005. Configure Graylog2 To Send Alarm Notifications

Tested On

OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Hardware: VMware Player 5.0.1

About

In this guide I will configure graylog2 to send email notifications on stream alarms.

Prerequisite

Before using this guide you need a running graylog2 server. You can use the Graylog2 Installation guide to install the graylog2 server.

Configure Graylog2 Email Notification

  • Configure email transport section in graylog2 server configuration file
vi /etc/graylog2.conf
...
# Email transport
transport_email_enabled = true
transport_email_hostname = mail.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_auth_username = [email protected]
transport_email_auth_password = secret
transport_email_subject_prefix = [graylog2]
transport_email_from_email = [email protected]
transport_email_from_name = Graylog2
...
  • Restart graylog2-server
service graylog2-server restart
  • After the graylog2-server restart has completed, open the graylog2-web-interface; a new email address field now appears on the edit user and create user pages
  • Go to Users and add an email address for each user on your graylog2 server who should receive email notifications
  • Go to each stream on your graylog2 server and configure its alarm settings
  • Check that you receive email notifications matching your stream alarm configuration
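Before restarting the server it is worth linting the block you just edited. The following Python script is an added check, not part of the original guide or of Graylog2: it parses the "key = value" format of graylog2.conf and reports inconsistencies in the transport_email_* settings (including a world-readable conf file holding the SMTP password). The conf excerpt and the mail addresses in it are constructed.

```python
# Constructed excerpt of /etc/graylog2.conf, mirroring the guide's email transport block.
SAMPLE_CONF = """# Email transport
transport_email_enabled = true
transport_email_hostname = mail.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_auth_username = graylog2@example.com
transport_email_auth_password = secret
transport_email_subject_prefix = [graylog2]
transport_email_from_email = graylog2@example.com
transport_email_from_name = Graylog2
"""

def parse_graylog2_conf(text):
    """Parse the 'key = value' lines of graylog2.conf; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf

def check_email_transport(conf, file_mode=None):
    """Return findings for the transport_email_* block (empty list = consistent).

    file_mode is the permission bits of the conf file (e.g. os.stat(path).st_mode & 0o777)."""
    opt = lambda name: conf.get("transport_email_" + name, "")
    on = lambda name: opt(name).lower() in ("true", "yes", "1")
    if not on("enabled"):
        return ["transport_email_enabled is not true: stream alarms will never be mailed"]
    findings = ["transport_email_%s is empty" % n for n in ("hostname", "from_email") if not opt(n)]
    if not opt("port").isdigit():
        findings.append("transport_email_port is not numeric")
    elif int(opt("port")) == 587 and not on("use_tls"):
        findings.append("port 587 is the STARTTLS submission port but use_tls is false")
    if on("use_auth"):
        if not (opt("auth_username") and opt("auth_password")):
            findings.append("use_auth is true but auth_username or auth_password is empty")
        if not on("use_tls"):
            findings.append("SMTP credentials would be sent without TLS")
        if file_mode is not None and file_mode & 0o077:
            findings.append("conf holds an SMTP password but is readable by group/others; chmod 600 it")
    return findings
```

On a real host, read /etc/graylog2.conf into parse_graylog2_conf() and pass os.stat("/etc/graylog2.conf").st_mode & 0o777 as file_mode.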

That's it, very simple once you know how to do it 🙂

More guides in Graylog2 Category.

Please visit http://www.graylog2.org for more information about Graylog2 configuration and usage.

004. NXlog To Graylog2 Configuration

Tested On

OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface Version: 0.11.0
NXlog Version: nxlog-ce-2.2
Hardware: Virtual Box 4.2.8

About

NXlog is a great tool to use to send your log files to graylog2 server.

In this guide I will show how to install nxlog with a simple configuration that sets nxlog to read messages from a local file and send them to the graylog2 server.

Install NXlog

  • Download and install nxlog
cd /usr/local/src
wget http://sourceforge.net/projects/nxlog-ce/files/nxlog-ce-2.3.1027-1.x86_64.rpm
yum localinstall nxlog-ce-*.rpm -y
  • Configure NXlog to send logs to graylog2 server
vi /etc/nxlog.conf
########################################
# Global directives                    #
########################################
User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
        Module  im_file
        File    "/var/log/messages"
</Input>

<Output out>
    Module      om_udp
    Host        graylog2-server.local
    Port        12201
    OutputType  GELF
</Output>

########################################
# Routes                               #
########################################
<Route r>
    Path        in => out
</Route>
  • Configure NXlog to start at boot and start it
chkconfig nxlog on
service nxlog start
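To see what nxlog is actually putting on the wire before pointing it at graylog2, here is an added Python decoder (not part of the guide, of nxlog or of Graylog2) for GELF UDP datagrams as om_udp with xm_gelf emits them: zlib- or gzip-compressed JSON, or a message split into chunks behind the 0x1e 0x0f magic with an 8-byte id, sequence number and sequence count. The sample record is constructed, and the two sender-side helpers exist only to build test input.

```python
import gzip
import json
import struct
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # chunk header: magic, 8-byte message id, sequence number, sequence count
SAMPLE = {  # constructed record, shaped like what xm_gelf builds from a /var/log/messages line
    "version": "1.0", "host": "web01", "level": 6, "timestamp": 1363000000,
    "short_message": "sshd[2211]: Accepted publickey for deploy from 10.0.0.5", "_file": "/var/log/messages"}

def encode_gelf(message, compress="zlib"):
    """Sender side: serialise a GELF dict as one datagram ('zlib', 'gzip' or 'none')."""
    body = json.dumps(message).encode("utf-8")
    return {"zlib": zlib.compress, "gzip": gzip.compress, "none": bytes}[compress](body)

def gelf_chunks(message, chunk_size, msg_id=b"\x00" * 8):
    """Sender side: split a zlib-compressed message into chunked GELF datagrams."""
    payload = encode_gelf(message)
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [GELF_CHUNK_MAGIC + msg_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]

def decode_payload(payload):  # one complete GELF payload: gzip, zlib or plain JSON
    body = payload                                 # default: uncompressed JSON
    if payload[:2] == b"\x1f\x8b":                 # gzip magic
        body = gzip.decompress(payload)
    elif payload[:1] == b"\x78":                   # zlib CMF byte (deflate, 32 KiB window)
        body = zlib.decompress(payload)
    message = json.loads(body.decode("utf-8"))
    if not {"version", "host", "short_message"} <= message.keys():
        raise ValueError("GELF message lacks a required field")
    return message

class GelfReassembler:  # receiver side; a production receiver would also expire stale message ids
    def __init__(self):
        self._pending = {}  # message id -> {sequence number: payload piece}

    def decode(self, datagram):
        """Return the decoded GELF dict, or None while a chunked message is still incomplete."""
        if not datagram.startswith(GELF_CHUNK_MAGIC):
            return decode_payload(datagram)
        msg_id, seq, total = struct.unpack_from("!8sBB", datagram, 2)  # struct.error if truncated
        if total == 0 or seq >= total or total > 128:  # GELF allows at most 128 chunks
            raise ValueError("malformed GELF chunk header")
        pieces = self._pending.setdefault(msg_id, {})
        pieces[seq] = datagram[12:]
        if len(pieces) < total:
            return None
        del self._pending[msg_id]
        return decode_payload(b"".join(pieces[i] for i in range(total)))
```

On a test host, bind a UDP socket on port 12201 and hand every received datagram to GelfReassembler.decode() to inspect the fields nxlog sends.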

That’s all. Now you can check your new log messages in the graylog2 server.

More guides in Graylog2 Category


003. Graylog2-Radio Installation

Tested On

OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Graylog2-Radio: 0.10.0
Hardware: Virtual Box 4.2.8

About

Graylog2-Radio is an add-on for Graylog2-Server that helps you send your logs to an AMQP topic exchange.
With Graylog2-Radio you can avoid problems such as full buffers and rejected messages, and you can also stop your graylog2-server without losing any messages, because they are written to an AMQP server.
What graylog2-radio does is listen on a tcp/udp port for syslog or gelf messages and publish them to an AMQP exchange; graylog2-server can then be configured to consume these messages and store them in elasticsearch.

In this guide I will show how to install graylog2 radio, rabbitmq and configure your graylog2-server to consume messages from rabbitmq.

I am going to use one server for all roles but it’s recommended to use different servers.

Prerequisite

Install Graylog2-Radio

  • Install RabbitMQ server using the following guide: RabbitMQ Installation
  • Download and extract graylog2-radio
mkdir /usr/local/src/graylog2
cd /usr/local/src/graylog2
wget http://download.graylog2.org/graylog2-radio/graylog2-radio-1.0.0.tar.gz -O graylog2-radio.tar.gz
tar zxf graylog2-radio.tar.gz
rm -f graylog2-radio.tar.gz
mv graylog2-radio-* /opt/graylog2-radio
cd /opt/graylog2-radio
  • Create configuration files for graylog2-radio
cp graylog2-radio.conf.example /etc/graylog2-radio.conf
cp graylog2-radio-inputs.conf.example /etc/graylog2-radio-inputs.conf
  • Check that the AMQP configuration matches your RabbitMQ server
vi /etc/graylog2-radio.conf
  • Configure the graylog2-radio-inputs file to listen for gelf and syslog messages
vi /etc/graylog2-radio-inputs.conf
udp gelflogs 0.0.0.0 12501
udp systemlogs 0.0.0.0 12502
  • Create graylog2-radio start script
vi /etc/init.d/graylog2-radio
#!/bin/bash
#
# graylog2-radio:   graylog2 AMQP producer
#
# chkconfig: - 98 02
# description:  This daemon start graylog2-radio
#

# Source function library.
. /etc/rc.d/init.d/functions

CMD=$1
NOHUP=`which nohup`

STOP_TIMEOUT=30
BINARY=java
PROG=graylog2-radio

HOME_DIR=/opt/graylog2-radio
LOG_FILE=${HOME_DIR}/log/${PROG}.log
JAR_FILE=graylog2-radio.jar
CONF_FILE=/etc/graylog2-radio.conf
PID_FILE=/var/run/graylog2-radio.pid

start() {
        graylog2_status > /dev/null 2>&1
        if [ ${RETVAL} -eq 3 ]
        then
                echo "Starting ${PROG} ..."
                cd ${HOME_DIR}
                # send both stdout and stderr to the log file so Java startup errors are not lost
                $NOHUP ${BINARY} -jar ${JAR_FILE} -f ${CONF_FILE} -p ${PID_FILE} >> ${LOG_FILE} 2>&1 &
                RETVAL=0
        else
                echo "${PROG} is already running"
        fi
}

stop() {
        echo -n $"Stopping $PROG: "
        killproc -p ${PID_FILE} -d ${STOP_TIMEOUT} ${PROG}
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${PID_FILE}
}

graylog2_status() {
        status -p ${PID_FILE} ${PROG}
        RETVAL=$?
}

restart() {
    echo "Restarting ${PROG} ..."
    stop
    start
}

case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        graylog2_status
        ;;
    *)
        echo "Usage $0 {start|stop|restart|status}"
        RETVAL=1
esac

exit ${RETVAL}
  • Configure graylog2-radio to start at boot and start it
chmod +x /etc/init.d/graylog2-radio
chkconfig --add graylog2-radio 
chkconfig graylog2-radio on 
service graylog2-radio start
  • Configure RabbitMQ credentials in your graylog2 server
vi /etc/graylog2.conf
...
# AMQP
amqp_enabled = true
amqp_host = localhost
amqp_port = 5672
amqp_username = guest
amqp_password = guest
amqp_virtualhost = /
...
  • Restart graylog2-server to apply new AMQP configuration
service graylog2-server restart
  • Browse to your graylog2 web interface and configure which exchange your graylog2 server should consume for each message type:
      • In the graylog2 web interface go to Setting -> AMQP
      • Add a new AMQP configuration for gelf messages: Exchange=messages, Routing Key=gelflogs, Type=GELF
      • Add another AMQP configuration for syslog messages: Exchange=messages, Routing Key=systemlogs, Type=syslog

That’s all. Now you need to configure your servers to send logs to the graylog2 server through the graylog2-radio listening ports 12501 and 12502.

More guides in Graylog2 Category


002. Configure syslog to forward logs to graylog2

Tested On

OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.10.0
Graylog2-web-interface: 0.10.2
Hardware: VMware Player 5.0.1

About

In this guide I will configure rsyslog to forward logs to the graylog2 server.

Prerequisite

Before using this guide you need a running graylog2 server. You can use the Graylog2 Installation guide to install the graylog2 server.

Configure Rsyslog

  • Configure syslog conf file
vi /etc/rsyslog.conf (change graylog2-server to your graylog2 server name or IP)
#### GLOBAL DIRECTIVES ####

...
#*.* @@remote-host:514
*.* @graylog2-server:514
  • Restart syslog
service rsyslog restart

That’s all. Now you can check your syslog messages in the graylog2 web interface.

More guides in Graylog2 Category.

Please visit http://www.graylog2.org for more information about Graylog2 configuration and usage.

001. Graylog2 Installation

Tested On

OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Hardware: Virtual Box 4.2.10

About

Graylog2 is open source software for managing your logs and getting the most out of them.

In this guide I will show how to install graylog2 server with elasticsearch and mongodb on the same server.

Prerequisite

  • Install dependency packages
yum install make wget java-1.7.0-openjdk openssl-devel libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel -y
  • Download and install Ruby
mkdir /usr/local/src/graylog2
cd /usr/local/src/graylog2
wget http://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p320.tar.gz
tar xzf ruby-1*
cd ruby-1*
./configure && make && make install
cd ext/openssl/
ruby extconf.rb
make && make install
  • Install required gems
gem install passenger bundler --no-rdoc --no-ri
  • Download and extract ElasticSearch
cd /usr/local/src/graylog2
wget http://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.20.4.tar.gz -O elasticsearch.tar.gz
tar zxf elasticsearch.tar.gz 
rm -f elasticsearch.tar.gz
mv elasticsearch-* /opt/elasticsearch
wget http://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master -O elasticsearch-servicewrapper.tar.gz
tar zxf  elasticsearch-servicewrapper.tar.gz
rm -f  elasticsearch-servicewrapper.tar.gz
mv *servicewrapper*/service /opt/elasticsearch/bin/
/opt/elasticsearch/bin/service/elasticsearch install
  • Configure ElasticSearch
vi /opt/elasticsearch/config/elasticsearch.yml
cluster.name: graylog2
  • Start ElasticSearch
service elasticsearch start
  • Install MongoDB, configure it to start at boot and start MongoDB
rpm -ihv http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install mongodb mongodb-server -y
chkconfig mongod on
service mongod start
  • Configure MongoDB (change user and password to your own requirements)
mongo
use admin
db.addUser('admin', 'humus234')
db.auth('admin', 'humus234')
use graylog2
db.addUser('graylog', 'graylog')
db.auth('graylog', 'graylog')
exit

Install Graylog2

  • Download and extract graylog2-server
cd /usr/local/src/graylog2
wget http://download.graylog2.org/graylog2-server/graylog2-server-0.11.0.tar.gz -O graylog2-server.tar.gz
tar zxf graylog2-server.tar.gz
rm -f graylog2-server.tar.gz
mv graylog2-server-* /opt/graylog2-server
cd /opt/graylog2-server
  • Configure and start Graylog2 Server
cp elasticsearch.yml.example /etc/graylog2-elasticsearch.yml
cp graylog2.conf.example /etc/graylog2.conf
vi /etc/graylog2.conf (change user and password to your own requirements)
...
mongodb_user = graylog
mongodb_password = graylog
...
  • Create Graylog2 Server start script
vi /etc/init.d/graylog2-server
#!/bin/bash
#
# graylog2-server:   graylog2 message collector
#
# chkconfig: - 98 02
# description:  This daemon start graylog2-server
#

# Source function library.
. /etc/rc.d/init.d/functions

CMD=$1
NOHUP=`which nohup`

STOP_TIMEOUT=30
BINARY=java
PROG=graylog2-server

HOME_DIR=/opt/graylog2-server
LOG_FILE=${HOME_DIR}/log/${PROG}.log
JAR_FILE=graylog2-server.jar
# optional helper shipped in the install directory; only sourced below if it exists
GRAYLOG2_CONFIG_SH=${HOME_DIR}/bin/graylog2_config.sh
CONF_FILE=/etc/graylog2.conf
PID_FILE=/var/run/graylog2.pid

[ -f $GRAYLOG2_CONFIG_SH ] && . $GRAYLOG2_CONFIG_SH

start() {
        graylog2_status > /dev/null 2>&1
        if [ ${RETVAL} -eq 3 ]
        then
                echo "Starting ${PROG} ..."
                cd ${HOME_DIR}
                # send both stdout and stderr to the log file so Java startup errors are not lost
                $NOHUP ${BINARY} -jar ${JAR_FILE} -f ${CONF_FILE} -p ${PID_FILE} >> ${LOG_FILE} 2>&1 &
                RETVAL=0
        else
                echo "${PROG} is already running"
        fi
}

stop() {
        echo -n $"Stopping $PROG: "
        killproc -p ${PID_FILE} -d ${STOP_TIMEOUT} ${PROG}
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${PID_FILE}
}

graylog2_status() {
        status -p ${PID_FILE} ${PROG}
        RETVAL=$?
}

restart() {
    echo "Restarting ${PROG} ..."
    stop
    start
}

case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        graylog2_status
        ;;
    *)
        echo "Usage $0 {start|stop|restart|status}"
        RETVAL=1
esac

exit ${RETVAL}
  • Configure Graylog2 Server to start at boot and start it
chmod +x /etc/init.d/graylog2-server
chkconfig --add graylog2-server 
chkconfig graylog2-server on 
service graylog2-server start
  • Download and extract Graylog2-Web-Interface
cd /usr/local/src/graylog2
wget http://download.graylog2.org/graylog2-web-interface/graylog2-web-interface-0.11.0.tar.gz -O graylog2-web-interface.tar.gz
tar zxf graylog2-web-interface.tar.gz
rm -f graylog2-web-interface.tar.gz
mv graylog2-web-interface-* /var/www/graylog2-web-interface
chown -R apache:apache /var/www/graylog2-web-interface
  • Install graylog2-web-interface dependencies
cd /var/www/graylog2-web-interface
bundle install --without=development
  • Install Passenger module for apache
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
  • Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin [email protected]
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerAdmin [email protected]
        ServerName graylog2.local
        DocumentRoot /var/www/graylog2-web-interface/public

        <Directory "/var/www/graylog2-web-interface/public">
                AllowOverride all
                Order deny,allow
                Allow from all
                Options -MultiViews
        </Directory>
</VirtualHost>
  • Configure apache to run at boot and start it
chkconfig httpd on
service httpd start
  • Configure the DNS name graylog2.humus234.local to resolve to the IP address of the graylog2 server (DNS or hosts file)
  • Browse to http://graylog2.humus234.local and create the first user

That’s all. Now you need to configure your servers to send logs to the graylog2 server, and you can start working with your new Graylog2 system to analyze log data.
Here are a couple of guides on sending logs to graylog2:

If you want to build a graylog2 server that will handle high traffic you can use graylog2-radio with RabbitMQ. You can start with the following guide: Graylog2-Radio Installation

More guides in Graylog2 Category.

Please visit http://www.graylog2.org for more information about Graylog2 configuration and usage.