A Powershell Module for Graylog3 generated from it's swagger api data.
PoC-stage so a lot is going to change! Also a majority of the cmdlets is untested so take that into consideration. But everything I've tried so far has worked.
Also, the code is not cleaned up yet and so far it's just a PoC.
But there's a lot of content already in the docs!
Wanted to learn how to generate functions with Powershell code for another future project.
Invoke-RestMethod https://github.com/AlexAsplund/PSGraylog/releases/download/0.0.3/PSGraylog-0.0.3.zip -OutFile .\PSGraylog-0.0.3.zip
Expand-Archive -Path .\PSGraylog-0.0.3.zip -DestinationPath <your module dir>
Easiest way is to use Set-GLApiConfig
and your regular graylog credentials. This will set the global variables GLApiUrl
and GLCredential
$MyCreds = Get-Credential
# Set global variables
Set-GLApiConfig -ApiUrl 'https://graylog.contoso.com/api' -Credential $MyCreds
You can also use a token:
# This creates a credential object with "abcdefgh12345" as username and "token" as password.
$TokenCredential = Convert-GlTokenToCredential -Token abcdefgh12345
# Set global variables
Set-GLApiConfig -ApiUrl 'https://graylog.contoso.com/api' -Credential $TokenCredential
Some rudimentary documentation is included in most cmdlets: Get-Help Get-GLCluster
All the Get-GL*
-commands are pretty straight forward. And if parameters are needed they're pretty self explaining.
On my todo-list is to use the type information and such from the swagger data and refine it even more.
Remember that this by default only returns the first 150 messages. So here we're going to fetch the first 2000 from the last hour (3600s)
$Result = Find-GLSearchRelativeSearchRelative -Query "winlogbeat_winlog_event_data_TargetUserName:waldo" -Range 3600 -Limit 2000
$Result.messages
The Body parameter must be a [PSCustomObject]
Right now the documentation on how to structure the body-object is available in your api-docs (http://your-graylog/api/api-docs)
First of, we need to get the StreamId
and ConditionId
(done quickly using Get-GLAlertConditionsAll
)
$StreamId = "0000000000000001"
$ConditionId = "4cb87ce0-eaba-4b3f-ada4-a7610c4be28f"
# Object to update the AlertCondition with
$UpdateObject = [PSCustomObject]@{
title = 'My Test Condition'
type = 'messagecount'
parameters = [PSCustomObject]@{
query = "winlogbeat_winlog_event_data_SubjectUserName:hacker"
}
}
# Update the AlertCondition
Update-GLStreamAlertConditions -StreamId $StreamId -ConditionId $ConditionId -Body $UpdateObject
# *Returns the AlertConditionObject*
This should be pretty universal for all Update/Set/New commands with the body parameter.
A Powershell module to interact with Graylog
Install-Module psake,pester,platyps
Author: Alex Asplund https://automativity.com