Change IP subnet/pool

I have Graylog installed on a VM. During the initial setup of Graylog I input/assigned an IP like 10.0.0.100/126 because the VLAN was set like that (/126) and reserved the IP on my firewall.
I need now to expand the DHCP pool to a /24. Do I need to change the configuration somewhere in Graylog? If so, where?

Thanks for helping.

Hey @feliceM

GL Input is Bind Address. If your VLAN is on a different network, I would use a proxy in front of Graylog (i.e., Nginx, Apache2, etc.)

@gsmith Thank you. I checked the config file and found that the “http_bind_address” is set to “0.0.0.0:9000”. At present Graylog is working fine and is behind Nginx. My question pertains to the initial setup. I remember being asked to input the IP address that I would use to access Graylog, and I entered 10.0.0.100/126. However, I can’t find this setting or value anywhere in the config file. I’m concerned that if I expand the DHCP pool to /24, Graylog may become unreachable unless I adjust its IP to /24. Maybe I’m overthinking this.

Hey @feliceM

Oh, I thought you were referring to Graylog's INPUT (i.e., Syslog, Beats, etc.)

Yeah, that's not going to work for Graylog. If you need to change Graylog's Classless Inter-Domain Routing (CIDR) /126, this would be done through network settings on the node. With port forwarding you can access the Graylog node from another network, but that becomes a lot of work. If you have different networks and want to send logs to Graylog, it would be easier to route through a firewall/switch.

Can you kindly tell me where the “network Settings” are? Cannot find them.

hey @feliceM

What did you install Graylog on?

EDIT: Here is Ubuntu

it is on a VM with Ubuntu 22.04

Can I ask what you're trying to achieve in better detail?

Sorry, let me try to reword my question.
Graylog is actually running on a Proxmox/VM/Ubuntu 22.04 which is on a Vlan 10.0.0.1/126.
The VM where Graylog is running has IP 10.0.0.100.
I am planning to expand the IP pool of such Vlan from 10.0.0.1/126 to 10.0.0.1/24

Is there anything I need to change in the Graylog settings?

Hey @feliceM

Oh, I get it now. Understood. This is more networking than Graylog. Depending on where your DHCP server is, and just a suggestion, it is wise to create a static address. Addresses assigned from DHCP servers have a tendency to change; this is not so swell.

For example, say Graylog's network is configured with a static IP and normally the gateway ends in 1, say something like this while following your network example:

# network: {config: disabled}
network:
    ethernets:
        eth0:
            dhcp4: false
            dhcp6: false
            match:
                macaddress: 06:e9:41:ec:85:85
            set-name: eth0
            addresses:
               - 10.0.10.100/126
            nameservers:
               addresses: [8.8.8.8,8.8.4.4]
            routes:
               - to: default
                 via: 10.0.0.1
    version: 2

Since we're not talking about Graylog INPUTS (i.e., Syslog, etc.), you have a couple of choices: point your different VLAN subnets to Graylog via routing through a switch (easiest way I know), or through a firewall. Not the firewall on Ubuntu. Keep in mind I assume your Firewalld and/or IPtables is disabled. But if not, then you will need to set them to allow the different VLANs through.

Example on a Cisco switch.

Switch#vlan database
Switch(vlan)#vlan 2
VLAN 2 added:
    Name: VLAN0002
Switch(vlan)#vlan 3
VLAN 3 added:
    Name: VLAN0003
Switch(vlan)#vlan 10
VLAN 10 added:
    Name: VLAN0010
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#configure terminal
Switch(config)#interface Vlan2
Switch(config-if)#ip address 10.1.2.1 255.255.255.0
Switch(config-if)#no shutdown

You can also execute ranges if need be.
As for Proxmox (I also run that in my home lab):

https://pve.proxmox.com/wiki/Network_Configuration#_choosing_a_network_configuration

To sum it up, if Graylog has a static IP address and can reach the internet or access it internally, you can set ranges wherever.

Don't forget you also have a choice in creating bridges on Ubuntu.

# vi /etc/network/interfaces

auto br0
iface br0 inet static
  address 10.0.2.101
  gateway 10.0.2.1
  netmask 255.255.255.0
  bridge_ports eth0 eth1
# bridge_stp off is a setting for spanning tree.
  bridge_stp off
# bridge_fd 0 turns off all forwarding delay.
  bridge_fd 0
# bridge_maxwait 0 is how long the system will wait for the Ethernet ports to come up
  bridge_maxwait 0

auto enp3s0
iface enp3s0 inet dhcp

auto enp8s0
iface enp8s0 inet dhcp

OR
Configuring br0 for DHCP
Comment out the following lines and add DHCP to the bridge br0 and you're good to go.

auto br0
iface br0 inet dhcp
#address 10.0.2.101
#gateway 10.0.2.1
#netmask 255.255.255.0
bridge_ports eth0 eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0

Not that I know of. If your http_bind is set for 0.0.0.0:9000 you should be good to go on any address. As for the Graylog config file, it runs off your network settings on that instance/node.
May I add, subnets from /126 && /24 are kind of odd.
Just an idea.

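An added example, not part of the thread and not Graylog or netplan code: a small Python check for a static-address stanza like the netplan one posted above, reporting a prefix length that is out of range for IPv4 and a default gateway that is not on-link. The function name `check_static_ipv4` and the two sample tuples are made up for illustration.

```python
import ipaddress


def check_static_ipv4(addresses, gateway):
    """Return a list of problems found in a static-address stanza.

    addresses: CIDR strings as written under `addresses:`.
    gateway:   next hop written under `routes:` / `via:`.
    """
    problems = []
    parsed = []
    for cidr in addresses:
        if "/" not in cidr:
            problems.append(f"{cidr}: missing prefix length")
            continue
        try:
            parsed.append(ipaddress.ip_interface(cidr))
        except ValueError as exc:  # bad octet, or IPv4 prefix outside 0-32
            problems.append(f"{cidr}: {exc}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return problems + [f"gateway {gateway}: {exc}"]
    for iface in parsed:
        net = iface.network
        if iface.ip == gw:
            problems.append(f"{iface}: host address equals the gateway")
        if iface.version == 4 and net.prefixlen < 31 and iface.ip in (
            net.network_address, net.broadcast_address
        ):
            problems.append(f"{iface}: network or broadcast address used as host")
    # The default route only works if the next hop is inside a configured subnet.
    same_family = [i for i in parsed if i.version == gw.version]
    if same_family and not any(gw in i.network for i in same_family):
        problems.append(f"gateway {gw} is not on-link for any configured address")
    return problems


# Constructed inputs: the stanza as posted, then the VM's address on the planned /24.
AS_POSTED = (["10.0.10.100/126"], "10.0.0.1")
PLANNED = (["10.0.0.100/24"], "10.0.0.1")

if __name__ == "__main__":
    for label, (addrs, gw) in (("as posted", AS_POSTED), ("planned /24", PLANNED)):
        print(label, "->", check_static_ipv4(addrs, gw) or "ok")
```

Running the same check against the values in the netplan file before `netplan apply` catches a typo that would otherwise drop the node off the network.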

Thank you for your kind support. I have now a better view about what to do.
I do reserve IPs on the Fortigate rather than fixing static IPs on Machines.

Thanks again.
