Logging - Monitoring C21: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Lphanvan (talk | contribs)
Lphanvan (talk | contribs)
Line 123: Line 123:
MongoDB is available in dep format and same can be downloaded from the official website. Add the following repository information on the system to install MongoDB. Before that we must import public key.
MongoDB is available in dep format and same can be downloaded from the official website. Add the following repository information on the system to install MongoDB. Before that we must import public key.


$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
Add repository by creating the /etc/apt/sources.list.d/mongodb-org-3.0.list list file using the command.
Add repository by creating the /etc/apt/sources.list.d/mongodb-org-3.0.list list file using the command.


$ echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list
$ echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list
Update repository cache.
Update repository cache.


$ sudo apt-get update
$ sudo apt-get update
Install MongoDB using the following command.
Install MongoDB using the following command.


$ sudo apt-get install mongodb-org
$ sudo apt-get install mongodb-org
Start the MongoDB service and enable it to start automatically during the system start-up.
Start the MongoDB service and enable it to start automatically during the system start-up.


$ sudo service mongod start
$ sudo service mongod start
$ sudo update-rc.d mongod defaults
$ sudo update-rc.d mongod defaults
Install Graylog2:
 
 
'''Install Graylog2:'''


Graylog-server accepts and process the log messages, also spawns the RESTAPI for the requests that comes from graylog-web-interface. Download the latest version of graylog from graylog.org,
Graylog-server accepts and process the log messages, also spawns the RESTAPI for the requests that comes from graylog-web-interface. Download the latest version of graylog from graylog.org,
Line 143: Line 145:
Use the following command to install graylog2 repository.
Use the following command to install graylog2 repository.


$ wget https://packages.graylog2.org/repo/packages/graylog-1.2-repository-ubuntu14.04_latest.deb
$ wget https://packages.graylog2.org/repo/packages/graylog-1.2-repository-ubuntu14.04_latest.deb


$ sudo dpkg -i graylog-1.2-repository-ubuntu14.04_latest.deb
$ sudo dpkg -i graylog-1.2-repository-ubuntu14.04_latest.deb
Install https suppport and update the repository cache.
Install https suppport and update the repository cache.


$ sudo apt-get install apt-transport-https
$ sudo apt-get install apt-transport-https


$ sudo apt-get update
$ sudo apt-get update
Install Graylog server using following command.
Install Graylog server using following command.


$ sudo apt-get install graylog-server  
$ sudo apt-get install graylog-server  
Edit the server.conf file.
Edit the server.conf file.


$ sudo nano /etc/graylog/server/server.conf
$ sudo nano /etc/graylog/server/server.conf
Configure the following variables in the above file.
Configure the following variables in the above file.


Set a secret to secure the user passwords, use the following command to generate a secret, use at least 64 character’s.
Set a secret to secure the user passwords, use the following command to generate a secret, use at least 64 character’s.


$ pwgen -N 1 -s 96
$ pwgen -N 1 -s 96
 
OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP


OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
If you get a “pwgen: command not found“, use the following command to install pwgen.
If you get a “pwgen: command not found“, use the following command to install pwgen.


$ sudo apt-get install pwgen
$ sudo apt-get install pwgen
 
Place the secret.
Place the secret.


password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
 
Next is to set a hash password for the root user (not to be confused with system user, root user of graylog is admin). You will use this password for login into the web interface, admin’s password can not be changed using web interface, must edit this variable to set.
Next is to set a hash password for the root user (not to be confused with system user, root user of graylog is admin). You will use this password for login into the web interface, admin’s password can not be changed using web interface, must edit this variable to set.


Replace “yourpassword” with the choice of your’s.
Replace “yourpassword” with the choice of your’s.


