Setting up Graylog Server


tested on debian/buster

Requirements

enough RAM for the two JVMs, Elasticsearch and graylog-server (say at least 4 GB in total), so that the kernel OOM killer never gets to pick on graylog-server; the heap sizes are set in /etc/elasticsearch/jvm.options and /etc/default/graylog-server

and a few packages (apt-key, used below to trust the repository signing keys, is still present on buster; later Debian releases want the keys dropped into /etc/apt/trusted.gpg.d or referenced with signed-by instead)

apt update && apt dist-upgrade
apt install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr gnupg wget

MongoDB

grab the MongoDB repository. Stick with 4.2 rather than 5.0: the 5.0 binaries require the AVX instruction set, and on a CPU without it mongod dies with an illegal instruction (see Troubleshooting)

ver=4.2
wget -qO - https://www.mongodb.org/static/pgp/server-$ver.asc | apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/$ver main" \
    > /etc/apt/sources.list.d/mongodb-org.list
apt update && apt install mongodb-org

Elasticsearch

Graylog 4.2 supports Elasticsearch no newer than 7.10, and the OSS repository stops at 7.10.2, so tracking oss-7.x cannot pull in an unsupported version. The OSS build has no authentication at all: leave network.host at its loopback default so only graylog-server on this box can reach port 9200.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" \
    > /etc/apt/sources.list.d/elastic-7.x.list
apt update && apt install elasticsearch-oss

mv -i /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.dist
grep -vE '^#|^$' /etc/elasticsearch/elasticsearch.yml.dist > /etc/elasticsearch/elasticsearch.yml
vi /etc/elasticsearch/elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
cluster.name: graylog
action.auto_create_index: false

Graylog install

grab the 4.2 repository package (the version in the file name pins apt to that release line)

wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb
dpkg -i graylog-4.2-repository_latest.deb && apt update

CE (community edition)

apt-get install graylog-server

EE (enterprise edition, with the Integrations and Enterprise plug-ins)

apt install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins

Graylog setup

# cluster secret
pwgen -N 1 -s 96

# graylog root password hash (the password you type is echoed to the terminal)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

mv /etc/graylog/server/server.conf /etc/graylog/server/server.conf.dist
grep -vE '^#|^$' /etc/graylog/server/server.conf.dist > /etc/graylog/server/server.conf
vi /etc/graylog/server/server.conf

password_secret = ...
root_password_sha2 = ...

http_bind_address = 0.0.0.0:9000
http_publish_uri = http://buster:9000/
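The secret-and-config step above as one script. This is an added example, not code from the original page or from Graylog itself. It assumes the server.conf path used on the page, that graylog-server runs as the user graylog (the deb package's default) and the hostname buster; the interactive part only runs when the script is called with the argument apply, so the functions can be sourced and tested on their own.

```shell
#!/bin/sh
# Added example, not from the original page: generate Graylog's two secrets,
# write them into server.conf in place, and sanity-check the result.
# Assumptions: config path /etc/graylog/server/server.conf (as on the page),
# service user "graylog" (the deb package default), publish host "buster".

# password_secret: the comment in server.conf asks for at least 64 characters.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
    echo
}

# root_password_sha2: hex SHA-256 of the admin password. printf, not echo,
# so no trailing newline sneaks into the hashed input.
hash_root_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a config file: replace the first existing line for the
# key, or append one. The rewrite goes through cat so the file keeps its
# owner and mode. Values are plain (awk -v would interpret backslashes).
set_conf_value() {
    f=$1 key=$2 val=$3
    if grep -Eq "^$key[[:space:]]*=" "$f"; then
        awk -v k="$key" -v v="$val" '
            !done && ($0 ~ ("^" k "[ \t]*=")) { print k " = " v; done = 1; next }
            { print }' "$f" >"$f.tmp"
    else
        { cat "$f"; printf '%s = %s\n' "$key" "$val"; } >"$f.tmp"
    fi
    cat "$f.tmp" >"$f" && rm -f "$f.tmp"
}

# Print the value of a key (empty if unset).
get_conf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 0 if the secret is long enough and the hash looks like a SHA-256 digest.
check_server_conf() {
    secret=$(get_conf_value "$1" password_secret)
    digest=$(get_conf_value "$1" root_password_sha2)
    if [ "${#secret}" -lt 64 ]; then
        echo "password_secret is shorter than 64 characters" >&2; return 1
    fi
    if ! printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2 is not a hex SHA-256 digest" >&2; return 1
    fi
}

if [ "${1:-}" = "apply" ]; then
    conf=${CONF:-/etc/graylog/server/server.conf}
    printf 'Enter admin password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2      # do not echo the password
    set_conf_value "$conf" password_secret "$(gen_password_secret 96)"
    set_conf_value "$conf" root_password_sha2 "$(hash_root_password "$pw")"
    set_conf_value "$conf" http_bind_address "0.0.0.0:9000"
    set_conf_value "$conf" http_publish_uri "http://${PUBLISH_HOST:-buster}:9000/"
    chgrp graylog "$conf" && chmod 640 "$conf"       # the file now holds secrets
    check_server_conf "$conf"
fi
```

Two things the page's four-line edit glosses over: server.conf now contains the pepper for every stored user password, so it should not stay world-readable, and http_bind_address = 0.0.0.0 exposes the web interface and REST API on every interface over plain HTTP. Either bind to a trusted interface, enable http_enable_tls with http_tls_cert_file and http_tls_key_file, or put a TLS-terminating reverse proxy in front and set http_publish_uri to the proxied URL.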

Ready to go

systemctl daemon-reload

systemctl enable mongod.service
systemctl enable elasticsearch.service
systemctl enable graylog-server.service

systemctl restart mongod.service
systemctl restart elasticsearch.service
systemctl restart graylog-server.service

systemctl status mongod.service
systemctl status elasticsearch.service
systemctl status graylog-server.service

systemctl list-unit-files | grep mongo
systemctl list-unit-files | grep elastic
systemctl list-unit-files | grep gray

Inputs and sidecar

create an input that speaks the Beats protocol, the one filebeat ships to

System / Inputs

Select input: Beats > Launch new input

Global
name beats
bind 0.0.0.0
port 5044

as configured this listener is plaintext; when collectors reach it across a network you do not trust, tick Enable TLS on the input and set the matching ssl options under output.logstash in the collector configuration

also create a Sidecar collector configuration that ships the log files; adjust the paths and the hosts entry (the Beats listener just created) to your setup

System / Sidecars

New Collector Configuration

name filebeat-linux
collector filebeat on Linux

# tag every event with the sidecar it came from
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
# "type" is the filebeat 7 key; the older "input_type" spelling is not needed
- type: log
  paths:
    - /var/log/*log
    - /var/log/*/*log
# the Beats input created above; plaintext unless ssl.* is set here and TLS on the input
output.logstash:
  hosts: ["buster:5044"]
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log

now create the API token the sidecars authenticate with when they poll the server

http://buster:9000/

admin / THE PASSWORD YOU HASHED

System / Sidecars

Create or reuse a token for the graylog-sidecar user
token name: sidecar-token

the token goes into server_api_token in sidecar.yml on every collector host; one token can be shared by all of them

Troubleshooting

[ 1971.055116] traps: mongod[5894] trap invalid opcode ip:563d57433dfa sp:7ffef60befe0 error:0 in mongod[563d5345e000+5111000]

[ 2020.756627] traps: mongod[5902] trap invalid opcode ip:5557272e8dfa sp:7ffee02b83f0 error:0 in mongod[555723313000+5111000]

==> the CPU lacks AVX, which MongoDB 5.0 requires (the trap is an illegal instruction); go back to MongoDB 4.2, or check /proc/cpuinfo for the avx flag before picking the repository
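The check behind that diagnosis, as an added example that is not part of the original page: it spots the mongod invalid-opcode crash in a kernel log and picks the MongoDB repository version from the CPU flags before anything is installed, which also covers the repository choice made in the MongoDB section above. The cpuinfo and dmesg file arguments are assumptions for testing; the real inputs are /proc/cpuinfo and dmesg output.

```shell
#!/bin/sh
# Added example, not from the original page: detect the mongod illegal-
# instruction crash shown above in a kernel log, and pick the MongoDB
# repository version from the CPU flags (5.0 needs AVX; 4.2 does not).

# 0 if the kernel log (dmesg output, default stdin) shows mongod dying on an
# invalid opcode, i.e. a "traps: mongod[...] trap invalid opcode" line.
mongod_hit_invalid_opcode() {
    grep -Eq 'traps: mongod\[[0-9]+\] trap invalid opcode' "${1:-/dev/stdin}"
}

# Print 5.0 if every "flags" line in the cpuinfo file lists avx, else 4.2.
# Every core is checked, not just the first. The file argument is for
# testing; the real thing is /proc/cpuinfo. "|| true" keeps grep -c's count
# when nothing matched (grep then exits 1).
mongodb_version_for_cpuinfo() {
    f=${1:-/proc/cpuinfo}
    total=$(grep -c '^flags' "$f" || true)
    with_avx=$(grep '^flags' "$f" | grep -cw avx || true)
    if [ "$total" -gt 0 ] && [ "$with_avx" -eq "$total" ]; then
        echo 5.0
    else
        echo 4.2
    fi
}

# The apt source line in the page's format for a given major version.
mongodb_apt_source() {
    echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/$1 main"
}

# Stand-alone use: decide from the running machine and warn if the crash is
# already in the kernel log.
if [ "${1:-}" = "check" ]; then
    if dmesg 2>/dev/null | mongod_hit_invalid_opcode; then
        echo "mongod has already crashed with an invalid opcode on this host" >&2
    fi
    ver=$(mongodb_version_for_cpuinfo /proc/cpuinfo)
    echo "CPU supports MongoDB $ver:"
    mongodb_apt_source "$ver"
fi
```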

Resources

DEBIAN INSTALLATION https://docs.graylog.org/v1/docs/debian

INITIAL CONFIGURATION https://docs.graylog.org/v1/docs/configure

CONFIGURING GRAYLOG https://docs.graylog.org/docs/configuring-graylog

SENDING IN LOG DATA https://docs.graylog.org/v1/docs/sending-data

INGEST SYSLOG https://docs.graylog.org/v1/docs/syslog

EXTRACTORS https://docs.graylog.org/v1/docs/extractors

PROCESSING PIPELINES https://docs.graylog.org/v1/docs/processing-pipelines

download

https://packages.graylog2.org/packages

troubles

https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610

https://stackoverflow.com/questions/3758301/trap-invalid-opcode-rip-rsp


Copyright © 2022 Pierre-Philipp Braun