Logdatenanalyse mit graylog v2 unter CentOS 7.x

Bild: graylog Logo Für die Überwachung unserer Systeme, genauer gesagt den Loginformationen, greifen wir auf das Projekt graylog v2 zurück. Mit graylog haben wir ein sehr mächtiges Werkzeug in Händen, welches uns die Erfassung, Indizierung und Analyse von Logdateninformationen aus fast all unseren Systemen und Geräten zur Verfügung.

Für den produktiven Einsatz von graylog v2 müssen wir noch ein paar Vorbereitungen treffen; nähere Hinweise dazu findet man in der Architektur-Dokumentation sowie den Überlegungen zu den Voraussetzungen der verwendeten Systemarchitektur von graylog v2. Im folgendem Installations- und Konfigurationsbeispiel orientieren wir uns am Minimum setup.

Bevor wir nun mit der Installation von graylog beginnen, müssen wir noch nachfolgende Voraussetzungen schaffen.

JAVA/OpenJDK Runtime Environment

Hier installieren wir die benötige Java Umgebung (>= 8) aus dem CentOS Base Repository.

MongoDB

graylog nutzt als Datenbank-Server die NoSQL-Datenbank MongoDB (>= 2.4). Diese beziehen wir aus dem EPEL Repository, welches wir, falls noch nicht geschehen, in unser System wie hier beschrieben einbinden.

Elasticsearch

graylog nutzt als Suchmaschine/-server das Projekt Elasticsearch (>= 2.x). Das benötigte aktuelle RPM beziehen wir direkt von elastic, die hierzu ein eigenes Repository anbieten.

ACHTUNG: Graylog 2.x does not work with Elasticsearch 5.x! ⇒ http://docs.graylog.org/en/2.2/pages/installation/operating_system_packages.html#prerequisites

Zur Installation des Repositories selbst wir uns kein RPM angeboten. Daher werden wir kurzer Hand die benötigte Konfigurationsdatei für das Repository elasticsearch selbst anlegen.

 # vim /etc/yum.repos.d/elasticsearch.repo
/etc/yum.repos.d/elasticsearch.repo
# Django : 2017-02-14 - Repository elasticsearch 5.x ist nicht mit graylog v2.x kompatibel!
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
priority=20
enabled=0
autorefresh=1
type=rpm-md
 
# Django : 2015-12-21 - Repository elasticsearch 2.x ist nur mit graylog v2.x kompatibel!
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-elasticsearch
priority=20
enabled=1
 
# Django : 2015-12-28 - Repository elasticsearch für graylog V1.x Installation
[elasticsearch-1.7]
name=Elasticsearch repository for 1.7.x packages
baseurl=http://packages.elastic.co/elasticsearch/1.7/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
priority=20
enabled=0

Damit später nur verifizierte, also RPM-Pakete mit einer gültigen PGP-Signatur installiert werden können, benötigen wir noch den passenden PGP-Key von elasticsearch. Hinweise zum Bezug des Schlüssels und dessen Fingerprint finden wir auf der elasticsearch Dokumentationsseite. Wir holen uns nun den RPM-PGP-Key auf unseren Server.

 # wget https://packages.elastic.co/GPG-KEY-elasticsearch -P /etc/pki/rpm-gpg

Bevor wir diesen aber importieren, lassen wir uns den Fingerprint am Bildschirm ausgeben.

 # gpg --with-fingerprint /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
pub  2048R/D88E42B4 2013-09-16 Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>
      Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4
sub  2048R/60D31954 2013-09-16

Diesen Key fingerprint = 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4 vergleichen wir nun mit den Angaben auf der elasticsearch Dokumentationsseite. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nichts mehr entgegen.

 # rpm --import /etc/pki/rpm-gpg/GPG-KEY-elasticsearch

graylog

Graylog selbst werden wir später aus dem Repository von graylog installieren. So bleibt zum einen der Konfigurationsaufwand überschaubar und wir werden mit Updates versorgt, wenn Änderungen und/oder Erweiterungen am Programmcode von graylog notwendig werden. Die Integration des benötigten Repositories erfolgt direkt mit nachfolgendem Befehl:

 # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm

Anschliessend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.

 # vim /etc/yum.repos.d/graylog.repo
/etc/yum.repos.d/graylog.repo
[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/2.3/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
priority=20

Leider bietet uns graylog selbst keine Möglichkeit, den Fingerprint des PGP-Key /etc/pki/rpm-gpg/RPM-GPG-KEY-graylog mit der Key-ID=B1606F22 einzusehen. Wir müssen daher auf einen PGP-Keyserver ausweichen. Über die URL http://keyserver.nausch.org/pks/lookup?search=0xB1606F22&fingerprint=on erhalten wir in einem Browserfenster direkt den Fingerprint angezeigt. Diesen Fingerprint vergleichen wir nun mit dem des RPM-Pakets.

 # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
pub  2048R/B1606F22 2014-06-04 TORCH GmbH <packages@torch.sh>
      Key fingerprint = 28AB 6EB5 7277 9C2A D196  BE22 D44C 1D8D B160 6F22

Sind beide Werte gleich, können wir auch diesen PGP-Key wie gewohnt importieren.

 # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-graylog

Da nun alle Voraussetzungen geschaffen sind, können wir uns an die Installation der einzelnen RPM-Pakete machen.

OpenJDK

Als erstes installieren wir nun die OpenJDK Runtime Environment mit Hilfe von YUM.

 # yum install java-1.8.0-openjdk -y

Haben wir bereits eine installierte Java Umgebung installiert können wir mit folgendem Befehl abfragen ob die benötigte Version den Installationsvoraussetzungen (installiertes JAVA oder OpenJDK ab Version 1.7.0) von graylog genügt.

 # java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)

Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl.

 # rpm -qil java-1.8.0-openjdk
Name        : java-1.8.0-openjdk
Epoch       : 1
Version     : 1.8.0.121
Release     : 0.b13.el7_3
Architecture: x86_64
Install Date: Wed 15 Feb 2017 03:26:37 PM CET
Group       : Development/Languages
Size        : 512882
License     : ASL 1.1 and ASL 2.0 and GPL+ and GPLv2 and GPLv2 with exceptions and LGPL+ and LGPLv2 and MPLv1.0 and MPLv1.1 and Public Domain and W3C
Signature   : RSA/SHA256, Sat 21 Jan 2017 04:40:40 PM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.src.rpm
Build Date  : Fri 20 Jan 2017 07:08:18 PM CET
Build Host  : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://openjdk.java.net/
Summary     : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/bin/policytool
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/amd64/libawt_xawt.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/amd64/libjawt.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/amd64/libjsoundalsa.so
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/amd64/libsplashscreen.so
/usr/share/applications/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64-policytool.desktop
/usr/share/icons/hicolor/16x16/apps/java-1.8.0.png
/usr/share/icons/hicolor/24x24/apps/java-1.8.0.png
/usr/share/icons/hicolor/32x32/apps/java-1.8.0.png
/usr/share/icons/hicolor/48x48/apps/java-1.8.0.png

MongoDB

Als nächstes erfolgt die Installation unserer MongoDB. Dank dem eingebundenen zugehörigen Repository erfolgt dies mit Hilfe von YUM.

 # yum install mongodb mongodb-server -y

Auch hier können wir uns einen Überblick verschaffen, welche Verzeichnisse angelegt und Dateien dort abgelegt wurden.

 # rpm -qil mongodb
Name        : mongodb
Version     : 2.6.12
Release     : 3.el7
Architecture: x86_64
Install Date: Wed 15 Feb 2017 04:12:10 PM CET
Group       : Applications/Databases
Size        : 137184760
License     : AGPLv3 and zlib and ASL 2.0
Signature   : RSA/SHA256, Tue 20 Sep 2016 06:13:42 PM CEST, Key ID 6a2faea2352c64e5
Source RPM  : mongodb-2.6.12-3.el7.src.rpm
Build Date  : Mon 19 Sep 2016 10:56:43 AM CEST
Build Host  : buildvm-09.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.mongodb.org
Summary     : High-performance, schema-free document-oriented database
Description :
Mongo (from "humongous") is a high-performance, open source, schema-free
document-oriented database. MongoDB is written in C++ and offers the following
features:
    * Collection oriented storage: easy storage of object/JSON-style data
    * Dynamic queries
    * Full index support, including on inner objects and embedded arrays
    * Query profiling
    * Replication and fail-over support
    * Efficient storage of binary data including large objects (e.g. photos
    and videos)
    * Auto-sharding for cloud-level scalability (currently in early alpha)
    * Commercial Support Available

