Graylog Setup (SEC 350) - Chromosom3/TechNotes GitHub Wiki

For this lab, we will be setting up Graylog. When working on this I followed the Graylog installation documentation to set up everything.

The first thing we need to do is install OpenJDK. In this lab, we will be using version 11. To install it, run sudo yum install java-11-openjdk-headless.x86_64 -y. Once that is installed, add the MongoDB repository to yum: run sudo vi /etc/yum.repos.d/mongodb-org.repo and enter the following into the file:

[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc

Now that the repository is set up we can use yum to install the package. Run sudo yum install mongodb-org -y to install MongoDB.

Now that we have MongoDB installed let's set up the service. Run the following commands to enable, start, and check on the service.

sudo systemctl daemon-reload
sudo systemctl enable mongod.service --now
sudo systemctl status mongod

You should see something like this.

[image: MongoDB]

Two dependencies down! Time to get the third and final one set up. We now need to add the Elasticsearch repo to the system. To do this run the following commands:

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
sudo vi /etc/yum.repos.d/elasticsearch.repo

In the new file that was created paste the following information.

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Now that we have the repository set up, install Elasticsearch with sudo yum install elasticsearch-oss -y. Once installed, configure it by editing the configuration file with sudo vi /etc/elasticsearch/elasticsearch.yml: change the cluster.name value to graylog and append action.auto_create_index: false to the end of the file (the Graylog docs require auto-creation to be off because Graylog creates and manages its own indices). Leave network.host at its default, which binds to loopback only: the OSS build has no authentication, so port 9200 must not be reachable from other hosts. See the images below for an example of how it should look.

[image: Elastic Cluster]

[image: Elastic Auto Index]

Now that we have finished setting up Elasticsearch, let's enable and start the service. Use the following commands to accomplish this; note you don't need the last one, which just verifies that the service is running.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch --now
sudo systemctl status elasticsearch

See the example output below.

[image: Elastic Status]

Finally, we are done with dependencies! Let's install Graylog. We have two options here: install Graylog with the additional enterprise and integrations plugins, or just by itself. For this lab I chose to install Graylog with all the plugins. To do that run the commands below.

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y

If you don't want the plugins, just run sudo yum install graylog-server -y. Now that the package is installed, configure Graylog: use sudo vi /etc/graylog/server/server.conf to edit the file. We need to set three values: password_secret (a random string of at least 64 characters that Graylog uses to encrypt stored credentials; the config comments suggest generating it with pwgen -N 1 -s 96), root_password_sha2 (the SHA-256 hex digest of the admin password, e.g. echo -n yourpassword | sha256sum, not the password itself), and http_bind_address (the address:port the web interface listens on; the default 127.0.0.1:9000 is loopback only, so set it to the host's own address, here 172.16.50.5:9000, to reach it from another machine). See the images below for examples. The documentation in the configuration file is pretty self-explanatory.

password_secret
[image: Password 1]

root_password_sha2
[image: Password 2]

http_bind_address
[image: Bind Address]
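The three edits above can be scripted so that the secret is actually random and the hash is computed without the trailing-newline mistake. The following is an added example written for this page, not a script from the wiki or from the Graylog project. It assumes the stock config path /etc/graylog/server/server.conf and the lab's bind address 172.16.50.5:9000 (both overridable through the environment), and uses only /dev/urandom, sha256sum and awk, as found on a CentOS host.

```shell
#!/bin/sh
# Added example (not from the wiki page): fill in the three server.conf values
# the lab edits by hand. Assumptions: config path and bind address below,
# both overridable via the environment.

CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"
BIND="${GRAYLOG_BIND:-172.16.50.5:9000}"   # assumed: the host address the lab browses to later

# password_secret: a random 96-character string (same length the Graylog docs
# produce with `pwgen -N 1 -s 96`). It encrypts stored credentials, so every
# node in a cluster must share the same value.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# root_password_sha2: hex SHA-256 of the admin password, hashed WITHOUT a
# trailing newline (`echo` instead of `echo -n` produces a hash that will
# never match). You later log in with the plaintext, not this digest.
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set `key = value`: replace the first live or commented-out `key =` line,
# append if there is none. Other commented examples of the same key are left
# alone. Output goes back through `cat` so the file keeps its owner and mode.
# Values here contain no backslashes, which `awk -v` would interpret.
set_conf() {
    file="$1"; key="$2"; value="$3"
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ ("^#?[[:space:]]*" k "[[:space:]]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" >"$file.tmp" && cat "$file.tmp" >"$file" && rm -f "$file.tmp"
}

configure_graylog() {
    file="$1"; admin_pw="$2"
    set_conf "$file" password_secret "$(gen_secret)"
    set_conf "$file" root_password_sha2 "$(sha256_of "$admin_pw")"
    set_conf "$file" http_bind_address "$BIND"
}

# Usage, as root on the Graylog host (password passed via the environment so
# it does not land in the shell history):
#   GRAYLOG_ADMIN_PW='choose-a-real-password' sh graylog-conf.sh --apply
if [ "${1:-}" = "--apply" ]; then
    [ -n "${GRAYLOG_ADMIN_PW:-}" ] || { echo 'set GRAYLOG_ADMIN_PW first' >&2; exit 1; }
    configure_graylog "$CONF" "$GRAYLOG_ADMIN_PW"
    grep -E '^(password_secret|root_password_sha2|http_bind_address) =' "$CONF"
fi
```

After running it, restart graylog-server as in the next step; a wrong root_password_sha2 shows up only as a failed login, so check the grep output for a 64-character hex digest before moving on.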

We are now ready to start the Graylog server! Run the following commands to get the service running.

sudo systemctl daemon-reload
sudo systemctl enable graylog-server --now
sudo systemctl status graylog-server

[image: Graylog Service]

Since the Graylog web interface needs to be reachable from other hosts, we need to open its port on the firewall. Use the following commands to open the port and confirm that it is open. Note that this is plain HTTP; Graylog can serve TLS itself via http_enable_tls in server.conf, which is worth turning on anywhere outside a closed lab network.

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

[image: Firewall 1]

We can finally navigate to http://172.16.50.5:9000 to manage Graylog. Log in with the username admin and the password you hashed into root_password_sha2 (the plaintext password, not the hash). Once logged in, we will configure Graylog to receive syslog. To do this select System, then Inputs.

[image: Graylog 1]

From here select Syslog UDP from the drop-down list, then select Launch new Input.

[image: Graylog 2]

Configure the new input with the options shown in the two images below (at minimum the bind address and the port, 1514, which the firewall rule further down must match).

[image: Graylog 3]

[image: Graylog 4]

When you are done it should look something like this.

[image: Graylog 5]

Graylog needs to receive the syslog traffic on the input's port, 1514. The input uses 1514 rather than the standard 514 because graylog-server runs as the unprivileged graylog user and cannot bind ports below 1024. That means we need to open that port in the firewall as well. Use the following commands to achieve this.

sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --reload

Let's update a client to send logs to the new Graylog server. On web01, edit the rsyslog forwarding rule with sudo vi /etc/rsyslog.d/sec350.conf and add :1514 after the Graylog IP address, so the target reads 172.16.50.5:1514. Without an explicit port rsyslog forwards to 514, where nothing is listening. It should look something like the image below.

[image: Web01]

Don’t forget to restart rsyslog on the client machine.

sudo systemctl restart rsyslog
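The usual failure at this step is a forwarding rule that still points at port 514, or at the wrong protocol, which only shows up as silence in Graylog after the restart. The following is an added example written for this page, not a script from the wiki or from rsyslog: it reads the legacy-syntax forwarding rule (`*.* @host:port` is UDP, `*.* @@host:port` is TCP) out of a conf file and checks it against the lab's Graylog address and the Syslog UDP input's port before rsyslog is restarted. The file path and the sample rules are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): read the forwarding rule out of an
# rsyslog conf file and confirm it targets the Graylog input before restarting.
# Legacy rsyslog syntax: `*.* @host:port` forwards over UDP, `*.* @@host:port`
# over TCP. With no port given, rsyslog uses 514, where Graylog is not listening.

# Print "proto host port" for the first forwarding rule in the file, applying
# rsyslog's default port of 514 when the rule omits one. Comments are skipped.
forward_target() {
    awk '
        $1 !~ /^#/ && $2 ~ /^@@?[^@]/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            sub(/^@@?/, "", $2)
            n = split($2, hp, ":")
            port = (n > 1) ? hp[n] : 514
            print proto, hp[1], port
            exit
        }' "$1"
}

# Return 0 only when the conf forwards to the expected host and port; explain
# the mismatch on stderr otherwise.
check_forward() {
    conf="$1"; want_host="$2"; want_port="$3"
    set -- $(forward_target "$conf")
    if [ "$#" -ne 3 ]; then
        echo "no forwarding rule found in $conf" >&2
        return 1
    fi
    if [ "$2" = "$want_host" ] && [ "$3" = "$want_port" ]; then
        echo "$conf forwards over $1 to $2:$3"
        return 0
    fi
    echo "$conf forwards over $1 to $2:$3, expected $want_host:$want_port" >&2
    return 1
}

# Usage on web01 (IP and port are the lab's Graylog host and Syslog UDP input):
#   check_forward /etc/rsyslog.d/sec350.conf 172.16.50.5 1514 && sudo systemctl restart rsyslog
#   logger -t sec350-test 'hello graylog'   # then search for sec350-test in Graylog
```

The check is deliberately strict about the port: a rule that reads `@172.16.50.5` parses as UDP to port 514 and is reported as a mismatch, which is exactly the bug the lab's edit fixes. Plain UDP syslog is unauthenticated and lossy, which is acceptable on the lab network but not something to ship logs across an untrusted one.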

Make sure to click the play button to have logs shown on the dashboard screen. If you don’t hit play the logs won’t update as they come in.

[image: Graylog 6]