Graylog v4.0.7 Clean install with ssl

Hello,

I've installed Graylog on Azure. After that I used Certbot to create an SSL certificate, but when I tried to access it with the DNS name I received the message below; if I try with the IP, everything is OK.


I saw some posts here and there's one referring to the information below, but in this version I wasn't able to find this. I only found `http_bind_address =`, `http_publish_uri =` and `http_external_uri =`. Are those the same as the ones below?

```
rest_listen_uri: InternalIP:9000
rest_transport_uri: ExternalIP:9000
web_endpoint_uri: InternalIP:9000
```

@xanymorex

Hello And Welcome,

First thing I noticed was you showed this below. Those settings I do believe are for Graylog version 3.0 and greater.

```
http_bind_address =
http_publish_uri =
http_external_uri =
```

These settings are for Graylog version 2.5.

```
rest_listen_uri: InternalIP:9000
rest_transport_uri: ExternalIP:9000
web_endpoint_uri: InternalIP:9000
```

I think you're using the wrong version of Graylog's configuration file.

If you have GL 4.0.7 then you should have this.
https://docs.graylog.org/en/4.0/pages/configuration/server.conf.html#server-conf

If you're using GL version 2.5 then you should have this.
https://docs.graylog.org/en/2.5/pages/configuration/server.conf.html#server-conf

There are a lot of posts in this forum about HTTPS and INPUT certificates.

When configuring a Graylog server with HTTPS or INPUT certificates, the first thing I did was make sure my DNS reverse lookup was configured. Second, when making my certs for HTTPS I made sure I used my GL FQDN for my certs.

Don't know if you used a reverse proxy. Below is a link to how I set mine up.

https://docs.graylog.org/en/4.0/pages/configuration/web_interface.html#apache-httpd-2-x

Hope that helps

My configuration file has these, which I filled in with:

```
http_bind_address = Internal IP
http_publish_uri = External IP
http_external_uri = External IP
```

The certificate is OK; my issue is that I can't open the main page through the DNS name, it only works with the IP address.

See this post:


Hello,
I was wondering if you could format your server config post to improve readability.

You can find out how to do it here.

Or

Thank you

This is my Server Conf

```ini
is_master = true

# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id

# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
# ATTENTION: This value must be the same on all Graylog nodes in the cluster.
# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret =

# The default root user is named 'admin'
root_username = admin

# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 =

# The email address of the root user.
# Default is empty
root_email = "brasil-ti@disys.com"

# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
#root_timezone = UTC

# Set the bin directory here (relative or absolute)
# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog-server/bin

# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
# Default: data
data_dir = /var/lib/graylog-server

# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin

###############
# HTTP settings
###############

# HTTP bind address
#
# The network interface used by the Graylog HTTP interface.
# This network interface must be accessible by all Graylog nodes in the cluster and by all clients
# using the Graylog web interface.
# If the port is omitted, Graylog will use port 9000 by default.
# Default: 127.0.0.1:9000
http_bind_address = internal IP :9000
#http_bind_address = [2001:db8::1]:9000

# HTTP publish URI
#
# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
# clients using the Graylog web interface.
# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
# for example if the machine has multiple network interfaces or is behind a NAT gateway.
# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
# This configuration setting must not contain a wildcard address!
# Default: http://$http_bind_address/
http_publish_uri = http:// external IP:9000

# External Graylog URI
#
# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
# This setting can be overridden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
# Default: $http_publish_uri
http_external_uri = http:// external IP:9000

# Enable CORS headers for HTTP interface
#
# This allows browsers to make Cross-Origin requests from any origin.
# This is disabled for security reasons and typically only needed if running graylog
# with a separate server for frontend development.
# Default: false
http_enable_cors = true

# Enable GZIP support for HTTP interface
#
# This compresses API responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#http_enable_gzip = false

# The maximum size of the HTTP request headers in bytes.
#http_max_header_size = 8192

# The size of the thread pool used exclusively for serving the HTTP interface.
#http_thread_pool_size = 16

################
# HTTPS settings
################

# Enable HTTPS support for the HTTP interface
#
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
# Default: false
#http_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
#http_tls_cert_file = /path/to/graylog.crt

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
#http_tls_key_file = /path/to/graylog.key

# The password to unlock the private key used for securing the HTTP interface.
#http_tls_key_password = secret

# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
# header. May be subnets, or hosts.
#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
```

Sorry, I didn't know this. I already deleted the old post and have now posted it again with preformatted text.

Hello,

Oh, no problem, and thanks for correcting it. As for your HTTPS connection: I have not used Certbot, mainly because our Graylog servers are internal at the moment. From what I can see this looks like a configuration issue, maybe on the cert part, but I'm not 100% sure.

What I would do is check if your IP address has a reverse lookup in your DNS entry.

Second, make sure the certs have an FQDN. For example, when I created my self-signed certs I used the FQDN for everything.

```
keytool -genkey -alias FQDN -keyalg RSA -validity 365 -keystore keystore.jks
keytool -import -trustcacerts -file graylog-certificate.pem -alias FQDN -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts
```

Using these directions from the Graylog docs:

Creating a self-signed private key/certificate

You will see there have to be alt names, one of them being the FQDN:

```
[alt_names]
IP.1 = 203.0.113.42
DNS.1 = graylog.example.com
```

Check your certs if you haven't already.

And last, check to see if your Graylog server has access to the Java keystore.

Here is my lab GL server config file; I use this with a TCP/TLS INPUT and HTTPS. Some settings might not work for your environment; you may have to adjust it to your needs.

MY_GL_CONFIG
```
[root@graylog graylog_user]# grep -v "^#\|^$" /etc/graylog/server/server.conf | sed -e "s/#.*$//g"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret =epOqmLi7r7CdZxl76QOQxr8bRUPYstNdcBuajsaSNfG5bkXXFxyHAAsdgmCfyHhSKlKXjMQG9ojc0bn22EBT17elgGTUJgbD
root_password_sha2 =272c3ac6b26a795a4244d8d2caf1d19a072fbc1c88d497ba1df7fef0a4171ea6
root_email = "greg.smith@domain.com"
root_timezone = America/Chicago
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = graylog.domain.net:9000
http_publish_uri = https://graylog.domain.net:9000/
http_enable_cors = true
http_enable_tls = true
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_key_password = secret
elasticsearch_hosts = http://8.8.8.8:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_analyzer = standard
elasticsearch_index_optimization_timeout = 1h
output_batch_size = 5000
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 6
outputbuffer_processors = 2
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 3
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 12gb
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://mongo_admin:password123@localhost:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
transport_email_enabled = true
transport_email_hostname = localhost
transport_email_port = 25
transport_email_subject_prefix = [graylog]
transport_email_from_email = root@domain.net
transport_email_web_interface_url = https://graylog.domain.net:9000
http_connect_timeout = 10s
proxied_requests_thread_pool_size = 32
[root@graylog graylog_user]#
```

EDIT: And the link @aaronsachs posted is a must for your configuration file.

To be honest, I don't get too worried about Chrome trusting my certs inside my lab :slight_smile:

Hope that helps
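The "works by IP, fails by DNS name" symptom discussed in this thread comes down to whether `http_publish_uri` / `http_external_uri`, `http_enable_tls` and the certificate's alt names agree. Below is an added example, not code from the thread or from Graylog, that reads a server.conf the way the `grep -v` filter above does and reports the mismatches; the config text and the SAN names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample shaped like the original poster's file: TLS on, URIs pointing at the bare IP.
SAMPLE_CONF = """\
# HTTP settings
http_bind_address = 10.0.0.5:9000
http_publish_uri = http://203.0.113.42:9000/
http_external_uri = http://203.0.113.42:9000/
http_enable_tls = true
"""
# Constructed stand-in for the certificate's [alt_names] section (DNS.1 / IP.1 entries).
SAMPLE_SANS = {"DNS": {"graylog.example.com"}, "IP": {"203.0.113.42"}}


def parse_conf(text):
    """Parse key = value lines, dropping comments and blanks (what the grep/sed filter does)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_conf(conf, sans):
    """Return findings explaining why a browser at the FQDN would fail; [] means consistent."""
    findings = []
    tls = conf.get("http_enable_tls", "false").lower() == "true"
    for key in ("http_publish_uri", "http_external_uri"):
        uri = conf.get(key)
        if not uri:
            continue  # http_external_uri defaults to http_publish_uri when unset
        parts = urlsplit(uri)
        if tls and parts.scheme != "https":
            findings.append(f"{key}: http_enable_tls is on but the scheme is {parts.scheme}")
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            kind = "IP"
        except ValueError:
            kind = "DNS"
        if host not in sans.get(kind, set()):
            findings.append(f"{key}: {host!r} is not a {kind} alt name on the certificate")
        if kind == "IP":
            findings.append(f"{key}: the web interface will call the API at this IP, not the FQDN")
    return findings
```

Run `check_conf(parse_conf(open("/etc/graylog/server/server.conf").read()), sans)` with the alt names from your own certificate; an empty list means the URIs, TLS flag and certificate agree.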
