Monday, 8 September 2014
Thursday, 3 July 2014
Syslog server with Graylog2
Previously I have used various types of syslog server, such as WhatsUpGold, ManageEngine, rSyslog (into text files) and LogAnalyzer. Each of these had its merits; however, I recently stumbled upon Graylog2 and wanted to give it a try.
I have decided to move from RHEL to Debian moving forward; there are several reasons for that, but at the end of the day it is just a personal preference. Therefore the guide below is Debian based, but it can easily be adapted to any distro.
I installed this on a VM, using 2 vCPU cores and 4GB RAM (3 would suffice), and 50GB HDD (20GB would suffice)...let's begin:
Install packages
apt-get install -y openjdk-7-jre-headless pwgen mongodb vim curl
Configure the database
mongo
use admin
db.addUser('admin', '<admin password>')
db.auth('admin', '<admin password>')
use graylog2
db.addUser('grayloguser', '<graylog password>')
db.auth('grayloguser', '<graylog password>')
exit
Install and configure ElasticSearch
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.10.deb
dpkg -i elasticsearch-0.90.10.deb
echo 'cluster.name: graylog2' >> /etc/elasticsearch/elasticsearch.yml
/etc/init.d/elasticsearch restart
Install Graylog2 (http://graylog2.org/download)
cd /opt
wget https://github.com/Graylog2/graylog2-server/releases/download/0.20.3/graylog2-server-0.20.3.tgz
tar xvf graylog2-server-0.20.3.tgz
ln -s /opt/graylog2-server-0.20.3 /opt/graylog2-server
cp /opt/graylog2-server/graylog2.conf.example /etc/graylog2.conf
Generate a secret for the config (96 char)
pwgen -s 96|head -1
Generate a password for the admin user
echo -n p4ssw0rd | shasum -a 256
Add these to the Graylog2 config file
vim /etc/graylog2.conf
Alternatively use these commands to do it automatically
sed -i "s/^password_secret =$/password_secret = `pwgen -s 96|head -1`/g" /etc/graylog2.conf
sed -i "s/^root_password_sha2 =$/root_password_sha2 = `echo -n p4ssw0rd|sha256sum|awk '{print $1}'`/g" /etc/graylog2.conf
Create an init script
vim /etc/init.d/graylog2
---Copy below this line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts GrayLog2
# Description: Starts GrayLog2 using start-stop-daemon
### END INIT INFO
NAME=graylog2
GL_HOME=/opt/graylog2-server
GL_PID=/var/run
CMD=$1
RETVAL=0
start() {
    echo "Starting $NAME ..."
    # start-stop-daemon backgrounds the JVM and writes its PID so stop() can find it
    start-stop-daemon --start --background --make-pidfile --pidfile "$GL_PID/$NAME.pid" \
        --exec /usr/bin/java -- -jar "$GL_HOME/graylog2-server.jar"
}
stop() {
    echo "Stopping $NAME ($(cat "$GL_PID/$NAME.pid" 2>/dev/null)) ..."
    # send TERM, wait up to 10 seconds, then KILL if the JVM is still running
    start-stop-daemon --stop --retry TERM/10/KILL/5 --pidfile "$GL_PID/$NAME.pid"
    rm -f "$GL_PID/$NAME.pid"
}
restart() {
    echo "Restarting graylog2-server ..."
    stop
    start
}
case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo "Usage $0 {start|stop|restart}"
        RETVAL=1
        ;;
esac
exit $RETVAL
---End---
chmod 755 /etc/init.d/graylog2
update-rc.d graylog2 defaults
/etc/init.d/graylog2 start
Install Graylog2 web interface
cd /opt
wget https://github.com/Graylog2/graylog2-web-interface/releases/download/0.20.3/graylog2-web-interface-0.20.3.tgz
tar xvf graylog2-web-interface-0.20.3.tgz
ln -s /opt/graylog2-web-interface-0.20.3 /opt/graylog2-web-interface
Enter the secret created previously into the config file (/opt/graylog2-web-interface/conf/graylog2-web-interface.conf)
Alternatively use this command to do it automatically
sed -i "s/^application.secret=\"\"/application.secret=\"`grep ^password_secret /etc/graylog2.conf|awk '{print $3}'`\"/g" /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
Configure the REST URI
vim /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
graylog2-server.uris="http://127.0.0.1:12900/"
Or automatically...
sed -i "s/^graylog2-server.uris=\"\"/graylog2-server.uris=\"http:\/\/127.0.0.1:12900\/\"/g" /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
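The two sed one-liners above (for /etc/graylog2.conf and for the web interface config) work, but they silently do nothing if the key line does not look exactly like the pattern, and nothing checks that the secret actually landed in both files. The script below is an added example, not part of the original post or of Graylog2 itself: it generates the secret and password hash the same way as above, writes them with sed, copies the secret into the web interface config, and then reads the values back to verify them. It assumes GNU coreutils (sha256sum, tr, head), and that the config files already contain the `password_secret =`, `root_password_sha2 =` and `application.secret=""` lines as the shipped examples do.

```shell
#!/bin/sh
# Added example (not the original post's or Graylog2's own code): fill in and
# verify the secrets in the Graylog2 server and web interface configs.
# Assumes GNU coreutils and the stock example config layout.

# Print a 96-character alphanumeric secret drawn from /dev/urandom
# (a pwgen-free equivalent of "pwgen -s 96|head -1").
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
    echo
}

# Print the hex SHA-256 of the password given as $1. printf '%s' hashes the
# password without a trailing newline, matching "echo -n p4ssw0rd | sha256sum".
hash_password() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Replace the value of key $2 in file $1 with $3. "|" is used as the sed
# delimiter so a value containing "/" cannot break the expression; the
# generated secret and the hex hash never contain "|".
set_config_value() {
    sed -i "s|^$2 *=.*|$2 = $3|" "$1"
}

# Print the current value of key $2 in file $1 (empty if the key is unset).
get_config_value() {
    sed -n "s/^$2 *= *//p" "$1"
}

# Copy password_secret from the server config $1 into application.secret
# of the web interface config $2, which uses the key="value" syntax.
sync_web_secret() {
    secret=$(get_config_value "$1" password_secret)
    [ -n "$secret" ] || return 1
    sed -i "s|^application.secret=.*|application.secret=\"$secret\"|" "$2"
}

# Configure server config $1 with a fresh secret and the hash of password $2,
# then read both values back and fail (non-zero) if either is missing or wrong.
configure_graylog2() {
    cfg=$1; pw=$2
    set_config_value "$cfg" password_secret "$(gen_secret)"
    set_config_value "$cfg" root_password_sha2 "$(hash_password "$pw")"
    secret=$(get_config_value "$cfg" password_secret)
    [ "${#secret}" -eq 96 ] || return 1
    [ "$(get_config_value "$cfg" root_password_sha2)" = "$(hash_password "$pw")" ] || return 1
}

# Usage on a real install (paths from the post):
#   configure_graylog2 /etc/graylog2.conf 'p4ssw0rd' \
#     && sync_web_secret /etc/graylog2.conf /opt/graylog2-web-interface/conf/graylog2-web-interface.conf
```

The read-back check is the part worth keeping: an empty `password_secret` or `root_password_sha2` is exactly the kind of misconfiguration that only shows up as a confusing login failure later, so fail the script at install time instead.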
Create an init script
vim /etc/init.d/graylog2-web-interface
---Copy below line---
#!/bin/bash
### BEGIN INIT INFO
# Provides: graylog2-web-interface
# Required-Start: $graylog2
# Required-Stop: $graylog2
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Starts graylog2-web-interface
# Description: Starts graylog2-web-interface using start-stop-daemon
### END INIT INFO
NAME=graylog2-web-interface
GL_HOME=/opt/graylog2-web-interface/bin
GL_PID=/var/run
CMD=$1
RETVAL=0
start() {
    echo "Starting $NAME ..."
    # the launcher is a shell script, so --startas is used instead of --exec;
    # start-stop-daemon backgrounds it and records the PID for stop()
    start-stop-daemon --start --background --make-pidfile --pidfile "$GL_PID/$NAME.pid" \
        --startas "$GL_HOME/graylog2-web-interface"
}
stop() {
    echo "Stopping $NAME ($(cat "$GL_PID/$NAME.pid" 2>/dev/null)) ..."
    # send TERM, wait up to 10 seconds, then KILL if it is still running
    start-stop-daemon --stop --retry TERM/10/KILL/5 --pidfile "$GL_PID/$NAME.pid"
    rm -f "$GL_PID/$NAME.pid"
}
restart() {
    echo "Restarting $NAME ..."
    stop
    start
}
case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo "Usage $0 {start|stop|restart}"
        RETVAL=1
        ;;
esac
exit $RETVAL
---End---
chmod 755 /etc/init.d/graylog2-web-interface
update-rc.d graylog2-web-interface defaults
/etc/init.d/graylog2-web-interface start
Fire up a browser and navigate to your graylog2 installation:
https://ipofserver:9000
Log in with the admin account and the p4ssw0rd you created previously.
Configure your devices to send syslogs to this new server, and then instruct graylog2 to listen for the relevant incoming logs via
System > Inputs
Syslog UDP > Launch new input
Personally I use the following settings:
allow_override_date: true
port: 514
bind_address: 0.0.0.0
store_full_message: true
recv_buffer_size: 1048576
force_rdns: true
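Before pointing real devices at the new input, it is worth sending one known message and confirming it appears in the search view; with allow_override_date enabled, the timestamp carried inside the message is the one the server stores, so a skewed clock on a sending device shows up as a skewed timestamp in your searches. The script below is an added example, not part of the original post or of Graylog2: it builds an RFC 3164 syslog line (PRI = facility * 8 + severity) and sends it to the UDP input using bash's /dev/udp pseudo-device. The server name and port are assumptions to be adjusted; under a plain POSIX sh the message is only printed.

```shell
#!/bin/sh
# Added example (not the original post's or Graylog2's own code): send a
# known RFC 3164 syslog message to a Graylog2 Syslog UDP input so the new
# input can be checked end to end. Server host and port are assumptions.

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1).
# facility 1 = user-level, severity 5 = notice, so syslog_pri 1 5 prints 13.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build "<PRI>TIMESTAMP HOSTNAME TAG: MSG". The timestamp is an argument so
# the function is deterministic; real callers pass $(date '+%b %e %H:%M:%S'),
# which yields the RFC 3164 "Jul  3 10:00:00" layout.
syslog_format() {
    facility=$1; severity=$2; ts=$3; host=$4; tag=$5; msg=$6
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" \
        "$ts" "$host" "$tag" "$msg"
}

# Send a user.notice test message to server $1 on UDP port $2 (default 514,
# matching the input settings above). The epoch seconds in the message text
# make each test line unique, which makes it easy to find in the search view.
send_test_message() {
    server=$1; port=${2:-514}
    line=$(syslog_format 1 5 "$(date '+%b %e %H:%M:%S')" "$(hostname)" \
        graylog-test "input smoke test $(date +%s)")
    if [ -n "$BASH_VERSION" ]; then
        # bash only: writing to /dev/udp/HOST/PORT sends a single datagram
        printf '%s' "$line" > "/dev/udp/$server/$port"
    else
        printf '%s\n' "$line"
    fi
}

# Usage: send_test_message ipofserver 514
```

If the message does not show up, check the input is running under System > Inputs and that nothing on the path (host firewall, VM network) is dropping UDP 514; binding to a port below 1024 also requires the server process to have the privilege to do so.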
Finally, and because I only had a handful of devices and couldn't be bothered to create the DNS/rDNS, I simply added the hostnames of the devices to the hosts file to make navigating the logs a little easier.
Enjoy a fast, stable, open-source syslog server!