I’ve recently installed Graylog server to collect logs from Windows machines and everything works fine when I access web interface 22.214.171.124:9000 from any PC located in isolated subnet 126.96.36.199/24
Also we have PC-based firewall (Debian 7, iptables) which allows RDP access to Windows servers on internal network from management PC located on 192.168.168.0/24 subnet
Now I need to access Graylog from Management PC and added new iptables rules as shown below
188.8.131.52 ----- 184.108.40.206 | 192.168.168.111 ------- 192.168.168.112 Server Firewall Int Firewall Ext Management PC
iptables -t nat -A PREROUTING -p TCP -d 192.168.168.111 --dport 9000 -j DNAT --to-destination 220.127.116.11:9000 iptables -t nat -A POSTROUTING -o eth0 -p TCP -j SNAT --to-source 18.104.22.168 iptables -A FORWARD -i eth1 -p TCP -d 22.214.171.124 --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
Here is Graylog configuration
xxx@sa-grl-srv1:/etc/graylog/server# grep -vi '^#\|^$' server.conf is_master = true node_id_file = /etc/graylog/server/node-id password_secret = xxx root_password_sha2 = xxx root_timezone = Africa/Cairo plugin_dir = /usr/share/graylog-server/plugin rest_listen_uri = http://126.96.36.199:9000/api/ web_listen_uri = http://188.8.131.52:9000/ rotation_strategy = count elasticsearch_max_docs_per_index = 20000000 rotation_strategy = count elasticsearch_max_docs_per_index = 20000000 elasticsearch_max_number_of_indices = 20 retention_strategy = delete elasticsearch_max_number_of_indices = 20 retention_strategy = delete elasticsearch_shards = 4 elasticsearch_replicas = 0 elasticsearch_index_prefix = graylog allow_leading_wildcard_searches = false allow_highlighting = false elasticsearch_analyzer = standard output_batch_size = 500 output_flush_interval = 1 output_fault_count_threshold = 5 output_fault_penalty_seconds = 30 processbuffer_processors = 5 outputbuffer_processors = 3 processor_wait_strategy = blocking ring_size = 65536 inputbuffer_ring_size = 65536 inputbuffer_processors = 2 inputbuffer_wait_strategy = blocking message_journal_enabled = true message_journal_dir = /var/lib/graylog-server/journal lb_recognition_period_seconds = 3 mongodb_uri = mongodb://localhost/graylog mongodb_max_connections = 1000 mongodb_threads_allowed_to_block_multiplier = 5 content_packs_dir = /usr/share/graylog-server/contentpacks content_packs_auto_load = grok-patterns.json proxied_requests_thread_pool_size = 32
But what trying to access web interface 192.168.168.111:9000 from Management PC I receive the following error
We are experiencing problems connecting to the Graylog server running on http//184.108.40.206:9000/api/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
This is the last response we received from the server:
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
I believe open port 9000 is all I need to expose REST API address for external clients but it seems to be not enough.
Much appreciate you help,