Setting up a multi-tiered log infrastructure Part 6 -- Graylog Setup
Additional setup for master node
Setup graylog-server on master node
Install instructions from http://docs.graylog.org/en/2.2/pages/installation.html
Setup Note: This deployment is not using a prebuilt rpm package, so many of the next steps involve moving files, creating directories, creating additional files, and setting the proper permissions on the Linux command line. An rpm package is available, but because when this guide was first written the RPM only had support for openjdk v1.7.0, I chose to go this route.
Manual install steps
Change to root's home directory
cd /root
Download the latest version of graylog
wget https://packages.graylog2.org/releases/graylog/graylog-2.2.2.tgz
Extract the tar archive, which should result in a folder at the following path /root/graylog-2.2.2
tar -xvf graylog-2.2.2.tgz
Create directory /etc/graylog/server
mkdir -p /etc/graylog/server
Move the example config to /etc/graylog/server/
mv /root/graylog-2.2.2/graylog.conf.example /etc/graylog/server/server.conf
Set up a user and group for the graylog-server user
groupadd -r graylog
useradd -r -c "Graylog server" -s /sbin/nologin -g graylog -m -d /var/lib/graylog-server graylog
Create an application log directory at /var/log/graylog/server and set ownership
mkdir -p /var/log/graylog/server
chown graylog:graylog /var/log/graylog/server
Create a journal directory at /var/lib/graylog-server/journal and set ownership (you can put this on a different disk too)
mkdir -p /var/lib/graylog-server/journal
chown graylog:graylog /var/lib/graylog-server/journal
Move the extracted directory to /opt and set correct ownership
mv /root/graylog-2.2.2 /opt/graylog-server
chown -R graylog:graylog /opt/graylog-server
Create empty files that will contain configuration settings (see Setup Note for link to contents)
touch /etc/graylog/server/log4j2.xml
touch /etc/graylog/server/node-id
touch /etc/sysconfig/graylog-server
touch /opt/graylog-server/bin/graylog-server
touch /usr/lib/systemd/system/graylog-server.service
Set modes on the empty files
chmod 644 /etc/graylog/server/log4j2.xml
chmod 644 /etc/graylog/server/node-id
chmod 644 /etc/sysconfig/graylog-server
chmod 755 /opt/graylog-server/bin/graylog-server
chmod 644 /usr/lib/systemd/system/graylog-server.service
Set ownership on the empty files
chown root:root /etc/graylog/server/log4j2.xml
chown graylog:graylog /etc/graylog/server/node-id
chown root:root /etc/sysconfig/graylog-server
chown root:root /opt/graylog-server/bin/graylog-server
chown root:root /usr/lib/systemd/system/graylog-server.service
Remove the control script that comes with the tarball and the log dir
rm /opt/graylog-server/bin/graylogctl
rm -r /opt/graylog-server/log
Setup Note: Remember to copy the appropriate content into the proper files if doing a manual install.
Path: /etc/sysconfig/graylog-server (graylog-server systemconfig)
Path: /usr/lib/systemd/system/graylog-server.service (graylog-server.service)
Path: /opt/graylog-server/bin/graylog-server (graylog-server control)
Path: /etc/graylog/server/log4j2.xml (log4j2.xml)
Update the Graylog configuration file
Setup Note: If you read the config file, there is mention of a program named pwgen. Since this setup is based off a CentOS minimal install, guess what isn’t there? If you want to use the pwgen program, it can be found in the epel repos.
Setup EPEL repo and install pwgen
yum install epel-release.noarch
yum install pwgen
Edit the graylog server config
vi /etc/graylog/server/server.conf
Change the setting for node_id_file
set node_id_file = /etc/graylog/server/node-id
Change the setting for password_secret
set password_secret to a random string longer than 64 characters, for example the output of pwgen -N 1 -s 96. The same edit with sed (the command substitution runs inside the double-quoted sed script):
sed -i.bak "s/.*password_secret =.*/password_secret = $(pwgen -N 1 -s 96)/g" /etc/graylog/server/server.conf
Change the setting for root_password_sha2
set root_password_sha2 to the SHA-256 hex digest of the admin password, e.g. echo -n 'Pa$$w0rd' | sha256sum | awk '{print $1}' (Pa$$w0rd is a placeholder; keep it in single quotes, because inside double quotes the shell expands $$ to its own PID and $1 to its first argument). The same edit with sed, which leaves the plaintext password in your shell history:
sed -i.bak "s/.*root_password_sha2 =.*/root_password_sha2 = $(echo -n 'Pa$$w0rd' | sha256sum | awk '{print $1}')/g" /etc/graylog/server/server.conf
Change the setting for root_timezone
set root_timezone = your timezone (e.g. UTC)
Change setting for plugin_dir
set plugin_dir = /opt/graylog-server/plugin
Change setting for elasticsearch_config_file
set elasticsearch_config_file = /etc/elasticsearch/elasticsearch.yml
Change setting for elasticsearch_replicas
set elasticsearch_replicas = 1
Change setting for elasticsearch_cluster_name
set elasticsearch_cluster_name = graylog (the same value as the cluster.name set up previously)
Setup Note: the default Elasticsearch discovery configuration uses multicast. If you would like to disable multicast, make the next two changes. They are Elasticsearch settings in YAML syntax, so with elasticsearch_config_file set as above they belong in that file rather than in server.conf.
Change the setting for discovery.zen.ping.multicast.enabled
uncomment and set
discovery.zen.ping.multicast.enabled: false
Change the setting for discovery.zen.ping.unicast.hosts
set discovery.zen.ping.unicast.hosts: ["node-master-hostname"], where node-master-hostname is the name of the node that will function as the master node.
Verify the setting for elasticsearch_node_master and elasticsearch_node_data
elasticsearch_node_master = false
elasticsearch_node_data = false
Change setting for message_journal_dir
set message_journal_dir = /var/lib/graylog-server/journal
Change setting for mongodb_uri (with auth enabled)
set mongodb_uri = mongodb://gluser:Pa$$word@localhost:27017/graylog
Change setting for content_packs_dir
set content_packs_dir = /opt/graylog-server/data/contentpacks
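The server.conf edits above as one script, added here as an example and not part of the original guide. It assumes root_timezone = UTC, takes the admin and MongoDB passwords as arguments, and generates password_secret without pwgen; the sample config excerpt it writes is constructed for a dry run, so point it at the real /etc/graylog/server/server.conf only once you have read what each function does.

```shell
#!/bin/sh
# Added example, not from the original guide: the server.conf edits above done
# with sed that matches each key only at line start, so the "# ... pwgen" comment
# survives and a commented default like "#plugin_dir = plugin" is uncommented,
# not duplicated. Passwords arrive as arguments, never inside a double-quoted
# sed script where "$$" would expand to the shell's PID.
set -eu
# set_conf FILE KEY VALUE: rewrite the active or commented "KEY = ..." line, or
# append one. & | \ in VALUE are escaped so sed treats it literally.
set_conf() {
  file=$1 key=$2
  val=$(printf '%s' "$3" | sed 's/[&|\\]/\\&/g')
  if grep -q "^#*[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed "s|^#*[[:space:]]*${key}[[:space:]]*=.*|${key} = ${val}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$3" >> "$file"
  fi
}
# get_conf FILE KEY: print the value of the active KEY line (for verification).
get_conf() { sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"; }
# Same result as: echo -n <password> | sha256sum | awk '{print $1}'
sha256_of() { printf '%s' "$1" | sha256sum | awk '{print $1}'; }
# 96-character alphanumeric secret, a pwgen-free stand-in for "pwgen -N 1 -s 96".
gen_secret() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96; }
# configure_graylog CONF ROOT_PW MONGO_PW: the settings from the steps above.
# root_timezone is ASSUMED to be UTC; MONGO_PW must be URL-safe (no @ : / in it).
configure_graylog() {
  c=$1
  set_conf "$c" node_id_file /etc/graylog/server/node-id
  set_conf "$c" password_secret "$(gen_secret)"
  set_conf "$c" root_password_sha2 "$(sha256_of "$2")"
  set_conf "$c" root_timezone UTC
  set_conf "$c" plugin_dir /opt/graylog-server/plugin
  set_conf "$c" elasticsearch_config_file /etc/elasticsearch/elasticsearch.yml
  set_conf "$c" elasticsearch_replicas 1
  set_conf "$c" elasticsearch_cluster_name graylog
  set_conf "$c" elasticsearch_node_master false
  set_conf "$c" elasticsearch_node_data false
  set_conf "$c" message_journal_dir /var/lib/graylog-server/journal
  set_conf "$c" mongodb_uri "mongodb://gluser:$3@localhost:27017/graylog"
  set_conf "$c" content_packs_dir /opt/graylog-server/data/contentpacks
}
# write_sample_conf FILE: CONSTRUCTED excerpt in the style of graylog.conf.example.
write_sample_conf() {
  printf '%s\n' 'is_master = true' 'node_id_file = /etc/graylog/server/node-id' \
    '# Generate one by using for example: pwgen -N 1 -s 96' 'password_secret =' \
    'root_password_sha2 =' '#root_timezone = UTC' '#plugin_dir = plugin' \
    'message_journal_dir = data/journal' 'mongodb_uri = mongodb://localhost/graylog' > "$1"
}
```

Dry run: write_sample_conf /tmp/server.conf; configure_graylog /tmp/server.conf 'admin-pw' 'mongo-pw'; then inspect the file before repeating against the real config.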
Configure firewalld rules
Now that the config file is edited, let's make some firewall rule changes. If for some reason you aren't using a firewall then you can skip this.
Configure a default zone with firewalld (the default zone is assumed to already be set to "internal")
Create a new service file for our graylog node
vi /etc/firewalld/services/gl-transport.xml
Use this as the contents for gl-transport.xml, a firewalld service definition: the <short> name is gl-transport, the <description> is "transport for graylog internal elasticsearch nodes.", and a <port> element lists the Elasticsearch transport port your nodes use.
Permanently create an selinux context label
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/gl-transport.xml
Apply the new selinux label
restorecon -vF /etc/firewalld/services/gl-transport.xml
Add rich rules to allow connections from other nodes (one rule per address; this should be the list of all elasticsearch nodes that need to talk with each other). Put the rule in single quotes so the double quotes firewalld expects around each value reach it intact:
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx/32" service name="gl-transport" accept' --permanent
Reload the current firewall config
firewall-cmd --reload
Check the interface and verify the services
firewall-cmd --zone=internal --list-services
Verify the config
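The firewalld steps above as one script, added here as an example and not part of the original guide. The transport port is an assumption (9300 is the Elasticsearch default; set ES_TRANSPORT_PORT to match your nodes), the node addresses are validated before any rule is added, and firewall-cmd, semanage and restorecon are only run by apply_rules.

```shell
#!/bin/sh
# Added example, not from the original guide: build the gl-transport service
# file and one rich rule per Elasticsearch node, validate the addresses, then
# apply everything to the internal zone. ES_TRANSPORT_PORT is ASSUMED (9300 is
# the Elasticsearch default); override it to match the nodes set up earlier.
set -eu
ES_TRANSPORT_PORT=${ES_TRANSPORT_PORT:-9300}
SERVICE_FILE=/etc/firewalld/services/gl-transport.xml

# valid_ipv4 ADDR: accept only a dotted quad whose octets are all 0-255.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(printf '%s' "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}
# rich_rule ADDR: allow exactly this host to reach the gl-transport service.
# The caller wraps it in "..." so the inner double quotes reach firewalld intact.
rich_rule() {
  printf 'rule family="ipv4" source address="%s/32" service name="gl-transport" accept' "$1"
}
# service_xml: firewalld service definition with the guide's short/description.
service_xml() {
  printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
    '  <short>gl-transport</short>' \
    '  <description>transport for graylog internal elasticsearch nodes.</description>' \
    "  <port protocol=\"tcp\" port=\"$ES_TRANSPORT_PORT\"/>" '</service>'
}
# apply_rules NODE_IP...: write and label the service file, add one permanent
# rule per node, reload, and show what the internal zone now allows.
apply_rules() {
  for ip in "$@"; do valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }; done
  service_xml > "$SERVICE_FILE"
  semanage fcontext -a -t firewalld_etc_rw_t -s system_u "$SERVICE_FILE"
  restorecon -vF "$SERVICE_FILE"
  for ip in "$@"; do
    firewall-cmd --zone=internal --permanent --add-rich-rule="$(rich_rule "$ip")"
  done
  firewall-cmd --reload
  firewall-cmd --zone=internal --list-services
  firewall-cmd --zone=internal --list-rich-rules
}
```

Usage: apply_rules 10.0.0.11 10.0.0.12 (constructed addresses) adds one rule per node and refuses the whole batch if any address is malformed.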
Set graylog to start on boot
systemctl enable graylog-server.service
Start graylog
systemctl start graylog-server.service