# echo -n yourpassword | sha256sum
# echo -n yourpassword | sha256sum
 
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951


e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Place the hash password.
Place the hash password.


root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
You can setup email address root (admin) user.
You can setup email address root (admin) user.


root_email = "itzgeek.web@gmail.com"
root_email = "cyber.web@gmail.com"
Set timezone of root (admin) user.
Set timezone of root (admin) user.


root_timezone = UTC
root_timezone = UTC
 
Graylog will try to find the Elasticsearch nodes automatically, it uses multicast mode for the same. But when it comes to larger network, it is recommended to use unicast mode which is best suited one for production setups. So add the following two entries to graylog server.conf file, replace ipaddress with live hostname or ipaddress. Multiple hosts can be added with comma separated.
Graylog will try to find the Elasticsearch nodes automatically, it uses multicast mode for the same. But when it comes to larger network, it is recommended to use unicast mode which is best suited one for production setups. So add the following two entries to graylog server.conf file, replace ipaddress with live hostname or ipaddress. Multiple hosts can be added with comma separated.


elasticsearch_http_enabled = false
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = ipaddress:9300
elasticsearch_discovery_zen_ping_unicast_hosts = ipaddress:9300
 
Set only one master node by defining the below variable, default setting is true, you must set it as a false to make the particular node as a slave. Master node performs some periodic tasks that slave won’t perform.
Set only one master node by defining the below variable, default setting is true, you must set it as a false to make the particular node as a slave. Master node performs some periodic tasks that slave won’t perform.


is_master = true
is_master = true
 
The following variable sets the number of log messages to keep per index, it is recommended to have several smaller indices instead of larger ones.
The following variable sets the number of log messages to keep per index, it is recommended to have several smaller indices instead of larger ones.


elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_docs_per_index = 20000000
The following parameter defines to have total number of indices, if the this number is reached old index will be deleted.
The following parameter defines to have total number of indices, if the this number is reached old index will be deleted.


elasticsearch_max_number_of_indices = 20
elasticsearch_max_number_of_indices = 20
Shards setting is really depends on the number of nodes in the Elasticsearch cluster, if you have only one node, set it as 1.
Shards setting is really depends on the number of nodes in the Elasticsearch cluster, if you have only one node, set it as 1.


elasticsearch_shards = 1
elasticsearch_shards = 1
The number of replicas for your indices, if you have only one node in Elasticsearch cluster; set it as 0.
The number of replicas for your indices, if you have only one node in Elasticsearch cluster; set it as 0.


elasticsearch_replicas = 0
elasticsearch_replicas = 0
Restart Graylog service.
 
''Restart Graylog service.''


$ sudo service graylog-server restart
$ sudo service graylog-server restart
Enable auto start of graylog server service during system startup.
Enable auto start of graylog server service during system startup.


$ sudo update-rc.d graylog-server defaults
$ sudo update-rc.d graylog-server defaults
You can check out the server startup logs, it will be useful for you to troubleshoot graylog in case of any issue.
You can check out the server startup logs, it will be useful for you to troubleshoot graylog in case of any issue.


# tailf /var/log/graylog-server/server.log
# tailf /var/log/graylog-server/server.log
On successful start of graylog-server, you should get the following message in the log file.
On successful start of graylog-server, you should get the following message in the log file.


2015-09-17T09:35:22.895+02:00 INFO  [ServerBootstrap] Graylog server up and running.
2015-09-17T09:35:22.895+02:00 INFO  [ServerBootstrap] Graylog server up and running.
Install Graylog web interface:
 
'''Install Graylog web interface:'''


To configure graylog-web-interface, you must have at least one graylog-server node. Install Graylog web interface using “apt-get”.
To configure graylog-web-interface, you must have at least one graylog-server node. Install Graylog web interface using “apt-get”.


$ sudo apt-get install graylog-web
$ sudo apt-get install graylog-web
Edit the configuration file and set the following parameters.
Edit the configuration file and set the following parameters.


$ sudo nano /etc/graylog/web/web.conf
$ sudo nano /etc/graylog/web/web.conf
This is the list of graylog-server nodes, you can add multiple nodes, separate by commas.
This is the list of graylog-server nodes, you can add multiple nodes, separate by commas.


graylog2-server.uris="http://127.0.0.1:12900/"
graylog2-server.uris="http://127.0.0.1:12900/"
Set the application scret and can be generated using pwgen -N 1 -s 96.
Set the application scret and can be generated using pwgen -N 1 -s 96.


application.secret="sNXyFf6B4Au3GqSlZwq7En86xp10JimdxxYiLtpptOejX6tIUpUE4DGRJOrcMj07wcK0wugPaapvzEzCYinEWj7BOtHXVl5Z"
application.secret="sNXyFf6B4Au3GqSlZwq7En86xp10JimdxxYiLtpptOejX6tIUpUE4DGRJOrcMj07wcK0wugPaapvzEzCYinEWj7BOtHXVl5Z"
Set Web interface timezone.
Set Web interface timezone.


timezone="Europe/Berlin"
Timezone="Europe/Tallinn"
 
Restart the gralog-web-interface using following command,
Restart the gralog-web-interface using following command,


$ sudo service graylog-web restart
$ sudo service graylog-web restart
Enable auto start of web interface service during system startup.
Enable auto start of web interface service during system startup.


