Hi,
I have been trying to figure out how to contribute to the documentation, but this is how we do it on CentOS6.
On the Graylog Server, configure an input:

```
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 12450
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
```

We bundled the root and intermediate; the order in the file is important.

```
tls_cert_file: /etc/ssl/your_CA.pem
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: true
tls_key_file: /etc/ssl/private/your_private.key
tls_key_password: ********
use_null_delimiter: false
```
On the Graylog client:

Install packages:

```
yum install rsyslog-gnutls
yum install libsemanage-python
yum install policycoreutils-python
```

Create the spool directory:

```
mkdir /var/spool/rsyslog
chown root /var/spool/rsyslog
```
Add the rsyslogd configuration file: create `graylog.conf` in the `/etc/rsyslog.d` directory and add the following contents.

Set up disk-assisted queues:

```
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
```

Rsyslog GnuTLS settings and the forwarding rule (the selector `*.*` must precede `@@host:port`):

```
#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/your_CA.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.your.company.lcl
*.* @@111.55.200.24:12450;RSYSLOG_SyslogProtocol23Format
```

Set permissions so root can read the file:

```
chown root /etc/rsyslog.d/graylog.conf
```
Add your root CA to `/etc/ssl` and make sure root owns the file:

```
cp your_CA.pem /etc/ssl/your_CA.pem
chown root /etc/ssl/your_CA.pem
```

If you have SELinux, view the SELinux status:

```
getenforce
Enforcing
```

View the SELinux ports allowed for rsyslog:

```
semanage port -l | grep syslog
syslogd_port_t tcp 6514, 601
syslogd_port_t udp 514, 6514, 601
```

Add the SELinux port:

```
semanage port -a -t syslogd_port_t -p tcp 12450
```

View the SELinux ports allowed for rsyslog again and verify your port was added:

```
semanage port -l | grep syslog
syslogd_port_t tcp 12450, 6514, 601
syslogd_port_t udp 514, 6514, 601
```

Authorize the directories:

```
semanage fcontext -a -t syslog_conf_t "/var/spool/rsyslog/"
semanage fcontext -a -t syslog_conf_t "/etc/rsyslog.d/"
semanage fcontext -a -t syslog_conf_t "/etc/ssl/"
restorecon -R -v /var/spool/rsyslog
restorecon -R -v /etc/rsyslog.d
restorecon -R -v /etc/ssl
```

Restart rsyslog and test:

```
service rsyslog restart
logger TestWithSELinux
```
Warning!!!

We had a nightmare with our Microsoft certificate authority. You have to make sure that the root CA is added to the Java keystore on the Graylog server, and I also added it to the server's root CAs.

To import the root certificate, we decided to "pollute" the default Java keystore for Graylog.

- Make sure the public certificate is in PEM format and saved as a Linux file (no Windows characters).
- The default trust store of an installed Java runtime environment can be found at `$JAVA_HOME/jre/lib/security/cacerts` or `/etc/ssl/certs/java/cacerts` (due to all the symbolic links).
- Import:

```
keytool -importcert -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias YourCompany -file your_CA.pem
```

- View the YourCompany root certificate:

```
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep your.company.com
```
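As an added example (not part of the original post), a POSIX shell pre-flight check for the client-side `graylog.conf` above: it catches the forwarding line losing its `*.*` selector, gtls not running in TLS-only mode, `x509/name` authentication with no permitted peer, an unreadable CA file, and a disk-assisted queue whose spool directory is missing. The function names, the checks and the constructed sample config are mine; `192.0.2.10` is a placeholder address.

```shell
# Added example (not from the original post): a pre-flight check for the rsyslog
# client config described above. It flags mistakes that silently break TLS
# forwarding to the Graylog input: a forwarding line that lost its "*.*" selector,
# gtls not in TLS-only mode, x509/name auth without a permitted peer, a CA file
# rsyslog cannot read, and a disk-assisted queue whose spool directory is missing.
# Print the value of a legacy "$Directive value" line; trailing comments are dropped.
get_directive() {
    awk -v d="\$$1" '$1 == d { print $2; exit }' "$2"
}
# Returns 0 when the config passes every check, 1 on any failure, 2 if unreadable.
check_graylog_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }
    # A real selector (e.g. "*.*") must precede "@@host:port"; a bare ". @@host:port"
    # is what remains after the asterisks are eaten by forum markup.
    grep -Eq '^[^.#[:space:]]+\.[^[:space:]]+[[:space:]]+@@[^[:space:]]+:[0-9]+' "$conf" \
        || { echo "ERROR: no 'selector @@host:port' forwarding line" >&2; rc=1; }
    [ "$(get_directive ActionSendStreamDriver "$conf")" = gtls ] \
        || { echo "ERROR: \$ActionSendStreamDriver must be gtls" >&2; rc=1; }
    [ "$(get_directive ActionSendStreamDriverMode "$conf")" = 1 ] \
        || { echo "ERROR: \$ActionSendStreamDriverMode must be 1 (TLS only)" >&2; rc=1; }
    if [ "$(get_directive ActionSendStreamDriverAuthMode "$conf")" = x509/name ] \
       && [ -z "$(get_directive ActionSendStreamDriverPermittedPeer "$conf")" ]; then
        echo "ERROR: x509/name auth but no \$ActionSendStreamDriverPermittedPeer" >&2; rc=1
    fi
    ca=$(get_directive DefaultNetstreamDriverCAFile "$conf")
    [ -n "$ca" ] && [ -r "$ca" ] \
        || { echo "ERROR: CA file '$ca' is not set or not readable" >&2; rc=1; }
    wd=$(get_directive WorkDirectory "$conf")
    if [ -n "$(get_directive ActionQueueFileName "$conf")" ] && [ ! -d "$wd" ]; then
        echo "ERROR: queue spool directory '$wd' does not exist" >&2; rc=1
    fi
    return $rc
}
# Write a constructed sample config mirroring the post, so the check can be tried
# offline: $1 = output file, $2 = CA file, $3 = spool directory, $4 = selector.
write_sample_conf() {
    cat > "$1" <<EOF
\$WorkDirectory $3 # where to place spool files
\$ActionQueueFileName fwdRule1 # unique name prefix for spool files
\$DefaultNetstreamDriverCAFile $2
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer *.your.company.lcl
$4 @@192.0.2.10:12450;RSYSLOG_SyslogProtocol23Format
EOF
}
```

Run `check_graylog_conf /etc/rsyslog.d/graylog.conf` before `service rsyslog restart`; a non-zero exit code and the messages on stderr tell you which of the steps above was missed.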