Setting up a multi-tiered log infrastructure Part 3 -- System Build

  1. Setting up a multi-tiered log infrastructure Part 1 -- Getting Started
  2. Setting up a multi-tiered log infrastructure Part 2 -- System Overview
  3. Setting up a multi-tiered log infrastructure Part 3 -- System Build
  4. Setting up a multi-tiered log infrastructure Part 4 -- Elasticsearch Setup
  5. Setting up a multi-tiered log infrastructure Part 5 -- MongoDB Setup
  6. Setting up a multi-tiered log infrastructure Part 6 -- Graylog Setup
  7. Setting up a multi-tiered log infrastructure Part 7 -- Graylog WebUI Setup
  8. Setting up a multi-tiered log infrastructure Part 8 -- Rsyslog Setup
  9. Setting up a multi-tiered log infrastructure Part 9 -- Rsyslog HA Setup
  10. Setting up a multi-tiered log infrastructure Part 10 -- HA Cluster Setup
  11. Setting up a multi-tiered log infrastructure Part 11 -- Cluster Tuning

Partitioning layout

Setup Note: The partition layout for Elasticsearch nodes may vary depending on how much data storage is needed. It makes sense to create the mount points with the expectation that they may need to grow in the future.

A sizing-estimator worksheet that can help with estimating proper sizes: https://community.graylog.org/t/sizing-estimator/644

For ES data nodes, ES master node, and rsyslog storage node

/dev/sda1 mount on /boot 500MB
vg_local-lv_swap 1024MB up to twice size of installed RAM
vg_local-lv_root mount on / minimum of 10240MB
vg_local-lv_home mount on /home minimum of 15360MB up to whatever size
vg_local-lv_tmp mount on /tmp minimum of 1024MB
vg_local-lv_usr mount on /usr minimum of 4096MB
vg_local-lv_var mount on /var minimum of 8000MB up to whatever size

For rsyslog aggregator nodes (Optional)

/dev/sda1 mount on /boot 500MB
vg_local-lv_swap 1024MB up to twice size of installed RAM
vg_local-lv_root mount on / minimum of 8192MB
vg_local-lv_home mount on /home minimum of 10240MB up to whatever size
vg_local-lv_tmp mount on /tmp minimum of 1024MB
vg_local-lv_usr mount on /usr minimum of 4096MB
vg_local-lv_var mount on /var minimum of 8000MB up to whatever size

For OSSEC node (Optional)

/dev/sda1 mount on /boot 500MB
vg_local-lv_swap 1024MB up to twice size of installed RAM
vg_local-lv_root mount on / minimum of 8192MB
vg_local-lv_home mount on /home minimum of 10240MB up to whatever size
vg_local-lv_tmp mount on /tmp minimum of 1024MB
vg_local-lv_usr mount on /usr minimum of 4096MB
vg_local-lv_var mount on /var minimum of 8000MB up to whatever size
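Added here as a post-install check that is not part of the original guide: a POSIX sh function that compares a host's mounted filesystems (df output in MB) against the minimums above, for both the ES/rsyslog-storage profile and the aggregator/OSSEC profile. The df output embedded below is a constructed sample, and the `--output` option in the comment assumes GNU df.

```shell
# Minimum layouts from the tables above, as "mountpoint minimum_MB" lines.
ES_LAYOUT='/boot 500
/ 10240
/home 15360
/tmp 1024
/usr 4096
/var 8000'
AGGREGATOR_LAYOUT='/boot 500
/ 8192
/home 10240
/tmp 1024
/usr 4096
/var 8000'

# Constructed sample of `df -m --output=target,size` from a host that left /tmp on
# the root volume and sized /var too small (not real output from any system).
SAMPLE_DF='Mounted on 1M-blocks
/ 20480
/boot 500
/home 16000
/usr 4096
/var 4000'

# check_layout LAYOUT DF_OUTPUT
# Prints one line per shortfall; returns 0 only when every required mount point
# exists as its own filesystem and meets the minimum size.
check_layout() {
    _layout=$1; _df=$2; _rc=0
    while read -r _mp _min; do
        [ -n "$_mp" ] || continue
        # Exact match on the target column, so /var never matches /var/log.
        _actual=$(printf '%s\n' "$_df" | awk -v mp="$_mp" '$1 == mp { print $2; exit }')
        if [ -z "$_actual" ]; then
            echo "MISSING   $_mp has no dedicated filesystem (minimum ${_min}MB)"
            _rc=1
        elif [ "$_actual" -lt "$_min" ]; then
            echo "TOO SMALL $_mp is ${_actual}MB, minimum is ${_min}MB"
            _rc=1
        fi
    done <<EOF
$_layout
EOF
    return $_rc
}

# Check the constructed sample against the ES/rsyslog-storage minimums.
# On a real host use: check_layout "$ES_LAYOUT" "$(df -m --output=target,size)"
check_layout "$ES_LAYOUT" "$SAMPLE_DF" || echo "layout does not meet the minimums"
```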

Install prerequisite apps

Setup Note: Some services, such as a time server and DNS, should be available on the network; otherwise some assumptions made throughout this document will not hold. It should also be noted that turning off SELinux or the firewall is not necessary for any part of this guide.

Install perl

yum install perl

Install helpful utilities

yum install wget

yum install lsof

yum install mlocate

yum install deltarpm

yum install sudo

yum install policycoreutils-python

yum install yum-utils

Install rsyslog

yum install rsyslog

Or, everything on one line:

yum install perl wget lsof mlocate deltarpm sudo policycoreutils-python yum-utils rsyslog

Setup time services client

Upgrade all packages if this has not been done yet

yum update

Reboot the system

shutdown -r now
