Hi everybody,
I’ve recently installed Graylog server to collect logs from Windows machines, and everything works fine when I access the web interface 195.0.0.121:9000 from any PC located in the isolated subnet 195.0.0.0/24.
Also we have a PC-based firewall (Debian 7, iptables) which allows RDP access to Windows servers on the internal network from a management PC located on the 192.168.168.0/24 subnet.
Now I need to access Graylog from the Management PC and added new iptables rules as shown below:
195.0.0.121 ----- 195.0.0.234 | 192.168.168.111 ------- 192.168.168.112
  Server          Firewall Int    Firewall Ext            Management PC
iptables -t nat -A PREROUTING -p TCP -d 192.168.168.111 --dport 9000 -j DNAT --to-destination 195.0.0.121:9000
iptables -t nat -A POSTROUTING -o eth0 -p TCP -j SNAT --to-source 195.0.0.234
iptables -A FORWARD -i eth1 -p TCP -d 195.0.0.121 --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
Here is the Graylog configuration:
xxx@sa-grl-srv1:/etc/graylog/server# grep -vi '^#\|^$' server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxx
root_password_sha2 = xxx
root_timezone = Africa/Cairo
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://195.0.0.121:9000/api/
web_listen_uri = http://195.0.0.121:9000/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
But when trying to access the web interface 192.168.168.111:9000 from the Management PC I receive the following error:
We are experiencing problems connecting to the Graylog server running on http://195.0.0.121:9000/api/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
This is the last response we received from the server:
Error message
Bad request
Original Request
GET http://195.0.0.121:9000/api/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
I believe opening port 9000 is all I need to expose the REST API address to external clients, but it seems not to be enough.
Much appreciate your help,
Yuri
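An added example, not part of the original post and not Graylog's own code: the error text above shows the browser on the Management PC being sent directly to http://195.0.0.121:9000/api/, the address in rest_listen_uri, which is not routable from 192.168.168.0/24 even though the DNAT rule makes 192.168.168.111:9000 reach the server. The script below parses a server.conf in the key = value form quoted in the post, works out which API base URI the web interface would hand to a browser, and checks whether that address lies inside the networks the client can reach directly. The key precedence it assumes (web_endpoint_uri, then rest_transport_uri, then rest_listen_uri) is taken from Graylog 2.x server.conf.example and should be verified against the installed version; SAMPLE_CONF is a constructed excerpt of the posted configuration, and the "reachable by subnet" test is a heuristic that matches the isolated-subnet setup described in the post.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed excerpt of the server.conf quoted in the post (only the URI-related keys).
SAMPLE_CONF = """\
is_master = true
rest_listen_uri = http://195.0.0.121:9000/api/
web_listen_uri = http://195.0.0.121:9000/
"""

# Assumed Graylog 2.x precedence for the API URI the web interface gives the browser.
API_URI_KEYS = ("web_endpoint_uri", "rest_transport_uri", "rest_listen_uri")


def parse_conf(text):
    """Parse Graylog-style 'key = value' lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def api_uri_for_browser(conf):
    """Return the API base URI a browser would be told to use, or None if unset."""
    for key in API_URI_KEYS:
        if conf.get(key):
            return conf[key]
    return None


def check_reachability(conf, client_networks):
    """Report whether the advertised API address falls inside the client's networks.

    reachable is True/False for a literal IP address, None when the URI is missing
    or uses a hostname (DNS resolution is out of scope for this offline check).
    """
    uri = api_uri_for_browser(conf)
    if uri is None:
        return {"uri": None, "host": None, "reachable": None}
    host = urlsplit(uri).hostname
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return {"uri": uri, "host": host, "reachable": None}
    nets = [ipaddress.ip_network(n, strict=False) for n in client_networks]
    return {"uri": uri, "host": host, "reachable": any(addr in n for n in nets)}


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for nets in (["195.0.0.0/24"], ["192.168.168.0/24"]):
        result = check_reachability(conf, nets)
        print(f"client on {nets}: browser is sent to {result['uri']} "
              f"-> reachable={result['reachable']}")
```

Run against the posted configuration, the check reports the advertised API URI as reachable for a client on 195.0.0.0/24 and unreachable for one on 192.168.168.0/24, which is exactly the split between the working and failing cases in the post. Re-running it after setting one of the earlier-precedence keys to an address the management subnet can reach (for example the DNAT'd 192.168.168.111:9000) lets you confirm the change before touching the firewall again.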