A more secure Graylog2 server install

We will be installing and configuring Graylog Server on CentOS 6 as Part 3 of our series on Monitoring your systems with logstash and Graylog2 (see also Part 1, Part 2 and Part 4).

Please Note! This configuration is for the 0.9.5 version of Graylog2 Server and will be updated to reflect the changes in the message store implemented in version 0.9.6.

Our goals are simple:

  • Run as an unprivileged user
  • Consistent installation, logging, and configuration locations
  • Automating the installation

The installation overview:

  1. Download Graylog2 Server
  2. Create Installation environment
  3. Unpack the Archive
  4. Configure Server Parameters
  5. Test installation
  6. Download and install the Java Service Wrapper
  7. Configure the Java Service Wrapper
  8. Test the Java Service Wrapper

We will assume you know the basics of system administration (i.e. file permissions, ownership, etc.).
So let’s get this working!

Our first step will be to download the graylog2 server to our home directory.

Our next step is to create the installation environment. I’ve previously created a shell script (also used for installing logstash) which will create the directories we’ll be needing, as well as create our unprivileged user. You’ll need to run the script as root, but you can test it as a normal user quite easily (with some minor modifications to the script).

The command to run the script is:

./prog_dir_setup graylog2

Our script will create the following directories:

~ create “/usr/local/bin/graylog2” to hold our graylog2 executables
       then create “bin” and “lib” directories underneath
~ create “/var/spool/graylog2” for our logs and pid
      then create “log”, “pid” and “data” directories underneath
         Note: we will not be using the data directory
~ create “/etc/graylog2” for our graylog2 config files

Our script will then create a system user named “graylog2”, and
modify directory permissions so “graylog2” can write to those locations.

~ Create user “graylog2” and group “graylog2” as a system account
       pointing $HOME to “/var/spool/graylog2”
~ Change ownership of directories under “/var/spool/graylog2” to “graylog2.root”
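The following is an added example of a setup script that reproduces the layout described above; it is not the author's prog_dir_setup script. It takes the application name as the first argument and an optional path prefix as the second so that the directory creation can be dry-run in a scratch directory as a normal user (user creation and ownership changes only run as root). It additionally restricts the config directory, since graylog2.conf will hold the MongoDB password.

```shell
#!/bin/sh
# Added example (not the post's own prog_dir_setup): create the directory layout,
# the unprivileged system user and the ownership the post describes.
# Usage: prog_dir_setup_example graylog2 [PREFIX]
# PREFIX (default empty) is prepended to every path so the layout can be
# exercised as a normal user in a scratch directory.
set -eu

prog_dir_setup_example() {
    app="$1"
    prefix="${2:-}"
    bindir="$prefix/usr/local/bin/$app"
    spooldir="$prefix/var/spool/$app"
    confdir="$prefix/etc/$app"

    # Executables and libraries: root-owned, world-readable is fine.
    mkdir -p "$bindir/bin" "$bindir/lib"
    # Logs, pid and (unused) data directory: the service user must write here.
    mkdir -p "$spooldir/log" "$spooldir/pid" "$spooldir/data"
    # Config directory: it will hold mongodb_password, so no access for "other".
    mkdir -p "$confdir"
    chmod 750 "$confdir"

    if [ "$(id -u)" -eq 0 ]; then
        # System account with $HOME in the spool directory and no login shell.
        if ! id "$app" >/dev/null 2>&1; then
            useradd -r -d "$spooldir" -s /sbin/nologin "$app"
        fi
        # Equivalent of the post's "graylog2.root" ownership for writable dirs.
        chown "$app":root "$spooldir/log" "$spooldir/pid" "$spooldir/data"
        # Config readable by the service user (group) and root only.
        chown root:"$app" "$confdir"
    else
        echo "not root: skipping useradd/chown for $app" >&2
    fi
}

# Verify the layout exists and the config directory is closed to "other".
# Ownership is deliberately not checked so the non-root dry run can pass.
layout_ok() {
    app="$1"; prefix="${2:-}"
    for d in "usr/local/bin/$app/bin" "usr/local/bin/$app/lib" \
             "var/spool/$app/log" "var/spool/$app/pid" "var/spool/$app/data" \
             "etc/$app"; do
        [ -d "$prefix/$d" ] || return 1
    done
    # Characters 8-10 of "ls -ld" output are the "other" permission bits.
    [ "$(ls -ld "$prefix/etc/$app" | cut -c8-10)" = "---" ]
}
```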

We should next unpack the graylog2 server archive to “/usr/local/bin/graylog2” as root from our home directory.

We next copy the config file to “/etc/graylog2”.

cp /usr/local/bin/graylog2/graylog2.conf.example /etc/graylog2/graylog2.conf

Our next step will be to configure our graylog2 server config file. Using your favorite editor, edit /etc/graylog2/graylog2.conf so that it resembles the entries below. Remember to use the same username and password you chose when setting up MongoDB.

# since we will be receiving syslog locally from logstash
#
syslog_listen_port = 9514
# or any other port above 1024 that you wish to use
#
#
#MongoDB Configuration
mongodb_useauth = true
mongodb_user = gluser
mongodb_password = grayloguser-password
mongodb_host = 127.0.0.1
mongodb_database = graylog2
mongodb_port = 27017

Now we can test if graylog2 server will run with our current configuration. “su” as user “graylog2” and run the following command.

java -jar -DconfigPath=/etc/graylog2/graylog2.conf \
/usr/local/bin/graylog2/graylog2-server.jar

Now see if you are logging anything to Mongo in another terminal window as root.

tail -f /var/spool/mongo/log/mongod.log

If everything seems to be working as we hoped, we now configure graylog2 to run under the “Java Service Wrapper”, which will allow us to run graylog2 as a service, launching as root and forking to run as user “graylog2”.

If you have not done so previously, you should now download the Community version of the Java Service Wrapper and unpack it to ~/wrapper (i.e. “/home/username/wrapper”).
We will then copy some files from the ~/wrapper directory for our graylog2 config.

~ Copy “wrapper.conf” to /etc/graylog2
 "cp ~/wrapper/src/conf/wrapper.conf.in /etc/graylog2/wrapper.conf"
~ Copy Shell File and rename it to something meaningful
 "cp ~/wrapper/src/bin/sh.script.in /usr/local/bin/graylog2/bin/graylog2_wrapper"
~ Copy “wrapper” executable
 "cp ~/wrapper/bin/wrapper /usr/local/bin/graylog2/bin/"
~ Copy wrapper/lib/libwrapper.so
 "cp ~/wrapper/lib/libwrapper.so /usr/local/bin/graylog2/lib/"
~ Copy wrapper/lib/wrapper.jar
 "cp ~/wrapper/lib/wrapper.jar /usr/local/bin/graylog2/lib/"

Edit the below lines in /usr/local/bin/graylog2/bin/graylog2_wrapper with your favorite editor.

 APP_NAME="graylog2"
 APP_LONG_NAME="Graylog Server"
 WRAPPER_CONF="/etc/graylog2/wrapper.conf"
 PIDDIR="/var/spool/graylog2/pid"
 RUN_AS_USER="graylog2"

Edit the below lines in /etc/graylog2/wrapper.conf with your favorite editor (Note: I’ve hard-coded some perfectly valid variables contained in Tanuki’s provided script).

wrapper.java.command=/usr/bin/java
#
wrapper.java.mainclass=org.tanukisoftware.wrapper.WrapperJarApp
#
wrapper.java.classpath.1=/usr/local/bin/graylog2/lib/wrapper.jar
wrapper.java.classpath.2=/usr/local/bin/graylog2/graylog2-server.jar
#
wrapper.java.library.path.1=/usr/local/bin/graylog2/lib
#
wrapper.java.additional.1=-DconfigPath=/etc/graylog2/graylog2.conf
#
wrapper.app.parameter.1=/usr/local/bin/graylog2/graylog2-server.jar
#
wrapper.logfile=/var/spool/graylog2/log/wrapper.log

You should now be able to launch graylog2 as root and have it run as graylog2.

In a terminal window as root:

"/usr/local/bin/graylog2/bin/graylog2_wrapper console"

If you run the wrapper script without any parameters, you’ll see it has a number of options available for our use.

[root@mylaptop sphughes]# /usr/local/bin/logstash/bin/logstash0_wrapper

Usage: /usr/local/bin/logstash/bin/logstash0_wrapper [ console | start | stop | restart | condrestart | status | install | remove | dump ]

Commands:

console     Launch in the current console.
start       Start in the background as a daemon process.
stop        Stop if running as a daemon or in another console.
restart     Stop if running and then start.
condrestart Restart only if already running.
status      Query the current status.
install     Install to start automatically when system boots.
remove      Uninstall.
dump        Request a Java thread dump if running.
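Once the service has been started in the background, it is worth confirming that the JVM really is running as the unprivileged user and not as root. The following check is an added example, not part of the post or of the Tanuki wrapper; it assumes the wrapper writes its pid file as $PIDDIR/$APP_NAME.pid (i.e. /var/spool/graylog2/pid/graylog2.pid with the settings above) and that the host is Linux with /proc.

```shell
#!/bin/sh
# Added check (not from the post): verify which user a daemon runs as, by
# reading the pid from the wrapper's pid file and the effective uid from /proc.

# Print the effective uid of the process named in a pid file.
# Fails (return 1) if the file is unreadable, empty, or the process is gone.
pid_uid() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] && [ -r "/proc/$pid/status" ] || return 1
    # /proc/PID/status "Uid:" line: real, effective, saved, filesystem uid.
    awk '/^Uid:/ { print $3 }' "/proc/$pid/status"
}

# Return 0 when the process in the pid file runs as the named user, 1 otherwise
# (including when the user does not exist on this host).
runs_as() {
    pidfile="$1"; user="$2"
    uid=$(pid_uid "$pidfile") || return 1
    want=$(id -u "$user" 2>/dev/null) || return 1
    [ "$uid" = "$want" ]
}

# Usage on the server, after "graylog2_wrapper start":
#   runs_as /var/spool/graylog2/pid/graylog2.pid graylog2 \
#       && echo "graylog2 runs unprivileged" || echo "WARNING: not running as graylog2"
```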

That’s a wrap! We’ll next be posting instructions for setting up the Graylog2 web interface for viewing your logs.