Graylog&Nagios: Difference between revisions
| No edit summary | |||
| Line 395: | Line 395: | ||
| <references> | = References = | ||
| </references> | |||
Revision as of 10:52, 5 January 2017
Logging and Monitoring - Graylog and Nagios installation.
Group : Cyber Security Engineering (C21).
Page created by Meelis Hass.
Introduction
In this page, I will show how a person can easily install and configure a good logging and monitoring solution into their systems and networks. My choices for this task are Graylog and Nagios.
Graylog
Graylog is currently one of the most popular open-source logging solution. It's plus sides, are that it is able to work with unstructured logs from anywhere, is free and open source and is easy to install.[1]
Prerequisites
Now before we begin installing Graylog, we should check what version the machine is actully running.
 lsb_release -a 
This is because this guide is intended for 16.04 version of Ubuntu, If you do already have it, skip to actual installation. People who need to upgrade just continue with the following commands.
Next lets upgrade our machine.
- Start off by updating your package list
 sudo apt-get update 
- Next lets upgrade everything
 sudo apt-get upgrade 
- Then fix the dependencies with this
 sudo apt-get dist-upgrade 
- And finish off by finishing the upgrade
 sudo do-release-upgrade 
Graylog Installation
Now to the actual meat of the guide, installing graylog. But we cant just jump into installing Graylog itself, because it needs a few services and a setup base to run it, like Elasticsearch and MongoDB.
1)Starting off with the setup base.
 sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen 
2)Now lets install MongoDB.
 sudo apt-get install mongodb-server 
3)Installing Elasticsearch takes a few more commands.
 wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - 
 echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list 
 sudo apt-get update && sudo apt-get install elasticsearch 
4)We still need to configure Elasticsearch a bit.
 nano /etc/elasticsearch/elasticsearch.yml 
And uncomment and change this line.
 cluster.name: graylog 
5)After that, just start the service
 sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service 
6)Now we actully start installing Graylog itself! Start off by getting the required packages and then installing them.
 wget https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.deb 
sudo dpkg -i graylog-2.1-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server
7)After installing Graylog, we need to add a few extra parts into the configuration file, mainly passwords.
This will generate a password and a sha256sum for it. Do note that the password is required and MUST be 16 characters or longer, otherwise Graylog refuses to function.
 echo -n yourpassword | sha256sum 
The password must be put into  /etc/graylog/server/server.conf file.
While in the configuration file, also add your public ip with correct ports into  rest_listen_uri  and  web_listen_uri .
8)Final steps to enable Graylog.
 sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
And there you have it, one fully installed Graylog, ready for all your logging needs!.
After this, you can explore the web interface at the public ip address you set before and start logging whatever you want.
Nagios
Nagios is a free open source application that is used to monitor systems and networks. Nagios is able to alert users if things go wrong and when the problem is resolved. Nagios was created Ethen Galstad and a group of developers, and was initially released in March 14, 1999[2]
Prerequisites
Before installing Nagios, we need to once again check the version
 lsb_release -a 
This guide is intended for 14.04 ubuntu servers, so if you are higher or lower, upgrade/downgrade appropriately.
Nagios Installation
Installing Nagios is a easier said than done, because it needs alot of stuff in advanced, like a LAMP base.
1)Doing these commands will install Apache, MYSQL and PHP, which are needed for Nagios functionality.
 sudo apt-get install apache2
sudo apt-get install mysql-server php5-mysql
sudo mysql_install_db
sudo mysql_secure_installation
sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt
We also need to configure Apache2 a bit, go into  /etc/apache2/mods-enabled/dir.conf 
And change this line
<IfModule mod_dir.c>
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
</IfModule>
into this line by moving index.php ahead of index.html.
<IfModule mod_dir.c>
    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
</IfModule>
After that just restart Apache service.
 sudo service apache2 restart 
2)Now we need to make a user and group who will be dealing with using Nagios.
 sudo useradd nagios
sudo groupadd nagcmd
sudo usermod -a -G nagcmd nagios
3)We can almost move to building the Nagios Core, but first we need a few dependencies.
sudo apt-get update 
sudo apt-get install build-essential libgd2-xpm-dev openssl libssl-dev xinetd apache2-utils unzip
4)Now to finally install Nagios itself
curl -L -O https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.1.1.tar.gz
tar xvf nagios-4.1.1.tar.gz
5)Move to the newly created folder and type these commands.