A key goal of MongoDB is to bridge the gap between key/value stores (which are
fast and highly scalable) and traditional RDBMS systems (which are deep in
functionality).
/usr/bin/bsondump
/usr/bin/mongo
/usr/bin/mongodump
/usr/bin/mongoexport
/usr/bin/mongofiles
/usr/bin/mongoimport
/usr/bin/mongooplog
/usr/bin/mongoperf
/usr/bin/mongorestore
/usr/bin/mongosniff
/usr/bin/mongostat
/usr/bin/mongotop
/usr/share/doc/mongodb-2.6.12
/usr/share/doc/mongodb-2.6.12/README
/usr/share/licenses/mongodb-2.6.12
/usr/share/licenses/mongodb-2.6.12/APACHE-2.0.txt
/usr/share/licenses/mongodb-2.6.12/GNU-AGPL-3.0.txt
/usr/share/man/man1/bsondump.1.gz
/usr/share/man/man1/mongo.1.gz
/usr/share/man/man1/mongodump.1.gz
/usr/share/man/man1/mongoexport.1.gz
/usr/share/man/man1/mongofiles.1.gz
/usr/share/man/man1/mongoimport.1.gz
/usr/share/man/man1/mongooplog.1.gz
/usr/share/man/man1/mongoperf.1.gz
/usr/share/man/man1/mongorestore.1.gz
/usr/share/man/man1/mongosniff.1.gz
/usr/share/man/man1/mongostat.1.gz
/usr/share/man/man1/mongotop.1.gz
 # rpm -qil mongodb-server
Name        : mongodb-server
Version     : 2.6.12
Release     : 3.el7
Architecture: x86_64
Install Date: Wed 15 Feb 2017 04:12:00 PM CET
Group       : Applications/Databases
Size        : 20903323
License     : AGPLv3 and zlib and ASL 2.0
Signature   : RSA/SHA256, Tue 20 Sep 2016 06:03:42 PM CEST, Key ID 6a2faea2352c64e5
Source RPM  : mongodb-2.6.12-3.el7.src.rpm
Build Date  : Mon 19 Sep 2016 10:56:43 AM CEST
Build Host  : buildvm-09.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.mongodb.org
Summary     : MongoDB server, sharding server and support scripts
Description :
This package provides the mongo server software, mongo sharding server
software, default configuration files, and init scripts.
/etc/logrotate.d/mongodb
/etc/mongod.conf
/etc/mongos.conf
/etc/sysconfig/mongod
/etc/sysconfig/mongos
/usr/bin/mongod
/usr/bin/mongos
/usr/lib/systemd/system/mongod.service
/usr/lib/systemd/system/mongos.service
/usr/lib/tmpfiles.d/mongodb.conf
/usr/share/man/man1/mongod.1.gz
/usr/share/man/man1/mongos.1.gz
/var/lib/mongodb
/var/log/mongodb
/var/run/mongodb

Elasticsearch

Im nächsten Schritt installieren wir nun noch elasticsearch als Suchmaschine/-server.

 # yum install elasticsearch -y

Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl.

 # rpm -qil elasticsearch
Name        : elasticsearch
Version     : 2.4.4
Release     : 1
Architecture: noarch
Install Date: Wed 15 Feb 2017 04:15:08 PM CET
Group       : Application/Internet
Size        : 30542380
License     : (c) 2009
Signature   : RSA/SHA1, Tue 03 Jan 2017 12:52:53 PM CET, Key ID d27d666cd88e42b4
Source RPM  : elasticsearch-2.4.4-1.src.rpm
Build Date  : Tue 03 Jan 2017 12:52:50 PM CET
Build Host  : vagrant-ubuntu-trusty-64
Relocations : /usr 
Packager    : Elasticsearch
Summary     : Distribution: RPM
Description :
Elasticsearch is a distributed RESTful search engine built for the cloud. Reference documentation can be found at https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html and the 'Elasticsearch: The Definitive Guide' book can be found at https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html
/etc/elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/elasticsearch/scripts
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d
/usr/lib/tmpfiles.d/elasticsearch.conf
/usr/share/elasticsearch/LICENSE.txt
/usr/share/elasticsearch/NOTICE.txt
/usr/share/elasticsearch/README.textile
/usr/share/elasticsearch/bin
/usr/share/elasticsearch/bin/elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec
/usr/share/elasticsearch/bin/elasticsearch.in.sh
/usr/share/elasticsearch/bin/plugin
/usr/share/elasticsearch/lib
/usr/share/elasticsearch/lib/HdrHistogram-2.1.6.jar
/usr/share/elasticsearch/lib/apache-log4j-extras-1.2.17.jar
/usr/share/elasticsearch/lib/commons-cli-1.3.1.jar
/usr/share/elasticsearch/lib/compiler-0.8.13.jar
/usr/share/elasticsearch/lib/compress-lzf-1.0.2.jar
/usr/share/elasticsearch/lib/elasticsearch-2.4.4.jar
/usr/share/elasticsearch/lib/guava-18.0.jar
/usr/share/elasticsearch/lib/hppc-0.7.1.jar
/usr/share/elasticsearch/lib/jackson-core-2.8.1.jar
/usr/share/elasticsearch/lib/jackson-dataformat-cbor-2.8.1.jar
/usr/share/elasticsearch/lib/jackson-dataformat-smile-2.8.1.jar
/usr/share/elasticsearch/lib/jackson-dataformat-yaml-2.8.1.jar
/usr/share/elasticsearch/lib/jna-4.1.0.jar
/usr/share/elasticsearch/lib/joda-time-2.9.5.jar
/usr/share/elasticsearch/lib/jsr166e-1.1.0.jar
/usr/share/elasticsearch/lib/jts-1.13.jar
/usr/share/elasticsearch/lib/log4j-1.2.17.jar
/usr/share/elasticsearch/lib/lucene-analyzers-common-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-backward-codecs-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-core-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-grouping-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-highlighter-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-join-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-memory-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-misc-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-queries-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-queryparser-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-sandbox-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-spatial-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-spatial3d-5.5.2.jar
/usr/share/elasticsearch/lib/lucene-suggest-5.5.2.jar
/usr/share/elasticsearch/lib/netty-3.10.6.Final.jar
/usr/share/elasticsearch/lib/securesm-1.0.jar
/usr/share/elasticsearch/lib/snakeyaml-1.15.jar
/usr/share/elasticsearch/lib/spatial4j-0.5.jar
/usr/share/elasticsearch/lib/t-digest-3.0.jar
/usr/share/elasticsearch/modules
/usr/share/elasticsearch/modules/lang-expression
/usr/share/elasticsearch/modules/lang-expression/antlr4-runtime-4.5.1-1.jar
/usr/share/elasticsearch/modules/lang-expression/asm-5.0.4.jar
/usr/share/elasticsearch/modules/lang-expression/asm-commons-5.0.4.jar
/usr/share/elasticsearch/modules/lang-expression/lang-expression-2.4.4.jar
/usr/share/elasticsearch/modules/lang-expression/lucene-expressions-5.5.2.jar
/usr/share/elasticsearch/modules/lang-expression/plugin-descriptor.properties
/usr/share/elasticsearch/modules/lang-expression/plugin-security.policy
/usr/share/elasticsearch/modules/lang-groovy
/usr/share/elasticsearch/modules/lang-groovy/groovy-2.4.6-indy.jar
/usr/share/elasticsearch/modules/lang-groovy/lang-groovy-2.4.4.jar
/usr/share/elasticsearch/modules/lang-groovy/plugin-descriptor.properties
/usr/share/elasticsearch/modules/lang-groovy/plugin-security.policy
/usr/share/elasticsearch/modules/reindex
/usr/share/elasticsearch/modules/reindex/plugin-descriptor.properties
/usr/share/elasticsearch/modules/reindex/reindex-2.4.4.jar
/usr/share/elasticsearch/plugins
/var/lib/elasticsearch
/var/log/elasticsearch
/var/run/elasticsearch

graylog

Zu guter letzt installieren wir nun noch Pakete graylog sowie das Zusatzprogramm pwgen zum Generieren von Passwörtern, natürlich auch dieses mal mit Unterstützung von YUM.

 # yum install graylog-server pwgen -y

Auch hier können wir uns einen Überblick verschaffen, welche Verzeichnisse angelegt und Dateien dort abgelegt wurden.

