Work in progress
* Evaluated versions: Debian 9.5 + mongodb-3.2.11 + Elasticsearch-5.6.10 + Graylog-2.4.6
Versions evaluated - TO TEST: Debian + Graylog + Grafana + Elasticsearch + NXLOG/WINLOGBEAT
https://docs.graylog.org/en/4.0/pages/architecture.html#graylog-architecture-deep-dive
Check whether there is anything different from what I did - https://www.youtube.com/watch?v=8xwyimMPfmU
https://www.graylog.org/post/how-to-use-graylog-as-a-syslog-server
https://community.spiceworks.com/how_to/160502-send-windows-log-data-to-a-graylog-server
https://docs.graylog.org/en/4.0/pages/sending/windows.html
https://docs.graylog.org/en/4.0/pages/installation/docker.html#persisting-data
https://nvlan.com.br/comunidade/configurando-cliente-nxlog-para-graylog-server-windows/
* Default storage paths
/var/lib/mongodb
/var/lib/elasticsearch
/var/log/mongodb
/var/log/elasticsearch
* Install the service dependency packages
# apt install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen mongodb-server
* Adjust the MongoDB storage location
# systemctl stop mongodb.service
# mv /var/lib/mongodb /path/to/storage
# vi /etc/mongodb.conf
From:
dbpath=/var/lib/mongodb
To:
dbpath=/path/to/storage/mongodb
* Install Elasticsearch
# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-5.x.list
# apt update && apt install elasticsearch
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
# systemctl daemon-reload
# systemctl enable elasticsearch.service
Note: Graylog 2.3 and 2.4 do not work with Elasticsearch 6.x
* (Optional) If you change the storage location, adjust the parameters below
# mv /var/lib/elasticsearch/ /path/to/storage
# mkdir /path/to/storage/elasticsearchlogs
# chown -R elasticsearch:elasticsearch /path/to/storage/elasticsearchlogs/
# vi /etc/default/elasticsearch
# Elasticsearch data directory
DATA_DIR=/path/to/storage/elasticsearch
# Elasticsearch logs directory
LOG_DIR=/path/to/storage/elasticsearchlogs
* Install Graylog
# wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
# dpkg -i graylog-2.4-repository_latest.deb
# apt update && apt install graylog-server
* Configure Graylog
Create a hashed password
# echo -n Senha2018 | sha256sum
d7ab40f74a87646d41717cf40702232549242bb00bf019c8ba0cfecd591c345d
* Insert the hashed password into the Graylog configuration file
# vi /etc/graylog/server/server.conf
password_secret = d7ab40f74a87646d41717cf40702232549242bb00bf019c8ba0cfecd591c345d
root_password_sha2 = d7ab40f74a87646d41717cf40702232549242bb00bf019c8ba0cfecd591c345d
root_timezone = America/Sao_Paulo
rest_listen_uri = http://<IP_SERVER>:12900/api/
web_listen_uri = http://<IP_SERVER>:9000/
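Added example (not from the original notes): a script that fills in both secrets the way the Graylog docs describe, instead of reusing one hash for both values as the lines above do. password_secret is a separate random secret used to encrypt and salt stored credentials (the docs generate it with `pwgen -N 1 -s 96`; pwgen is one of the packages installed earlier), while root_password_sha2 is the SHA-256 of the admin password. The use of /dev/urandom via tr instead of pwgen and the chmod mode are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original notes: set password_secret and
# root_password_sha2 in a Graylog server.conf. password_secret is an
# independent random secret (docs: pwgen -N 1 -s 96); root_password_sha2 is
# the SHA-256 of the admin password, as produced by `echo -n <pw> | sha256sum`.
set -eu

# 96-character random secret from /dev/urandom. tr is used instead of pwgen
# so the script also runs where pwgen is absent; either is fine in practice.
gen_password_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Hex SHA-256 of the argument, with no trailing newline hashed.
sha256_of() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Set "key = value" in a server.conf-style file, replacing an existing
# (possibly commented-out) line for that key or appending if none exists.
set_conf_value() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^[#[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >>"$conf"
    fi
}

# Write a fresh password_secret and the hash of the given admin password;
# only the hash of the password reaches the file.
configure_graylog_secrets() {
    conf="$1"; root_password="$2"
    set_conf_value "$conf" password_secret "$(gen_password_secret)"
    set_conf_value "$conf" root_password_sha2 "$(sha256_of "$root_password")"
    chmod 0640 "$conf"
}

# Usage: sh graylog-secrets.sh /etc/graylog/server/server.conf 'Senha2018'
if [ "$#" -ge 2 ]; then
    configure_graylog_secrets "$1" "$2"
fi
```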
* Set Graylog to start at boot
# systemctl enable graylog-server.service
# systemctl restart mongodb.service
# systemctl restart elasticsearch.service
# systemctl start graylog-server.service
# systemctl status graylog-server.service
* Access the Graylog management interface
http://<IP_SERVER>:9000
admin
Senha2018
Go to System > Inputs, click Select Inputs, choose Syslog UDP and fill in the fields:
* Finally, click Save.
* Repeat the process above for Syslog TCP.
* If a firewall is configured on the Graylog server, the INPUT ports must be opened to receive the clients' logs.
* On the client, configure log messages to be sent to the Graylog server
# vi /etc/rsyslog.d/graylog.conf
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
*.* @@<IP_SERVER>:1514;RSYSLOG_SyslogProtocol23Format
-> With a single @ the connection uses UDP instead of TCP (@@)
# service rsyslog restart
Capturing Windows logs with NXLog
https://community.spiceworks.com/how_to/160502-send-windows-log-data-to-a-graylog-server
* Configuring the firewall of a Linux client to send to the Graylog server
# GRAYLOG
$IPT -A OUTPUT -p tcp -d <IP_SERVER_GRAYLOG> -m multiport --dport 1514 -o $IFINT -j ACCEPT
$IPT -A OUTPUT -p udp -d <IP_SERVER_GRAYLOG> -m multiport --dport 12211 -o $IFINT -j ACCEPT
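Added example (not part of the original notes): a small parser for the legacy rsyslog forwarding syntax used above (@ = UDP, @@ = TCP, default port 514, optional (z9,o) options and a ;template suffix) that checks every forwarding action in a client config against the ports the OUTPUT rules above allow, so a queued message is never silently dropped by the client's own firewall. The allowed list `tcp:1514 udp:12211` and the sample config lines are constructed from this page's snippets.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse legacy rsyslog
# forwarding actions ("@host:port" = UDP, "@@host:port" = TCP, optional
# "(z9,o)" options and ";template" suffix) into "proto:port" and compare
# them with the egress ports permitted by the client's iptables OUTPUT rules.
set -eu

# Print "proto:port" for one rsyslog action line; return 1 if the line is
# not a forwarding action. rsyslog defaults to port 514 when none is given.
parse_forward_action() {
    line="$1"
    case "$line" in
        *"@@"*) proto=tcp; rest="${line#*@@}" ;;
        *"@"*)  proto=udp; rest="${line#*@}" ;;
        *) return 1 ;;
    esac
    rest="${rest#\(*\)}"          # drop options such as (z9,o)
    rest="${rest%%;*}"            # drop ";RSYSLOG_SyslogProtocol23Format"
    rest="${rest%%[[:space:]]*}"  # drop trailing notes after the target
    case "$rest" in
        \[*\]:*) port="${rest##*]:}" ;;   # [ipv6]:port
        \[*\])   port=514 ;;              # [ipv6] without port
        *:*)     port="${rest##*:}" ;;    # host:port
        *)       port=514 ;;              # host only
    esac
    printf '%s:%s\n' "$proto" "$port"
}

# Report every forwarding action in an rsyslog config whose proto:port is
# not in the space-separated allowed list (e.g. "tcp:1514 udp:12211", taken
# from the OUTPUT rules above). Returns the number of unmatched actions.
check_against_firewall() {
    conf="$1"; allowed="$2"; missing=0
    while IFS= read -r l; do
        case "$l" in
            \#*|'') continue ;;
        esac
        fwd=$(parse_forward_action "$l") || continue
        case " $allowed " in
            *" $fwd "*) ;;
            *) echo "no egress rule for $fwd (from: $l)"; missing=$((missing + 1)) ;;
        esac
    done <"$conf"
    return "$missing"
}
```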
* To enable geolocation, go to System > Configurations and click Update under Geo-Location Processor.
* Help with configuring the management page.
// RSYSLOG #################################################
https://www.youtube.com/watch?v=jMpVxtnHEZA
https://www.howtoforge.com/tutorial/rsyslog-centralized-log-server-in-debian-9/
http://www.dicas-l.com.br/arquivo/log_remoto_com_o_rsyslog.php#.W04_x3ZKiV4
https://ubuntuforums.org/showthread.php?t=2151986
https://www.youtube.com/watch?v=4F2iZDzVtF4
http://hintcafe.net/post/33689067443/haproxy-logging-with-rsyslog-on-linux
https://www.youtube.com/watch?v=_n44d4E5cH0
https://www.youtube.com/watch?v=8zO_ip4gFls
https://www.youtube.com/watch?v=7jYWpqsg4Gs
https://www.youtube.com/watch?v=HSTVaKVHJ1w
http://docs.graylog.org/en/2.4/pages/installation/os/debian.html
https://www.slant.co/versus/958/965/~logstash_vs_graylog2
https://www.itcentralstation.com/products/comparisons/elk-logstash_vs_graylog
https://packetrevolt.com/2017/07/elk-vs-graylog/
https://stackshare.io/stackups/graylog-vs-logstash
# mv /var/lib/elasticsearch/ /path/to/storage
# mkdir /path/to/storage/elasticsearchlogs
# chown -R elasticsearch:elasticsearch /path/to/storage/elasticsearchlogs/
############### vi /etc/elasticsearch/elasticsearch.yml
###############path.data: /path/to/storage/elasticsearch
###############path.logs: /path/to/storage/elasticsearchlogs
# vi /etc/init.d/elasticsearch
# Elasticsearch data directory
DATA_DIR=/path/to/storage/$NAME
LOG_DIR=/home/log/elasticsearchlogs
# vi /usr/lib/systemd/system/elasticsearch.service
[Service]
...
Environment=DATA_DIR=/path/to/storage/elasticsearch
Environment=LOG_DIR=/path/to/storage/elasticsearchlogs
...
# systemctl daemon-reload