GrayLog Server
- Installation & Configuration
- Linux Logs
- Windows Logs
- Alerts
- Reverse Proxy
- Firewall
Installation & Configuration
GrayLog Installation on Ubuntu
Before installing Graylog Server, MongoDB and Elasticsearch have to be installed; they are prerequisites for Graylog Server and it will not start without them. To install MongoDB and Elasticsearch use the following commands on Ubuntu. The repository lines below target Ubuntu 18.04 ("bionic"), MongoDB 4.0 and the Elasticsearch OSS 7.x line; adjust the release name if you run another Ubuntu version.
MongoDB Installation :
- $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
- $ echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
- $ sudo apt-get update
- $ sudo apt-get install -y mongodb-org
Enable MongoDB:
- $ sudo systemctl daemon-reload
- $ sudo systemctl enable mongod.service
- $ sudo systemctl restart mongod.service
- $ sudo systemctl --type=service --state=active | grep mongod
ElasticSearch Installation :
- $ wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
- $ sudo apt-key add myKey
- $ echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
- $ sudo apt-get update && sudo apt-get install elasticsearch-oss
Configuration:
Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml): set cluster.name to graylog and set action.auto_create_index: false, because Graylog manages its own indices and must not have them created automatically. The command below appends both settings to the end of the file; if the keys are already present (commented out or not), edit them in place instead, so the file does not end up with two definitions of the same key. Elasticsearch OSS ships without authentication, so keep its default network.host (loopback only) unless other cluster nodes genuinely need to reach it.
- $ sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
  cluster.name: graylog
  action.auto_create_index: false
  EOT
Enable ElasticSearch:
- $ sudo systemctl daemon-reload
- $ sudo systemctl enable elasticsearch.service
- $ sudo systemctl restart elasticsearch.service
- $ sudo systemctl --type=service --state=active | grep elasticsearch
GrayLog Installation:
Now Graylog Server is ready to be installed, as both prerequisites are installed and running. The following commands install Graylog Server.
- $ wget https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.deb
- $ sudo dpkg -i graylog-4.0-repository_latest.deb
- $ sudo apt-get update && sudo apt-get install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
If you do not want the Integrations Plugins or the Enterprise Plugins installed, then simply run
- $ sudo apt-get install graylog-server
GrayLog Configuration:
The configuration file is /etc/graylog/server/server.conf. Read through it and adjust the settings to your environment. At minimum set password_secret and root_password_sha2; both are mandatory and Graylog will not start without them. password_secret is a random string of at least 16 characters that Graylog uses to secure stored user passwords and other secrets (the Graylog documentation generates it with pwgen); it must be identical on every node of a cluster. root_password_sha2 is the SHA-256 hash of the password of the built-in administrator (root_username, "admin" by default). To create root_password_sha2 run the following command and type the password at the prompt; the printed hash, not the password itself, goes into the file:
- $ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
To be able to connect to Graylog, set http_bind_address to the address and port the web interface and REST API should listen on. Binding to a public host name or public IP address makes the interface reachable directly, but it then serves logins and API tokens over plain HTTP to the whole network; the safer layout is http_bind_address = 127.0.0.1:9000 with a TLS-terminating reverse proxy in front of it (see the Reverse Proxy section), or a private address that only the administration network can reach. To check the IP addresses of the machine use the following command.
- $ ip address
The last step is to enable Graylog during the operating system’s startup and verify it is running.
- $ sudo systemctl daemon-reload
- $ sudo systemctl enable graylog-server.service
- $ sudo systemctl start graylog-server.service
- $ sudo systemctl --type=service --state=active | grep graylog
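The following script is an added example, not part of this page or of the Graylog project: it generates the two mandatory secrets, writes them into server.conf idempotently (replacing the existing, possibly commented-out, line for each key instead of appending a duplicate), and binds the web interface to loopback. The config path, the use of openssl with a /dev/urandom fallback, and sha256sum/shasum being available are assumptions.

```shell
#!/bin/sh
# Added example, not from this page or the Graylog project: create the two
# mandatory secrets and write them into server.conf without leaving duplicate
# or commented-out copies of the keys behind. Assumptions: the config path,
# and that openssl (or /dev/urandom) and sha256sum/shasum are available.

# SHA-256 hex digest of a string without a trailing newline, which is exactly
# what root_password_sha2 must contain (a newline in the input changes the hash).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# 96 random hex characters for password_secret (Graylog requires at least 16;
# 96 mirrors the length the documentation's pwgen command produces).
gen_password_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 48
  else
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Set "key = value" in FILE: rewrite the first existing line for the key,
# commented out or not, otherwise append. The file is replaced atomically.
set_conf_key() {
  key="$1"; value="$2"; file="$3"; tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0; re = "^[# \t]*" k "[ \t]*=" }
    !done && $0 ~ re { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Effective value of a key: the first uncommented assignment.
get_conf_key() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | head -1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Populate the mandatory settings and bind the web interface to loopback, so it
# is only reachable through a TLS-terminating reverse proxy on the same host.
configure_graylog_secrets() {
  file="$1"; root_pw="$2"
  set_conf_key password_secret "$(gen_password_secret)" "$file"
  set_conf_key root_password_sha2 "$(sha256_hex "$root_pw")" "$file"
  set_conf_key http_bind_address "127.0.0.1:9000" "$file"
}

# Usage (run explicitly as root; the password is read without echo so it does
# not end up in the shell history):
#   stty -echo; printf 'Root password: '; read -r pw; stty echo; echo
#   configure_graylog_secrets /etc/graylog/server/server.conf "$pw"
#   systemctl restart graylog-server.service
```

After running it, check that server.conf is not world-readable (it now holds the secret that protects every stored credential) and restart graylog-server so the new values are picked up.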
Linux Log Configuration
To configure Graylog Server to collect syslog, perform the following steps in the GrayLog Web Interface.
- Go to System / Inputs.
- In the input type dropdown select Syslog UDP (or Syslog TCP if the sending hosts should use a reliable transport).
- Click Launch new input; a dialog box with the input's options appears.
- Enter a Title, the Port and, if the input should listen on one interface only, the Bind address (it defaults to all interfaces). graylog-server runs as the unprivileged user graylog and cannot bind to ports below 1024, so use a port such as 1514 instead of the traditional 514 and point the sending hosts at that port.
- Press Save to store the settings; the input starts immediately and begins recording syslog messages.
Windows Log Configuration
In the GrayLog Web Interface follow the same steps as for the Linux Log Configuration, but select GELF UDP instead of Syslog UDP (12201/udp is the port conventionally used for GELF; again it must be above 1024).
To send Microsoft Windows event logs to the Graylog server a log shipper is required; this document uses NXLog Community Edition, an open-source collector that runs on Microsoft Windows and GNU/Linux.
NXLog Community Edition can be downloaded from the official NXLog website.
After installing NXLog Community Edition on Windows, a readme.txt is displayed that gives the path of the NXLog configuration file, C:\Program Files (x86)\nxlog\conf\nxlog.conf. Open it in Notepad (started as Administrator, since the folder is under Program Files) and add the following blocks so that the Windows Event Log is forwarded to Graylog as GELF. Note that om_udp sends the events in clear text with no authentication or delivery guarantee; outside a lab, launch a GELF TCP input with TLS enabled on Graylog and use NXLog's om_ssl module instead.
<Extension _gelf>
Module xm_gelf
</Extension>
<Input win>
Module im_msvistalog
</Input>
<Output graylog>
Module om_udp
Host your-Graylog-IP-address
Port port-configured-on-web-interface-for-collecting-windows-logs
OutputType GELF
</Output>
<Route graylog_route>
Path win => graylog
</Route>
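The script below is an added example, not part of this page, of Graylog or of NXLog; it serves both the Linux and the Windows sections. It builds a test RFC 5424 syslog line and a test GELF 1.1 message and sends each over UDP, so both inputs can be verified from any Linux host before rsyslog or NXLog is reconfigured, and it prints the rsyslog forwarding rule a Linux client needs. The host name graylog.example.org and the ports 1514 and 12201 are assumptions; set them to the values used when the inputs were launched.

```shell
#!/bin/sh
# Added example, not part of this page or of Graylog/NXLog: build a test syslog
# line and a test GELF message and send each over UDP, so the Syslog UDP and
# GELF UDP inputs can be verified from any Linux box before rsyslog or NXLog
# is reconfigured. The host name and ports below are assumptions; set them to
# the values used when the inputs were launched.

GRAYLOG_HOST="${GRAYLOG_HOST:-graylog.example.org}"
SYSLOG_PORT="${SYSLOG_PORT:-1514}"    # assumed Syslog UDP input port (unprivileged)
GELF_PORT="${GELF_PORT:-12201}"       # assumed GELF UDP input port

# RFC 5424 line: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# PRI = facility*8 + severity; facility 1 (user) and severity 6 (info) give 14.
syslog_line() {
  host="$1"; app="$2"; msg="$3"
  ts="${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
  printf '<14>1 %s %s %s - - - %s' "$ts" "$host" "$app" "$msg"
}

# rsyslog forwarding rule for /etc/rsyslog.d/90-graylog.conf on each Linux
# host: RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 template,
# which the Syslog UDP input parses into fields.
rsyslog_forward_conf() {
  printf 'action(type="omfwd" target="%s" port="%s" protocol="%s" template="RSYSLOG_SyslogProtocol23Format")\n' \
    "$1" "$2" "${3:-udp}"
}

# Escape backslash and double quote so user text cannot break the JSON.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr -d '\n'
}

# GELF 1.1 payload: version, host and short_message are mandatory, level uses
# syslog severities and every additional field must start with an underscore.
gelf_message() {
  host="$1"; msg="$2"; level="${3:-6}"
  printf '{"version":"1.1","host":"%s","short_message":"%s","level":%s,"_source_check":"manual"}' \
    "$(json_escape "$host")" "$(json_escape "$msg")" "$level"
}

# One datagram: bash can write to /dev/udp directly; plain sh falls back to nc.
send_udp() {
  if [ -n "${BASH_VERSION:-}" ]; then
    printf '%s' "$3" > "/dev/udp/$1/$2"
  else
    printf '%s' "$3" | nc -u -w1 "$1" "$2"
  fi
}

# Send one message to each input; afterwards search Graylog for
# _source_check:manual or source:<this host>. Run explicitly, e.g.
#   GRAYLOG_HOST=10.0.0.5 bash -c '. ./input-check.sh; check_inputs'
check_inputs() {
  me="$(hostname)"
  send_udp "$GRAYLOG_HOST" "$SYSLOG_PORT" "$(syslog_line "$me" graylog-check "syslog input check")"
  send_udp "$GRAYLOG_HOST" "$GELF_PORT" "$(gelf_message "$me" "GELF input check")"
  echo "sent test messages to $GRAYLOG_HOST ($SYSLOG_PORT/udp, $GELF_PORT/udp)"
}
```

If the messages do not show up, check in this order: the input is running (System / Inputs shows it green), the host firewall allows the port from the sending address, and no intermediate firewall drops UDP. UDP gives no feedback on loss, which is one reason to prefer the TCP variants of both inputs for anything that matters.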
Alerts
In Graylog 4 alerting is built from three pieces: Event Definitions (the condition, such as a filter or an aggregation over a search, that creates an event), Alerts (events that are flagged as alerts) and Notifications (what is sent when an event fires, for example an e-mail or an HTTP request to a webhook). Alerts are configured in the web interface with the following steps.
- Select the Alerts tab.
- Click "Event Definitions".
- Select "Create Event Definition".
- Enter the search query, streams and condition that Graylog should look for (for example a count of matching messages above a threshold within a time window).
- Fill in the remaining required fields, including the notification to send when the event fires.
- After entering all the fields, select "Done" to save the alert configuration.
Reverse Proxy
In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the reverse proxy server itself. The proxy in front of Graylog can be set up with NGINX, Apache (httpd) or HAProxy. All three are configured differently; the configuration below is for NGINX.
Proxy web interface and API traffic using HTTP:
server
{
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name graylog.example.org;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass http://web-interface-ip-address:9000;
    }
}
The X-Graylog-Server-URL header tells Graylog the URL clients actually use, so that the links it builds point at the proxy. This configuration listens on port 80 only, so logins and session cookies still cross the network in clear text; in production terminate TLS on the proxy (listen 443 ssl with a certificate) and redirect port 80. When the proxy runs on the Graylog host itself, use 127.0.0.1:9000 as the proxy_pass target and bind Graylog to that address only, so that port 9000 is not reachable from outside.
If graylog.example.org does not resolve in DNS, a browser or curl will fail to reach it. For testing you can add an entry to /etc/hosts on the client; this is not a substitute for a real DNS record, and once TLS is in place the name must match the certificate. Add the following line to the file:
your-graylog-ip-address graylog.example.org
With that line in place the name resolves to the Graylog server and the proxied web interface can be reached.
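As an added example (not from this page or the Graylog documentation), the function below renders the TLS-terminating variant of the NGINX configuration: port 80 only redirects, port 443 serves the interface over TLS with HSTS, and X-Graylog-Server-URL carries the https URL. The host name, certificate paths and the 127.0.0.1:9000 upstream are assumptions.

```shell
#!/bin/sh
# Added example, not from this page or the Graylog documentation: render an NGINX
# configuration that terminates TLS for Graylog and redirects plain HTTP, then
# syntax-check it. Host name, certificate paths and upstream are assumptions.

# Print the two server blocks (80 -> redirect, 443 -> proxy) for NAME.
render_graylog_vhost() {
  name="$1"; upstream="${2:-127.0.0.1:9000}"
  cert="${3:-/etc/ssl/certs/$name.pem}"; key="${4:-/etc/ssl/private/$name.key}"
  cat <<EOF
# Port 80 only redirects; nothing is served in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name $name;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_set_header Host \$http_host;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Graylog builds its own links from this header, so it must be the https URL.
        proxy_set_header X-Graylog-Server-URL https://\$server_name/;
        proxy_pass http://$upstream;
    }
}
EOF
}

# Write the rendered config to OUT and run nginx's syntax check when nginx is
# installed (the check loads the whole config, so the certificate must exist).
install_graylog_vhost() {
  out="$1"; shift
  render_graylog_vhost "$@" > "$out"
  if command -v nginx >/dev/null 2>&1; then
    nginx -t
  fi
}

# Usage:
#   install_graylog_vhost /etc/nginx/sites-available/graylog graylog.example.org
#   ln -s /etc/nginx/sites-available/graylog /etc/nginx/sites-enabled/
#   systemctl reload nginx
```

With this in place Graylog's http_bind_address should be 127.0.0.1:9000 and the host firewall should admit 443/tcp (and not 9000/tcp) from the administration network.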
Firewall
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well suited for host-based firewalls. ufw provides a framework for managing netfilter as well as a command-line interface for manipulating the firewall. For Graylog Server to collect logs with the firewall active, the ports it actually exposes must be added to the firewall rules as allowed ports.
- sudo ufw default deny incoming
- sudo ufw default allow outgoing
These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users.
To configure your server to allow incoming SSH connections, you can use this command:
- sudo ufw allow ssh
Allowing Other Connections:
For Graylog to work, allow the ports the server genuinely exposes to other machines. The ports used by the stack are:
Component                            Port         Who needs to reach it
GrayLog web interface / API          9000/tcp     administrators, or only the reverse proxy
GrayLog to Elasticsearch             9200/tcp     loopback only on a single node
Elasticsearch node communication     9300/tcp     other Elasticsearch nodes only
MongoDB                              27017/tcp    loopback only on a single node
On a single-node installation Elasticsearch and MongoDB listen on 127.0.0.1 by default and Graylog reaches them over the loopback interface, which ufw does not filter. Do not open 9200, 9300 or 27017 in ufw: in this setup neither service has authentication, and exposing them hands anyone on the network full read and write access to the log data. Only 9000/tcp (or 443/tcp when a reverse proxy terminates TLS) and the input ports need rules.
Along with these, the ports of the inputs launched in the web interface (for example 1514/udp for syslog and 12201/udp for GELF) must be allowed so the machines can deliver their logs; give the input's protocol in the rule:
- sudo ufw allow your-port-number/udp
For a specific source address or network (a bare "allow from ip-address" would admit every port from that address, so always name the port):
- sudo ufw allow from ip-address-or-cidr to any port your-port-number proto udp
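The script below is an added example, not from this page: it prints a complete ufw rule set for a single-node Graylog host so the rules can be reviewed before they are applied. The networks 10.0.0.0/24 (administrators) and 10.0.0.0/16 (hosts that ship logs) and the input ports are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from this page: generate a minimal ufw rule set for a
# single-node Graylog host. Networks and input ports are assumptions; replace
# them with your admin network, the networks that ship logs, and the ports
# chosen when the inputs were launched.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"             # may reach the web interface / API
LOG_NET="${LOG_NET:-10.0.0.0/16}"                 # may send logs to the inputs
INPUTS="${INPUTS:-1514/udp 1514/tcp 12201/udp}"   # port/proto of each launched input

# Print the ufw commands instead of running them, so they can be reviewed first;
# WEB_PORT is 443 when a TLS reverse proxy fronts Graylog, 9000 when it does not.
graylog_ufw_rules() {
  admin_net="$1"; log_net="$2"; inputs="$3"; web_port="${4:-443}"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw limit 22/tcp"    # SSH with ufw's built-in rate limit against brute force
  echo "ufw allow from $admin_net to any port $web_port proto tcp"
  for pp in $inputs; do
    port="${pp%/*}"; proto="${pp#*/}"
    echo "ufw allow from $log_net to any port $port proto $proto"
  done
  # Elasticsearch (9200, 9300) and MongoDB (27017) have no authentication here
  # and are reached over loopback, which ufw does not filter. ufw matches rules
  # in order, so an early deny keeps a later careless "allow" from exposing them.
  for p in 9200 9300 27017; do
    echo "ufw deny $p/tcp"
  done
  echo "ufw --force enable"
}

# Show which address each backend listens on; 9200 and 27017 should be 127.0.0.1.
graylog_listeners() {
  ss -ltn 2>/dev/null | awk '$4 ~ /:(9000|9200|9300|27017)$/ { print $4 }'
}

# Review, then apply:
#   graylog_ufw_rules "$ADMIN_NET" "$LOG_NET" "$INPUTS" 443
#   graylog_ufw_rules "$ADMIN_NET" "$LOG_NET" "$INPUTS" 443 | sudo sh
```

Run graylog_listeners after the services are up: if Elasticsearch or MongoDB shows 0.0.0.0 or a routable address rather than 127.0.0.1, fix network.host in elasticsearch.yml or bindIp in mongod.conf before relying on the firewall alone.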
This Document is written and compiled by Mohammad Salahuddin Kurd