 # rpm -qil graylog-server
Name        : graylog-server
Version     : 2.3.1
Release     : 1
Architecture: noarch
Install Date: Wed 27 Sep 2017 11:26:28 AM CEST
Group       : optional
Size        : 110416070
License     : GPLv3
Signature   : RSA/SHA1, Fri 25 Aug 2017 03:57:24 PM CEST, Key ID d44c1d8db1606f22
Source RPM  : graylog-server-2.3.1-1.src.rpm
Build Date  : Fri 25 Aug 2017 03:57:17 PM CEST
Build Host  : 5ee9456006b4
Relocations : / 
Packager    : Graylog, Inc. <hello@graylog.org>
Vendor      : graylog
URL         : https://www.graylog.org/
Summary     : Graylog server
Description :
Graylog server
/etc/graylog/server/log4j2.xml
/etc/graylog/server/server.conf
/etc/init.d/graylog-server
/etc/sysconfig/graylog-server
/usr/lib/systemd/system/graylog-server.service
/usr/share/graylog-server/bin/graylog-server
/usr/share/graylog-server/contentpacks/grok-patterns.json
/usr/share/graylog-server/graylog.jar
/usr/share/graylog-server/installation-source.sh
/usr/share/graylog-server/lib/sigar/libsigar-amd64-linux.so
/usr/share/graylog-server/lib/sigar/libsigar-x86-linux.so
/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.3.1.jar
/usr/share/graylog-server/plugin/graylog-plugin-beats-2.3.1.jar
/usr/share/graylog-server/plugin/graylog-plugin-collector-2.3.1.jar
/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.3.1.jar
/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.3.1.jar
/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.3.1.jar
 # rpm -qil pwgen
Name        : pwgen
Version     : 2.07
Release     : 1.el7
Architecture: x86_64
Install Date: Mon 28 Dec 2015 09:54:47 AM CET
Group       : Applications/System
Size        : 37925
License     : GPL+
Signature   : RSA/SHA256, Sat 06 Dec 2014 03:49:56 PM CET, Key ID 6a2faea2352c64e5
Source RPM  : pwgen-2.07-1.el7.src.rpm
Build Date  : Fri 05 Dec 2014 06:56:18 PM CET
Build Host  : buildvm-08.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://sf.net/projects/pwgen
Summary     : Automatic password generation
Description :
pwgen generates random, meaningless but pronounceable passwords. These
passwords contain either only lowercase letters, or upper and lower case, or
upper case, lower case and numeric digits. Upper case letters and numeric
digits are placed in a way that eases memorizing the password.
/usr/bin/pwgen
/usr/share/doc/pwgen-2.07
/usr/share/doc/pwgen-2.07/changelog
/usr/share/doc/pwgen-2.07/copyright
/usr/share/man/man1/pwgen.1.gz

Nachdem wir die Installation aller benötigten Programmpakete erfolgreich abgeschlossen haben, können wir uns nun an die Installation der einzelnen Komponenten wagen.

MongoDB

Obwohl in der MongoDB nur Metainformationen gespeichert und vorgehalten werden, wollen wir diese NoSQL-Datenbank absichern, indem wir einen Datenbankbenutzer mit Passwort anlegen. Somit ist sichergestellt, dass kein unbefugter Daten der MongoDB abrufen, ändern oder gar löschen kann.

Start des Daemon

Unsere Konfigurationsänderungen werden mit Hilfe von mongo der MongoDB Shell vorgenommen. Dieses JavaScript stellt die Benutzerschnittstelle zum eigentlichen MongoDN-Daemon zur Verfügung. Damit sich der Client mit dem Server auch verbinden kann, muss der Server natürlich laufen; wir starten also nun unsere NoSQL-Datenbank mit folgendem Befehl.

 # systemctl start mongod.service

Den Serverstatus können wir wie folgt abfragen.

 # systemctl status mongod.service

mongod.service - High-performance, schema-free document-oriented database
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-02-15 18:48:36 CET; 16s ago
  Process: 1774 ExecStart=/usr/bin/mongod $OPTIONS run (code=exited, status=0/SUCCESS)
 Main PID: 1776 (mongod)
   CGroup: /system.slice/mongod.service
           └─1776 /usr/bin/mongod --quiet -f /etc/mongod.conf run

Feb 15 18:48:08 vml000117.dmz.nausch.org systemd[1]: Starting High-performance, schema-free document-oriented database...
Feb 15 18:48:08 vml000117.dmz.nausch.org mongod[1774]: about to fork child process, waiting until server is ready for connections.
Feb 15 18:48:08 vml000117.dmz.nausch.org mongod[1774]: forked process: 1776
Feb 15 18:48:36 vml000117.dmz.nausch.org systemd[1]: Started High-performance, schema-free document-oriented database.

Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.

 # less /var/log/mongodb/mongod.log
2017-02-15T18:48:08.128+0100 [initandlisten] MongoDB starting : pid=1776 port=27017 dbpath=/var/lib/mongodb 64-bit host=vml000117.dmz.nausch.org
2017-02-15T18:48:08.128+0100 [initandlisten] db version v2.6.12
2017-02-15T18:48:08.128+0100 [initandlisten] git version: nogitversion
2017-02-15T18:48:08.128+0100 [initandlisten] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
2017-02-15T18:48:08.128+0100 [initandlisten] build info: Linux buildvm-09.phx2.fedoraproject.org 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 BOOST_LIB_VERSION=1_53
2017-02-15T18:48:08.128+0100 [initandlisten] allocator: tcmalloc
2017-02-15T18:48:08.128+0100 [initandlisten] options: { command: [ "run" ], config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1", unixDomainSocket: { pathPrefix: "/var/run/mongodb" } }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, storage: { dbPath: "/var/lib/mongodb" }, systemLog: { destination: "file", path: "/var/log/mongodb/mongod.log", quiet: true } }
2017-02-15T18:48:08.129+0100 [initandlisten] 
2017-02-15T18:48:08.129+0100 [initandlisten] ** WARNING: Readahead for /var/lib/mongodb is set to 4096KB
2017-02-15T18:48:08.129+0100 [initandlisten] **          We suggest setting it to 256KB (512 sectors) or less
2017-02-15T18:48:08.129+0100 [initandlisten] **          http://dochub.mongodb.org/core/readahead
2017-02-15T18:48:08.137+0100 [initandlisten] journal dir=/var/lib/mongodb/journal
2017-02-15T18:48:08.137+0100 [initandlisten] recover : no journal files present, no recovery needed
2017-02-15T18:48:08.753+0100 [initandlisten] preallocateIsFaster=true 3.1
2017-02-15T18:48:09.373+0100 [initandlisten] preallocateIsFaster=true 3.46
2017-02-15T18:48:11.034+0100 [initandlisten] preallocateIsFaster=true 4.04
2017-02-15T18:48:11.034+0100 [initandlisten] preallocating a journal file /var/lib/mongodb/journal/prealloc.0
2017-02-15T18:48:14.001+0100 [initandlisten]            File Preallocator Progress: 1038090240/1073741824       96%
2017-02-15T18:48:17.842+0100 [initandlisten] preallocating a journal file /var/lib/mongodb/journal/prealloc.1
2017-02-15T18:48:20.207+0100 [initandlisten]            File Preallocator Progress: 629145600/1073741824        58%
2017-02-15T18:48:23.024+0100 [initandlisten]            File Preallocator Progress: 1069547520/1073741824       99%
2017-02-15T18:48:25.594+0100 [initandlisten] preallocating a journal file /var/lib/mongodb/journal/prealloc.2
2017-02-15T18:48:28.018+0100 [initandlisten]            File Preallocator Progress: 293601280/1073741824        27%
2017-02-15T18:48:31.022+0100 [initandlisten]            File Preallocator Progress: 975175680/1073741824        90%
2017-02-15T18:48:36.415+0100 [initandlisten] allocating new ns file /var/lib/mongodb/local.ns, filling with zeroes...
2017-02-15T18:48:36.553+0100 [FileAllocator] allocating new datafile /var/lib/mongodb/local.0, filling with zeroes...
2017-02-15T18:48:36.554+0100 [FileAllocator] creating directory /var/lib/mongodb/_tmp
2017-02-15T18:48:36.575+0100 [FileAllocator] done allocating datafile /var/lib/mongodb/local.0, size: 64MB,  took 0.017 secs
2017-02-15T18:48:36.583+0100 [initandlisten] build index on: local.startup_log properties: { v: 1, key: { _id: 1 }, name: "_id_", ns: "local.startup_log" }
2017-02-15T18:48:36.583+0100 [initandlisten]     added index to empty collection
2017-02-15T18:48:36.586+0100 [initandlisten] command local.$cmd command: create { create: "startup_log", size: 10485760, capped: true } ntoreturn:1 keyUpdates:0 numYields:0  reslen:37 168ms
2017-02-15T18:48:36.587+0100 [initandlisten] waiting for connections on port 27017

Standardmässig öffnet der MongoDB-Daemon den Port 27017. Dies können wir wie folgt auch überprüfen:

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      184        19185      1984/mongod

Anpassung des Readahead-Parameters

Im Logfile finden wir eine Readahead-Warnmeldung mit dem Hinweis, dass die readahead-Einstellungen für das Block-Gerät auf dem die MongoDB gespeichert wurde nicht optimal zum Speichern der NoSQL-Datenbank MongoDB geeigent ist.

