Graylog

Operating System Packages

/etc/systemd/timesyncd.conf
[Time]
NTP="ptbtime1.ptb.de"
...
> vi /etc/systemd/timesyncd.conf
> timedatectl set-ntp 0
> timedatectl set-ntp 1
> journalctl --unit=systemd-timesyncd.service
> timedatectl timesync-status
> timedatectl status
> tail /var/log/syslog 
May 11 12:06:26 graylog03 systemd-timedated[6955]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:06:26 graylog03 systemd[1]: Starting Network Time Synchronization...
May 11 12:06:26 graylog03 systemd[1]: Started Network Time Synchronization.
May 11 12:07:18 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service' requested by ':1.65' (uid=0 pid=7030 comm="timedatectl set-ntp 1 " label="unconfined")
May 11 12:08:29 graylog03 systemd[1]: Starting Time & Date Service...
May 11 12:08:29 graylog03 dbus-daemon[606]: [system] Successfully activated service 'org.freedesktop.timedate1'
May 11 12:08:29 graylog03 systemd[1]: Started Time & Date Service.
May 11 12:08:29 graylog03 systemd-timedated[7031]: Set NTP to enabled (systemd-timesyncd.service).
May 11 12:08:59 graylog03 systemd[1]: systemd-timedated.service: Deactivated successfully.
apt update
apt full-upgrade
apt autoclean
apt autoremove
apt install apt-transport-https wget curl pwgen gnupg

Base system

Installing MongoDB

Keys for MongoDB:

> wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | tee /etc/apt/trusted.gpg.d/MongoDB.asc
> wget -qO- 'https://pgp.mongodb.com/server-6.0.asc' | tee /etc/apt/trusted.gpg.d/mongodb-server-6.0.asc
> echo "deb https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/6.0 multiverse" > /etc/apt/sources.list.d/mongodb-org-6.0.list

> apt update
> apt install mongodb-org

Make MongoDB start at boot:

systemctl daemon-reload
systemctl enable mongod.service
systemctl restart mongod.service
systemctl --type=service --state=active | grep -F mongod
 
service mongod restart
service mongod status



Installing OpenSearch

Set up the OpenSearch repository:

> wget -qO- https://artifacts.opensearch.org/publickeys/opensearch.pgp | tee /etc/apt/trusted.gpg.d/opensearch.asc

> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-2.x.list
> echo "deb https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-dashboards-2.x.list

Install OpenSearch:

> apt update
> apt install opensearch opensearch-dashboards
...
Running OpenSearch Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch.service
### You can start opensearch service by executing
 sudo systemctl start opensearch.service
### Create opensearch demo certificates in /etc/opensearch/
 See demo certs creation log in /var/log/opensearch/install_demo_configuration.log
opensearch-dashboards (2.7.0) wird eingerichtet ...
Running OpenSearch-Dashboards Post-Installation Script
### NOT starting on installation, please execute the following statements to configure opensearch-dashboards service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable opensearch-dashboards.service
### You can start opensearch-dashboards service by executing
 sudo systemctl start opensearch-dashboards.service
...
> less /var/log/opensearch/install_demo_configuration.log

If Java is not found, this may additionally be necessary (OPENSEARCH_JAVA_HOME must point at the JDK directory, not at the java binary):

> export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
> ln -s /usr/share/opensearch/jdk/bin/java /usr/bin/java

Make OpenSearch start at boot:

systemctl daemon-reload
systemctl enable opensearch.service
systemctl start opensearch.service
 
systemctl daemon-reload
systemctl enable opensearch-dashboards.service
systemctl start opensearch-dashboards.service
 
ss -antp
 
State    Recv-Q Send-Q Local Address:Port       Peer Address:Port        Process
LISTEN   0      511             127.0.0.1:5601             0.0.0.0:*     users:(("node",pid=4439,fd=18))
...
LISTEN   0      4096   [::ffff:127.0.0.1]:9200                   *:*     users:(("java",pid=4044,fd=575))
LISTEN   0      4096                [::1]:9200                [::]:*     users:(("java",pid=4044,fd=574))
LISTEN   0      4096   [::ffff:127.0.0.1]:9300                   *:*     users:(("java",pid=4044,fd=571))
LISTEN   0      4096                [::1]:9300                [::]:*     users:(("java",pid=4044,fd=570))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:52124 users:(("java",pid=4044,fd=580))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:34464 users:(("java",pid=4044,fd=581))
ESTAB    0      0      [::ffff:127.0.0.1]:9200  [::ffff:127.0.0.1]:52134 users:(("java",pid=4044,fd=585))
The following ports need to be open for OpenSearch components.

Port  OpenSearch component
443   OpenSearch Dashboards in AWS OpenSearch Service with encryption in transit (TLS)
5601  OpenSearch Dashboards
9200  OpenSearch REST API
9250  Cross-cluster search
9300  Node communication and transport
9600  Performance Analyzer

This is supposed to improve performance:

> swapoff -a

> sysctl vm.max_map_count
> vi /etc/sysctl.conf
vm.max_map_count=262144
> sysctl -p
### Send a request to port 9200:
root@graylog01:~# curl -X GET https://localhost:9200 -u 'admin:admin' --insecure
 
### Query the plugins endpoint:
root@graylog01:~# curl -X GET https://localhost:9200/_cat/plugins?v -u 'admin:admin' --insecure
name      component                            version
graylog02 opensearch-alerting                  2.7.0.0
graylog02 opensearch-anomaly-detection         2.7.0.0
graylog02 opensearch-asynchronous-search       2.7.0.0
graylog02 opensearch-cross-cluster-replication 2.7.0.0
graylog02 opensearch-geospatial                2.7.0.0
graylog02 opensearch-index-management          2.7.0.0
graylog02 opensearch-job-scheduler             2.7.0.0
graylog02 opensearch-knn                       2.7.0.0
graylog02 opensearch-ml                        2.7.0.0
graylog02 opensearch-neural-search             2.7.0.0
graylog02 opensearch-notifications             2.7.0.0
graylog02 opensearch-notifications-core        2.7.0.0
graylog02 opensearch-observability             2.7.0.0
graylog02 opensearch-performance-analyzer      2.7.0.0
graylog02 opensearch-reports-scheduler         2.7.0.0
graylog02 opensearch-security                  2.7.0.0
graylog02 opensearch-security-analytics        2.7.0.0
graylog02 opensearch-sql                       2.7.0.0
> vi /etc/opensearch/opensearch.yml
> vi /etc/opensearch/jvm.options

<hidden /etc/opensearch/opensearch.yml>

/etc/opensearch/opensearch.yml
cluster.name: test-graylog
node.name: ${HOSTNAME}
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true

</hidden>


> service opensearch restart
> service opensearch-dashboards restart
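With plugins.security.disabled: true there is no authentication on port 9200, so the only safe network.host values are loopback ones (here nginx only fronts Graylog, not OpenSearch). The following check is an added example, not part of the wiki page; it reads a top-level key: value file like the opensearch.yml above and flags that combination.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an opensearch.yml for the
# combination "security plugin disabled" + "bound to a non-loopback address".

# Constructed sample config with the page's settings.
SAMPLE_YML=$(cat <<'EOF'
cluster.name: test-graylog
node.name: ${HOSTNAME}
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true
EOF
)

# yml_get FILE KEY_REGEX -> prints the value of a top-level "key: value" line
yml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# audit_opensearch_yml FILE -> prints "ok" (returns 0) or "exposed: ..." (returns 1)
audit_opensearch_yml() {
    host=$(yml_get "$1" 'network\.host')
    secdis=$(yml_get "$1" 'plugins\.security\.disabled')
    case "$host" in
        ''|127.0.0.1|_local_|localhost|::1) loopback=1 ;;
        *) loopback=0 ;;
    esac
    if [ "$secdis" = "true" ] && [ "$loopback" -eq 0 ]; then
        echo "exposed: network.host=$host with plugins.security.disabled=true"
        return 1
    fi
    echo "ok"
    return 0
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_YML" > "$tmp"
audit_opensearch_yml "$tmp" || echo "bind OpenSearch to 127.0.0.1 or re-enable the security plugin"
rm -f "$tmp"
```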

Installing Graylog

timedatectl set-timezone CET
timedatectl show
> wget https://packages.graylog2.org/repo/packages/graylog-5.1-repository_latest.deb
> dpkg -i graylog-5.1-repository_latest.deb

> cat /etc/apt/sources.list.d/graylog.list
deb https://packages.graylog2.org/repo/debian/ stable 5.1

> apt update
> apt search graylog
> apt install graylog-server

Put the package on hold so that it is not accidentally upgraded:

apt-mark hold graylog-server
apt-mark showhold | grep -F graylog-server

Remove the hold so that it can be upgraded:

apt-mark unhold graylog-server
### GrayLog => password_secret
> pwgen -N 1 -s 96
lvZkkRd9G4UzdIzrtEGCFcbj2h6MG43lr0VtxGkJiaUMjybjJE4Rp7RXefx7woHh5i6S4FfsNKE50KkyFHKz7SnnVIjA3XuF

### GrayLog => root_password_sha2
> echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: ********
9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af

root@graylog01:~# vi /etc/graylog/server/server.conf
...
password_secret = 6cP1xnaWlkkTbVK2AiHMOhHVeyhAnyxMXviQTICfOMTkzBIWPRdw8BWuMwOBeh93pD7qS1aYySjmcfWvcDNgXvNtOvcIik6c
...
root_password_sha2 = 9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af
...
> vi /etc/graylog/server/server.conf

<hidden /etc/graylog/server/server.conf>

/etc/graylog/server/server.conf
password_secret = D24EGFFtVlqhNPXys3UN5E86yceWyAkLpMiDXxAVlVhWKtMBeJFValBbDUg5kmPWJl3wLJr5CqPuYYEpLdtM87wM1sK3m393
root_password_sha2 = 9e4890e2b7f2fb7d52e824879fdb47312a28c542dd1ad59f3e8423529b2328af
...
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://0.0.0.0:9000/
...
elasticsearch_hosts = http://0.0.0.0:9200

</hidden>

> systemctl daemon-reload
> systemctl enable graylog-server.service
> service graylog-server start

> ss -antp | grep -F 9000
LISTEN    0      4096                      *:9000                     *:*     users:(("java",pid=2740,fd=57))

Installing nginx

> apt install nginx-full
> vi /etc/nginx/sites-available/rev_graylog.conf
> ln -s /etc/nginx/sites-available/rev_graylog.conf /etc/nginx/sites-enabled/rev_graylog.conf
> rm /etc/nginx/sites-enabled/graylog.conf

<hidden /etc/nginx/sites-available/rev_graylog.conf>

/etc/nginx/sites-available/rev_graylog.conf
server
{
        listen 80 default_server;
        server_name graylog01;
 
        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL http://$server_name/;
                proxy_pass http://0.0.0.0:9000;
        }       
}

</hidden>


> service nginx restart
> service mongod restart
> service opensearch restart
> service opensearch-dashboards restart
> service graylog-server restart

> less /var/log/graylog-server/server.log
> less /var/log/opensearch/test-graylog.log