Graylog

• https://www.graylog.org/
• https://www.graylog.org/downloads/

• Operating System Packages

/etc/systemd/timesyncd.conf

[Time]
NTP="ptbtime1.ptb.de"
...

> vi /etc/systemd/timesyncd.conf
> timedatectl set-ntp 0
> timedatectl set-ntp 1
> journalctl --unit=systemd-timesyncd.service
> timedatectl timesync-status
> timedatectl status
> tail /var/log/syslog 
May 11 12:06:26 graylog03 systemd-timedated[6955]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:06:26 graylog03 systemd[1]: Starting Network Time Synchronization...
May 11 12:06:26 graylog03 systemd[1]: Started Network Time Synchronization.
May 11 12:07:18 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.65' (uid=0 pid=7030 comm="timedatectl set-ntp 1 " label="unconfined")
May 11 12:08:29 graylog03 systemd[1]: Starting Time & Date Service...
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 11 12:08:29 graylog03 systemd[1]: Started Time & Date Service.
May 11 12:08:29 graylog03 systemd-timedated[7031]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:08:59 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.

apt update
apt full-upgrade
apt autoclean
apt autoremove
apt install apt-transport-https wget curl pwgen gnupg

• Ubuntu Installation
• https://opensearch.org/downloads.html

Ubuntu 22.04.2 LTS

Schlüssel für MongoDB:

> wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | tee /etc/apt/trusted.gpg.d/MongoDB.asc
> wget -qO- 'https://pgp.mongodb.com/server-6.0.asc' | tee /etc/apt/trusted.gpg.d/mongodb-server-6.0.asc

> echo "deb https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/6.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-6.0.list

> apt update
> apt install mongodb-org

MongoDB bootfest machen:

systemctl daemon-reload
systemctl enable mongod.service
systemctl restart mongod.service
systemctl --type=service --state=active | grep -F mongod
 
service mongod restart
service mongod status

<hidden /etc/apt/trusted.gpg.d/MongoDB.asc>

/etc/apt/trusted.gpg.d/MongoDB.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Hockeypuck 2.1.0-189-g15ebf24
Comment: Hostname: 
 
xsFNBGAsKNUBEAClMqPCvvqm6gFmbiorEN9qp00GI8oaECkwbxtGGbqX9sqMSrKe
AB3sGI7kqG2Fl0K+xmmiq1QDjhNgFDA1jjXq+Bd66RNPtvu747IRxVs+9fX7bk67
8Bruha7U3M5l4193x5oYLlbcZL9aC7RSJE2mggTyS6LarmF6vKQN9LMXDicnageV
KCPpF2i3jkZaGnLPzAisW/pOjPQpWCbatTVqKOKvtOyP3Fz1spYd4obu6ELu1PXa
gmhSfvWJYt1irpchOl29LWZfcmXuJszmb00bqm4gLcK12VrnK191iXv46A8h2hSO
f3eQqrkc+pF/kw4RyG54EV7QtHXyTe9TVCbJUfgtliWIQt/bCoJYfPLHJaWIMs83
bzA6ZvOjCKIfMS0CY5ZJyVaBfiI3wURSjgZIYFZAXVwbreQIfOKKuik7UVVn3xUO
nWpmQ2zyI0W7cJMquxwLNjkI+RckPhIqxWFo5iNSV4v6pzrlHD1WmIfFGBKEn7m+
edwVyHG53fNIFZjxyShO6Pf1vgb9Js/XmXB4lxYnNyx1tB+hQhXTjLlY6N5gPpw5
Z/PWQc7vfYekUZGQMXhTyRxU0QTwmdEeKcb+fb9r23OH59bbAfzE10xTMzhqCd2L
lgSozMBvMmkHb1xs1x6FFuv/U/X7LjHTrHIf4M//DNwdP4l4I1jhPlTAxwARAQAB
zTdNb25nb0RCIDUuMCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u
Z29kYi5jb20+wsF+BBMBAgAoBQJgLCjVAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE
FgIDAQIeAQIXgAAKCRCwCgvR4sY8EawdD/0ewkyx3yE99K9n3y7gdvh5+2U8BsqU
7SWEfup7kPpf+4pF5xWqMaciEV/wRAGt7TiKlfVyAv3Q9iNsaLFN+s3kMaIcKhwD
8+q/iGfziIuOSTeo20dAxn9vF6YqrKGc7TbHdXf9AtYuJCfIU5j02uVZiupx+P9+
rG39dEnjOXm3uY0Fv3pRGCpuGubDlWB1DYh0R5O481kDVGoMqBxmc3iTALu14L/u
g+AKxFYfT4DmgdzPVMDhppgywfyd/IOWxoOCl4laEhVjUt5CygBa7w07qdKwWx2w
gTd9U0KGHxnnSmvQYxrRrS5RX3ILPJShivTSZG+rMqnUe6RgCwBrKHCRU1L728Yv
1B3ZFJLxB1TlVT2Hjr+oigp0RY9W1FCIdO2uhb9GImpaJ1Y0ZZqUkt/d9D8U2wcw
SW6/6WYeO7wAi/zlJ25hrBwhxS2+88gM6wJ1yL9yrM9v8JUb7Kq0rCGsEO5kqscV
AmX90wsF2cZ6gHR53eGIDbAJK0MO5RHR73aQ4bpTivPnoTx4HTj5fyhW9z8yCSOe
BlQABoFFqFvOS7KBxoyIS3pxlDetWOSc6yQrvA1CwxnkB81OHNmJfWAbNbEtZkLm
xs2c8CIh2R81yi6HUzAaxyDH7mrThbwX3hUe/wsaD1koV91G6bDD4Xx3zpa9DG/O
HyB98+e983gslg==
=RP+V
-----END PGP PUBLIC KEY BLOCK-----