2017-02-15T18:48:08.129+0100 [initandlisten] ** WARNING: Readahead for /var/lib/mongodb is set to 4096KB
2017-02-15T18:48:08.129+0100 [initandlisten] **          We suggest setting it to 256KB (512 sectors) or less
2017-02-15T18:48:08.129+0100 [initandlisten] **          http://dochub.mongodb.org/core/readahead

Zunächst suchen wir, auf welchem Blockdevice das Verzeichnis /var/lib/mongodb liegt.

 # mount | grep /var/lib/mongodb
/dev/vdb1 on /var/lib/mongodb type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Fragen wir die Einstellungen unserer Blockdevices ab erhalten wir zunächst:

 # blockdev --report
RO    RA   SSZ   BSZ   StartSec            Size   Device
rw  8192   512  4096          0     31457280000   /dev/vda
rw  8192   512   512       2048      1073741824   /dev/vda1
rw  8192   512  4096    2099200     30067916800   /dev/vda2
rw  8192   512  4096          0     10485760000   /dev/vdb
rw  8192   512   512       2048     10484711424   /dev/vdb1
rw  8192   512  4096          0     26214400000   /dev/vdc
rw  8192   512   512       2048     26213351424   /dev/vdc1
rw  8192   512   512          0     10737418240   /dev/dm-0
rw  8192   512  4096          0      4294967296   /dev/dm-1
rw  8192   512   512          0     10737418240   /dev/dm-2
rw  8192   512   512          0      4294967296   /dev/dm-3

Wir setzen nunmehr den Wert RA auf die empfohlene Grösse von 256KB (512 sectors) für das Blockdevice /dev/vdb1 auf dem unsere MongoDB bespeichert wird.

 # blockdev --setra 256 /dev/vdb1

Fragen wir erneut die Einstellungen für /dev/vdb1 sehen wir, dass der Parameter RA nun den Wert von 256 hat.

 # blockdev --report | grep /dev/vdb1
rw   256   512   512       2048     10484711424   /dev/vdb1

Wenn abschliessend starten wir nun den MongoDB-Daemon einmal durch, damit unsere Änderung auch wirksam werden kann.

 # systemctl restart mongod.service

Die Warnmeldung ist nunmehr verschwunden.

 # less /var/log/mongodb/mongod.log
2017-02-15T19:21:44.956+0100 [initandlisten] MongoDB starting : pid=2202 port=27017 dbpath=/var/lib/mongodb 64-bit host=vml000117.dmz.nausch.org
2017-02-15T19:21:44.956+0100 [initandlisten] db version v2.6.12
2017-02-15T19:21:44.956+0100 [initandlisten] git version: nogitversion
2017-02-15T19:21:44.956+0100 [initandlisten] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
2017-02-15T19:21:44.956+0100 [initandlisten] build info: Linux buildvm-09.phx2.fedoraproject.org 4.7.2-201.fc24.x86_64 #1 SMP Fri Aug 26 15:58:40 UTC 2016 x86_64 BOOST_LIB_VERSION=1_53
2017-02-15T19:21:44.956+0100 [initandlisten] allocator: tcmalloc
2017-02-15T19:21:44.956+0100 [initandlisten] options: { command: [ "run" ], config: "/etc/mongod.conf", net: { bindIp: "127.0.0.1", unixDomainSocket: { pathPrefix: "/var/run/mongodb" } }, processManagement: { fork: true, pidFilePath: "/var/run/mongodb/mongod.pid" }, storage: { dbPath: "/var/lib/mongodb" }, systemLog: { destination: "file", path: "/var/log/mongodb/mongod.log", quiet: true } }
2017-02-15T19:21:44.964+0100 [initandlisten] journal dir=/var/lib/mongodb/journal
2017-02-15T19:21:44.965+0100 [initandlisten] recover : no journal files present, no recovery needed
2017-02-15T19:21:45.007+0100 [initandlisten] waiting for connections on port 27017

Die eben gemachte Konfigurationsberichtigung wird aber bei einem Reboot des Servers wieder verworfen. Wir müssen also dafür sorgen, dass der readahead-Wert bei einem Neustart des Systems auf den gewünschten Wert 256 gesetzt wird. Hierzu legen wir uns ein kleines Bash-Script an.

 #  vim /usr/local/bin/setra256
/usr/local/bin/setra256
#!/bin/bash
# Django : 2017-02-14
# Setzen des readahead Wertes auf 256KB (512 Sektoren)
/usr/sbin/blockdev --setra 256 /dev/vdb1

Das gerade angelegte Script statten wir nun mit den x-Dateirechten aus.

 # chmod +x /usr/local/bin/setra256

Nun müssen wir nur noch dafür sorgen, dass dieses Script bei einem Neustart gestartet wird. Dazu legen wir uns einen eigenen „kleinen Service“ an, in dem wir im Verzeichnis /etc/systemd/system/ eine systemd-Startscript anlegen.

 # vim /etc/systemd/system/setra256.service
/etc/systemd/system/setra256.service
[Unit]
Description=Initialize hardware monitoring sensors
After=syslog.target network.target
Before=mongod.service
 
[Service]
Type=oneshot
ExecStart=/usr/local/bin/setra256
 
[Install]
WantedBy=multi-user.target

Zu guter Letzt führen wir noch einen Reload des Systemd-Daemon durch und wir haben künftig immer den richtig gesetzten readahead von 256 gesetzt.

 # systemctl daemon-reload

Damit nun beim Booten des Servers dieses Startscript automatisch angestartet wird, aktivieren wir dies nun.

 # systemctl enable setra256.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/setra256.service to /etc/systemd/system/setra256.service.

automatischer Start des Daemon

Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.

 # systemctl enable mongod.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mongod.service to /usr/lib/systemd/system/mongod.service.

Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf.

 # systemctl is-enabled mongod.service
enabled

Datenbanknutzer anlegen

Wie bereits kurz erwähnt wollen wir unsere MongoDB absichern, indem wir einen Datenbankbenutzer mit Passwort anlegen. Dazu verbinden wir uns erst einmal mit der MongoDB Shell mongo. Dieses JavaScript stellt die Benutzerschnittstelle zum eigentlichen MongoDN-Daemon zur Verfügung. Damit sich der Client mit dem Server auch verbinden kann, muss der Server natürlich laufen. Bei Bedarf starten wir also unsere NoSQL-Datenbank mit folgendem Befehl.

 # systemctl start mongod.service

Nun können wir uns mit der MongoDB Shell verbinden.

 # mongo
MongoDB shell version: 2.6.11
connecting to: test
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
        http://docs.mongodb.org/
Questions? Try the support group
        http://groups.google.com/group/mongodb-user
> 

Zunächst wechseln wir zur Datenbank admin mit folgendem Aufruf.

> use admin
switched to db admin
>

Anschließend legen wir den Datenbankadministrator admin mit dem Passwort 5y510953rv3r53cr37 an.

> db.createUser({user:"admin",pwd:"5y510953rv3r53cr37",roles:[{role:"root",db:"admin"}]})
Successfully added user: {
        "user" : "admin",
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                }
        ]
}
> 

Für den Zugriff von graylog auf die NoSQL-Datenbang MongoDB erstellen wir uns nun noch einen separaten Nutzer graylog-user mit dem zugehörigen Passwort 7h3FBI15n07ar0ckb4and. Bevor wir diesen Datenbank-Account anlegen, erstellen und wechseln wir noch zur Datenbank graylog.

> use graylog
switched to db graylog

Nun können wir auch unseren User graylog-user anlegen.

> db.createUser({user:"graylog-user",pwd:"7h3FBI15n07ar0ckb4and",roles:["readWrite"]})
Successfully added user: { "user" : "graylog-user", "roles" : [ "readWrite" ] }
> 

Wir haben die nötigen Definitionen erfolgreich zu Ende gebracht und nun können wir die MongoDB Shell mongo wieder verlassen.

> exit
bye

Zum Testen, ob unser Datenbanknutzer graylog-user sich auch erfolgreich mit der NoSQL-Datenbank graylog verbinden kann, melden wir uns mit dessen Daten an und fragen die vorhandenen Datenbanken ab.

 # mongo -u "graylog-user" -p "7h3FBI15n07ar0ckb4and" 127.0.0.1:27017/graylog
MongoDB shell version: 2.6.12
connecting to: 127.0.0.1:27017/test
> 

Eine Übersicht der unterstützeten Befehlen können wir uns mit dem Befehl help anzeigen lassen.

