Graylog&Nagios

From EIK wiki

Logging and Monitoring - Graylog and Nagios installation.

Group : Cyber Security Engineering (C21).

Page created by Meelis Hass.

Introduction

In this page, I will show how a person can easily install and configure a good logging and monitoring solution into their systems and networks. My choices for this task are Graylog and Nagios.

Graylog

Graylog is currently one of the most popular open-source logging solutions. Its plus sides are that it can work with unstructured logs from anywhere, it is free and open source, and it is easy to install.[1]


Prerequisites


Now, before we begin installing Graylog, we should check which Ubuntu version the machine is actually running.

lsb_release -a

This guide is intended for Ubuntu 16.04. If you already have it, skip to the actual installation; if you need to upgrade, continue with the following commands.

Next, let's upgrade the machine.

  • Start off by updating your package list

sudo apt-get update

  • Next, let's upgrade all installed packages

sudo apt-get upgrade

  • Then resolve changed dependencies with this

sudo apt-get dist-upgrade

  • And finish off with the release upgrade

sudo do-release-upgrade


Graylog Installation


Now to the actual meat of the guide: installing Graylog. We can't jump straight into installing Graylog itself, because it needs a few supporting services, namely Elasticsearch and MongoDB, plus some base packages.


1)Start off with the base packages.

sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen


2)Now lets install MongoDB.

sudo apt-get install mongodb-server


3)Installing Elasticsearch takes a few more commands.

wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list

sudo apt-get update && sudo apt-get install elasticsearch


4)We still need to configure Elasticsearch a bit.

sudo nano /etc/elasticsearch/elasticsearch.yml

And uncomment and change this line.

cluster.name: graylog


5)After that, just start the service.

sudo systemctl daemon-reload

sudo systemctl enable elasticsearch.service

sudo systemctl restart elasticsearch.service


6)Now we actually start installing Graylog itself! Start off by adding the Graylog repository package and then installing the server.

wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb

sudo dpkg -i graylog-2.1-repository_latest.deb

sudo apt-get update && sudo apt-get install graylog-server


7)After installing Graylog, we need to add a few extra parts into the configuration file, mainly passwords.

This will compute the sha256 hash of your chosen password. Do note that a password is required and MUST be 16 characters or longer, otherwise Graylog refuses to start.

echo -n yourpassword | sha256sum

The resulting hash must be put into the /etc/graylog/server/server.conf file.

While in the configuration file, also set rest_listen_uri and web_listen_uri to your public IP with the correct ports.
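The secret and config edits of this step, as an added example (this is not code from the wiki page or from Graylog). Graylog 2.x's shipped server.conf has two separate entries here: password_secret, which is the value with the 16-character minimum, and root_password_sha2, which takes the sha256 hash of the admin password; those two key names, the listen-URI keys and the default ports 12900/9000 are assumed from Graylog's own server.conf, since the page does not name them. The config file the script edits is a constructed sample standing in for /etc/graylog/server/server.conf.

```shell
#!/bin/sh
# Added example (not from the original wiki page or from Graylog): generate
# the secrets Graylog 2.x expects in server.conf and write them, together
# with the listen URIs, into a config file. Key names and ports are assumed
# from Graylog 2.x's default server.conf; the sample config written by
# write_sample_conf is constructed for the demo and tests.

# sha256 of a string without a trailing newline, same as `echo -n pw | sha256sum`.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Graylog refuses to start when password_secret is shorter than 16 characters.
secret_is_long_enough() {
    [ "${#1}" -ge 16 ]
}

# Random 96-character secret, via pwgen (installed in step 1) or /dev/urandom.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
        echo
    fi
}

# Set "key = value" in a Graylog-style config: replaces an existing line,
# commented out or not, and appends the key when it is missing.
# Values must not contain '|' or '&' (sed replacement characters).
set_conf() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^#\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read the value of an active (uncommented) key back out of the config.
get_conf() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Constructed sample config (not the real file) for the demo and tests.
write_sample_conf() {
    cat > "$1" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
#rest_listen_uri = http://127.0.0.1:12900/
#web_listen_uri = http://127.0.0.1:9000/
EOF
}

# configure_graylog <conf file> <admin password> <public ip>
configure_graylog() {
    conf=$1; admin_pw=$2; ip=$3
    secret=$(gen_secret)
    secret_is_long_enough "$secret" || { echo "secret too short" >&2; return 1; }
    set_conf "$conf" password_secret "$secret"
    set_conf "$conf" root_password_sha2 "$(sha256_hex "$admin_pw")"
    set_conf "$conf" rest_listen_uri "http://$ip:12900/"
    set_conf "$conf" web_listen_uri "http://$ip:9000/"
}

# Stand-alone demo on a temporary file; 203.0.113.10 is a documentation address.
demo=$(mktemp)
write_sample_conf "$demo"
configure_graylog "$demo" 'change-me-admin-password' 203.0.113.10
cat "$demo"
rm -f "$demo"
```

Run it against a copy of the real server.conf rather than the live file first, then diff the two; the script only touches the four keys it is told about and leaves everything else in place.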


8)Final steps to enable Graylog.

sudo systemctl daemon-reload

sudo systemctl enable graylog-server.service

sudo systemctl start graylog-server.service


And there you have it, one fully installed Graylog, ready for all your logging needs!

After this, you can explore the web interface at the public IP address you set before and start logging whatever you want.

Nagios

Nagios is a free, open-source application used to monitor systems and networks. It can alert users when things go wrong and again when the problem is resolved. Nagios was created by Ethan Galstad and a group of developers, and was initially released on March 14, 1999.[2]


Prerequisites


Before installing Nagios, we once again need to check the Ubuntu version.

lsb_release -a

This guide is intended for Ubuntu 14.04 servers, so if your version is higher or lower, upgrade or downgrade accordingly.


Nagios Installation


Installing Nagios is easier said than done, because it needs a lot of things in advance, like a LAMP[3] stack.

1)These commands install Apache, MySQL and PHP, which Nagios needs to function.

sudo apt-get install apache2

sudo apt-get install mysql-server php5-mysql

sudo mysql_install_db

sudo mysql_secure_installation

sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt

We also need to configure Apache a bit. Open /etc/apache2/mods-enabled/dir.conf

And change this line

<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
</IfModule>

into this, by moving index.php ahead of index.html:

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
</IfModule>

After that, just restart the Apache service.

sudo service apache2 restart


2)Now we need to create the user and group that Nagios will use.

sudo useradd nagios

sudo groupadd nagcmd

sudo usermod -a -G nagcmd nagios


3)We can almost move on to building Nagios Core, but first we need a few build dependencies.

sudo apt-get update

sudo apt-get install build-essential libgd2-xpm-dev openssl libssl-dev xinetd apache2-utils unzip


4)Now to finally get Nagios itself.

curl -L -O https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.1.1.tar.gz

tar xvf nagios-4.1.1.tar.gz


5)Move to the newly created folder and type these commands.

./configure --with-nagios-group=nagios --with-command-group=nagcmd

make all

That last command compiled Nagios, but it's not fully done just yet. We still need to install a few more pieces.

sudo make install

sudo make install-commandmode

sudo make install-init

sudo make install-config

sudo /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf


6)To be able to issue external commands through the Nagios web interface, we need to add the web server user to the nagcmd group.

sudo usermod -a -G nagcmd www-data


7)We will also need Nagios Plugins and NRPE, which are installed in the same fashion as Nagios Core.

Nagios Plugins:

curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz

tar xvf nagios-plugins-2.1.1.tar.gz

Move to the newly created folder.

./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl

make

sudo make install


NRPE:

curl -L -O http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz

tar xvf nrpe-2.15.tar.gz

Move to the newly created folder.

./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu

Build and install NRPE, including its xinetd startup script and daemon config.

make all

sudo make install

sudo make install-xinetd

sudo make install-daemon-config


8)We also need to open the xinetd config file /etc/xinetd.d/nrpe and add the Nagios server's private or public address to the end of the only_from line.

Example:

only_from = 127.0.0.1 192.168.56.200

After modifying the file, restart xinetd.

sudo service xinetd restart


9)Now Nagios is fully installed, but still needs more configuring.

Let's start off by opening this file:

sudo nano /usr/local/nagios/etc/nagios.cfg

And uncommenting this line:

#cfg_dir=/usr/local/nagios/etc/servers

Now create the directory that will store the configuration file for each server that you will monitor:

sudo mkdir /usr/local/nagios/etc/servers


10)Let's also add a check_nrpe command definition to Nagios.

sudo nano /usr/local/nagios/etc/objects/commands.cfg

And add the following to the end of the file:

define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}

We also need to configure Apache, so let's enable the rewrite and cgi modules.

sudo a2enmod rewrite

sudo a2enmod cgi

Use htpasswd to create an admin user called "nagiosadmin" for access to the web interface. Set a password when prompted; this username and password will be the main login credentials.

sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Finally, let's symlink the Nagios Apache site configuration into the sites-enabled directory.

sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/


11)And that's it, Nagios is ready to be started. Start the service, restart Apache, and set Nagios to start on boot.

sudo service nagios start

sudo service apache2 restart

sudo ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios


That's all; now you have a (hopefully) fully working Nagios thanks to following these steps.

You can access the web interface at: http://nagios_server_public_ip/nagios


12)But let's not stop there; let's add something for Nagios to keep an eye on. To do this, switch over to another machine on the same network as the Nagios server.

On this other machine, install NRPE and the Nagios plugins; they are needed for Nagios to check the new machine.

sudo apt-get install nagios-plugins nagios-nrpe-server

Once NRPE is installed, open its configuration file.

sudo nano /etc/nagios/nrpe.cfg

And add the Nagios server's IP to the end of the allowed_hosts=127.0.0.1, line.


13)As an example, let's monitor one of our filesystems.

Let's look up the filesystems that we have.

df -h /

Now go back into the NRPE configuration file in /etc/nagios/nrpe.cfg and change these three lines:

server_address=client_private_IP
allowed_hosts=nagios_server_private_IP (you already set this earlier)
command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p (filesystem that you chose)

Don't forget to restart the NRPE service.

sudo service nagios-nrpe-server restart
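What the check_hda1 command line above actually evaluates, as an added example (this is not code from the wiki page or from the Nagios Plugins project). check_disk reads "-w 20% -c 10%" as free-space thresholds: WARNING when less than 20% of the filesystem is free, CRITICAL below 10%; the exit codes follow the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN), and NRPE relays the plugin's exit code and output line back to the server, which is what shows up in the web interface. The df output below is constructed, and the free-space formula is simplified relative to the real plugin.

```shell
#!/bin/sh
# Added example (not from the original wiki page or from Nagios Plugins): a
# tiny stand-in for check_disk that shows how the nrpe.cfg command line from
# step 13 is turned into a Nagios state. Sample df output is constructed.

# Constructed sample of `df -P` output, used instead of running df.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         19500000 16000000   3500000      83% /
/dev/sdb1          9800000  9500000    300000      97% /data
/dev/sdc1          8000000  2000000   6000000      25% /home'

# Percentage of the filesystem still free, from the Used and Available
# columns (simplified: the real check_disk also accounts for reserved blocks).
free_percent() {
    used=$1; avail=$2
    echo $(( 100 * avail / (used + avail) ))
}

# Map a free-space percentage to a Nagios state for the given thresholds.
# Prints the state name and returns the matching plugin exit code.
disk_state() {
    free=$1; warn=$2; crit=$3
    if [ "$free" -lt "$crit" ]; then
        echo CRITICAL; return 2
    elif [ "$free" -lt "$warn" ]; then
        echo WARNING; return 1
    fi
    echo OK; return 0
}

# check_disk_sample <mount point> <warn%> <crit%>: evaluate one filesystem
# from SAMPLE_DF the way `check_disk -w W% -c C% -p MOUNT` would.
check_disk_sample() {
    mount=$1
    warn=$(printf '%s' "$2" | tr -d '%')
    crit=$(printf '%s' "$3" | tr -d '%')
    line=$(printf '%s\n' "$SAMPLE_DF" | awk -v m="$mount" '$6 == m')
    if [ -z "$line" ]; then
        echo "DISK UNKNOWN - $mount is not a mounted filesystem"
        return 3
    fi
    used=$(printf '%s\n' "$line" | awk '{print $3}')
    avail=$(printf '%s\n' "$line" | awk '{print $4}')
    free=$(free_percent "$used" "$avail")
    state=$(disk_state "$free" "$warn" "$crit"); rc=$?
    echo "DISK $state - $mount ${free}% free (warn <${warn}%, crit <${crit}%)"
    return $rc
}

# nrpe_command_check '<nrpe.cfg command line>': pull -w/-c/-p out of a line
# such as command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
# and run the check, roughly what NRPE does when the server asks for check_hda1.
nrpe_command_check() {
    args=${1#*=}            # drop "command[check_hda1]="
    set -- $args            # split the plugin path and its arguments
    shift                   # drop the plugin path itself
    warn=20; crit=10; path=/
    while [ $# -gt 0 ]; do
        case $1 in
            -w) warn=$2; shift ;;
            -c) crit=$2; shift ;;
            -p) path=$2; shift ;;
        esac
        shift
    done
    check_disk_sample "$path" "$warn" "$crit"
}

# Stand-alone demo: the line from step 13 plus the other sample filesystems.
nrpe_command_check 'command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /' || :
for m in /data /home /nope; do
    check_disk_sample "$m" 20% 10% || :
done
```

With the sample data the root filesystem lands in WARNING (17% free), /data in CRITICAL (3% free) and /home in OK, which is the same three-way outcome you will see on the Nagios host page once the real check_nrpe!check_hda1 service is defined. Checking a mount point that does not exist comes back UNKNOWN, so a typo in the -p argument is visible rather than silently reported as OK.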


14)After all that is done, it's time to head back to the Nagios server machine and add the new host to a configuration file.

sudo nano /usr/local/nagios/etc/servers/yourhost.cfg

In this file, you need to add this:

define host {
        use                             linux-server
        host_name                       yourhost (changeme)
        alias                           My first Apache server
        address                         10.132.234.52 (changeme)
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
}

define service {
        use                             generic-service
        host_name                       yourhost (changeme)
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
}

Always restart services after major changes!

sudo service nagios reload

And that's all, folks! Now if you look at your Nagios web interface, you will see the new host you just added, along with the service tied to it.

Summary

Graylog and Nagios are rather easy to install, albeit a bit time-consuming and confusing. But they are still very good tools for logging and monitoring.


Sources

http://docs.graylog.org/en/2.1/pages/installation/os/ubuntu.html

https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-14-04

https://www.digitalocean.com/community/tutorials/how-to-install-nagios-4-and-monitor-your-servers-on-ubuntu-14-04#configure-nagios


References