</hidden>

<hidden /etc/apt/trusted.gpg.d/mongodb-server-6.0.asc>

/etc/apt/trusted.gpg.d/mongodb-server-6.0.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
 
mQINBGIWTroBEADgSBs1z1MC5Hog5yd2wYHskzPE0SOl9LGB35Xhw1894hrKsswp
AS7JnViltXE71iJMoAqepJBvfmZLOyQO0rXcLlHXExK/IctnosRqGQeyLxNZKS0h
e1xQYQrPCWRaHqseYLuJ5wME49aFQ2YS7caFowBvKjsT5AoT7B0uXDp6nHZDUQG2
MBZJqUKziVYYt7PARv81llDNKqPvLDSc2McL/2aa4mNR/pM5r8iQjACbSnj37ERm
zca2gJ0GzCeZSqfmjoF7I6Ez1Nc/2ge1+fZA24pDFg+7W25du3JIqbnpJQAK5TAz
7tVzvEKU8WT9aQW3G1e5ox3YtlRPTSrTxN9dzLh123NGCd0J9a4moFkZIr8HmySd
jkdz4V1pKv9aTOhLjQpF/bhRaUuNuGK7TV7ZzY+PCVE51fmJx2EX4Ck5c6sW03rJ
59KbrxeTq02AcIBTFUY0Mfh7nxvYvwvLI0OKBOqFGXi4hFXpV4uo0rDLe+tGLFDD
+HsajFUUyAlMETE80PXOuTs44TZiW+SGCTyP2Sm8TBIiacSqsGNsryjgEDaIG6c1
FB++njqTfGlyZujamYbF3s3wBK8nDBVRympJcsHjLqUhvbh1Bq4hyF2pxio93SgA
mPEm6kl0KBCqpJNZpAFSVHK8penQtQUa0jFQetYPDUFfgTsg7qdZDQNcUwARAQAB
tDdNb25nb0RCIDYuMCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxwYWNrYWdpbmdAbW9u
Z29kYi5jb20+iQI+BBMBAgAoBQJiFk66AhsDBQkJZgGABgsJCAcDAgYVCAIJCgsE
FgIDAQIeAQIXgAAKCRBqJrGuZMPDiADhEACex1qu1HbVIeBwZO4GYYEc8OpswguI
LvTL1ufWMVbpSFkm0XDzx7JU0SewCEBzr7BTri2zjNaPm7RQHYFl1ztTnNvxrvzu
AUoj/BClAgQXujSuUcEu+uA9pBHObiLHAkYFy61EnKgXu2iTOMn7HqRvjvHZyOnr
5llGG2zUq8YbEVs4GTHVV9CjCWBkf78stdqEAPCH69DtR1Bv2jQfUslVSDKUnluX
feTRDgWXnIKo4ld6EoqtYurIbcJIGvXHbFx90PoZiPJXn+eTY+6HS3I/TXDGAOkF
xkgmVsPWcZvbU0dLXjAiTIADODyiEiZlonrxYXJztIs/KXLl5CnvAEeXKXACbgaN
nuIMKtprtrLvFDpXwfyI90He0Vv8iE1wXSLcuztT5R1h6NmisMz9oRYQL3hqsSEn
TjV+Ko34Kyo459Bs9PhJO0DcZGg+B8iU9TdJgfp1KEs2HJFAueVtYAUJ3y5+UJFn
AkQoD5CC0Y+93z0+nHQPvjyxQ/7swFWNtrumrthcpYbGMIKEWqaQoEz2My5gVXHh
v5pHEXxXiARNe44GsS8r+1DYQypDUAh5Tw9mQRagWuC5Dsaaqob5vCdcFEAgiK5W
a/coP3B6WzUoQE8NKa8qnKDvX5RU0dxG5oUre+PuOwiHpom9G+375YYkwIL9a6pE
RRM5efxf1F532A==
=Cc71
-----END PGP PUBLIC KEY BLOCK-----

