Setting up a multi-tiered log infrastructure Part 7 -- Graylog WebUI Setup

Additional Setup for master node

Setup Graylog Web UI on master node

Setup Note: newer versions of graylog do not require a separate install for the web interface anymore so we can make a few firewall rule changes and be good.

Configure Graylog WebUI firewalld rules

Let’s make some firewall rule changes specifically to allow web traffic. If for some reason you aren’t using a firewall then you can skip this.

Configure a default zone with firewalld (The default zone is assumed to already be set as “Internal”)

Create a new service file for graylog WebUI access

vi /etc/firewalld/services/graylog-web.xml

Use this as the contents for graylog-web.xml (allowing port 80 and 443 now will come in handy later)

<?xml version="1.0" encoding="utf-8"?>
  <service>
    <short>graylog-web</short>
    <description>graylog web service access for default tcp ports.</description>
    <port protocol="tcp" port="80"/>
    <port protocol="tcp" port="443"/>
    <port protocol="tcp" port="9000"/>
  </service>

Permanently create an selinux context label

semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/graylog-web.xml

Apply the new selinux label

restorecon -vF /etc/firewalld/services/graylog-web.xml

Add service rule to allow connections to the web frontend

firewall-cmd --zone=internal --add-service=graylog-web --permanent

Reload the current firewall config

firewall-cmd --reload

Check the interface and verify the services

firewall-cmd --zone=internal --list-services

Verify the Graylog web interface

If everything was done correctly then we should be able to login to the Graylog web interface, using the default port of 9000. Use the admin account and secret password created earlier and go to http://yourserver.domain.tld:9000 to see the login page.

Configure Graylog Input

I won’t go into a lot of detail here since the Graylog docs cover creating an input. Of course, you can make whatever choices you like but I used the following settings for this post when configuring the new input.

After you have logged into your Graylog Instance,  click “System” => “Inputs

On the “Inputs” page, select “Syslog TCP” as the input type and click the “Launch new input” button

Title: rsyslog-tcp-input
Bind Address: 0.0.0.0
Port: 10514
Check the box "allow overriding Date"
Click "Save"

Configure Graylog Inputs firewalld rules

Let’s make some firewall rule changes specifically to allow incoming traffic to an input. If for some reason you aren’t using a firewall then you can skip this.

Configure a default zone with firewalld (The default zone is assumed to already be set as “Internal”)

Create a new service file for graylog inputs

vi /etc/firewalld/services/graylog-ipt.xml

Use this as the contents for graylog-ipt.xml

<?xml version="1.0" encoding="utf-8"?>
  <service>
    <short>graylog-ipt</short>
    <description>Incoming ports for multiple inputs from log sources.</description>
    <port protocol="tcp" port="10514"/>
  </service>

Permanently create an selinux context label

semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/graylog-ipt.xml

Apply the new selinux label

restorecon -vF /etc/firewalld/services/graylog-ipt.xml

Add service rule to allow connections

firewall-cmd --zone=internal --add-service=graylog-ipt --permanent

You can also just add the port

firewall-cmd --zone=internal --add-port=10514/tcp

Reload the current firewall config

firewall-cmd --reload

Check the interface and verify the services

firewall-cmd --zone=internal --list-services

You must be logged in to post a comment.

Proudly powered by WordPress   Premium Style Theme by www.gopiplus.com