I have just installed Graylog on Ubuntu server and I’m just looking for a little bit of advice before I start it up.
I did have Graylog up and running before and all was working but I ran out of storage space. I did move the data directory by editing the elasticsearch.yml file but things didn’t seem to work right afterward. So I have decided to re-install on a fresh instance of Ubuntu server.
I have followed the instructions to the letter from the docs up to the point where graylog-server is installed. I have not yet generated my password hash and secret or started the service. I have configured my storage location on a mount point and changed the path.data and path.logs in the elasticsearch.yml file.
In terms of retention, is this something I need to set up with the configuration files before starting the service or can this be done from the web interface?
Is there anything else I may need to do that isn’t in the docs?
I believe you can through Elasticsearch also. You might take a look here.
I would highly suggest using Graylog Web UI first.
This would depend on how you want to configure Graylog. I really cannot think of anything you might want to do before starting Graylog when using the documentation. The documents give a very basic understanding of a setup with some suggestions along the way. The rest is up to you on how you want to configure it.
When I last set up Graylog I followed a tutorial from Graylog on YouTube. It all worked. There was also some configuration they did with iptables to route port 1514 to 514 as well. I'm sure I read somewhere that it is best practice to run Syslog on a higher port number too, which is probably why it showed that in the video, but I could be wrong.
I can just refer back to the video for that I guess, as I didn't see any mention of iptables configuration in the installation docs unless it's in a different area.
If you follow the Graylog documentation and have problems, we can help you a lot better than when you use third-party documentation/video. This gives us something to start with to troubleshoot your issue. To be honest, when helping someone out I really don't want to watch a 30 minute video on how they installed Graylog.
If you had problems before when using the video, I would stop using it.
Here is a part of my iptables config. This is just to give you an idea and it's not the full configuration. Creating a secure firewall could be a lot.
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block syn flood attack
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Web Server (HTTP/HTTPS)
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Web Browsing
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow Inbound/Outbound to Localhost
# (on a single-node box Graylog, MongoDB and Elasticsearch talk to each other over lo)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow SMTP outbound (e.g. Sendmail)
iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# NTP
iptables -A OUTPUT -o eth0 -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
# The Graylog HTTP interface (web UI / REST API) listens on port 9000 on this host:
# accept NEW connections to it on INPUT and let the replies out on OUTPUT.
# (-i is only valid on the INPUT chain; OUTPUT rules take -o.)
iptables -A INPUT -i eth0 -p tcp --dport 9000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 9000 -m state --state ESTABLISHED -j ACCEPT
# Allow DNS Queries
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Graylog to Elasticsearch (only needed when Elasticsearch runs on another host):
# Graylog is the client, so the NEW connection leaves via OUTPUT and only replies come back in.
iptables -A OUTPUT -o eth0 -p tcp --dport 9200 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 9200 -m state --state ESTABLISHED -j ACCEPT
# Elasticsearch node communication (cluster transport, multi-node setups only)
iptables -A OUTPUT -o eth0 -p tcp --dport 9300 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 9300 -m state --state ESTABLISHED -j ACCEPT
# Graylog INPUTS
# Now for each INPUT created you need to open its listening port in iptables.
# The input receives NEW connections, so match --dport on INPUT (e.g. a Beats input on 5044):
iptables -A INPUT -i eth0 -p tcp --dport 5044 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 5044 -m state --state ESTABLISHED -j ACCEPT
# Log all dropped packets
# (these chains are appended last, so anything reaching them is about to hit the DROP policy;
# the limit keeps a flood from filling the kernel log)
iptables -N LOGINPUT
iptables -N LOGOUTPUT
iptables -A INPUT -j LOGINPUT
iptables -A OUTPUT -j LOGOUTPUT
iptables -A LOGINPUT -m limit --limit 4/min -j LOG --log-prefix "DROP INPUT: " --log-level 4
iptables -A LOGOUTPUT -m limit --limit 4/min -j LOG --log-prefix "DROP OUTPUT: " --log-level 4
# Set policies to drop everything else
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
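As an added example (not code from the thread or from Graylog), here is a small Python parser for the kernel log lines that the `DROP INPUT: ` / `DROP OUTPUT: ` LOG rules above produce, plus a summary that flags ports you meant to open but that still show drops, which is the usual symptom of a `--sport`/`--dport` mix-up. The sample log lines and the set of ports expected to be open are constructed assumptions for a Graylog host.

```python
import re
from collections import Counter

# Constructed sample kernel log lines, shaped like what the LOG target writes
# with the "DROP INPUT: " / "DROP OUTPUT: " prefixes (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 12:00:01 graylog kernel: [1201.5] DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44123 DPT=5044 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:02 graylog kernel: [1202.1] DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44124 DPT=5044 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:03 graylog kernel: [1203.7] DROP INPUT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:04 graylog kernel: [1204.2] DROP OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=9200 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 12:00:05 graylog sshd[2211]: Accepted publickey for admin from 192.0.2.30
"""

LINE_RE = re.compile(r"DROP (?P<chain>INPUT|OUTPUT): (?P<fields>.*)$")

def parse_drop_line(line):
    """Return a dict for one firewall LOG line, or None for any other line.
    KEY=VALUE tokens become entries; bare tokens (DF, SYN, ...) go to 'flags'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec

def drop_summary(log_text):
    """Count drops per (chain, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec and "DPT" in rec:
            counts[(rec["chain"], rec["PROTO"], int(rec["DPT"]))] += 1
    return counts

def misfiring_rules(counts, expected_open):
    """Ports we intended to allow that still show drops: almost always a rule
    written with --sport where --dport was meant (or -i on an OUTPUT rule)."""
    return sorted(k for k in counts if (k[0], k[2]) in expected_open)

if __name__ == "__main__":
    summary = drop_summary(SAMPLE_LOG)
    for key, n in summary.most_common():
        print(key, n)
    # Assumed set of ports this Graylog host's ruleset is supposed to accept.
    print(misfiring_rules(summary, {("INPUT", 5044), ("INPUT", 9000), ("OUTPUT", 9200)}))
```

Feed it the real kernel log (or the messages once they are in Graylog) and any entry in the misfiring list points at a rule to re-check before touching anything else.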