====== Graylog ======
* [[https://www.graylog.org/]]
* [[https://www.graylog.org/downloads/]]
===== Operating System Packages =====
* [[https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/operating_system_packages.htm|Operating System Packages]]
[Time]
NTP="ptbtime1.ptb.de"
...
> vi /etc/systemd/timesyncd.conf
> timedatectl set-ntp 0
> timedatectl set-ntp 1
> journalctl --unit=systemd-timesyncd.service
> timedatectl timesync-status
> timedatectl status
> tail /var/log/syslog
May 11 12:06:26 graylog03 systemd-timedated[6955]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:06:26 graylog03 systemd[1]: Starting Network Time Synchronization...
May 11 12:06:26 graylog03 systemd[1]: Started Network Time Synchronization.
May 11 12:07:18 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.65' (uid=0 pid=7030 comm="timedatectl set-ntp 1 " label="unconfined")
May 11 12:08:29 graylog03 systemd[1]: Starting Time & Date Service...
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 11 12:08:29 graylog03 systemd[1]: Started Time & Date Service.
May 11 12:08:29 graylog03 systemd-timedated[7031]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:08:59 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.
apt update
apt full-upgrade
apt autoclean
apt autoremove
apt install apt-transport-https wget curl pwgen gnupg
===== Base system =====
* [[https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/ubuntu_installation.html|Ubuntu Installation]]
* [[https://opensearch.org/downloads.html]]
Ubuntu 22.04.2 LTS
===== Installing MongoDB =====
Signing key for MongoDB:
> wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | tee /etc/apt/trusted.gpg.d/MongoDB.asc
> wget -qO- 'https://pgp.mongodb.com/server-6.0.asc' | tee /etc/apt/trusted.gpg.d/mongodb-server-6.0.asc
> echo "deb https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/6.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-6.0.list
> apt update
> apt install mongodb-org
Make MongoDB start at boot:
systemctl daemon-reload
systemctl enable mongod.service
systemctl restart mongod.service
systemctl --type=service --state=active | grep -F mongod
service mongod restart
service mongod status
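The two `wget ... | tee /etc/apt/trusted.gpg.d/...` lines above trust whatever the download returns. This added helper (not from the wiki page) installs a key only after its primary fingerprint matched the one the page itself looks up on keyserver.ubuntu.com; `primary_fpr` parses `gpg --with-colons` output, the rest assumes `wget`, `gpg` and `install` on the host, and the test feeds it a constructed colon listing.

```shell
#!/bin/sh
# Added example, not from the wiki page: install an apt signing key only
# after its primary fingerprint matched the expected one. The expected
# value below is the fingerprint the page passes to keyserver.ubuntu.com.
set -eu

MONGODB_FPR="F5679A222C647C87527C2F8CB00A0BD1E2C63C11"

# Primary-key fingerprint from `gpg --with-colons` output on stdin: the
# first "fpr" record belongs to the primary key, field 10 holds the hex.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint for comparison: strip a 0x prefix and spaces,
# upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | sed 's/^0[xX]//; s/ //g' | tr 'a-f' 'A-F'
}

# $1=expected fingerprint  $2=key URL  $3=destination in /etc/apt/trusted.gpg.d
# Downloads to a temp file and installs it only when the fingerprint matches;
# returns 1 (and installs nothing) otherwise. Needs wget and gpg on the host.
install_apt_key_checked() {
    expected=$(norm_fpr "$1")
    tmp=$(mktemp)
    wget -qO "$tmp" "$2"
    got=$(gpg --show-keys --with-colons "$tmp" 2>/dev/null | primary_fpr)
    if [ "$got" = "$expected" ]; then
        install -m 0644 "$tmp" "$3" && rm -f "$tmp"
        echo "installed $3 (fingerprint $got)"
    else
        rm -f "$tmp"
        echo "refusing $2: fingerprint '${got:-none}' != '$expected'" >&2
        return 1
    fi
}

# Usage for the page's MongoDB key (https rather than the page's plain http):
# install_apt_key_checked "$MONGODB_FPR" \
#   "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$MONGODB_FPR" \
#   /etc/apt/trusted.gpg.d/MongoDB.asc
```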
----
===== Installing OpenSearch =====
* **[[https://opensearch.org/downloads.html|Download OpenSearch]]**
* [[https://opensearch.org/verify-signatures.html|PGP Key]]
* [[https://opensearch.org/docs/latest/install-and-configure/install-dashboards/debian/#installing-opensearch-dashboards-from-an-apt-repository|Installing OpenSearch Dashboards from an APT repository]]
Set up the OpenSearch repository:
> wget -qO- https://artifacts.opensearch.org/publickeys/opensearch.pgp | tee /etc/apt/trusted.gpg.d/opensearch.asc
> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-2.x.list
> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list
Install OpenSearch:
> apt update
> apt install opensearch opensearch-dashboards
...
Running OpenSearch Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
### You can start opensearch service by executing
sudo systemctl start opensearch.service
### Create opensearch demo certificates in /etc/opensearch/
See demo certs creation log in /var/log/opensearch/install_demo_configuration.log
opensearch-dashboards (2.7.0) wird eingerichtet ...
Running OpenSearch-Dashboards Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch-dashboards service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable opensearch-dashboards.service
### You can start opensearch-dashboards service by executing
sudo systemctl start opensearch-dashboards.service
...
> less /var/log/opensearch/install_demo_configuration.log
If Java is not found, this may additionally be necessary (OPENSEARCH_JAVA_HOME points at the JDK directory, not at the java binary):
> export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
> ln -s /usr/share/opensearch/jdk/bin/java /usr/bin/java
Make OpenSearch start at boot:
systemctl daemon-reload
systemctl enable opensearch.service
systemctl start opensearch.service
systemctl daemon-reload
systemctl enable opensearch-dashboards.service
systemctl start opensearch-dashboards.service
ss -antp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 127.0.0.1:5601 0.0.0.0:* users:(("node",pid=4439,fd=18))
...
LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=4044,fd=575))
LISTEN 0 4096 [::1]:9200 [::]:* users:(("java",pid=4044,fd=574))
LISTEN 0 4096 [::ffff:127.0.0.1]:9300 *:* users:(("java",pid=4044,fd=571))
LISTEN 0 4096 [::1]:9300 [::]:* users:(("java",pid=4044,fd=570))
ESTAB 0 0 [::ffff:127.0.0.1]:9200 [::ffff:127.0.0.1]:52124 users:(("java",pid=4044,fd=580))
ESTAB 0 0 [::ffff:127.0.0.1]:9200 [::ffff:127.0.0.1]:34464 users:(("java",pid=4044,fd=581))
ESTAB 0 0 [::ffff:127.0.0.1]:9200 [::ffff:127.0.0.1]:52134 users:(("java",pid=4044,fd=585))
^ The following ports need to be open for OpenSearch components. ^^
^ Port number ^ OpenSearch component ^
| 443 | OpenSearch Dashboards in AWS OpenSearch Service with encryption in transit (TLS) |
^ 5601 | OpenSearch Dashboards |
^ 9200 | OpenSearch REST API |
| 9250 | Cross-cluster search |
^ 9300 | Node communication and transport |
| 9600 | Performance Analyzer |
This is meant to improve performance:
> swapoff -a
> sysctl vm.max_map_count
> vi /etc/sysctl.conf
vm.max_map_count=262144
> sysctl -p
### Send a request to port 9200:
root@graylog01:~# curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
### Query the plugins endpoint:
root@graylog01:~# curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
name component version
graylog02 opensearch-alerting 2.7.0.0
graylog02 opensearch-anomaly-detection 2.7.0.0
graylog02 opensearch-asynchronous-search 2.7.0.0
graylog02 opensearch-cross-cluster-replication 2.7.0.0
graylog02 opensearch-geospatial 2.7.0.0
graylog02 opensearch-index-management 2.7.0.0
graylog02 opensearch-job-scheduler 2.7.0.0
graylog02 opensearch-knn 2.7.0.0
graylog02 opensearch-ml 2.7.0.0
graylog02 opensearch-neural-search 2.7.0.0
graylog02 opensearch-notifications 2.7.0.0
graylog02 opensearch-notifications-core 2.7.0.0
graylog02 opensearch-observability 2.7.0.0
graylog02 opensearch-performance-analyzer 2.7.0.0
graylog02 opensearch-reports-scheduler 2.7.0.0
graylog02 opensearch-security 2.7.0.0
graylog02 opensearch-security-analytics 2.7.0.0
graylog02 opensearch-sql 2.7.0.0
> vi /etc/opensearch/opensearch.yml
> vi /etc/opensearch/jvm.options
cluster.name: test-graylog
node.name: ${HOSTNAME}
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true
----
> service opensearch restart
> service opensearch-dashboards restart
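The opensearch.yml above combines `network.host: 0.0.0.0` with `plugins.security.disabled: true`, so the REST API on 9200 answers unauthenticated on every interface unless a host firewall confines it. This added check (not from the wiki page) parses `ss -lntp` output and lists OpenSearch and MongoDB listeners that are not bound to loopback; the port list is taken from the table above plus MongoDB's default 27017, which is an assumption, and the test uses constructed `ss` lines modelled on the ones shown above.

```shell
#!/bin/sh
# Added example, not from the wiki page: list OpenSearch/MongoDB sockets
# that listen on a non-loopback address. Feed it the output of `ss -lntp`.
set -eu

# Ports that should stay host-local on a single node fronted by nginx:
# 9200/9300/9600 from the OpenSearch port table, 27017 = MongoDB's default
# (the MongoDB port is an assumption, the page does not list it).
LOCAL_ONLY_PORTS="9200 9300 9600 27017"

# Reads ss lines on stdin; prints "<port> <local address>" for every
# LISTEN socket on one of those ports whose address is not loopback.
check_exposed_listeners() {
    awk -v ports="$LOCAL_ONLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                # e.g. [::ffff:127.0.0.1]:9200 or *:9000
            port = la; sub(/.*:/, "", port)        # text after the last colon
            addr = la; sub(/:[0-9]+$/, "", addr)   # everything before it
            if (!(port in want)) next
            # loopback in its IPv4, IPv6 and IPv4-mapped spellings is fine
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Post-install smoke test: succeed only if nothing is exposed.
assert_no_exposed_listeners() {
    found=$(check_exposed_listeners)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | sed 's/^/exposed listener: /' >&2
    return 1
}

# Usage on the host itself:
# ss -lntp | assert_no_exposed_listeners
```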
===== The Graylog installation =====
* [[https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/operating_system_packages.htm|Operating System Packages]]
* [[https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/ubuntu_installation.html|Ubuntu Installation]]
* [[https://go2docs.graylog.org/5-0/setting_up_graylog/web_interface.htm]]
* [[https://go2docs.graylog.org/5-0/setting_up_graylog/web_interface.htm#making-the-web-interface-work-with-load-balancersproxies]]
timedatectl set-timezone CET
timedatectl show
> wget https://packages.graylog2.org/repo/packages/graylog-5.1-repository_latest.deb
> dpkg -i graylog-5.1-repository_latest.deb
> cat /etc/apt/sources.list.d/graylog.list
deb https://packages.graylog2.org/repo/debian/ stable 5.1
> apt update
> apt search graylog
> apt install graylog-server
Put the package on hold so that it is not accidentally upgraded:
apt-mark hold graylog-server
apt-mark showhold | grep -F graylog-server
Remove the hold so that it can be upgraded again:
apt-mark unhold graylog-server
### GrayLog => password_secret
> pwgen -N 1 -s 96
lvZkkRd9G4UzdIzrtEGCFcbj2h6MG43lr0VtxGkJiaUMjybjJE4Rp7RXefx7woHh5i6S4FfsNKE50KkyFHKz7SnnVIjA3XuF
### GrayLog => root_password_sha2
> echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
> vi /etc/graylog/server/server.conf
password_secret = D24EGFFtVlqhNPXys3UN5E86yceWyAkLpMiDXxAVlVhWKtMBeJFValBbDUg5kmPWJl3wLJr5CqPuYYEpLdtM87wM1sK3m393
root_password_sha2 = 9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af
...
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://0.0.0.0:9000/
...
elasticsearch_hosts = http://0.0.0.0:9200
> systemctl daemon-reload
> systemctl enable graylog-server.service
> service graylog-server start
> ss -antp | grep -F 9000
LISTEN 0 4096 *:9000 *:* users:(("java",pid=2740,fd=57))
===== The nginx installation =====
> apt install nginx-full
> vi /etc/nginx/sites-available/rev_graylog.conf
> ln -s /etc/nginx/sites-available/rev_graylog.conf /etc/nginx/sites-enabled/rev_graylog.conf
> rm /etc/nginx/sites-enabled/graylog.conf
server
{
listen 80 default_server;
server_name graylog01;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL http://$server_name/;
proxy_pass http://0.0.0.0:9000;
}
}
----
> service nginx restart
> service mongod restart
> service opensearch restart
> service opensearch-dashboards restart
> service graylog-server restart
> less /var/log/graylog-server/server.log
> less /var/log/opensearch/test-graylog.log