> help
	db.help()                    help on db methods
	db.mycoll.help()             help on collection methods
	sh.help()                    sharding helpers
	rs.help()                    replica set helpers
	help admin                   administrative help
	help connect                 connecting to a db help
	help keys                    key shortcuts
	help misc                    misc things to know
	help mr                      mapreduce

	show dbs                     show database names
	show collections             show collections in current database
	show users                   show users in current database
	show profile                 show most recent system.profile entries with time >= 1ms
	show logs                    show the accessible logger names
	show log [name]              prints out the last segment of log in memory, 'global' is default
	use <db_name>                set current database
	db.foo.find()                list objects in collection foo
	db.foo.find( { a : 1 } )     list objects in foo where a == 1
	it                           result of the last line evaluated; use to further iterate
	DBQuery.shellBatchSize = x   set default number of items to display on shell
	exit                         quit the mongo shell

Die Tabellen der gewählten Datenbank kann man sich mit dem Befehl show collections anzeigen lassen.

> show collections
alarmcallbackconfigurations
alarmcallbackhistory
alerts
cluster_config
cluster_events
collectors
content_packs
dashboards
dead_letters
grok_patterns
index_failures
index_ranges
inputs
ldap_settings
nodes
notifications
roles
sessions
streamrules
streams
system.indexes
system_messages
users
>

Da der Zugriff klappte, können wir die Datenbankverbindung wieder beenden.

> exit
bye

Geben wir ein falsches Passwort ein, wird natürlich der Zugang verwehrt.

 # mongo -u "graylog-user" -p "7h3FBI15ar0ckb4and" 127.0.0.1:27017/graylog
MongoDB shell version: 2.6.12
connecting to: 127.0.0.1:27017/test
2017-02-16T09:50:27.265+0100 Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 } at src/mongo/shell/db.js:1292
exception: login failed

Zum Abschluss unterbinden wir nun noch den Passwortlosen Zugang zur MongoDB. Der Parameter auth im Abschnitt General options der Konfigurationsdatei /etc/mongod.conf

 # vim /etc/mongod.conf
/etc/mongod.conf
##                                       
### Basic Defaults                       
##                                       
 
# Comma separated list of ip addresses to listen on (all local ips by default)
bind_ip = 127.0.0.1                                                           
 
# Specify port number (27017 by default)
#port = 27017                           
 
# Fork server process (false by default)
fork = true                             
 
# Full path to pidfile (if not set, no pidfile is created)
pidfilepath = /var/run/mongodb/mongod.pid                 
 
# Log file to send write to instead of stdout - has to be a file, not directory
logpath = /var/log/mongodb/mongod.log                                          
 
# Alternative directory for UNIX domain sockets (defaults to /tmp)
unixSocketPrefix = /var/run/mongodb                               
 
# Directory for datafiles (defaults to /data/db/)
dbpath = /var/lib/mongodb                        
 
# Enable/Disable journaling (journaling is on by default for 64 bit)
#journal = true                                                     
#nojournal = true                                                   
 
 
 
##
### General options
##                 
 
# Be more verbose (include multiple times for more verbosity e.g. -vvvvv) (v by default)
#verbose = v                                                                            
 
# Max number of simultaneous connections (1000000 by default)
#maxConns = 1000000                                          
 
# Log to system's syslog facility instead of file or stdout (false by default)
#syslog = true                                                                
 
# Syslog facility used for monogdb syslog message (user by defautl)
#syslogFacility = user                                             
 
# Append to logpath instead of over-writing (false by default)
#logappend = true                                             
 
# Desired format for timestamps in log messages (One of ctime, iso8601-utc or iso8601-local) (iso8601-local by default)
#timeStampFormat = arg                                                                                                 
 
# Private key for cluster authentication
#keyFile = arg                          
 
# Set a configurable parameter
#setParameter = arg           
 
# Enable http interface (false by default)
#httpinterface = true                     
 
# Authentication mode used for cluster authentication. Alternatives are (keyFile|sendKeyFile|sendX509|x509) (keyFile by default)
#clusterAuthMode = arg                                                                                                          
 
# Disable listening on unix sockets (false by default)
#nounixsocket = true                                  
 
# Run with/without security (without by default)
#auth = true                                    
#noauth = true                                  
# Django : 2015-12-23 - Passwortlose logins unterbinden
# default: #auth = true                                
#          #noauth = true                              
auth = true                                            
 
# Enable IPv6 support (disabled by default)
#ipv6 = true                               
 
# Allow JSONP access via http (has security implications) (false by default)
#jsonp = true                                                               
 
# Turn on simple rest api (false by default)
#rest = true                                
 
# Value of slow for profile and console log (100 by default)
#slowms = 100                                               
 
# 0=off 1=slow, 2=all (0 by default)
#profile = 0                        
 
# Periodically show cpu and iowait utilization (false by default)
#cpu = true                                                      
 
# Print some diagnostic system information (false by default)
#sysinfo = true                                              
 
# Each database will be stored in a separate directory (false by default)
#directoryperdb = true                                                   
 
# Don't retry any index builds that were interrupted by shutdown (false by default)
#noIndexBuildRetry = true                                                          
 
# Disable data file preallocation - will often hurt performance (false by default)
#noprealloc = true                                                                
 
# .ns file size (in MB) for new databases (16 MB by default)
#nssize = 16                                                
 
# Limits each database to a certain number of files (8 default)
#quota                                                         
 
# Number of files allowed per db, implies --quota (8 by default)
#quotaFiles = 8                                                 
 
# Use a smaller default file size (false by default)
#smallfiles = true                                  
 
# Seconds between disk syncs (0=never, but not recommended) (60 by default)
#syncdelay = 60                                                            
 
# Upgrade db if needed (false by default)
#upgrade = true                          
 
# Run repair on all dbs (false by default)
#repair = true                            
 
# Root directory for repair files (defaults to dbpath)
#repairpath = arg                                     
 
# Disable scripting engine (false by default)
#noscripting = true                          
 
# Do not allow table scans (false by default)
#notablescan = true                          
 
# Journal diagnostic options (0 by default)
#journalOptions = 0                        
 
# How often to group/batch commit (ms) (100 or 30 by default)
#journalCommitInterval = 100                                 
 
 
 
##
### Replication options
##                     
 
# Size to use (in MB) for replication op log (default 5% of disk space - i.e. large is good)
#oplogSize = arg                                                                            
 
 
 
##
### Master/slave options (old; use replica sets instead)
##                                                      
 
# Master mode
#master = true
 
# Slave mode
#slave = true
 
# When slave: specify master as <server:port>
#source = arg                                
 
# When slave: specify a single database to replicate
#only = arg                                         
 
# Specify delay (in seconds) to be used when applying master ops to slave
#slavedelay = arg                                                        
 
# Automatically resync if slave data is stale
#autoresync = true                           
 
 
 
##
### Replica set options
##                     
 
# Arg is <setname>[/<optionalseedhostlist>]
#replSet = arg
 
# Specify index prefetching behavior (if secondary) [none|_id_only|all] (all by default)
#replIndexPrefetch = all
 
 
 
##
### Sharding options
##
 
# Declare this is a config db of a cluster (default port 27019; default dir /data/configdb) (false by default)
#configsvr = true
 
# Declare this is a shard db of a cluster (default port 27018)  (false by default)
#shardsvr = true
 
 
 
##
### SSL options
##
 
# Use ssl on configured ports
#sslOnNormalPorts = true
 
# Set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL)
# sslMode = arg
 
# PEM file for ssl
#sslPEMKeyFile = arg
 
# PEM file password
#sslPEMKeyPassword = arg
 
# Key file for internal SSL authentication
#sslClusterFile = arg
 
# Internal authentication key file password
#sslClusterPassword = arg
 
# Certificate Authority file for SSL
#sslCAFile = arg
 
# Certificate Revocation List file for SSL
#sslCRLFile = arg
 
# Allow client to connect without presenting a certificate
#sslWeakCertificateValidation = true
 
# Allow server certificates to provide non-matching hostnames
#sslAllowInvalidHostnames = true
 
# Allow connections to servers with invalid certificates
#sslAllowInvalidCertificates = true
 
# Activate FIPS 140-2 mode at startup
#sslFIPSMode = true

Nun werden wir den MongoDB-Daemon einmal noch durchstarten, damit die durchgeführten Änderungen auch aktiv werden.

 # systemctl restart mongod.service

Ein Zugriffversuch ohne Benutzerkennung samt Passwort ist ab sofort nicht mehr möglich.

