Using the Goblin
Getting the Goblin
Download the desired binary:
• Docker image: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/docker-goblin.tar.gz?job=docker-publish
• Linux binary: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/goblin_server?job=exe_linux
• Windows binary: https://gitlab.com/vidaid/ingestor/-/jobs/artifacts/master/raw/dist/goblin_server.exe?job=exe_win
To import the docker image, run: docker load -i docker-goblin.tar.gz
On Linux, you will have to mark the file as executable: chmod +x goblin_server.
Running the server
Binary
1. Generate a new private key for the server, and save it to the default config file:
$ ./goblin_server keygen --save
2. Open this config file in a text editor. It’s located at “C:\Users\[username]\AppData\Roaming\atakama\server.cfg” on Windows, and “~/.config/atakama/server.cfg” on Linux.
3. Configure an output type. Here’s an example file:
{
  "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
  "output": {
    "json_file": "/tmp/goblin.log"
  }
}
This will write all events in JSON lines format to /tmp/goblin.log.
Here’s an example for Logstash output, where <endpoint> is the endpoint you configured for your HTTP input plugin:
{
  "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
  "output": {
    "logstash_url": "https://<endpoint>"
  }
}
And finally, for an RFC 3164-compatible syslog server:
{
  "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
  "output": {
    "rfc3164_syslog_url": "https://<ip or hostname>[:port]"
  }
}
Note that if unspecified, the port will default to 514.
4. Get your server’s ID. This will be used when connecting an Atakama instance to the server.
$ ./goblin_server get-id
46e9ceacc26ca48ef8ee90d21b24b2f4
Save this value somewhere you will be able to reference it later.
5. Start the server:
$ ./goblin_server start
20201118-143434: INFO: __main__ - Loading config from '/home/user/.config/atakama/goblin/server.cfg'
20201118-143434: CRITICAL: __main__ - This server's device id is: 46e9ceacc26ca48ef8ee90d21b24b2f4
20201118-143434: INFO: __main__ - Starting server
20201118-143434: INFO: loggoblin.goblin - workstation relay connect: wss://relay.atakama.com:443
20201118-143435: INFO: loggoblin.goblin - Connected to relay server
20201118-143435: INFO: loggoblin.goblin - Goblin startup complete
To exit, just hit Ctrl-C and the server will shut down cleanly.
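A pre-start check for the config file from steps 1 to 3, as an added example (not Atakama's code): it flags a server.cfg that other local users can access, a missing key, an unknown output type, or a placeholder left over from the examples above. It assumes the three output keys shown on this page are the only valid ones; check_config and syslog_port are hypothetical helper names.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Output keys from this page's examples; assumed here to be the full set.
KNOWN_OUTPUTS = ("json_file", "logstash_url", "rfc3164_syslog_url")


def syslog_port(url):
    """Effective port of an rfc3164_syslog_url (514 when none is given)."""
    return urlsplit(url).port or 514


def check_config(path):
    """Return a list of problems found in server.cfg; an empty list means OK."""
    problems = []
    # The file stores the server's private key: only the owner should access it.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append(f"mode {mode:04o}: key file open to group/others")
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return problems + ["top level is not a JSON object"]
    pem = str(cfg.get("privkey_pem", "")).strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("privkey_pem missing or not a PEM private key")
    output = cfg.get("output")
    if not isinstance(output, dict) or not output:
        return problems + ["no output type configured"]
    for key, value in output.items():
        if key not in KNOWN_OUTPUTS:
            problems.append(f"unknown output type {key!r}")
        elif "<" in str(value):
            problems.append(f"{key}: placeholder left in {value!r}")
        elif key == "rfc3164_syslog_url":
            try:
                syslog_port(str(value))
            except ValueError:
                problems.append(f"{key}: bad port in {value!r}")
    return problems
```

Call check_config with the path to your server.cfg before running start; on Linux, chmod 600 on the file clears the permission finding.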