Adding a centralized logging server

Using the Goblin

Getting the Goblin

Download the desired binary:

•    Docker image: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/docker-goblin.tar.gz?job=docker-publish 

•    Linux binary: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/goblin_server?job=exe_linux

•    Windows binary: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/goblin_server.exe?job=exe_win


To import the Docker image, run:
$ docker load -i docker-goblin.tar.gz

On Linux, you will have to mark the file as executable:
$ chmod +x goblin_server

Running the server

Binary

1. Generate a new private key for the server, and save it to the default config file:
$ ./goblin_server keygen --save

2. Open this config file in a text editor. It’s located at “C:\Users\[username]\AppData\Roaming\atakama\server.cfg” on Windows, and “~/.config/atakama/server.cfg” on Linux.

3. Configure an output type. Here’s an example file:

{
        "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
        "output": {
            "json_file": "/tmp/goblin.log"
        }
}


This will write all events in JSON lines format to /tmp/goblin.log.


Here’s an example for Logstash output, where <endpoint> is the endpoint you configured for your HTTP input plugin:

{
    "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
    "output": {
        "logstash_url": "https://<endpoint>"
    }
}



And finally, for an RFC 3164-compatible syslog server:

{
    "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
    "output": {
        "rfc3164_syslog_url": "https://<ip or hostname>[:port]"
    }
}


Note that if unspecified, the port will default to 514.

4. Get your server’s ID. This will be used when connecting an Atakama instance to the server.

$ ./goblin_server get-id

46e9ceacc26ca48ef8ee90d21b24b2f4


   

Save this value somewhere you will be able to reference it later.

5. Start the server:

$ ./goblin_server start

20201118-143434: INFO: __main__ - Loading config from '/home/user/.config/atakama/goblin/server.cfg'
20201118-143434: CRITICAL: __main__ - This server's device id is: 46e9ceacc26ca48ef8ee90d21b24b2f4
20201118-143434: INFO: __main__ - Starting server
20201118-143434: INFO: loggoblin.goblin - workstation relay connect: wss://relay.atakama.com:443
20201118-143435: INFO: loggoblin.goblin - Connected to relay server
20201118-143435: INFO: loggoblin.goblin - Goblin startup complete


To exit, just hit Ctrl-C and the server will shut down cleanly.
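A pre-flight check for server.cfg that can be run before step 5, given here as an added example and not Atakama's own code. Because the file holds the server's private key, it verifies that only the owner can access it, that the JSON carries the keys shown in the example files above, and that a json_file path does not sit in a world-writable directory such as /tmp. The function name check_server_cfg, the accepted key set and the chmod 600 recommendation are assumptions of this example.

```python
import json
import os
import stat
import tempfile

# Output keys shown in the example configs on this page (assumed to be the full set).
KNOWN_OUTPUTS = {"json_file", "logstash_url", "rfc3164_syslog_url"}


def check_server_cfg(path):
    """Return a list of findings for a Goblin server.cfg (empty list = clean)."""
    findings = []
    # The file holds privkey_pem; POSIX mode bits only (on Windows review the ACL instead).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config mode {mode:04o} is open to group/other; use chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except ValueError as exc:
        return findings + [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return findings + ["top level must be a JSON object"]
    if not str(cfg.get("privkey_pem", "")).startswith("-----BEGIN"):
        findings.append("privkey_pem missing or not PEM; run keygen --save")
    output = cfg.get("output")
    if not isinstance(output, dict) or not KNOWN_OUTPUTS & set(output):
        return findings + ["output has none of: " + ", ".join(sorted(KNOWN_OUTPUTS))]
    # Any local user can create files in a world-writable directory, including the log path.
    log_path = output.get("json_file")
    if isinstance(log_path, str):
        parent = os.path.dirname(os.path.abspath(log_path))
        if os.path.isdir(parent) and os.stat(parent).st_mode & stat.S_IWOTH:
            findings.append(f"json_file directory {parent} is world-writable")
    return findings


def demo():
    # Constructed sample config, checked with loose and then tight permissions.
    sample = {"privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
              "output": {"logstash_url": "https://logs.example.invalid"}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.cfg")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = check_server_cfg(path)
        os.chmod(path, 0o600)
        return loose, check_server_cfg(path)
```

Call check_server_cfg with the config path from step 2; an empty list means none of these checks fired.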

