Graylog 4.X Installation and configuration
Part of the SIEM build:
When I was writing this blog, Graylog 5.0 had just been released, but it required Java 17 (which was not installed on my server, and the SIEM/SOC I am testing might break because of the old Java I was running).
So I made the decision to go with Graylog 4.X.
You can visit https://graylog.org – for more information.
Why I chose Graylog 4.X:
The main features I like: search, streams, pipelines, pipeline rules, log normalization, a faster GUI compared to the others I have used (like Syslog-ng, rsyslog), and the REST API.
It accepts a variety of inputs, including GELF (Graylog Extended Log Format), and supports different extractor types for pulling fields out of messages.
Graylog stores its own configuration and metadata (users, streams, inputs, pipeline rules) in MongoDB. Do not confuse this with the log store: MongoDB holds no indices.
The indexed log data lives in the Wazuh Indexer (OpenSearch-based) that we set up earlier; Graylog talks to it over the Elasticsearch-compatible API.
Let’s start installing :
Pre-requisites for Graylog to install :
#apt update && apt upgrade
#apt install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr gnupg wget
(openjdk-11 is the Java runtime Graylog 4.x runs on; pwgen is used further down to generate the password secret.)
MongoDB installation :
#wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
#echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list
#apt-get update
#apt-get install -y mongodb-org
#systemctl daemon-reload
#systemctl enable mongod.service
#systemctl restart mongod.service
(The repository line is for Debian buster; adjust the release name for your distribution. apt-key is deprecated on newer Debian releases, where the key belongs under /etc/apt/keyrings with a signed-by= option on the deb line instead. MongoDB binds to 127.0.0.1 by default, which is exactly what the mongodb_uri below expects; leave it that way.)

Graylog installation :
#wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
#dpkg -i graylog-4.3-repository_latest.deb
#apt-get update && apt-get install graylog-server graylog-integrations-plugins
Since we are using secure (TLS) communication between the Wazuh Indexer and Graylog, we will use the certificates we generated last time when installing the Wazuh Indexer.
Graylog runs on Java, so the trust has to live in a Java keystore: copy the JVM's default cacerts and import our root CA certificate into the copy, as below. Copy rootCA.crt from wherever you kept it when generating the Wazuh Indexer certificates into the new directory first.
#mkdir /etc/graylog/server/certs
#cp -a /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts /etc/graylog/server/certs/cacerts
#keytool -importcert -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca -file /etc/graylog/server/certs/rootCA.crt
Answer "yes" when keytool asks whether to trust the certificate, then confirm it is in the store with keytool -list -keystore /etc/graylog/server/certs/cacerts -storepass changeit -alias root_ca. Working on a copy means a JDK package update cannot overwrite our trust store; changeit is the stock cacerts password.
Point Graylog's default Java options at the cacerts keystore we just copied.
#vi /etc/default/graylog-server (the relevant lines look as below)
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/graylog/server/certs/cacerts -Djavax.net.ssl.trustStorePassword=XXXXXXXXXXX"
The trustStorePassword must be the password of that keystore, i.e. changeit unless you changed it with keytool -storepasswd (the import above used changeit). -Dlog4j2.formatMsgNoLookups=true is the packaged mitigation for CVE-2021-44228 (Log4Shell); keep it.
I also changed the Java heap to 4G; the default is 1G:
GRAYLOG_SERVER_JAVA_OPTS="-Xms4g -Xmx4g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
This file is sourced as a shell script, so order matters: the heap line assigns the variable from scratch, while the trust-store line appends to it via $GRAYLOG_SERVER_JAVA_OPTS. Keep the heap line above the trust-store line (as in the packaged file); the other way round the trust store setting is silently discarded and Graylog fails its TLS connection to the indexer.
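Two checks for this step, as an added example (my script, not code from this post or from Graylog): the first sources /etc/default/graylog-server the way the graylog-server wrapper does and confirms that both the heap size and the trust store survive into the final GRAYLOG_SERVER_JAVA_OPTS, which catches the ordering mistake described above; the second pulls the trust store path and password out of those options and asks keytool whether the root_ca alias is really in it. The file path and alias are parameters; the defaults and the sample lines in the comments assume the paths used in this post.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Graylog itself.
# Verifies the /etc/default/graylog-server and trust-store step. Assumes
# the Debian package, whose graylog-server wrapper sources that file as a
# shell script: a later GRAYLOG_SERVER_JAVA_OPTS= line that does not expand
# $GRAYLOG_SERVER_JAVA_OPTS throws away everything set before it.
set -eu

# JVM options exactly as the service will see them. The file is sourced in
# a throwaway subshell (it is executable shell, so only point this at
# root-owned config you trust) and the resulting variable is printed.
effective_java_opts() {
    ( set +eu; . "$1"; printf '%s' "${GRAYLOG_SERVER_JAVA_OPTS-}" )
}

# 0 when both the heap size and the custom trust store made it through;
# otherwise says which one was lost so the line order can be fixed.
check_java_opts() {
    local opts rc=0
    opts=$(effective_java_opts "$1")
    case $opts in
        *-Xmx*) ;;
        *) echo "heap (-Xmx) missing: is the heap line above the trust-store line?" >&2; rc=1 ;;
    esac
    case $opts in
        *-Djavax.net.ssl.trustStore=*) ;;
        *) echo "trust store (-Djavax.net.ssl.trustStore) missing" >&2; rc=1 ;;
    esac
    return $rc
}

# Pull one -Dname=value out of the options string (empty if absent).
java_prop() {
    printf '%s\n' "$1" | sed -n -E "s/.*-D${2}=([^ \"]+).*/\1/p"
}

# Confirm the CA alias (default root_ca, as imported above) is in the
# trust store the JVM will actually use; exit status is keytool's.
# -storepass on the command line is visible in `ps` for that moment:
# fine in a lab, not on a shared host.
check_truststore() {
    local opts store pass alias=${2:-root_ca}
    opts=$(effective_java_opts "$1")
    store=$(java_prop "$opts" javax.net.ssl.trustStore)
    pass=$(java_prop "$opts" javax.net.ssl.trustStorePassword)
    [ -n "$store" ] || { echo "no -Djavax.net.ssl.trustStore in $1" >&2; return 1; }
    [ -r "$store" ] || { echo "$store is not readable" >&2; return 1; }
    keytool -list -keystore "$store" -storepass "${pass:-changeit}" -alias "$alias" >/dev/null
}

# Usage: ./check-graylog-java.sh /etc/default/graylog-server [alias]
if [ "$#" -ge 1 ]; then
    check_java_opts "$1" && check_truststore "$1" "${2:-root_ca}" && echo "$1: heap and trust store OK"
fi
```

Run it after every edit of /etc/default/graylog-server and before restarting the service; a failing check_java_opts is the ordering problem, a failing check_truststore is a wrong path, a wrong store password, or a CA that was never imported.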

We need to set a password_secret and a root password hash for Graylog to run as expected.
I used the method below to generate them:
To create your password_secret, run the following command:
# pwgen -N 1 -s 96
BUJ9fGyuNKKx17iN8cgNYRqE6LBAFXzcVkZXxNhS0OgRQbrNO8LdhBPeRLzhslxW0T5dI6OliFWv1xOFcBFIuB16Cn3STsiS
(Graylog refuses to start with a password_secret shorter than 16 characters and the docs recommend at least 64. It peppers the stored user passwords and encrypts stored credentials, so every node of a cluster must carry the same value and it must not change after the first start. The value above is this post's sample, not one to reuse.)
To create your root_password_sha2, run the following command:
# echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: bbbbbbbbb
a08d116c20341f0aadbacaedfae937da31006e7eb7bd4c6e723449776a1c13ba
(The password is echoed to the terminal and stays in scrollback. The tr -d '\n' matters: hashing the trailing newline along with the password gives a different digest and the web login fails.)
Now it is time to edit the Graylog config before we start the service:
#vi /etc/graylog/server/server.conf
My config looks like below (comments and blank lines filtered out):
# cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root_password_sha2 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = https://graylog:XXXXXXXXXXXXXXX@soclab.bb.local:9200
elasticsearch_discovery_default_scheme = https
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_disable_version_check = true
elasticsearch_version = 7
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32
enabled_tls_protocols = TLSv1.2,TLSv1.3
skip_preflight_checks = true
I only modified the values that were in bold in the config, then saved it. (The bold does not survive in this copy; at minimum password_secret, root_password_sha2, http_bind_address and the elasticsearch_* lines pointing at the Wazuh Indexer differ from the packaged defaults.)
A few points worth checking in that config. elasticsearch_hosts embeds the indexer user's password, so keep server.conf owned by root:graylog with mode 0640 (the package default) and do not paste it into tickets or chat. http_bind_address = 0.0.0.0:9000 listens on every interface, so restrict port 9000 with a firewall or bind to a single address. elasticsearch_disable_version_check = true together with elasticsearch_version = 7 is needed because the Wazuh Indexer is OpenSearch-based rather than an Elasticsearch version Graylog 4.3 recognises. elasticsearch_replicas = 0 is fine for a single-node lab, but losing that node loses the indices.
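To make that step repeatable, here is an added helper script (my example, not the blog's or Graylog's own code) that hashes the root password without a trailing newline, generates a password_secret with pwgen or, failing that, from /dev/urandom, sets keys in server.conf idempotently (uncommenting a commented default or appending), and sanity-checks both secrets before the service is started. It assumes the Debian package layout and the plain "key = value" format of server.conf; the functions take the file path as an argument so they can be tried against a copy first.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or the Graylog project.
# Helpers for the server.conf step: hash the root password, generate
# password_secret, set keys idempotently, and sanity-check the result.
# Assumes the Debian package layout (/etc/graylog/server/server.conf,
# owned root:graylog, mode 0640) and the plain "key = value" format.
set -eu

# root_password_sha2 as Graylog expects it: sha256 of the bare password,
# no trailing newline, lowercase hex. printf '%s' is what guarantees the
# missing newline; a bare `echo` would silently change the digest.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Interactive variant: read without echo so the password never lands in
# the terminal scrollback or the shell history.
prompt_root_password_sha2() {
    local pw
    read -rsp 'Enter Password: ' pw; echo >&2
    root_password_sha2 "$pw"
}

# 96-character password_secret: pwgen when installed (it is in the
# prerequisites above), otherwise 48 random bytes as hex from the kernel CSPRNG.
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        od -An -tx1 -N48 /dev/urandom | tr -d ' \n'
    fi
}

# Value of an active (uncommented) key, first match only.
conf_get() {
    sed -n -E "/^${2} *=/{s/^${2} *= *//p;q;}" "$1"
}

# Set "key = value": the first existing line for the key, active or
# commented out ("#key = ..."), becomes the active setting and later
# duplicates are dropped; if the key is absent the line is appended.
# The value goes through the environment so awk does not mangle backslashes.
# The file is overwritten in place so its owner and 0640 mode survive.
set_conf() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    if grep -Eq "^[# ]*${key} *=" "$file"; then
        KEY=$key VAL=$value awk '
            BEGIN { k = ENVIRON["KEY"]; v = ENVIRON["VAL"] }
            $0 ~ ("^[# ]*" k " *=") { if (!done) { print k " = " v; done = 1 }; next }
            { print }' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Pre-start checks: Graylog refuses a password_secret shorter than 16
# characters, and a root_password_sha2 that is not 64 hex digits usually
# means a newline was hashed along with the password.
check_conf() {
    local file=$1 secret sha2
    secret=$(conf_get "$file" password_secret)
    sha2=$(conf_get "$file" root_password_sha2)
    [ "${#secret}" -ge 16 ] || { echo "password_secret missing or shorter than 16 chars" >&2; return 1; }
    printf '%s' "$sha2" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "root_password_sha2 is not a sha256 hex digest" >&2; return 1; }
}

# Usage: ./graylog-secrets.sh /etc/graylog/server/server.conf
# Fills in password_secret only while it is still empty (changing it later
# invalidates what Graylog encrypted with it), prompts for the root
# password, then runs the checks.
if [ "$#" -eq 1 ]; then
    conf=$1
    [ -n "$(conf_get "$conf" password_secret)" ] || set_conf "$conf" password_secret "$(gen_password_secret)"
    set_conf "$conf" root_password_sha2 "$(prompt_root_password_sha2)"
    check_conf "$conf" && echo "$conf: secrets set and checked"
fi
```

The same set_conf function serves for the other keys in the listing above (http_bind_address, elasticsearch_hosts and so on), and check_conf is the thing to run right before systemctl restart rather than after, because Graylog only reports a bad secret in server.log once it has already failed to start.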
Time to restart Graylog so the new config takes effect:
#systemctl restart graylog-server.service
#systemctl status graylog-server.service
If the service does not come up, look at /var/log/graylog-server/server.log: an untrusted indexer certificate shows up there as a "PKIX path building failed" error, and a missing or too-short password_secret is reported as a configuration validation error before anything else starts.

Now it is time to access the Graylog GUI:
https://soclab.bb.local:9000
Note that the config above has no http_enable_tls, so Graylog itself only answers plain HTTP on port 9000 (http://soclab.bb.local:9000). To have Graylog serve HTTPS directly, set http_enable_tls = true together with http_tls_cert_file and http_tls_key_file in server.conf and restart; otherwise put a TLS-terminating reverse proxy in front of it. The first login is the admin user with the password you hashed into root_password_sha2.

Holaaaaaaaaaaaaaaaaaaa …
Now it looks like everything is working as expected.
See you in the next steps:
Graylog – indices, streams, inputs, pipelines
Happy Labbbinggggggggggggggggggggggggg!