# Base packages used throughout this guide: the Java runtime for
# Elasticsearch/Graylog, epel-release for the extra repository (nginx is
# presumably installed from it later), policycoreutils-python for semanage and
# wget for the GeoIP download.
yum install -y \
  java-1.8.0-openjdk-headless \
  epel-release \
  policycoreutils-python \
  wget
# pwgen generates password_secret; coreutils provides sha256sum for
# root_password_sha2.
yum install -y \
  pwgen \
  coreutils
Criar o arquivo de repositório /etc/yum.repos.d/mongodb-org-3.4.repo:
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
yum install -y mongodb-org
# Register MongoDB's default port with SELinux so mongod may bind it.
# NOTE(review): `semanage port -a` fails with "already defined" when 27017 is
# already labelled in the active policy; use `-m` instead of `-a` in that case.
semanage port -a -t mongod_port_t -p tcp 27017
systemctl enable mongod.service
systemctl start mongod.service
# Pre-import the Elastic package-signing key; the repo file created next
# references the same key via gpgkey= and enforces it with gpgcheck=1.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Criar o arquivo de repositório /etc/yum.repos.d/elasticsearch.repo:
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install -y elasticsearch
Editar o arquivo /etc/elasticsearch/jvm.options e ajustar a memória para o Elasticsearch:
-Xms2g
-Xmx2g
Editar o arquivo /etc/elasticsearch/elasticsearch.yml e ajustar os seguintes parâmetros:
cluster.name: graylog
bootstrap.memory_lock: true
index.codec: best_compression
cluster.routing.allocation.disk.threshold_enabled: true
cluster.routing.allocation.disk.watermark.low: 2gb
cluster.routing.allocation.disk.watermark.high: 4gb
Editar o arquivo /usr/lib/systemd/system/elasticsearch.service para habilitar o memory lock no serviço do Elasticsearch:
Adicionar o texto abaixo no final da seção [Service] do arquivo:
LimitMEMLOCK=infinity
E aplicar:
# daemon-reload makes systemd re-read the edited unit file (LimitMEMLOCK=infinity)
# before the service is enabled and started; without it the old limits apply.
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
Instalar o Repositório
# Installs the Graylog repository definition directly from a URL.
# NOTE(review): yum does not GPG-verify a package given by URL unless
# localpkg_gpgcheck=1 is set in yum.conf — the download is protected only by TLS.
yum install -y https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
Instalar o Graylog Server
# Graylog server package; its configuration lives in
# /etc/graylog/server/server.conf, which is edited next.
yum install -y graylog-server
Editar o arquivo /etc/graylog/server/server.conf e configurar os parâmetros:
password_secret
root_password_sha2
root_timezone = America/Sao_Paulo
elasticsearch_hosts = http://localhost:9200/
elasticsearch_shards = 1
elasticsearch_replicas = 0
elasticsearch_cluster_name = graylog
allow_leading_wildcard_searches = true
message_journal_max_age = 12h
message_journal_max_size = 5gb
transport_email_* (opcional: para envio de alertas por e-mail)
Para criar o password_secret:
pwgen -N 1 -s 96
Para criar o root_password_sha2:
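# Read the root password without echoing it, so it does not land in the shell
# history or in `ps` output the way a password typed on the command line does;
# then hash it. printf '%s' is used instead of `echo -n` because echo mangles
# values that start with '-' or contain backslashes.
read -rs -p 'Senha root: ' senha_root; printf '\n'
printf '%s' "$senha_root" | sha256sum
unset senha_root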
Instalar o GeoIP:
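# Fetch the GeoIP database over https instead of the plain-http URL the guide
# used, so the file cannot be swapped in transit.
# NOTE(review): MaxMind has since put this download behind a license key —
# confirm the URL still works.
wget -O /etc/graylog/server/GeoLite2-City.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz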
gunzip -f /etc/graylog/server/GeoLite2-City.mmdb.gz
Configurar update semanal na Cron:
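# Weekly GeoIP refresh. The delimiter is quoted so nothing in the cron line is
# expanded by the shell while writing it, and the download uses https rather
# than the plain-http URL the guide used. gunzip only runs when wget succeeded.
# `>>` appends: running this step twice leaves a duplicate entry in the file.
cat <<'EOF' >> /etc/cron.d/graylog
# Atualiza informações de GeoIP Semanalmente
0 12 * * 0 root wget -O /etc/graylog/server/GeoLite2-City.mmdb.gz https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz && gunzip -f /etc/graylog/server/GeoLite2-City.mmdb.gz
EOF
systemctl enable graylog-server.service
systemctl start graylog-server.service
# Kibana comes from the same Elastic repository configured earlier.
yum install -y kibana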
Obs: o Kibana está disponível no mesmo repositório do Elasticsearch configurado previamente
Editar o arquivo /etc/kibana/kibana.yml e ajustar os seguintes parâmetros:
server.host: "127.0.0.1"
server.basePath: "/kibana"
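systemctl enable kibana.service
systemctl start kibana.service
# nginx fronts Graylog and Kibana; httpd-tools provides the htpasswd command
# used below to create the Kibana basic-auth file.
yum install -y nginx httpd-tools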
# Label the two backend ports that nginx proxies to as http_port_t.
# NOTE(review): confirm this is enough on your policy; nginx may additionally
# need the httpd_can_network_connect boolean to reach the upstreams.
# Graylog TCP port (upstream of "location /")
semanage port -a -t http_port_t -p tcp 9000
# Kibana TCP port (upstream of "location /kibana/"); the original comment
# mislabelled this as Graylog
semanage port -a -t http_port_t -p tcp 5601
Comentar o location / {} dentro do /etc/nginx/nginx.conf, pois este será utilizado pelo Graylog
Criar o arquivo /etc/nginx/default.d/graylog.conf com o seguinte conteúdo:
# Kibana behind HTTP basic auth; the user file is created later with htpasswd
# and must match the path given here.
# NOTE(review): until the HTTPS server block further down is in place, nginx
# serves this on port 80 and the credentials cross the network in clear text.
location /kibana/ {
auth_basic "Kibana Auth";
auth_basic_user_file /etc/nginx/kibana.htpaswd;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:5601/;
}
# Graylog web interface and API. X-Graylog-Server-URL is built from $host, i.e.
# from the Host header the client sent; it is switched to https in the TLS
# section of this guide.
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL http://$host/api;
proxy_pass http://127.0.0.1:9000/;
}
}
Configurar a autenticação do Kibana
# Creates the basic-auth file referenced by auth_basic_user_file in
# graylog.conf. -c (re)creates the file, so an existing one is overwritten;
# without -b htpasswd prompts for the password, keeping it off the command line.
# NOTE(review): the file is created with the default umask — consider
# restricting it to root and the user nginx runs as.
htpasswd -c /etc/nginx/kibana.htpaswd kibanaadmin
systemctl enable nginx.service
systemctl start nginx.service
Conectar no mongo e criar o user admin:
mongo
> use admin
> db.createUser({ user: "admin", pwd: "<senha>", roles: [{ role: "userAdminAnyDatabase", db: "admin" }, { role: "backup", db: "admin" }] })
> db.auth("admin", "<senha>")
> exit
Editar o arquivo /etc/mongod.conf e adicionar as seguintes linhas:
security:
  authorization: enabled
Reiniciar o serviço do MongoDB:
# Restart so the `authorization: enabled` setting added to /etc/mongod.conf
# takes effect; the next step then logs in as the admin user just created.
systemctl restart mongod.service
mongo
> use admin
> db.auth("admin", "<senha>")
> use graylog
> db.createUser({ user: "graylog", pwd: "<senha>", roles: [{ role: "dbOwner", db: "graylog" }] })
> db.auth("graylog", "<senha>")
> show collections
> exit
Editar o arquivo /etc/graylog/server/server.conf e alterar o campo mongodb_uri para:
mongodb_uri = mongodb://graylog:<senha>@localhost:27017/graylog
Criar um certificado autoassinado baseado no FQDN do servidor Graylog
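# Self-signed certificate valid for 10 years. -nodes leaves the key unencrypted
# so nginx can start unattended. Absolute paths are used instead of a `cd` so a
# failed directory change cannot leave the key and cert in the current directory.
# NOTE(review): recent browsers ignore the CN and require a subjectAltName — add
# one (e.g. via -addext on OpenSSL 1.1.1+) if your OpenSSL supports it.
openssl req -subj '/CN=<graylog-server-fqdn>/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/graylog-server.key -out /etc/pki/tls/certs/graylog-server.crt
# The key is only as protected as its file mode; make sure only root can read it.
chmod 0600 /etc/pki/tls/private/graylog-server.key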
Gerar chave Diffie-Hellman para "Perfect Forward Secrecy"
# 2048-bit Diffie-Hellman parameters for the kEDH (DHE) suites listed in the
# nginx ssl_ciphers directive below; generation may take a while.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Alterar o /etc/nginx/nginx.conf e ajustar os parâmetros do default server na porta 80 (HTTP):
- Comentar a linha include /etc/nginx/default.d/*.conf;
- Ajustar o redirect do location / para https:
location / { rewrite ^ https://<graylog-server-fqdn>$request_uri? permanent; }
Ajustar o default server na porta 443 (HTTPS) no arquivo /etc/nginx/nginx.conf:
- Adicionar os parâmetros de SSL;
- Adicionar o parâmetro include /etc/nginx/default.d/*.conf;
- Remover a seção location /
- Ajustar os parâmetros ssl_certificate e ssl_certificate_key utilizando o certificado TLS gerado anteriormente
- Ajustar o parâmetro ssl_dhparam utilizando o dhparam gerado anteriormente
Exemplo de configuração do SSL:
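server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name <graylog-server-fqdn>;
    root /usr/share/nginx/html;

    # "ssl on;" is redundant with "listen ... ssl" (and deprecated in newer
    # nginx releases), so it is omitted.
    ssl_certificate "/etc/pki/tls/certs/graylog-server.crt";
    ssl_certificate_key "/etc/pki/tls/private/graylog-server.key";
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";

    # OCSP stapling has no effect with the self-signed certificate generated
    # above: it carries no OCSP responder URL, so nginx logs a warning and
    # ignores the directive. Re-enable both lines once a CA-issued certificate
    # is installed.
    #ssl_stapling on;
    #ssl_trusted_certificate "/etc/pki/tls/certs/graylog-server.crt";

    # Same suite families as before minus 3DES: the original list contained
    # "DES-CBC3-SH+SHA", which looks like a typo for DES-CBC3-SHA (3DES), and
    # 3DES is no longer considered adequate. !3DES makes the exclusion explicit.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED !3DES';
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only 1.2 is offered. Add
    # TLSv1.3 here if the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache builtin:1000 shared:SSL:5m;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}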
Ajustar o header X-Graylog-Server-URL do location / no arquivo /etc/nginx/default.d/graylog.conf para utilizar HTTPS:
# Replaces the earlier "location /" in graylog.conf. With nginx now terminating
# TLS and port 80 redirecting to https, the URL advertised to the browser via
# X-Graylog-Server-URL must be https as well; it is still built from $host,
# i.e. from the Host header the client sent.
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$host/api;
proxy_pass http://127.0.0.1:9000/;
}
Por fim, testar as configurações aplicadas no NGINX e reiniciar o mesmo para aplicar:
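# Only restart when the configuration test passes: restarting with a broken
# config stops nginx and fails to bring it back, taking Graylog and Kibana
# offline.
nginx -t && systemctl restart nginx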