Thursday 3 July 2014

Syslog server with Graylog2

Previously I have used various types of syslog server, such as WhatsUpGold, ManageEngine, rsyslog (into text files) and LogAnalyzer. Each of these has its merits; however, I recently stumbled upon Graylog2 and wanted to give it a try.

I have decided to move from RHEL to Debian going forward. There are several reasons for that, but at the end of the day it is just a personal preference. The guide below is therefore Debian based, but it can easily be adapted to any distro.


I installed this on a VM, using 2 vCPU cores and 4GB RAM (3 would suffice), and 50GB HDD (20GB would suffice)...let's begin:

Install packages
apt-get install -y openjdk-7-jre-headless pwgen mongodb vim curl

Configure the database
mongo
   use admin
   db.addUser('admin', '<admin password>')
   db.auth('admin', '<admin password>')
   use graylog2
   db.addUser('grayloguser', '<graylog password>')
   db.auth('grayloguser', '<graylog password>')
   exit


Install and configure ElasticSearch
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.10.deb
dpkg -i elasticsearch-0.90.10.deb
echo 'cluster.name: graylog2' >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart


Install Graylog2 (http://graylog2.org/download)
cd /opt
wget https://github.com/Graylog2/graylog2-server/releases/download/0.20.3/graylog2-server-0.20.3.tgz
tar xvf graylog2-server-0.20.3.tgz
ln -s /opt/graylog2-server-0.20.3 /opt/graylog2-server
cp /opt/graylog2-server/graylog2.conf.example /etc/graylog2.conf


Generate a secret for the config (96 characters)
pwgen -s 96|head -1

Generate the SHA-256 hash of the admin password (p4ssw0rd is the example password used throughout this guide)
echo -n p4ssw0rd | shasum -a 256

Add these to the Graylog2 config file
vim /etc/graylog2.conf

Alternatively use these commands to do it automatically (note -i -e, not -ie: sed reads "-ie" as -i with the backup suffix "e" and leaves a stray graylog2.confe behind)
sed -i -e "s/^password_secret =$/password_secret = `pwgen -s 96|head -1`/g" /etc/graylog2.conf
sed -i -e "s/^root_password_sha2 =$/root_password_sha2 = `echo -n p4ssw0rd|sha256sum|awk '{print $1}'`/g" /etc/graylog2.conf


Create an init script
vim /etc/init.d/graylog2

---Copy below this line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts GrayLog2
# Description: Starts graylog2-server and tracks it through a pid file
### END INIT INFO

NAME=graylog2
GL_HOME=/opt/graylog2-server
GL_PID=/var/run
CMD=$1
start() {
     echo "Starting $NAME ..."
     # -p makes the server write the pid file that stop() reads below
     java -jar $GL_HOME/graylog2-server.jar -p $GL_PID/$NAME.pid &
}
stop() {
     if [ ! -f $GL_PID/$NAME.pid ]; then
          echo "$NAME is not running (no $GL_PID/$NAME.pid)"
          return 1
     fi
     PID=`cat $GL_PID/$NAME.pid`
     echo "Stopping $NAME ($PID) ..."
     kill $PID
}
restart() {
     echo "Restarting graylog2-server ..."
     stop
     start
}
case "$CMD" in
     start)
          start
          ;;
     stop)
          stop
          ;;
     restart)
          restart
          ;;
     *)
          echo "Usage $0 {start|stop|restart}"
          exit 1
          ;;
esac

---End---

chmod 755 /etc/init.d/graylog2
update-rc.d graylog2 defaults
/etc/init.d/graylog2 start


Install Graylog2 web interface
cd /opt
wget https://github.com/Graylog2/graylog2-web-interface/releases/download/0.20.3/graylog2-web-interface-0.20.3.tgz
tar xvf graylog2-web-interface-0.20.3.tgz
ln -s /opt/graylog2-web-interface-0.20.3 /opt/graylog2-web-interface


Enter the secret created previously into the web interface config file (/opt/graylog2-web-interface/conf/graylog2-web-interface.conf) as application.secret; it must be the same value as password_secret in /etc/graylog2.conf.
Alternatively use this command to do it automatically

sed -i -e "s/^application.secret=\"\"/application.secret=\"`grep ^password_secret /etc/graylog2.conf|awk '{print $3}'`\"/g" /opt/graylog2-web-interface/conf/graylog2-web-interface.conf

Configure the REST URI
vim /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
graylog2-server.uris="http://127.0.0.1:12900/"


Or automatically...
sed -i -e "s/^graylog2-server.uris=\"\"/graylog2-server.uris=\"http:\/\/127.0.0.1:12900\/\"/g" /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
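As an added example that is not from the original post, the four config edits above (the two server-side sed lines for password_secret and root_password_sha2, and the two web-interface lines for application.secret and graylog2-server.uris) folded into one script that avoids the -ie pitfall, generates the secret without pwgen, and verifies that both files agree before anything is started. It assumes the 0.20.x key names shown in this guide; the config contents in demo() are constructed stand-ins, not the real example files.

```shell
#!/bin/bash
# Added example (not from the original post): set the Graylog2 0.20.x secrets
# in both config files with one function and verify them before starting.
set -eu

# $1 = graylog2.conf  $2 = graylog2-web-interface.conf
# $3 = admin password $4 = REST URI the web interface should use
configure_graylog2() {
  local server_conf=$1 web_conf=$2 admin_pw=$3 rest_uri=$4 secret pw_hash
  # 96 random alphanumerics, the same shape as `pwgen -s 96|head -1`
  secret=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96)
  # printf '%s' adds no newline, so the hash is of the password alone
  pw_hash=$(printf '%s' "$admin_pw" | sha256sum | awk '{print $1}')
  # -i -e, not -ie: sed reads "-ie" as -i with backup suffix "e" and leaves
  # a stray graylog2.confe beside the real file
  sed -i -e "s|^password_secret =.*|password_secret = $secret|" \
         -e "s|^root_password_sha2 =.*|root_password_sha2 = $pw_hash|" "$server_conf"
  sed -i -e "s|^application.secret=.*|application.secret=\"$secret\"|" \
         -e "s|^graylog2-server.uris=.*|graylog2-server.uris=\"$rest_uri\"|" "$web_conf"
}

# Print the value of key $2 from file $1, for both "k = v" and k="v" styles.
conf_get() {
  sed -n "s/^$2 *= *\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1"
}

# Checks to run before /etc/init.d/graylog2 start: the secret is 96 chars, the
# web interface carries the identical secret, root_password_sha2 is 64 hex
# digits and the REST URI is set. Returns 0 only when all of them hold.
verify_graylog2() {
  local s h w u
  s=$(conf_get "$1" password_secret); h=$(conf_get "$1" root_password_sha2)
  w=$(conf_get "$2" application.secret); u=$(conf_get "$2" graylog2-server.uris)
  [ "${#s}" -eq 96 ] && [ "$s" = "$w" ] && [ -n "$u" ] \
    && printf '%s' "$h" | grep -Eq '^[0-9a-f]{64}$'
}

# End-to-end run on constructed stand-ins for the two config files; prints the
# resulting root_password_sha2 when verification passes, fails otherwise.
demo() {
  local d; d=$(mktemp -d)
  printf 'is_master = true\npassword_secret =\nroot_password_sha2 =\n' >"$d/graylog2.conf"
  printf 'application.secret=""\ngraylog2-server.uris=""\n' >"$d/web.conf"
  configure_graylog2 "$d/graylog2.conf" "$d/web.conf" "$1" "http://127.0.0.1:12900/"
  verify_graylog2 "$d/graylog2.conf" "$d/web.conf" || { rm -rf "$d"; return 1; }
  conf_get "$d/graylog2.conf" root_password_sha2
  rm -rf "$d"
}
```

Run it against the real files with configure_graylog2 /etc/graylog2.conf /opt/graylog2-web-interface/conf/graylog2-web-interface.conf '<admin password>' http://127.0.0.1:12900/ and then verify_graylog2 with the same two paths.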


Create an init script for the web interface
vim /etc/init.d/graylog2-web-interface

---Copy below this line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2-web-interface
# Required-Start: graylog2
# Required-Stop: graylog2
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts graylog2-web-interface
# Description: Starts the Play-based graylog2-web-interface and tracks it through a pid file
### END INIT INFO
NAME=graylog2-web-interface
GL_HOME=/opt/graylog2-web-interface/bin
GL_PID=/var/run
CMD=$1
start() {
     echo "Starting $NAME ..."
     # the Play start script writes RUNNING_PID in its own directory unless
     # told otherwise; point it at the file stop() reads below
     $GL_HOME/graylog2-web-interface -Dpidfile.path=$GL_PID/$NAME.pid &
}
stop() {
     if [ ! -f $GL_PID/$NAME.pid ]; then
          echo "$NAME is not running (no $GL_PID/$NAME.pid)"
          return 1
     fi
     PID=`cat $GL_PID/$NAME.pid`
     echo "Stopping $NAME ($PID) ..."
     kill $PID
}
restart() {
     echo "Restarting $NAME ..."
     stop
     start
}
case "$CMD" in
     start)
          start
          ;;
     stop)
          stop
          ;;
     restart)
          restart
          ;;
     *)
          echo "Usage $0 {start|stop|restart}"
          exit 1
          ;;
esac

---End---

chmod 755 /etc/init.d/graylog2-web-interface
update-rc.d graylog2-web-interface defaults
/etc/init.d/graylog2-web-interface start



Fire up a browser and navigate to your graylog2 installation:
https://ipofserver:9000
Login with the admin account and the p4ssw0rd you created previously.

Configure your devices to send syslogs to this new server, and then instruct graylog2 to listen for the relevant incoming logs via
System > Inputs
Syslog UDP > Launch new input


Personally I use the following settings:
allow_override_date: true
port: 514
bind_address: 0.0.0.0
store_full_message: true
recv_buffer_size: 1048576
force_rdns: true


Finally, and because I only had a handful of devices and couldn't be bothered to create the DNS/rDNS, I simply added the hostnames of the devices to the hosts file to make navigating the logs a little easier.

Enjoy a fast, stable, open-source syslog server!

1 comment:

  1. What a lovely and colourful presentation. Well done to you my friend. Salutes from Afghanistan.
