Additional Setup for master node
Setup Graylog Web UI on master node
Note: newer versions of Graylog no longer require a separate install for the web interface, so a few firewall rule changes are all we need here.
Configure Graylog WebUI firewalld rules
Let’s make some firewall rule changes specifically to allow web traffic. If for some reason you aren’t using a firewall then you can skip this.
Configure a default zone with firewalld (The default zone is assumed to already be set as “Internal”)
Create a new service file for graylog WebUI access
vi /etc/firewalld/services/graylog-web.xml
Use this as the contents for graylog-web.xml (allowing port 80 and 443 now will come in handy later)
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>graylog-web</short>
  <description>graylog web service access for default tcp ports.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="9000"/>
</service>
Permanently create an SELinux context label
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/graylog-web.xml
Apply the new SELinux label
restorecon -vF /etc/firewalld/services/graylog-web.xml
Add service rule to allow connections to the web frontend
firewall-cmd --zone=internal --add-service=graylog-web --permanent
Reload the current firewall config
firewall-cmd --reload
Check the interface and verify the services
firewall-cmd --zone=internal --list-services
Verify the Graylog web interface
If everything was done correctly, we should be able to log in to the Graylog web interface on the default port of 9000. Go to http://yourserver.domain.tld:9000 to see the login page, and sign in with the admin account and secret password created earlier. This URL is plain HTTP, so the login is sent unencrypted; keep access limited to the internal zone.
Configure Graylog Input
I won’t go into a lot of detail here since the Graylog docs cover creating an input. Of course, you can make whatever choices you like but I used the following settings for this post when configuring the new input.
After you have logged into your Graylog Instance, click “System” => “Inputs”
On the “Inputs” page, select “Syslog TCP” as the input type and click the “Launch new input” button
Title: rsyslog-tcp-input
Bind Address: 0.0.0.0
Port: 10514
Check the box "allow overriding Date"
Click "Save"
Configure Graylog Inputs firewalld rules
Let’s make some firewall rule changes specifically to allow incoming traffic to an input. If for some reason you aren’t using a firewall then you can skip this.
Configure a default zone with firewalld (The default zone is assumed to already be set as “Internal”)
Create a new service file for graylog inputs
vi /etc/firewalld/services/graylog-ipt.xml
Use this as the contents for graylog-ipt.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>graylog-ipt</short>
  <description>Incoming ports for multiple inputs from log sources.</description>
  <port protocol="tcp" port="10514"/>
</service>
Permanently create an SELinux context label
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/graylog-ipt.xml
Apply the new SELinux label
restorecon -vF /etc/firewalld/services/graylog-ipt.xml
Add service rule to allow connections
firewall-cmd --zone=internal --add-service=graylog-ipt --permanent
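You can also just add the port (keep --permanent here too, otherwise the reload below discards the rule; a port added this way is listed by --list-ports, not --list-services)
firewall-cmd --zone=internal --add-port=10514/tcp --permanent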
Reload the current firewall config
firewall-cmd --reload
Check the interface and verify the services
firewall-cmd --zone=internal --list-services
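Both service files above (graylog-web.xml and graylog-ipt.xml) have the same shape, and both procedures end with the same verification step. The helper below is an added example, not part of the original post or of firewalld or Graylog: it generalizes the two files to any service name and list of TCP ports, rejects invalid ports before writing anything, and checks the --list-services output for the services you expect. The function names are hypothetical, and it assumes the name and description contain no XML special characters.

```bash
# Added example; function names are hypothetical, not part of firewalld or Graylog.
# Assumes name and description contain no XML special characters (&, <, >).

# Print a firewalld service definition for one or more TCP ports.
# usage: render_service_xml <short-name> <description> <port>...
render_service_xml() {
    local name desc port
    name=$1; desc=$2
    shift 2
    [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 1; }
    # Validate every port first so a bad argument produces no partial XML.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>%s</description>\n' "$desc"
    for port in "$@"; do
        printf '  <port protocol="tcp" port="%s"/>\n' "$port"
    done
    printf '</service>\n'
}

# Print every expected service that is absent from the output of
# `firewall-cmd --zone=internal --list-services`; return 1 if any is missing.
# usage: missing_services "<list-services output>" <service>...
missing_services() {
    local listed svc rc
    listed=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "
    rc=0
    shift
    for svc in "$@"; do
        case $listed in
            *" $svc "*) ;;
            *) echo "$svc"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Typical use on the master node (not run here):
#   render_service_xml graylog-ipt "Incoming ports for log sources." 10514 \
#       > /etc/firewalld/services/graylog-ipt.xml
#   missing_services "$(firewall-cmd --zone=internal --list-services)" \
#       graylog-web graylog-ipt
```

Running missing_services right after firewall-cmd --reload catches the case where a rule was added without --permanent and disappeared on reload.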