I am playing with the Graylog VM appliance 4.0.7 on VMware ESXi for the first time.
Trying to get it to behave as a simple syslog server at the moment. Hit the port 514 problem but fixed that with the iptables change to 1514 as documented. Had it working fine with the original DHCP’s IP address. Now I am finding that whenever I change the IP address of the VM, whether by making it static via netplan, or creating a DHCP reservation, the syslog messages stop coming into Graylog. The syslog messages are definitely coming into the VM as I can see them using netcat in the OS. I see other posts saying that when you change the IP address, you have to use graylog-ctrl to reconfigure. I also see other posts saying that the graylog-ctrl command has been deprecated on the VM appliance. I can also see that graylog-ctrl is not present on the VM. So how do you reconfigure graylog now in this version? Is it the server.conf file, and if so which parameter do I need change?
Thanks, people !!
Hello and Welcome,
I am assuming your using some type of linux box?
My first step would be is to create a static IP address on my device and make sure it doesnt conflict with another address. Once that is done without any problems, I would configure Graylog server.conf file. If your unsure where these default files are located you can look here.
My configuration file is locate here.
Open your file with a text editor and navigate here.
Web & REST API
http_bind_address = 127.0.0.1:9000
The network interface used by the Graylog HTTP interface.
This network interface must be accessible by all Graylog nodes in the cluster and by all clients using the Graylog web interface.
If the port is omitted, Graylog will use port 9000 by default.
Some people use
192.168.1.3:9000 ( local address), and some have configured it as
Restart garylog service
sudo systemctl restart graylog-server
Hope that helps.
Thanks for replying, gsmith!
That all sounded like sound advice, but I am afraid that it did not work on the Graylog VM appliance that I am using. Indeed, I can even get the graylog server to start unless I use 0.0.0.0 as the http_bind_address , and even then it refuses to collect data that I know is being sent using netcat. If I hardcode that value to the static IP that I have allocated in Netplan, the graylog service will not start!
My gut feel is that there is something wrong with the VM appliance build, and i should try manually building it on top of an existing OS like e.g. Centos. Anyone else finding this ?
VA configuration is the same as on top of OS. Configure static address using netplan, then edit server.conf file. The only setting actually needed to change in http settings section is
http_bind_address = HERE_YOUR_STATIC_IP:9000
All other leave default
Thanks very much for your reply, Karlis, But I am afraid that is not the full story!
The moment that I edit the http_bind_address to my static IP and systemctl restart graylog-server or reboot, I get no reply from http://staticIPAddress . If I revert the field back to 0.0.0.0, i can then get the graylog screen etc., but when I resetup the input, nothing is recorded. And I am actually doing all of this without actually changing the netplan address, so I am just using the original DHCP address, but trying to hardcode it into server.conf. I do not know if this is a new problem with the graylog applinace 4.0.7 ?
There is definitely a problem here!
BTW- I have just tried reverting to a VMware snaphot of the original appliance before I started any configuration. Noticed that the Web password is different- onviously a random assignment. Went through the exact same iptables configuration, and with the same FW syslog configuration, again it failed to show any data coming in to graylog. Almost as though it is only working on the very initial first random setup.
My apologies I haven’t reply lately, I’ve been working a lot.
I finished reading your current post, I personally never used OVA before. I believe you just install using Graylog Doc’s and your good to go. Why your having troubles with this I’m unsure what the problem could be.
To be honest an OVA is nice for a quick peek on how it works, but if you’re going to use Graylog at all for testing I would suggest manually installing it on your choice of Linux. You might have less problems.
Sorry I cant be more help
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.