1. Information
Graylog is a very good syslog server for Linux. It collects, indexes and analyzes large amounts of log data and can send notifications by mail.
https://www.graylog.org/
Note: I only tested this installation on Debian!
2. Extra modules
First you need some extra modules:
puppet module install elasticsearch-elasticsearch
puppet module install puppetlabs-mongodb
puppet module install ehazlett-graylog2
For more information see the module descriptions:
* https://forge.puppetlabs.com/elasticsearch/elasticsearch
* https://forge.puppetlabs.com/puppetlabs/mongodb
* https://forge.puppetlabs.com/ehazlett/graylog2
2. Puppet Config
class { 'elasticsearch':
  ensure      => 'present',
  config      => {
    'cluster.name'           => 'graylog2',
    'network.host'           => '127.0.0.1',  # Elasticsearch listens on loopback only
    'script.disable_dynamic' => true,         # Puppet boolean, not the bareword True
  },
  package_url => 'https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.deb',
}

elasticsearch::instance { 'graylog2':
  config => { 'node.name' => 'graylog2-server' },
}

class { '::mongodb::server':
  bind_ip => ['127.0.0.1'],  # MongoDB is only reachable from the Graylog host itself
}

class { 'graylog2::repo':
  version => '1.0',
}

class { 'graylog2::server':
  password_secret                                    => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',
  root_password_sha2                                 => '5ea632ef78c3e6d64653087d3f810972f97691ae93e064b08e6dbca4a671cb8d',
  elasticsearch_cluster_name                         => 'graylog2',
  elasticsearch_node_name                            => 'graylog2-server',
  elasticsearch_network_host                         => '127.0.0.1',
  elasticsearch_discovery_zen_ping_multicast_enabled => false,
  elasticsearch_discovery_zen_ping_unicast_hosts     => '127.0.0.1:9300',
  gc_warning_threshold                               => '15s',
}

class { 'graylog2::web':
  application_secret => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',
}
Notes:
1. Create the value for "password_secret" and "application_secret" with:
pwgen 65
2. Create the value for "root_password_sha2" with:
echo -n YOUR_PASSWORD | sha256sum
3. Port 514
In this setup Graylog doesn't run as root, so it is not allowed to open a port below 1024 (a privileged port). Instead you can create an input (System -> Inputs -> Add) on a port above 1024 (for example 1514) and use that port for syslog. If you like, you can add a firewall rule that redirects port 514 to 1514.
Here is an iptables example (it covers UDP only, matching the UDP input):
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 1514
You have to configure your firewall (of course with Puppet) with this rule if you need syslog on port 514.
4. Mails
The above configuration has no mail setup. This depends on your favorite mail server; just add a Puppet config that allows outgoing mail.
3. Login
After the Puppet run has completed you can start using Graylog2. Just visit http://your_server:9000 and log in with "admin" and the password whose SHA-256 hash you set as root_password_sha2.
4. Clients
A small example of a client setup that still keeps local logs:
# Syslog server
class { 'rsyslog::client':
  log_local             => true,
  server                => 'YOUR_SERVER',
  port                  => '1514',
  remote_type           => 'udp',
  remote_forward_format => 'GRAYLOGRFC5424',
  log_templates         => [
    {
      name     => 'GRAYLOGRFC5424',
      # RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
      template => '<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n',
    },
  ],
}
I used rsyslog because it is the default logger on Debian.
To use this Puppet Module you may need to install it first:
puppet module install saz-rsyslog
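To check that the 1514 input really accepts what the GRAYLOGRFC5424 template above produces, here is a small test sender I added for this guide (it is not code from the guide, Graylog or the saz-rsyslog module). It assumes the placeholder host name YOUR_SERVER from the client example and a UDP syslog input on port 1514.

```python
#!/usr/bin/env python3
"""Build one syslog line in the layout of the GRAYLOGRFC5424 rsyslog template
(<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA msg)
and send it to the Graylog UDP input, so the input can be tested by hand."""
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1 (PRI = facility*8 + severity).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def build_rfc5424(facility, severity, hostname, app, msg,
                  procid="-", msgid="-", sd="-", stamp=None):
    """Return the message exactly as the rsyslog template would lay it out.
    stamp is an RFC 3339 timestamp string; by default the current UTC time
    in the same form rsyslog's date-rfc3339 property option renders."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    if stamp is None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="microseconds")
    return f"<{pri}>1 {stamp} {hostname} {app} {procid} {msgid} {sd} {msg}"


def parse_pri(line):
    """Split the <PRI> header of a line back into (facility, severity), which
    is how Graylog will classify the message once it arrives on the input."""
    if not line.startswith("<") or ">" not in line[:5]:
        raise ValueError("missing PRI header")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:          # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8


def send_udp(line, server, port=1514):
    """Send the line to the non-privileged input from the guide (UDP/1514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (server, port))


if __name__ == "__main__":
    # Constructed sample event; the host name is the guide's placeholder.
    line = build_rfc5424("auth", "warning", "web01", "sshd",
                         "Failed password for invalid user", procid="2134")
    print(line)
    send_udp(line, "YOUR_SERVER")
```

After sending, the message should appear in the Graylog search view with facility "auth" and level "warning".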
Mattias
9 Sep 2015
Loved this guide, very clear use on the puppet modules and just about the easiest step-by-step guide for running Graylog2!
Much appreciated!