$ sudo update-rc.d graylog-web defaults
$ sudo update-rc.d graylog-web defaults


= Summary =
= Summary =


= References =
= References =

Revision as of 17:01, 5 October 2016

Logging and Monitoring with Graylog


Course: Logging and Monitoring - Lecturer: Margus Ernits

Group : Cyber Security Engineering (C21)

Team members: Ender Phan, Kustas Kurval, Sheela Gowry Sumathi Raju, Artur Vincent Kerge

Page created by : October 05, 2016

Abstract

In order to understand how to set up the Graylog service as well as understand its crucial roles. We decided to choose Graylog as our application for Logging and Monitoring. Below are our objectives which would be expected to achieve later on:

- How to install Graylog on Ubuntu 14.04/16.0.

- How to use Graylog to protect servers.

(..more)

Installation Guide

Ubuntu 14.04

Prerequisites:

Since the Elasticsearch is based on java, we would require to install either openJDK or Oracle JDK. It is recommended to install Oracle JDK, verify the java version by using the following command.

Remove the OpenJDK from the system, if you have it already installed.

$ sudo apt-get remove --purge openjdk*

Add repository.

$ sudo add-apt-repository -y ppa:webupd8team/java

Run the following command to pull the packages information from the newly added repository.

$ sudo apt-get update

Issue the following command to install Java jdk 1.8.

$ sudo apt-get -y install oracle-java8-installer
$ java -version
Java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
Install Elasticsearch:


Let’s install the Elasticsearch, it can be downloaded from official website.

Download and install GPG signing key.

$ sudo wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Save the repository definition to /etc/apt/sources.list.d/elasticsearch.list

$ echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch.list

Update repository cache.

$ sudo apt-get update

Install Elasticsearch.

$ sudo apt-get install elasticsearch

Configure Elasticsearch to start during system startup.

$ sudo update-rc.d elasticsearch defaults

The only important thing is to set a cluster name as “graylog2“, that is being used by graylog. Now edit the configuration file of Elasticsearch.

$ sudo nano /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog2

Disable dynamic scripts to avoid remote execution, that can be done by adding the following line at the end of above file.

script.disable_dynamic: true

Once it is done, we are good to go. Before that, restart the Elasticsearch services to load the modified configuration.

$ sudo service elasticsearch restart

Wait at least a minute to let the Elasticsearch get fully restarted, otherwise testing will fail. Elastisearch should be now listen on 9200 for processing HTTP request, we can use CURL to get the response. Ensure that it returns with cluster name as “graylog2”

$ curl -X GET http://localhost:9200
{
  "status" : 200,
  "name" : "Pistol",
  "cluster_name" : "graylog2",
  "version" : {
   "number" : "1.7.1",
   "build_hash" : "b88f43fc40b0bcd7f173a1f9ee2e97816de80b19",
   "build_timestamp" : "2015-07-29T09:54:16Z",
   "build_snapshot" : false,
   "lucene_version" : "4.10.4"
 },
 "tagline" : "You Know, for Search"
}

Optional: Use the following command to check the Elasticsearch cluster health, you must get a cluster status as “green” for graylog to work.

$ curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
 "cluster_name" : "graylog2",
 "status" : "green",
 "timed_out" : false,
 "number_of_nodes" : 1,
 "number_of_data_nodes" : 1,
 "active_primary_shards" : 0,
 "active_shards" : 0,
 "relocating_shards" : 0,
 "initializing_shards" : 0,
 "unassigned_shards" : 0,
 "delayed_unassigned_shards" : 0,
 "number_of_pending_tasks" : 0,
 "number_of_in_flight_fetch" : 0
}


Install MongoDB:

MongoDB is available in dep format and same can be downloaded from the official website. Add the following repository information on the system to install MongoDB. Before that we must import public key.

