Installation
Java
apt-get install ca-certificates dirmngr apt-transport-https uuid-runtime pwgen
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
MongoDB
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/3.6 main" | tee /etc/apt/sources.list.d/mongodb-org-3.6.list
apt-get update
apt-get install -y mongodb-org
Elastic Search
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-5.x.list
apt-get update && apt-get install elasticsearch
# Uncomment and set the three settings in elasticsearch.yml. The patterns accept "#key" and "# key",
# and the replacement has no leading space, so the resulting YAML lines stay at the top level.
sed -i -E 's/^#\s*cluster\.name:.*/cluster.name: graylog/' /etc/elasticsearch/elasticsearch.yml
sed -i -E 's/^#\s*node\.name:.*/node.name: graylog-server/' /etc/elasticsearch/elasticsearch.yml
sed -i -E 's/^#\s*node\.max_local_storage_nodes:.*/node.max_local_storage_nodes: 1/' /etc/elasticsearch/elasticsearch.yml
chown elasticsearch: /usr/share/elasticsearch/ -R
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
Graylog
wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
dpkg -i graylog-2.4-repository_latest.deb
apt-get update && apt-get install graylog-server
chown graylog: /etc/graylog -R
Configuration file: /etc/graylog/server/server.conf
password_secret
- Generate it with the command:
openssl rand -base64 32
- Or write it into the file in one go (the original used backticks inside single quotes, which the shell never expands; $(...) inside double quotes does, and the | delimiter keeps the / and + characters of base64 output from breaking the sed expression):
sed -i "s|^password_secret =.*|password_secret = $(openssl rand -base64 32)|" /etc/graylog/server/server.conf
root_username
# Uncomment the line (the original replaced it with itself and changed nothing)
sed -i 's/^#root_username = admin/root_username = admin/' /etc/graylog/server/server.conf
root_password
# Compute the SHA-256 of the password (echo -n so the newline is not hashed), then paste the printed hash into the sed below
echo -n "MotdePasse" | shasum -a 256 | awk '{print $1}'
sed -i 's/^root_password_sha2 =.*/root_password_sha2 = 23f6249ea0388a75929454e3faf127af2b80bd69bdcbf45d1b4de399da47d51a/' /etc/graylog/server/server.conf
root_email
sed -i 's/#root_email = ""/root_email = "un@email.com"/' /etc/graylog/server/server.conf
root_timezone
sed -i 's/#root_timezone = UTC/root_timezone = CET/' /etc/graylog/server/server.conf
elasticsearch_shards
sed -i 's/elasticsearch_shards = 4/elasticsearch_shards = 1/' /etc/graylog/server/server.conf
sed -i 's/#elasticsearch_discovery_zen_ping_multicast_enabled = false/elasticsearch_discovery_zen_ping_multicast_enabled = false/' /etc/graylog/server/server.conf
sed -i 's/#elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300/elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300/' /etc/graylog/server/server.conf
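The server.conf edits above all follow the same pattern (uncomment or fill a "key = value" line), and two of the original sed one-liners had quoting mistakes. As an added example, not from the original page or the Graylog project, here is a small POSIX shell helper that sets a key whether it is commented out or not, escapes sed-special characters in the value, and derives root_password_sha2 from the password instead of pasting the hash by hand. It assumes GNU sed, sha256sum and base64 from coreutils (the page uses shasum -a 256 and openssl rand, which give the same results), and it writes to a constructed temporary copy of the config rather than the real /etc/graylog/server/server.conf.

```shell
#!/bin/sh
# Added example: idempotent "key = value" editing for Graylog's server.conf.

# set_conf FILE KEY VALUE
# Replaces an existing "KEY = ..." or "#KEY = ..." line with "KEY = VALUE",
# or appends it if the key is missing. '|' is the sed delimiter so base64
# values containing '/' or '+' are safe; '&', '|' and '\' in VALUE are escaped.
set_conf() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^#? *${key} *=" "$file"; then
        sed -i -E "s|^#? *${key} *=.*|${key} = ${esc}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY -> prints the active value ("" if unset or commented out)
get_conf() {
    sed -nE "s/^${2} *= *//p" "$1"
}

# hash_password PASSWORD -> hex SHA-256 as root_password_sha2 expects
# (printf '%s' so no trailing newline is hashed, same as the page's echo -n)
hash_password() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# random_secret -> 32 random bytes, base64 (equivalent to openssl rand -base64 32)
random_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Demo on a constructed fragment of server.conf in a temp file
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
password_secret =
root_password_sha2 =
#root_username = admin
#root_email = ""
EOF
set_conf "$CONF" password_secret "$(random_secret)"
set_conf "$CONF" root_password_sha2 "$(hash_password 'MotdePasse')"
set_conf "$CONF" root_username admin
set_conf "$CONF" root_email '"un@email.com"'
cat "$CONF"
```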
Show the file without comments and blank lines
grep -vE '^\s*(#|$)' /etc/graylog/server/server.conf
Firewall
# Redirect syslog on port 514 (UDP and TCP) to the unprivileged port 1514 that the Graylog input listens on
iptables -t nat -A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
wget https://raw.githubusercontent.com/jbsky/Debian-On-WRT1900AC-V1/master/rootfs/etc/init.d/firewall
mv firewall /etc/init.d/
chmod +x /etc/init.d/firewall
mkdir /etc/firewall
/etc/init.d/firewall save
Client configuration
rsyslog
# Forward all messages to the Graylog server (replace the IP with yours) in RFC 5424 format
IP=192.168.0.3
echo "*.* @${IP}:514;RSYSLOG_SyslogProtocol23Format" >> /etc/rsyslog.conf
/etc/init.d/rsyslog restart
Sources:
http://docs.graylog.org/en/2.2/pages/configuration/elasticsearch.html
http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
https://buzut.fr/analysez-vos-logs-graylog/