> show dbs
2017-02-16T10:01:49.456+0100 listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13
} at src/mongo/shell/mongo.js:47

Elasticsearch

In diesem Abschnitt werden wir nun den Suchserver elasticsearch, der auch die eigentlichen Nutztdaten von graylog vorhalten wird, konfigurieren.

In der Dokumentation von graylog im Abschnitt Architectural considerations finden wir folgenden Hinweis:


Elasticsearch nodes should have as much RAM as possible and the fastest disks you can get. Everything depends on I/O speed here.

Diesem Vorschlag wollen wir nun in die Tat umsetzen. Beim Blockdevice haben wir in unserem Konfigurationsbeispiel bereits ein RAID aus schnellen Server-SSD's verwendet. Nun werden wir dem elasticsearch-Daemon noch mehr an RAM zugestehen. Hierzu werden wir nun den Parameter vm.max_map_count anpassen. Zunächst aber fragen wird den aktuellen Wert von vm.max_map_count erst einmal ab.

 # sysctl vm.max_map_count
vm.max_map_count = 65530

In der Dokumentation von elasticsearch zum virtuellen Speicherverbrauch wird empfohlen, den großzügigen Wert von 262144 zu setzen. Während der Laufzeit des Systems können wir die Änderung mit folgendem Befehl vornehmen.

 # sysctl -w vm.max_map_count=262144
vm.max_map_count = 262144

Damit die Werteanpassung resetfest, also bei jedem Neustart des Servers auf den gewünschten Wert gesetzt wird, bearbeiten wir die Datei /etc/sysctl.conf.

 # vim /etc/sysctl.conf
/etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
# Django : 2015-12-23 - den virtuellen Speicherverbrauch von elasticsearch anpassen
vm.max_map_count=262144

elasticsearch.yml

Eine Beschreibung der Konfigurationsoptionen finden sich im Abschnitt Configuring Elasticsearch der Elasticsearch-Dokumentation. Laut der Installationsdokumentation von graylog beschränkt sich die Konfiguration von elasticsearch auf das Setzen des cluster name. Den Node Name setzen wir im dem Zuge auf den Hoastname unseres Syslog-Servers.

The only important thing for Elasticsearch is that you set the exactly same cluster name (e. g. ``cluster.name: graylog``) that is being used by Graylog in the Elasticsearch configuration (``conf/elasticsearch.yml``).

In der Dokumentation Setup Configuration werden wir noch den Parameter bootstrap.memory_lock auf true setzen.

 # vim /etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please see the documentation for further information on configuration options:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/setup-configuration.html>
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
# Django : 2017-02-14
# default: # cluster.name: my-application
cluster.name: graylog
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
# Django : 2017-02-14
# default: # node.name: node-1
node.name: vml000117
#
# Add custom attributes to the node:
#
# node.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
# path.data: /path/to/data
#
# Path to log files:
#
# path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
# Django : 2017-02-14
# default: # bootstrap.memory_lock: true
bootstrap.memory_lock: true
#
# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory
# available on the system and that the owner of the process is allowed to use this limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
# network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
# http.port: 9200
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html>
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
#
# discovery.zen.minimum_master_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-discovery.html>
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
# gateway.recover_after_nodes: 3
#
# For more information, see the documentation at:
# <http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-gateway.html>
#
# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
# node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
# action.destructive_requires_name: true

/etc/sysconfig/elasticsearch

Da wir die Konfigurationsoption bootstrap.memory_lock in der Konfigurationsdatei /etc/elasticsearch/elasticsearch.yml auf den wert true gesetzt haben, wie dies in der Dokumentation Heap: Sizing and Swapping angeraten wurde, müssen wir noch die Konfigurationsdatei /etc/sysconfig/elasticsearch anpassen.

 # vim /etc/sysconfig/elasticsearch
/etc/sysconfig/elasticsearch
################################
# Elasticsearch
################################
 
# Elasticsearch home directory
#ES_HOME=/usr/share/elasticsearch
 
# Elasticsearch configuration directory
#CONF_DIR=/etc/elasticsearch
 
# Elasticsearch data directory
#DATA_DIR=/var/lib/elasticsearch
 
# Elasticsearch logs directory
#LOG_DIR=/var/log/elasticsearch
 
# Elasticsearch PID directory
#PID_DIR=/var/run/elasticsearch
 
# Heap size defaults to 256m min, 1g max
# Set ES_HEAP_SIZE to 50% of available RAM, but no more than 31g
# Django : 2017-02-14
# default: #ES_HEAP_SIZE=2g
ES_HEAP_SIZE=4g
 
# Heap new generation
#ES_HEAP_NEWSIZE=
 
# Maximum direct memory
#ES_DIRECT_SIZE=
 
# Additional Java OPTS
#ES_JAVA_OPTS=
 
# Configure restart on package upgrade (true, every other setting will lead to not restarting)
#RESTART_ON_UPGRADE=true
 
# Path to the GC log file
#ES_GC_LOG_FILE=/var/log/elasticsearch/gc.log
 
################################
# Elasticsearch service
################################
 
# SysV init.d
#
# When executing the init script, this user will be used to run the elasticsearch service.
# The default value is 'elasticsearch' and is declared in the init.d file.
# Note that this setting is only used by the init script. If changed, make sure that
# the configured user can read and write into the data, work, plugins and log directories.
# For systemd service, the user is usually configured in file /usr/lib/systemd/system/elasticsearch.service
#ES_USER=elasticsearch
#ES_GROUP=elasticsearch
 
# The number of seconds to wait before checking if Elasticsearch started successfully as a daemon process
ES_STARTUP_SLEEP_TIME=5
 
################################
# System properties
################################
 
# Specifies the maximum file descriptor number that can be opened by this process
# When using Systemd, this setting is ignored and the LimitNOFILE defined in
# /usr/lib/systemd/system/elasticsearch.service takes precedence
#MAX_OPEN_FILES=65536
 
# The maximum number of bytes of memory that may be locked into RAM
# Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option
# in elasticsearch.yml (ES_HEAP_SIZE  must also be set).
# When using Systemd, the LimitMEMLOCK property must be set
# in /usr/lib/systemd/system/elasticsearch.service
# Django : 2017-02-14
# default: #MAX_LOCKED_MEMORY=unlimited
MAX_LOCKED_MEMORY=unlimited
 
# Maximum number of VMA (Virtual Memory Areas) a process can own
# When using Systemd, this setting is ignored and the 'vm.max_map_count'
# property is set at boot time in /usr/lib/sysctl.d/elasticsearch.conf
#MAX_MAP_COUNT=262144

limits.conf

Da wir die Konfigurationsoption bootstrap.memory_lock in der Konfigurationsdatei /etc/elasticsearch/elasticsearch.yml auf den wert true gesetzt haben, wie dies in der Dokumentation Heap: Sizing and Swapping angeraten wurde, bedarf es auch noch einer Anpassung der Konfigurationsdatei /etc/security/limits.conf.

 # vim /etc/sysconfig/elasticsearch
 # vim /etc/security/limits.conf
/etc/security/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain>        <type>  <item>  <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following:
#        - core - limits the core file size (KB)
#        - data - max data size (KB)
#        - fsize - maximum filesize (KB)
#        - memlock - max locked-in-memory address space (KB)
#        - nofile - max number of open file descriptors
#        - rss - max resident set size (KB)
#        - stack - max stack size (KB)
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes
#        - as - address space limit (KB)
#        - maxlogins - max number of logins for this user
#        - maxsyslogins - max number of logins on the system
#        - priority - the priority to run user process with
#        - locks - max number of file locks the user can hold
#        - sigpending - max number of pending signals
#        - msgqueue - max memory used by POSIX message queues (bytes)
#        - nice - max nice priority allowed to raise to values: [-20, 19]
#        - rtprio - max realtime priority
#
#<domain>      <type>  <item>         <value>
#
 
#*               soft    core            0
#*               hard    rss             10000
#@student        hard    nproc           20
#@faculty        soft    nproc           20
#@faculty        hard    nproc           50
#ftp             hard    nproc           0
#@student        -       maxlogins       4
 
# Django : 2017-02-14 - Änderungen für elasticserach und dessen Speiucherverbrauch/-zugriff
# default: unset
# allow user 'elasticsearch' mlockall
elasticsearch    soft    memlock         unlimited
elasticsearch    hard    memlock         unlimited
 
# End of file

elasticsearch.service

Damit Parameter bootstrap.mlockall auch richtig gesetzt werden kann, ist noch eine Änderung an dem Systemd-Startscript notwendig! Dieses werden wir nun noch anpassen; hierzu kopieren wir uns nun das entsprechende Script nach /etc/systemd/system/.

 # cp -a /usr/lib/systemd/system/elasticsearch.service /etc/systemd/system/

In dieser Datei setzen wir den Parameter LimitMEMLOCK auf infinity.