$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10

Add repository by creating the /etc/apt/sources.list.d/mongodb-org-3.0.list list file using the command.

$ echo "deb http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.0.list

Update repository cache.

$ sudo apt-get update

Install MongoDB using the following command.

$ sudo apt-get install mongodb-org

Start the MongoDB service and enable it to start automatically during the system start-up.

$ sudo service mongod start
$ sudo update-rc.d mongod defaults


Install Graylog2:

Graylog-server accepts and process the log messages, also spawns the RESTAPI for the requests that comes from graylog-web-interface. Download the latest version of graylog from graylog.org,

Use the following command to install graylog2 repository.

$ wget https://packages.graylog2.org/repo/packages/graylog-1.2-repository-ubuntu14.04_latest.deb
$ sudo dpkg -i graylog-1.2-repository-ubuntu14.04_latest.deb

Install https suppport and update the repository cache.

$ sudo apt-get install apt-transport-https
$ sudo apt-get update

Install Graylog server using following command.

$ sudo apt-get install graylog-server 

Edit the server.conf file.

$ sudo nano /etc/graylog/server/server.conf

Configure the following variables in the above file.

Set a secret to secure the user passwords, use the following command to generate a secret, use at least 64 character’s.

$ pwgen -N 1 -s 96
OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

If you get a “pwgen: command not found“, use the following command to install pwgen.

$ sudo apt-get install pwgen

Place the secret.

password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Next is to set a hash password for the root user (not to be confused with system user, root user of graylog is admin). You will use this password for login into the web interface, admin’s password can not be changed using web interface, must edit this variable to set.

Replace “yourpassword” with the choice of your’s.

# echo -n yourpassword | sha256sum
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Place the hash password.

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

You can setup email address root (admin) user.

root_email = "cyber.web@gmail.com"

Set timezone of root (admin) user.

root_timezone = UTC

Graylog will try to find the Elasticsearch nodes automatically, it uses multicast mode for the same. But when it comes to larger network, it is recommended to use unicast mode which is best suited one for production setups. So add the following two entries to graylog server.conf file, replace ipaddress with live hostname or ipaddress. Multiple hosts can be added with comma separated.

elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = ipaddress:9300

Set only one master node by defining the below variable, default setting is true, you must set it as a false to make the particular node as a slave. Master node performs some periodic tasks that slave won’t perform.

is_master = true

The following variable sets the number of log messages to keep per index, it is recommended to have several smaller indices instead of larger ones.

elasticsearch_max_docs_per_index = 20000000

The following parameter defines to have total number of indices, if the this number is reached old index will be deleted.

elasticsearch_max_number_of_indices = 20

Shards setting is really depends on the number of nodes in the Elasticsearch cluster, if you have only one node, set it as 1.

elasticsearch_shards = 1

The number of replicas for your indices, if you have only one node in Elasticsearch cluster; set it as 0.

elasticsearch_replicas = 0

Restart Graylog service.

$ sudo service graylog-server restart

Enable auto start of graylog server service during system startup.

$ sudo update-rc.d graylog-server defaults

You can check out the server startup logs, it will be useful for you to troubleshoot graylog in case of any issue.

# tailf /var/log/graylog-server/server.log

On successful start of graylog-server, you should get the following message in the log file.

2015-09-17T09:35:22.895+02:00 INFO  [ServerBootstrap] Graylog server up and running.

Install Graylog web interface:

To configure graylog-web-interface, you must have at least one graylog-server node. Install Graylog web interface using “apt-get”.

$ sudo apt-get install graylog-web

Edit the configuration file and set the following parameters.

$ sudo nano /etc/graylog/web/web.conf

This is the list of graylog-server nodes, you can add multiple nodes, separate by commas.

graylog2-server.uris="http://127.0.0.1:12900/"

Set the application scret and can be generated using pwgen -N 1 -s 96.

application.secret="sNXyFf6B4Au3GqSlZwq7En86xp10JimdxxYiLtpptOejX6tIUpUE4DGRJOrcMj07wcK0wugPaapvzEzCYinEWj7BOtHXVl5Z"

Set Web interface timezone.

Timezone="Europe/Tallinn"

Restart the gralog-web-interface using following command,

$ sudo service graylog-web restart

Enable auto start of web interface service during system startup.

$ sudo update-rc.d graylog-web defaults

Summary

References