</hidden>

---

• Download OpenSearch
• PGP Key
• Installing OpenSearch Dashboards from an APT repository

OpenSearch-Repo einrichten:

> wget -qO- https://artifacts.opensearch.org/publickeys/opensearch.pgp | tee /etc/apt/trusted.gpg.d/opensearch.asc

> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-2.x.list
> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list

OpenSearch installieren:

> apt update
> apt install opensearch opensearch-dashboards
...
Running OpenSearch Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch.service
### You can start opensearch service by executing
 sudo systemctl start opensearch.service
### Create opensearch demo certificates in /etc/opensearch/
 See demo certs creation log in /var/log/opensearch/install_demo_configuration.log
opensearch-dashboards (2.7.0) wird eingerichtet ...
Running OpenSearch-Dashboards Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch-dashboards service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch-dashboards.service
### You can start opensearch-dashboards service by executing
 sudo systemctl start opensearch-dashboards.service
...

> less /var/log/opensearch/install_demo_configuration.log

ggf. ist das noch nötig, wenn JAVA nicht gefunden wird:

> export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk/bin/java
> ln -s /usr/share/opensearch/jdk/bin/java /usr/bin/java

OpenSearch bootfest machen:

systemctl daemon-reload
systemctl enable opensearch.service
systemctl start opensearch.service
 
systemctl daemon-reload
systemctl enable opensearch-dashboards.service
systemctl start opensearch-dashboards.service
 
ss -antp
 
State    Recv-Q Send-Q Local Address:Port       Peer Address:Port        Process
LISTEN   0      511             127.0.0.1:5601             0.0.0.0:*     users:(("node",pid=4439,fd=18))
...
LISTEN   0      4096   [::ffff:127.0.0.1]:9200                   *:*     users:(("java",pid=4044,fd=575))
LISTEN   0      4096                [::1]:9200                [::]:*     users:(("java",pid=4044,fd=574))
LISTEN   0      4096   [::ffff:127.0.0.1]:9300                   *:*     users:(("java",pid=4044,fd=571))
LISTEN   0      4096                [::1]:9300                [::]:*     users:(("java",pid=4044,fd=570))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:52124 users:(("java",pid=4044,fd=580))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:34464 users:(("java",pid=4044,fd=581))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:52134 users:(("java",pid=4044,fd=585))

Das soll die Geschwindigkeit steigern:

> swapoff -a

> sysctl vm.max_map_count
> vi /etc/sysctl.conf
vm.max_map_count=262144
> sysctl -p

