Error connecting to Graylog server behind firewall


(Yuri Suslov) #1

Hi everybody,

I’ve recently installed Graylog server to collect logs from Windows machines and everything works fine when I access the web interface 195.0.0.121:9000 from any PC located in the isolated subnet 195.0.0.0/24

Also we have a PC-based firewall (Debian 7, iptables) which allows RDP access to Windows servers on the internal network from a management PC located on the 192.168.168.0/24 subnet

Now I need to access Graylog from the Management PC and have added new iptables rules as shown below

195.0.0.121 ----- 195.0.0.234 | 192.168.168.111 ------- 192.168.168.112
Server                   Firewall Int     Firewall Ext                Management PC
iptables -t nat -A PREROUTING -p TCP -d 192.168.168.111 --dport 9000 -j DNAT --to-destination 195.0.0.121:9000
iptables -t nat -A POSTROUTING -o eth0 -p TCP -j SNAT --to-source 195.0.0.234
iptables -A FORWARD -i eth1 -p TCP -d 195.0.0.121 --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT

Here is the Graylog configuration

xxx@sa-grl-srv1:/etc/graylog/server# grep -vi '^#\|^$' server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxx
root_password_sha2 = xxx
root_timezone = Africa/Cairo
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://195.0.0.121:9000/api/
web_listen_uri = http://195.0.0.121:9000/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32

But when trying to access the web interface 192.168.168.111:9000 from the Management PC I receive the following error

We are experiencing problems connecting to the Graylog server running on http//195.0.0.121:9000/api/. Please verify that the server is healthy and working correctly.

You will be automatically redirected to the previous page once we can connect to the server.
This is the last response we received from the server:

Error message
Bad request
Original Request
GET http//195.0.0.121:9000/api/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

I believe opening port 9000 is all I need to expose the REST API address to external clients, but it seems not to be enough.

Much appreciate your help,
Yuri


(Jochen) #2

The Graylog web interface needs to be able to communicate with the Graylog REST API. In other words, your web browser must be able to connect to the address configured in web_endpoint_uri.


(Yuri Suslov) #3

Thanks Jochen, I spent a bit of time playing with this parameter and ended up with the following configuration

rest_listen_uri = http://0.0.0.0:9000/api/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri = http://192.168.168.111:9000/api

Now the web interface is accessible only from the external network, which is ok.
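The two configs in this thread make a useful test case for a small linter, so here is one as an added example (my own code, not from the thread or from the Graylog project). It parses server.conf key/value lines and flags three things: the duplicate keys in the first config, a web_endpoint_uri (or, when that is unset, the rest_listen_uri the browser falls back to, as the error message above shows) that the Management PC's network cannot reach, and 0.0.0.0 binds, which are fine behind DNAT only while the firewall's FORWARD rule keeps port 9000 limited to the intended clients. The config excerpts and the 192.168.168.0/24 client network are constructed from the thread; the finding texts and the fallback rule are my assumptions, not Graylog's own checks.

```python
"""Lint a Graylog server.conf for the reachability problem in this thread.

Added example; not code from the thread or from the Graylog project.
Checks modelled on the thread: the browser must be able to reach the
address in web_endpoint_uri (falling back to rest_listen_uri when it is
unset, which is what the error message in the thread shows); a 0.0.0.0
bind exposes the API on every interface, so the firewall must restrict
it; and duplicate keys, which the pasted config contains, are reported.
All sample configs below are constructed from the thread.
"""
import ipaddress
from urllib.parse import urlparse

# Networks the Management PC's browser can reach (constructed from the thread).
MANAGEMENT_NET = [ipaddress.ip_network("192.168.168.0/24")]

# Excerpt of the first config posted in the thread (constructed, trimmed).
ORIGINAL_CONF = """\
rest_listen_uri = http://195.0.0.121:9000/api/
web_listen_uri = http://195.0.0.121:9000/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
"""

# The working config from the last reply (constructed, spacing as posted).
FIXED_CONF = """\
rest_listen_uri = http://0.0.0.0:9000/api/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri =http://192.168.168.111:9000/api
"""


def parse_conf(text):
    """Parse 'key = value' lines; return (settings, keys seen more than once)."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key/value line
        key, value = key.strip(), value.strip()
        if key in settings and key not in duplicates:
            duplicates.append(key)
        settings[key] = value  # later lines overwrite earlier ones
    return settings, duplicates


def lint(conf_text, reachable_networks):
    """Return findings for a browser that can reach reachable_networks."""
    settings, duplicates = parse_conf(conf_text)
    findings = [f"duplicate key: {k}" for k in duplicates]

    # The browser talks to web_endpoint_uri; without it the listen URI is used.
    endpoint = settings.get("web_endpoint_uri") or settings.get("rest_listen_uri") or ""
    host = urlparse(endpoint).hostname
    if host is not None:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a DNS name: cannot check by subnet here
        if ip is not None:
            if ip.is_unspecified:
                findings.append("web_endpoint_uri points at 0.0.0.0, which no browser can use")
            elif not any(ip in net for net in reachable_networks):
                findings.append(f"API host {ip} is outside the browser's reachable networks")

    # A wildcard bind is fine behind DNAT only if the firewall limits who gets in.
    for key in ("rest_listen_uri", "web_listen_uri"):
        if urlparse(settings.get(key, "")).hostname == "0.0.0.0":
            findings.append(f"{key} binds all interfaces (0.0.0.0); restrict reachability with the firewall")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for finding in lint(conf, MANAGEMENT_NET):
            print("  -", finding)
```

Run against the first config it reports the four duplicated keys and that 195.0.0.121 is unreachable from 192.168.168.0/24; against the final config it reports only the two 0.0.0.0 binds, which is the trade-off the thread's FORWARD rule (eth1 to 195.0.0.121:9000 only) is there to contain.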