./configure --with-nagios-group=nagios --with-command-group=nagcmd
make all 
That final command compiled Nagios, but its not fully done just yet. We still need a few more things to install on it.
 sudo make install
sudo make install-commandmode
sudo make install-init
sudo make install-config
sudo /usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf
6)To be able to issue external commands trough the web interface of Nagios, we need to add the web server user into the nagios group
sudo usermod -G nagcmd www-data
7)We will also need Nagios Plugins and NRPE, which are installed in the same fashion as Nagios Core
Nagios Plugins:
curl -L -O http://nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-2.1.1.tar.gz
Move to the newly created folder.
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install
NRPE:
curl -L -O http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
tar xvf nrpe-2.15.tar.gz
Move to the newly created folder.
./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
Building NRPE, needs its xinetd startup script.
make all
sudo make install
sudo make install-xinetd
sudo make install-daemon-config
8)We also need to open up the xinetd script in /etc/xinetd.d/nrpe and add the Nagios servers private/public address to the end of it.
Example:
only_from = 127.0.0.1 192.168.56.200
After modifying the file, restart xinetd
 sudo service xinetd restart 
9)Now Nagios is fully installed, but still needs more configuring.
Lets start off by going into this file:
sudo nano /usr/local/nagios/etc/nagios.cfg
And uncommenting this line:
#cfg_dir=/usr/local/nagios/etc/servers
Now create the directory that will store the configuration file for each server that you will monitor:
sudo mkdir /usr/local/nagios/etc/servers
10)Lets also add a command to NRPE.
sudo nano /usr/local/nagios/etc/objects/commands.cfg
And add the following to the end of the file:
define command{
        command_name check_nrpe
        command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}
We also need to configure Apache aswell, so lets enable Apache rewrite and cgi modules.
sudo a2enmod rewrite
sudo a2enmod cgi
Use htpasswd to create an admin user, called "nagiosadmin", that will be used in getting access to the web interface. Set a password when prompted by the command, this username and password will be the main login credentials.
sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Finally lets make a symlink between the nagios configuration file and the Apache sites-enabled directory.
sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/
11)And thats it, Nagios is ready to be started up, just restart the service and add Nagios to start on server booting.
sudo service nagios start
sudo service apache2 restart
sudo ln -s /etc/init.d/nagios /etc/rcS.d/S99nagios
Thats all, now you have a fully (hopefully) working Nagios thanks to following these steps.
You can access the webinterface by going here: http://nagios_server_public_ip/nagios
12)But lets not stop there, lets try adding something for Nagios to keep an eye on. To do this, lets swap over to another machine that is in the same network as the Nagios server.
On this other machine, lets install NRPE, it will be needed to make Nagios work on the new machine.
sudo apt-get install nagios-plugins nagios-nrpe-server
Once NRPE is installed, lets go into the configuration file once again.
sudo nano /etc/nagios/nrpe.cfg
And add the nagios server ip to the end of the allowed_hosts=127.0.0.1, segment.
13)As an example, lets monitor one of our filesystems.
Lets look up the filesystems that we have.
df -h /
Now go back into the NRPE configuration file in /etc/nagios/nrpe.cfg and change these three lines:
server_address=client_private_IP allowed_hosts=nagios_server_private_IP (you already set this earlier) command[check_hda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p (filesystem that you chose)
Dont forget to restart the NRPE service.
sudo service nagios-nrpe-server restart
14)After all that is done, its time to head back to the machine with the actual Nagios server and the new Host into the configuration file.
sudo nano /usr/local/nagios/etc/servers/yourhost.cfg
In this file, you need to add this:
define host {
        use                             linux-server
        host_name                       yourhost (changeme)
        alias                           My first Apache server
        address                         10.132.234.52 (changeme)
        max_check_attempts              5
        check_period                    24x7
        notification_interval           30
        notification_period             24x7
}
define service {
        use                             generic-service
        host_name                       yourhost (changeme)
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
}
Always restart services after major changes!
sudo service nagios reload
And thats all folks! Now if you were to look at your Nagios web interface, you would be able to see the new host you just added, and also a service tied to said host.
Summary
Graylong and Nagios are rather easy to install, albeit a bit time consuming and confusing. But they are still very good services in regards to Logging and Monitoring things.
Sources
http://docs.graylog.org/en/2.1/pages/installation/os/ubuntu.html
References
</references>