### Send a request to port 9200:
root@graylog01:~# curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
 
### Query the plugins endpoint:
root@graylog01:~# curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
name      component                            version
graylog02 opensearch-alerting                  2.7.0.0
graylog02 opensearch-anomaly-detection         2.7.0.0
graylog02 opensearch-asynchronous-search       2.7.0.0
graylog02 opensearch-cross-cluster-replication 2.7.0.0
graylog02 opensearch-geospatial                2.7.0.0
graylog02 opensearch-index-management          2.7.0.0
graylog02 opensearch-job-scheduler             2.7.0.0
graylog02 opensearch-knn                       2.7.0.0
graylog02 opensearch-ml                        2.7.0.0
graylog02 opensearch-neural-search             2.7.0.0
graylog02 opensearch-notifications             2.7.0.0
graylog02 opensearch-notifications-core        2.7.0.0
graylog02 opensearch-observability             2.7.0.0
graylog02 opensearch-performance-analyzer      2.7.0.0
graylog02 opensearch-reports-scheduler         2.7.0.0
graylog02 opensearch-security                  2.7.0.0
graylog02 opensearch-security-analytics        2.7.0.0
graylog02 opensearch-sql                       2.7.0.0

> vi /etc/opensearch/opensearch.yml
> vi /etc/opensearch/jvm.options

<hidden /etc/opensearch/opensearch.yml>

/etc/opensearch/opensearch.yml

cluster.name: test-graylog
node.name: ${HOSTNAME}
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true

</hidden>

---

> service opensearch restart
> service opensearch-dashboards restart

• Operating System Packages
• Ubuntu Installation
• https://go2docs.graylog.org/5-0/setting_up_graylog/web_interface.htm
• https://go2docs.graylog.org/5-0/setting_up_graylog/web_interface.htm#making-the-web-interface-work-with-load-balancersproxies

timedatectl set-timezone CET
timedatectl show

> wget https://packages.graylog2.org/repo/packages/graylog-5.1-repository_latest.deb
> dpkg -i graylog-5.1-repository_latest.deb

> cat /etc/apt/sources.list.d/graylog.list
deb https://packages.graylog2.org/repo/debian/ stable 5.1

> apt update
> apt search graylog
> apt install graylog-server

Das Paket auf "Halt" setzen, damit es nicht versehentlich einem Update unterzogen wird:

apt-mark hold graylog-server
apt-mark showhold | grep -F graylog-server

Das "Halt" entfernen, damit es einem Update unterzogen werden kann:

apt-mark unhold graylog-server

### GrayLog => password_secret
> pwgen -N 1 -s 96
lvZkkRd9G4UzdIzrtEGCFcbj2h6MG43lr0VtxGkJiaUMjybjJE4Rp7RXefx7woHh5i6S4FfsNKE50KkyFHKz7SnnVIjA3XuF

### GrayLog => root_password_sha2
> echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: ********
9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af

root@graylog01:~# vi /etc/graylog/server/server.conf
...
password_secret = 6cP1xnaWlkkTbVK2AiHMOhHVeyhAnyxMXviQTICfOMTkzBIWPRdw8BWuMwOBeh93pD7qS1aYySjmcfWvcDNgXvNtOvcIik6c
...
root_password_sha2 = 9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af
...

> vi /etc/graylog/server/server.conf

<hidden /etc/graylog/server/server.conf>

/etc/graylog/server/server.conf

password_secret = D24EGFFtVlqhNPXys3UN5E86yceWyAkLpMiDXxAVlVhWKtMBeJFValBbDUg5kmPWJl3wLJr5CqPuYYEpLdtM87wM1sK3m393
root_password_sha2 = 9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af
...
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://0.0.0.0:9000/
...
elasticsearch_hosts = http://0.0.0.0:9200

</hidden>

> systemctl daemon-reload
> systemctl enable graylog-server.service
> service graylog-server start

> ss -antp | grep -F 9000
LISTEN    0      4096                      *:9000                     *:*     users:(("java",pid=2740,fd=57))

> apt install nginx-full

> vi /etc/nginx/sites-available/rev_graylog.conf
> ln -s /etc/nginx/sites-available/rev_graylog.conf /etc/nginx/sites-enabled/rev_graylog.conf
> rm /etc/nginx/sites-enabled/graylog.conf

<hidden /etc/nginx/sites-available/rev_graylog.conf>

/etc/nginx/sites-available/rev_graylog.conf

server
{
        listen 80 default_server;
        server_name graylog01;
 
        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL http://$server_name/;
                proxy_pass http://0.0.0.0:9000;
        }       
}

</hidden>

---

> service nginx restart
> service mongod restart
> service opensearch restart
> service opensearch-dashboards restart
> service graylog-server restart

> less /var/log/graylog-server/server.log
> less /var/log/opensearch/test-graylog.log