 # vim /etc/systemd/system/elasticsearch.service
/etc/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
 
[Service]
Environment=ES_HOME=/usr/share/elasticsearch
Environment=CONF_DIR=/etc/elasticsearch
Environment=DATA_DIR=/var/lib/elasticsearch
Environment=LOG_DIR=/var/log/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
EnvironmentFile=-/etc/sysconfig/elasticsearch
 
WorkingDirectory=/usr/share/elasticsearch
 
User=elasticsearch
Group=elasticsearch
 
ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec
 
ExecStart=/usr/share/elasticsearch/bin/elasticsearch \
                                                -Des.pidfile=${PID_DIR}/elasticsearch.pid \
                                                -Des.default.path.home=${ES_HOME} \
                                                -Des.default.path.logs=${LOG_DIR} \
                                                -Des.default.path.data=${DATA_DIR} \
                                                -Des.default.path.conf=${CONF_DIR}
 
StandardOutput=journal
StandardError=inherit
 
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
 
# Specifies the maximum number of bytes of memory that may be locked into RAM
# Set to "infinity" if you use the 'bootstrap.memory_lock: true' option
# in elasticsearch.yml and 'MAX_LOCKED_MEMORY=unlimited' in /etc/sysconfig/elasticsearch
# Django : 2017-02-14
# default: #LimitMEMLOCK=infinity
LimitMEMLOCK=infinity
 
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
 
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
 
# Java process is never killed
SendSIGKILL=no
 
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
 
[Install]
WantedBy=multi-user.target
 
# Built for Distribution: RPM-2.4.4 (rpm)

Anschließend informieren wir den systemd über unser „updatesicheres“ Startscript.

 systemctl daemon-reload

Start des Daemon

Nachdem die Konfiguration unseres Elastricsearch-Daemon abgeschlossen ist, können wir diesen nun das erste mal manuell starten. Hierzu verwenden wir den Befehl systemctl.

 # systemctl start elasticsearch.service

Den Serverstatus können wir wie folgt abfragen.

 # systemctl status elasticsearch.service -l

elasticsearch.service - Elasticsearch
   Loaded: loaded (/etc/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-02-16 11:50:54 CET; 9min ago
     Docs: http://www.elastic.co
  Process: 1540 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 1542 (java)
   CGroup: /system.slice/elasticsearch.service
           └─1542 /bin/java -Xms4g -Xmx4g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.4.4.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start -Des.pidfile=/var/run/elasticsearch/elasticsearch.pid -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.conf=/etc/elasticsearch

Feb 16 11:51:02 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:02,770][INFO ][env                      ] [vml000117] using [1] data paths, mounts [[/var/lib/elasticsearch (/dev/vdc1)]], net usable_space [24.3gb], net total_space [24.4gb], spins? [possibly], types [xfs]
Feb 16 11:51:02 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:02,771][INFO ][env                      ] [vml000117] heap size [3.9gb], compressed ordinary object pointers [true]
Feb 16 11:51:06 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:06,974][INFO ][node                     ] [vml000117] initialized
Feb 16 11:51:06 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:06,974][INFO ][node                     ] [vml000117] starting ...
Feb 16 11:51:07 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:07,323][INFO ][transport                ] [vml000117] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
Feb 16 11:51:07 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:07,357][INFO ][discovery                ] [vml000117] graylog/wmPD98gQQDmoSAoQblrrQQ
Feb 16 11:51:10 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:10,658][INFO ][cluster.service          ] [vml000117] new_master {vml000117}{wmPD98gQQDmoSAoQblrrQQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
Feb 16 11:51:10 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:10,737][INFO ][http                     ] [vml000117] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
Feb 16 11:51:10 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:10,738][INFO ][node                     ] [vml000117] started
Feb 16 11:51:10 vml000117.dmz.nausch.org elasticsearch[1542]: [2017-02-16 11:51:10,777][INFO ][gateway                  ] [vml000117] recovered [0] indices into cluster_state

Im Datenverzeichnis /var/lib/elasticsearch werden für die Nutzdaten entsprechende Verzeichnisse und Dateien angelegt.

/var/lib/elasticsearch/
└── graylog
    └── nodes
        └── 0
            ├── node.lock
            └── _state
                └── global-0.st

Im Logpfad werden entsprechende Logdateien angelegt und beschrieben.

/var/log/elasticsearch/
├── graylog_deprecation.log
├── graylog_index_indexing_slowlog.log
├── graylog_index_search_slowlog.log
└── graylog.log

Die beiden Ports 9200 und 9300 wurden an den JAVA-Prozess von elasticsearch gebunden; dies können wir mit dem Befehl netstat abfragen.

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18547      1128/sshd           
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      184        17731      1145/mongod         
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      996        26037      1556/java           
tcp6       0      0 ::1:9200                :::*                    LISTEN      996        26036      1556/java           
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      996        25989      1556/java           
tcp6       0      0 ::1:9300                :::*                    LISTEN      996        25986      1556/java           

Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.

 # less /var/log/elasticsearch/graylog.log
[2017-02-16 11:51:01,455][INFO ][node                     ] [vml000117] version[2.4.4], pid[1542], build[fcbb46d/2017-01-03T11:33:16Z]
[2017-02-16 11:51:01,460][INFO ][node                     ] [vml000117] initializing ...
[2017-02-16 11:51:02,738][INFO ][plugins                  ] [vml000117] modules [reindex, lang-expression, lang-groovy], plugins [], sites []
[2017-02-16 11:51:02,770][INFO ][env                      ] [vml000117] using [1] data paths, mounts [[/var/lib/elasticsearch (/dev/vdc1)]], net usable_space [24.3gb], net total_space [24.4gb], spins? [possibly], types [xfs]
[2017-02-16 11:51:02,771][INFO ][env                      ] [vml000117] heap size [3.9gb], compressed ordinary object pointers [true]
[2017-02-16 11:51:06,974][INFO ][node                     ] [vml000117] initialized
[2017-02-16 11:51:06,974][INFO ][node                     ] [vml000117] starting ...
[2017-02-16 11:51:07,323][INFO ][transport                ] [vml000117] publish_address {127.0.0.1:9300}, bound_addresses {[::1]:9300}, {127.0.0.1:9300}
[2017-02-16 11:51:07,357][INFO ][discovery                ] [vml000117] graylog/wmPD98gQQDmoSAoQblrrQQ
[2017-02-16 11:51:10,658][INFO ][cluster.service          ] [vml000117] new_master {vml000117}{wmPD98gQQDmoSAoQblrrQQ}{127.0.0.1}{127.0.0.1:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)
[2017-02-16 11:51:10,737][INFO ][http                     ] [vml000117] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}
[2017-02-16 11:51:10,738][INFO ][node                     ] [vml000117] started
[2017-02-16 11:51:10,777][INFO ][gateway                  ] [vml000117] recovered [0] indices into cluster_state

automatischer Start des Daemon

Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.

 # systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.

Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf.

 # systemctl is-enabled elasticsearch.service
enabled

Test

Zum Testen unserer Konfigurationseinstellungen nutzen wir die Nodes Info API.

 # curl localhost:9200/_nodes/process?pretty
{
  "cluster_name" : "graylog",
  "nodes" : {
    "wmPD67gQQDmoSAoQblrrQQ" : {
      "name" : "vml000117",
      "transport_address" : "127.0.0.1:9300",
      "host" : "127.0.0.1",
      "ip" : "127.0.0.1",
      "version" : "2.4.4",
      "build" : "fcbb46d",
      "http_address" : "127.0.0.1:9200",
      "process" : {
        "refresh_interval_in_millis" : 1000,
        "id" : 1542,
        "mlockall" : true
      }
    }
  }
}

Den Zustand des elastic-Servers kann man sich mit folgendem Aufruf anzeigen lassen.

 # curl localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

graylog-server

Nachdem wir alle Vorbereitungen erfolgreich abgeschlossen haben, können wir uns nun der Konfiguration des graylog-server Daemons widmen.

/etc/graylog/server/server.conf

Die eigentliche Konfiguration unseres graylog-Servers wird in dessen Konfigurationsdatei /etc/graylog/server/server.conf vorgenommen.

