
Graylog Environment Project 2015

Here are some of the links I used to get Graylog on CentOS 7 working. On my current project I have to downgrade to CentOS 6.6 due to some older HP hardware.

The architecture I want to build out for the current engagement is the following:



https://www.graylog.org

MongoDB is very important for this:


http://docs.mongodb.org/manual/tutorial/install-mongodb-on-red-hat/

Here are the first steps:

vi /etc/yum.repos.d/mongodb-org-3.0.repo

[mongodb-org-3.0]
name=MongoDB Repository
baseurl=http://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.0/x86_64/
gpgcheck=0
enabled=1


Install the MongoDB packages and associated tools.

When you install the packages, you choose whether to install the current release or a previous one. This step provides the commands for both.

To install the latest stable version of MongoDB, issue the following command:
sudo yum install -y mongodb-org

Start MongoDB.

You can start the mongod process by issuing the following command:
sudo service mongod start

Verify that MongoDB has started successfully

You can verify that the mongod process has started successfully by checking the contents of the log file at /var/log/mongodb/mongod.log for a line reading

[initandlisten] waiting for connections on port <port>

where <port> is the port configured in /etc/mongod.conf, 27017 by default.
You can optionally ensure that MongoDB will start following a system reboot by issuing the following command:
sudo chkconfig mongod on

Stop MongoDB.

As needed, you can stop the mongod process by issuing the following command:
sudo service mongod stop

Restart MongoDB.


You can restart the mongod process by issuing the following command:
sudo service mongod restart 
You can follow the state of the process for errors or important messages by watching the output in the /var/log/mongodb/mongod.log file.
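The verification step above is easy to get wrong by eye: the "waiting for connections" line from a previous run is still in the log after a failed restart, and the port in the log has to match the one in mongod.conf. The following script is an added example of mine, not from the MongoDB docs or this post; it assumes the CentOS 6 package paths (/etc/mongod.conf and /var/log/mongodb/mongod.log), takes both as parameters so it can be run against copies, and treats "dbexit" as the shutdown marker (true for 2.x/3.0 logs, an assumption for other versions).

```shell
#!/bin/sh
# Check that mongod came up on the port it is configured for, using the
# log line the post tells you to look for. Added example, not from the
# MongoDB docs or the original post. Assumes the CentOS 6 package layout
# (/etc/mongod.conf, /var/log/mongodb/mongod.log); both paths are
# parameters so the functions can be run against copies.

# Print the port from mongod.conf: YAML style ("port: 27017" under net:)
# or the legacy "port=27017" form. Falls back to 27017 when unset.
mongod_port() {
    conf="$1"
    p=$(awk '
        /^[ \t]*#/ { next }                       # skip comments
        /^[ \t]*port[ \t]*[:=]/ {
            v = $0
            sub(/^[^:=]*[:=][ \t]*/, "", v)       # drop the key and separator
            sub(/[ \t#].*$/, "", v)               # drop trailing comment/space
            print v; exit
        }
    ' "$conf" 2>/dev/null || true)
    if [ -n "$p" ]; then echo "$p"; else echo 27017; fi
}

# Return 0 when the most recent start/stop marker in the log is
# "waiting for connections on port <port>", 1 otherwise. Looking only at
# the last marker keeps a line from an earlier run from passing the check
# after a failed restart ("dbexit" is the shutdown marker in 2.x/3.0 logs;
# assumption for other versions).
mongod_ready() {
    log="$1"; port="$2"
    last=$(grep -E 'waiting for connections on port|dbexit' "$log" 2>/dev/null | tail -n 1)
    case "$last" in
        *"waiting for connections on port $port"|*"waiting for connections on port $port "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check against the default paths; prints a verdict and returns
# the mongod_ready status so it can gate the rest of a build script.
verify_mongod() {
    conf="${1:-/etc/mongod.conf}"
    log="${2:-/var/log/mongodb/mongod.log}"
    port=$(mongod_port "$conf")
    if mongod_ready "$log" "$port"; then
        echo "mongod is accepting connections on port $port"
    else
        echo "mongod is NOT reported as listening on port $port; check $log" >&2
        return 1
    fi
}
```

Run `verify_mongod` after `service mongod start` and confirm the live socket with `netstat -ltnp | grep mongod` (or `ss -ltnp`). While you are in mongod.conf, check that it still binds to 127.0.0.1 unless Graylog runs on a different host: this MongoDB setup has no authentication configured, so the only thing keeping it private is the bind address and the firewall.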

Referenced from:  http://docs.mongodb.org/manual/tutorial/install-mongodb-on-red-hat/

Elasticsearch Installation

CentOS Installation and Configuration. Referenced from the following location:

vi /etc/yum.repos.d/elasticsearch.repo

Insert the following:

[elasticsearch-1.5]
name=Elasticsearch repository for 1.5.x packages
baseurl=http://packages.elasticsearch.org/elasticsearch/1.5/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1

yum install elasticsearch
chkconfig --add elasticsearch
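Two repo files have now been added to /etc/yum.repos.d, and they differ in what yum is allowed to verify: the MongoDB repo above turns signature checking off (gpgcheck=0, no gpgkey), and the Elasticsearch repo ships a key but fetches both packages and key over plain http. The following lint script is an added example of mine, not from this post or either vendor; it needs only POSIX sh and awk and reports, per [section], any of those weak settings. Newer MongoDB docs publish a repository signing key; take the key URL for your release series from the MongoDB docs rather than from here.

```shell
#!/bin/sh
# Lint yum .repo files for settings that weaken package verification.
# Added example, not from the original post or any vendor docs; it needs
# only POSIX sh and awk. For each [section] it reports: gpgcheck not set
# to 1, no gpgkey, or baseurl/gpgkey fetched over plain http. Prints one
# line per finding and returns 1 if anything was found, 0 when clean.
check_repo_gpg() {
    awk '
        function flush() {
            if (sect == "") return
            if (gpgcheck != "1") {
                gc = (gpgcheck == "" ? "<unset>" : gpgcheck)
                print sect ": gpgcheck=" gc " (rpm signatures are not verified at install)"
                bad = 1
            }
            if (gpgkey == "") {
                print sect ": no gpgkey (no key to verify signatures against)"
                bad = 1
            }
            if (baseurl ~ /^http:\/\//) {
                print sect ": baseurl over plain http (repo metadata can be altered in transit)"
                bad = 1
            }
            if (gpgkey ~ /^http:\/\//) {
                print sect ": gpgkey over plain http (the key itself can be substituted)"
                bad = 1
            }
        }
        /^\[.*\]$/     { flush(); sect = $0; gpgcheck = gpgkey = baseurl = ""; next }
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
        }
        END { flush(); exit bad }
    ' "$1"
}

# Usage: sh check_repo.sh /etc/yum.repos.d/*.repo
# (a wrapper can exit with "$status" to fail a build on any finding)
status=0
for f in "$@"; do check_repo_gpg "$f" || status=1; done
```

Run it over /etc/yum.repos.d before the first `yum install`; with gpgcheck=0 yum installs whatever the mirror serves, so a repo finding is worth fixing before the packages go onto a box that will hold your logs.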


EPEL Repository Configuration and Installation:


http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/

## RHEL/CentOS 6 64-Bit ##
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
yum repolist
http://wiki.xenproject.org/wiki/Xen_Project_Beginners_Guide


Download and install the public signing key:
Add the following in your /etc/yum.repos.d/ directory in a file with a .repo suffix, for example elasticsearch.repo
And your repository is ready for use. You can install it with:
Configure Elasticsearch to automatically start during bootup. If your distribution is using SysV init, then you will need to run:


I think the EPEL repository is needed. In this blog I will review the configuration steps to verify the result of a clean build.



CentOS Graylog Repository Installation:

$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-1.0-repository-el6_latest.rpm
$ sudo yum install graylog-server graylog-web

This has become much easier than previous iterations of the installation. On CentOS 7 the process is very manual, including creating the init.d scripts for it.

At some point I will post them in this blog, for review or in case I need them later.

Link: Graylog Early Version 3.2 Previous


Also, syslog forwarding to Graylog, the bread and butter of it all.

http://docs.graylog.org/en/1.0/pages/sending_data.html#syslog

Here is the syslog forwarder for this.
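For the forwarder side, the rsyslog rule that the linked Graylog page describes is a single line, but the details around it (TCP versus UDP, queueing while Graylog is down, validating before restart) are where logs get lost. The script below is an added example of mine, not from the Graylog docs or this post. It uses standard rsyslog syntax (`@` for UDP, `@@` for TCP, RSYSLOG_SyslogProtocol23Format for RFC 5424 output) in the legacy directive style of the rsyslog 5 that ships with CentOS 6; the host graylog.example.invalid and port 1514 are placeholders.

```shell
#!/bin/sh
# Build and install an rsyslog forwarding rule for a Graylog syslog input.
# Added example, not from the Graylog docs or the original post. The rule
# syntax is standard rsyslog ("@" = UDP, "@@" = TCP, RSYSLOG_SyslogProtocol23Format
# = RFC 5424 output); the host graylog.example.invalid and port 1514 are
# placeholders. Written for the legacy directive syntax of rsyslog 5 as
# shipped on CentOS 6.

# Print the rule (plus queue directives for TCP). Returns 1 on a port that
# is not 1..65535 or a protocol other than tcp/udp, so a typo never lands
# in /etc/rsyslog.d.
graylog_forward_rule() {
    host="$1"; port="$2"; proto="${3:-tcp}"
    case "$port" in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: '$port'" >&2; return 1
    fi
    case "$proto" in
        tcp)
            prefix='@@'
            # Disk-assisted queue: buffer locally while Graylog is unreachable
            # instead of dropping events, and keep retrying indefinitely.
            printf '%s\n' \
                '$ActionQueueType LinkedList' \
                '$ActionQueueFileName graylog_fwd' \
                '$ActionQueueMaxDiskSpace 1g' \
                '$ActionQueueSaveOnShutdown on' \
                '$ActionResumeRetryCount -1'
            ;;
        udp) prefix='@' ;;   # fire-and-forget: silently lossy, no queue helps
        *) echo "unknown protocol: '$proto'" >&2; return 1 ;;
    esac
    # Forward every facility/severity in RFC 5424 format, which Graylog's
    # syslog input parses with full timestamps and structured data.
    printf '*.* %s%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$prefix" "$host" "$port"
}

# Write the drop-in, validate the whole rsyslog config without starting it
# (rsyslogd -N1), and only then restart. A broken drop-in would otherwise
# leave the host with no logging at all. Needs root; not run by default.
install_graylog_forwarder() {
    conf=/etc/rsyslog.d/graylog.conf
    graylog_forward_rule "$1" "$2" "$3" > "$conf.tmp" || { rm -f "$conf.tmp"; return 1; }
    mv "$conf.tmp" "$conf"
    if ! rsyslogd -N1 -f /etc/rsyslog.conf >/dev/null 2>&1; then
        echo "rsyslog config failed validation; removing $conf" >&2
        rm -f "$conf"
        return 1
    fi
    service rsyslog restart
}
```

Typical call: `install_graylog_forwarder graylog.example.invalid 1514 tcp`, with a Graylog syslog TCP input listening on 1514 (the Graylog docs use a port above 1024 because the server does not run as root). Prefer TCP: UDP syslog is lossy under load and the source address is trivially forged, so the Graylog input should also be firewalled to the hosts expected to send. The `$ActionQueueFileName` directive needs `$WorkDirectory` set, which the stock CentOS rsyslog.conf already does.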


 Additional Notes:

I know this is probably unrelated, just a reminder for myself.

Here is the Vagrant website. I plan on using this later.

https://www.vagrantup.com
