Remote graylog website access (via internet, public IP)


#1

Hi,

I am new to graylog so I hope my questions are ok to ask.

I installed graylog on a vm server (ubuntu 16.04 lts server) and I am able to log in to the graylog web GUI when locally on the same network, like with “http://192.168.1.211:9000”. When reading the manual it seems like using the public IP for graylog web GUI is not good practice, since it is less secure, exposed to internet. Is that the concern?

So then I tried to tunnel in externally (public IP) via ssh on that port instead, yet that didn’t work either.

For example:
ssh root@xx.xx.xx.xx -L7000:127.0.0.1:9000 or ssh root@xx.xx.xx.xx -L7000:192.168.1.211:9000
Then use this in browser to access graylog:
http://localhost:7000

Yet this gives the following error:
Server currently unavailable
We are experiencing problems connecting to the Graylog server running on http:192.168.1.2111:9000/api/. Please verify that the server is healthy and working correctly.

So, I guess my question is what is the best practice if I want to access the graylog web GUI remotely.
Our servers are hosted (colocation) and I need to be able to access the graylog GUI from another company location (over internet), no vpn available. So I can’t be on the same network (local network) to access Graylog web GUI. What are my options here?

Regards,
Markus


(Jochen) #2

You either have to set web_endpoint_uri or use the X-Graylog-Server-URL HTTP request header to provide the URI of the Graylog REST API which the Graylog web interface is supposed to access.

See http://docs.graylog.org/en/2.4/pages/configuration/web_interface.html for details.


#3

Hi,

Thank you for your reply.

On the Graylog server (vm ubuntu 16.04) I have two NIC’s enabled
NIC 1 = Public IP (64.xx.xx.xxx)
NIC 2 = Local IP (192.168.100.139)

I want to be able to access the Graylog Web GUI on the public IP (64.xx.xx.xxx)
I want to use the local server IP (192.168.100.139) for the server clients to send the rsyslog data to this graylog server.

When using these settings I get the following error when trying to login to graylog web GUI.
http://64.xx.xx.xxx:9000/
Error - the server returned: 404 - cannot POST http://64.xx.xx.xxx:9000/system/sessions (404)

The following settings were used in /etc/graylog/server/server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxxxxx
root_password_sha2 = xxxxx
root_timezone = America/New_York
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://192.168.100.139:12900/api/
rest_transport_uri = http://192.168.100.139:12900/api/
web_listen_uri = http://64.xx.xx.xxx:9000/
web_endpoint_uri = http://64.xx.xx.xxx:9000/
etc

If using these settings I get the following error

We are experiencing problems connecting to the Graylog server running on http://192.168.100.139:9000/api/. Please verify that the server is healthy and working correctly.

The following settings were used in /etc/graylog/server/server.conf

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxxxxx
root_password_sha2 = xxxxx
root_timezone = America/New_York
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://192.168.100.139:9000/api/
rest_transport_uri = http://192.168.100.139:9000/api/
web_listen_uri = http://64.xx.x.xxx:9000/
#web_endpoint_uri =
etc

Can you please let me know what I am doing wrong here, if I want to be able to log in to the graylog web GUI via the public IP (eth0) and use the local IP (eth1) for the client servers (rsyslog via udp)?

Regards,
Markus


(Jochen) #4

web_endpoint_uri has to be the URI of the Graylog REST API, not the URI of the Graylog web interface.


#5

Hi,

I tested with the following, yet the same issue. I also restarted graylog service and rebooted the server after change. I don’t understand what the problem is here?

rest_listen_uri = http://192.168.100.139:9000/api/
rest_transport_uri = http://192.168.100.139:9000/api/
web_listen_uri = http://64.xx.xx.xxx:9000/
web_endpoint_uri = http://192.168.100.139:9000/

And with this:

rest_listen_uri = http://192.168.100.139:9000/api/
rest_transport_uri = http://192.168.100.139:9000/api/
web_listen_uri = http://64.xx.xx.xxx:9000/api/
web_endpoint_uri = http://192.168.100.139:9000/api/

Error received when trying to access graylog web GUI on the public IP

We are experiencing problems connecting to the Graylog server running on http://192.168.100.139:9000/. Please verify that the server is healthy and working correctly.

Error message
Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
Original Request
GET http://192.168.100.139:9000/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

Regards,
Markus


(Jochen) #6

This is the URI of the Graylog web interface and not of the Graylog REST API in your example.



#7

Hi,

This is what I tested with now

rest_listen_uri = http://192.168.100.139:9000/api/
rest_transport_uri = http://192.168.100.139:9000/api/
web_listen_uri = http://64.xx.xx.xxx:9000/
web_endpoint_uri = http://192.168.100.139:9000/api/

Is this correct? Yet, this does not work, must be another setting wrong or something. Or I am an idiot:)

Error
We are experiencing problems connecting to the Graylog server running on http://192.168.100.139:9000/api/. Please verify that the server is healthy and working correctly.

Error message
Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
Original Request
GET http://192.168.100.139:9000/api/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

FYI, when I use the public IP for all these settings I can at least log in via the graylog web GUI

rest_listen_uri = http://64.xx.xx.xxx:9000/api/
rest_transport_uri = http://64.xx.xx.xxx:9000/api/
web_listen_uri = http://64.xx.xx.xxx:9000/

But I can’t use it since I need to use a local network for the rsyslog data.

Regards,
Markus


(Jochen) #8

The Graylog web interface (running in your browser) has to be able to communicate with the Graylog REST API.

What happens if you try to access http://192.168.100.139:9000/api/ in your web browser?

One doesn’t have to do anything with the other.


#9

Hi,

So this vm graylog server is located in our datacenter (colocation) on one of our physical servers. Also, this vm graylog server is the server version, so it does not have a graphical user interface, so I have a vm windows machine that I tested from. This vm also has NIC 1 (public IP) and NIC 2 (local IP, 192.168.100.131). When NIC 2 is enabled on the windows machine I can access the graylog web login with http://64.xx.xx.xxx:9000 but when I disable NIC 2 on the vm I get the same issue. So it seems like it works fine locally but not when the communication goes via the public network.

I also tested on a different port, changed from 9000 to 2010, yet same issue.

Any thoughts on this?

Regards,
Markus


(Yuri Suslov) #10

Not sure if it helps but I have the following setup:
Graylog server has IP 192.168.168.111 on internal network with the config below

rest_listen_uri = http://0.0.0.0:9000/api/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri =http://195.0.0.121:9000/api

Firewall rule

iptables -t nat -A PREROUTING -p TCP -d 195.0.0.121 --dport 9000 -j DNAT --to-destination 192.168.168.111:9000

and I could access webpage here http://195.0.0.121:9000 from outside.

However, it is not possible to access Graylog web from the internal network.
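
The reachability point made in this thread (the browser, not the server, calls the REST API) as an added example that is not part of any post and is not Graylog code: a check run over the configurations quoted above. It assumes the Graylog 2.x fallback order web_endpoint_uri, then rest_transport_uri, then rest_listen_uri; the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed from the configurations quoted in this thread.
MARKUS_7 = """
rest_listen_uri = http://192.168.100.139:9000/api/
rest_transport_uri = http://192.168.100.139:9000/api/
web_listen_uri = http://64.xx.xx.xxx:9000/
web_endpoint_uri = http://192.168.100.139:9000/api/
"""
MARKUS_3 = MARKUS_7.replace("web_endpoint_uri", "#web_endpoint_uri")
YURI_10 = """
rest_listen_uri = http://0.0.0.0:9000/api/
web_listen_uri = http://0.0.0.0:9000/
web_endpoint_uri =http://195.0.0.121:9000/api
"""

def parse_conf(text):
    """Read key = value lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def browser_api_uri(conf):
    """URI the browser is told to call (assumed 2.x fallback order)."""
    for key in ("web_endpoint_uri", "rest_transport_uri", "rest_listen_uri"):
        if conf.get(key):
            return conf[key]
    raise KeyError("no REST URI configured")

def check(conf, client_on_lan):
    """Findings for a browser that is, or is not, on the server's LAN."""
    findings = []
    api = urlparse(browser_api_uri(conf))
    rest_path = urlparse(conf["rest_listen_uri"]).path.rstrip("/")
    if api.path.rstrip("/") != rest_path:
        findings.append("path is not the REST API path " + rest_path)
    try:
        addr = ipaddress.ip_address(api.hostname)
    except ValueError:
        return findings  # DNS name: reachability cannot be judged offline
    if addr.is_unspecified:
        findings.append("wildcard address is not something a browser can call")
    elif addr.is_private and not client_on_lan:
        findings.append("private address is unreachable from the Internet")
    return findings
```

Every URI quoted in the thread is plain http://, so a login over the public address crosses the Internet unencrypted; this check does not cover that.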


#11

Yuri,

Thank you very much for your response. This resolved the issue:)

Regards,
Markus

