no
      filename: log.pcap
      limit: 1gb
      max-files: 200
--- a/config/logging.nix
+++ b/config/logging.nix
@ -99,10 +99,6 @@
            targets = [ "192.168.100.12" ];
            labels.instance = "r730xd-idrac";
          }
-          {
-            targets = [ "192.168.100.20" ];
-            labels.instance = "ideapad";
-          }
          {
            targets = [ "192.168.100.21" ];
            labels.instance = "r330-proxmox";
@ -189,12 +185,20 @@
    ];
  };

+  services = {
+    graylog.enable = true;
+    mongodb.enable = true;
+    opensearch.enable = true;
+  };
+
+
  systemd.services.suricata = {
    description = "Suricata IDS/IPS";
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      type = "simple";
      User = "logging";
+      ExecStartPre = "/run/current-system/sw/bin/ip link set enp6s19 up";
      ExecStart = "${pkgs.suricata}/bin/suricata -c /etc/suricata.yaml -i enp6s19";
      Restart = "on-failure";
      CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
--- a/hardware/logging.nix
+++ b/hardware/logging.nix
@ -24,6 +24,11 @@
      options = [ "fmask=0022" "dmask=0022" ];
    };

+  fileSystems."/mnt/logs" = {
+    device = "/dev/disk/by-uuid/08247ec2-8e83-4bb0-b9fe-9e2a7ce3fe6c";
+    fsType = "ext4";
+  };
+
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking