Setting up a multi-tiered log infrastructure Part 3 -- System Build

Partitioning layout

Setup Note: The partition layout for elasticsearch nodes may vary depending on how much data storage is needed. It makes sense to create mount points with the idea they may grow in the future.

A sizing estimator worksheet that can help with capacity planning: https://community.graylog.org/t/sizing-estimator/644

For ES data nodes, ES master node, and rsyslog storage node

/dev/sda1            mount on /boot     500MB
vg_local-lv_swap     swap partition     1024MB (up to twice size of installed RAM)
vg_local-lv_root     mount on /         minimum 10240MB (10GB)
vg_local-lv_home     mount on /home     minimum 15360MB (15GB), expandable
vg_local-lv_tmp      mount on /tmp      minimum 1024MB (1GB)
vg_local-lv_usr      mount on /usr      minimum 4096MB (4GB)
vg_local-lv_var      mount on /var      minimum 8000MB (8GB), expandable

For rsyslog aggregator nodes (Optional)

/dev/sda1            mount on /boot     500MB
vg_local-lv_swap     swap partition     1024MB (up to twice size of installed RAM)
vg_local-lv_root     mount on /         minimum of 8192MB
vg_local-lv_home     mount on /home     minimum of 10240MB up to whatever size
vg_local-lv_tmp      mount on /tmp      minimum of 1024MB
vg_local-lv_usr      mount on /usr      minimum of 4096MB
vg_local-lv_var      mount on /var      minimum of 8000MB up to whatever size

For OSSEC node (Optional)

/dev/sda1            mount on /boot     500MB
vg_local-lv_swap     swap partition     1024MB (up to twice size of installed RAM)
vg_local-lv_root     mount on /         minimum of 8192MB
vg_local-lv_home     mount on /home     minimum of 10240MB up to whatever size
vg_local-lv_tmp      mount on /tmp      minimum of 1024MB
vg_local-lv_usr      mount on /usr      minimum of 4096MB
vg_local-lv_var      mount on /var      minimum of 8000MB up to whatever size
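The following check script is an added example, not part of the original guide: it verifies that a built node actually has each mount point from the ES data/master and rsyslog storage node table above as a separate filesystem of at least the listed minimum size. It assumes GNU df (for the live invocation) and that the optional node tables would be substituted into LAYOUT_MIN for those roles.

```shell
#!/bin/sh
# Required mount points and minimum sizes in MB, taken from the
# ES data/master and rsyslog storage node layout table.
LAYOUT_MIN='/boot:500
/:10240
/home:15360
/tmp:1024
/usr:4096
/var:8000'

# check_layout reads "mountpoint size_MB" lines on stdin and prints one line
# for every required mount that is missing (not its own filesystem) or smaller
# than its minimum. Returns 0 when the layout is acceptable, 1 otherwise.
check_layout() {
    actual=$(cat)
    rc=0
    for spec in $LAYOUT_MIN; do
        mnt=${spec%%:*}
        min=${spec##*:}
        size=$(printf '%s\n' "$actual" | awk -v m="$mnt" '$1 == m { print $2; exit }')
        if [ -z "$size" ]; then
            printf 'MISSING   %s (needs its own filesystem of at least %sMB)\n' "$mnt" "$min"
            rc=1
        elif [ "$size" -lt "$min" ]; then
            printf 'TOO SMALL %s is %sMB, minimum is %sMB\n' "$mnt" "$size" "$min"
            rc=1
        fi
    done
    return $rc
}

# Live check against the running system (run as: sh check_layout.sh --live).
# df --output=target,size with -BM prints "Mounted on  1M-blocks"; the header
# and the trailing M are stripped to produce the "mountpoint size_MB" shape.
if [ "${1:-}" = "--live" ]; then
    df -BM --output=target,size | tail -n +2 | sed 's/M$//' | check_layout
fi
```

Filesystem sizes reported by df are slightly smaller than the partition or logical volume they live on, so a partition created at exactly the minimum may report a few MB short; size the volume with a little headroom.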

Install prerequisite apps

Setup Note: Some services, such as a time server and DNS, should be available on the network; otherwise some assumptions made throughout this document will not be correct. It should also be noted that turning off SELinux and the firewall is not necessary for any part of this guide.

Install perl

yum install perl

Install helpful utilities

  • yum install wget
  • yum install lsof
  • yum install mlocate
  • yum install deltarpm
  • yum install sudo
  • yum install policycoreutils-python
  • yum install yum-utils

Install rsyslog

Or install everything above with a single command:

yum install perl wget lsof mlocate deltarpm sudo policycoreutils-python yum-utils rsyslog

Set up time services client

Upgrade and Reboot

  • yum update
  • shutdown -r now