Bevor wir diese öffnen und bearbeiten, erstellen wir uns noch zwei Dinge:

  1. Passwort-Hash
    Mit Hilfe des Passwort-Hash werden die Nutzerpassworte verschlüsselt. Diesen hash-Wert erstellen wir wie folgt:
     # pwgen -N 1 -s 128
    yCWAd48fvOmR7xAmcKezZ2C0v3mtaXCJjA7NfhBlSf98PTxHrf9SrCQDX2xgjCzrHpxoV5UNOEfQZsOP1gkWkYlDarD75tbtztPhR59O70yZchaJcyQTeHBZllQc8RcT
  2. Admin-Passwort
    Der administrative Benutzer admin benötigt noch ein zugehöriges Passwort, erzeugen wir nun mit folgendem Befehl.
    # echo -n N3v3r7ru57Y0URg0v3rnm3n7 | sha256sum
    38337fd07fd4ee02548053d7bed3ee33e3e0c593c2802941e2349fc52e80b98d  -

Diese beiden Werte hinterlegen wir nun in der Konfigurationsdatei unseres graylog-Daemon und passen anschließend die Konfigurationsoptionen unserer Umgebung an. Änderungen an den Default-Werten sind mit Django : <Zeitstempel> gekennzeichnet

 # vim /etc/graylog/server/server.conf
/etc/graylog/server/server.conf
############################
# GRAYLOG CONFIGURATION FILE
############################
#
# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
# Characters that cannot be directly represented in this encoding can be written using Unicode escapes
# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
# For example, \u002c.
# 
# * Entries are generally expected to be a single line of the form, one of the following:
#
# propertyName=propertyValue
# propertyName:propertyValue
#
# * White space that appears between the property name and property value is ignored,
#   so the following are equivalent:
# 
# name=Stephen
# name = Stephen
#
# * White space at the beginning of the line is also ignored.
#
# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
#
# * The property value is generally terminated by the end of the line. White space following the
#   property value is not ignored, and is treated as part of the property value.
#
# * A property value can span several lines if each line is terminated by a backslash (‘\’) character.
#   For example:
#
# targetCities=\
#         Detroit,\
#         Chicago,\
#         Los Angeles
#
#   This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
# 
# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
# 
# * The backslash character must be escaped as a double backslash. For example:
# 
# path=c:\\docs\\doc1
#
 
# If you are running more than one instances of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true
 
# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id
 
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
# Django : 2017-02-14
# default: password_secret =
password_secret = yCWAd48fvOmR7xAmcKezZ2C0v3mtaXCJjA7NfhBlSf98PTxHrf9SrCQDX2xgjCzrHpxoV5UNOEfQZsOP1gkWkYlDarD75tbtztPhR59O70yZchaJcyQTeHBZllQc8RcT
 
# The default root user is named 'admin'
# Django : 2017-02-14
# default: #root_username = admin
root_username = graylog-admin
 
# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
# Django : 2017-02-14
# default: root_password_sha2 =
root_password_sha2 = 38337fd07fd4ee02548053d7bed3ee33e3e0c593c2802941e2349fc52e80b98d 
 
# The email address of the root user.
# Default is empty
# Django : 2017-02-14
# default: #root_email = ""
root_email = "graylog-admin@nausch.org"
 
# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
# Django : 2017-02-14
# default: #root_timezone = UTC
root_timezone = Europe/Berlin
 
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin
 
# REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
# When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
# Django : 2017-02-14
# default: rest_listen_uri = http://127.0.0.1:9000/api/
rest_listen_uri = http://10.0.0.117:9000/api/
 
# REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
# the scheme, host name or URI.
# This must not contain a wildcard address (0.0.0.0).
# Django : 2017-02.14
# default: #rest_transport_uri = http://192.168.1.1:9000/api/
rest_transport_uri = http://10.0.0.117:9000/api/
 
# Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#rest_enable_cors = false
 
# Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#rest_enable_gzip = false
 
# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
#rest_enable_tls = true
 
# The X.509 certificate chain file in PEM format to use for securing the REST API.
#rest_tls_cert_file = /path/to/graylog.crt
 
# The PKCS#8 private key file in PEM format to use for securing the REST API.
#rest_tls_key_file = /path/to/graylog.key
 
# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret
 
# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192
 
# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096
 
# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16
 
# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
# header. May be subnets, or hosts.
#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
 
# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false
 
# Web interface listen URI.
# Configuring a path for the URI here effectively prefixes all URIs in the web interface. This is a replacement
# for the application.context configuration parameter in pre-2.0 versions of the Graylog web interface.
# Django : 2017-02-14
# default: #web_listen_uri = http://127.0.0.1:9000/
web_listen_uri = http://10.0.0.117:9000/
 
# Web interface endpoint URI. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL header.
# Default: $rest_transport_uri
# Django : 2017-02-16
# default: #web_endpoint_uri =
 
# Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
#web_enable_cors = false
 
# Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
# Django : 2017-02-14
# default: #web_enable_gzip = false
web_enable_gzip = true
 
# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
#web_enable_tls = true
 
# The X.509 certificate chain file in PEM format to use for securing the web interface.
#web_tls_cert_file = /path/to/graylog-web.crt
 
# The PKCS#8 private key file in PEM format to use for securing the web interface.
#web_tls_key_file = /path/to/graylog-web.key
 
# The password to unlock the private key used for securing the web interface.
#web_tls_key_password = secret
 
# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192
 
# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096
 
# The size of the thread pool used exclusively for serving the web interface.
#web_thread_pool_size = 16
 
# Configuration file for the embedded Elasticsearch instance in Graylog.
# Pay attention to the working directory of the server, maybe use an absolute path here.
# Default: empty
#elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml
 
# Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
# when to rotate the currently active write index.
# It supports multiple rotation strategies:
#   - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
#   - "size" per index, use elasticsearch_max_size_per_index below to configure
# valid values are "count", "size" and "time", default is "count"
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
# Django : 2017-02-14
# default: rotation_strategy = count
rotation_strategy = time
 
# (Approximate) maximum number of documents in an Elasticsearch index before a new index
# is being created, also see no_retention and elasticsearch_max_number_of_indices.
# Configure this if you used 'rotation_strategy = count' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
elasticsearch_max_docs_per_index = 20000000
 
# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
# Configure this if you used 'rotation_strategy = size' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
#elasticsearch_max_size_per_index = 1073741824
 
# (Approximate) maximum time before a new Elasticsearch index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
# Configure this if you used 'rotation_strategy = time' above.
# Please note that this rotation period does not look at the time specified in the received messages, but is
# using the real clock value to decide when to rotate the index!
# Specify the time using a duration and a suffix indicating which unit you want:
#  1w  = 1 week
#  1d  = 1 day
#  12h = 12 hours
# Permitted suffixes are: d for day, h for hour, m for minute, s for second.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
#elasticsearch_max_time_per_index = 1d
 
# Disable checking the version of Elasticsearch for being compatible with this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true
 
# Disable message retention on this node, i. e. disable Elasticsearch index rotation.
#no_retention = false
 
# How many indices do you want to keep?
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
elasticsearch_max_number_of_indices = 20
 
# Decide what happens with the oldest indices when the maximum number of indices is reached.
# The following strategies are availble:
#   - delete # Deletes the index completely (Default)
#   - close # Closes the index and hides it from the system. Can be re-opened later.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
#            to your previous 1.x settings so they will be migrated to the database!
retention_strategy = delete
 
# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
elasticsearch_shards = 4
elasticsearch_replicas = 0
 
# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
elasticsearch_index_prefix = graylog
 
# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
# Default: graylog-internal
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
#elasticsearch_template_name = graylog-internal
 
# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
# be enabled with care. See also: http://docs.graylog.org/en/2.1/pages/queries.html
allow_leading_wildcard_searches = false
 
# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has enough memory.
allow_highlighting = false
 
# settings to be passed to elasticsearch's client (overriding those in the provided elasticsearch_config_file)
# all these
# this must be the same as for your Elasticsearch cluster
# Django : 2017-02-14
# default: #elasticsearch_cluster_name = graylog
elasticsearch_cluster_name = graylog
 
# The prefix being used to generate the Elasticsearch node name which makes it easier to identify the specific Graylog
# server running the embedded Elasticsearch instance. The node name will be constructed by concatenating this prefix
# and the Graylog node ID (see node_id_file), for example "graylog-17052010-1234-5678-abcd-1337cafebabe".
# Default: graylog-
#elasticsearch_node_name_prefix = graylog-
 
# A comma-separated list of Elasticsearch nodes which Graylog is using to connect to the Elasticsearch cluster,
# see https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-discovery-zen.html for details.
# Default: 127.0.0.1
#elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
 
# Use multiple Elasticsearch nodes as seed
#elasticsearch_discovery_zen_ping_unicast_hosts = 198.51.100.23:9300, 198.51.100.42:9300
 
# we don't want the Graylog server to store any data, or be master node
#elasticsearch_node_master = false
#elasticsearch_node_data = false
 
# use a different port if you run multiple Elasticsearch nodes on one machine
#elasticsearch_transport_tcp_port = 9350
 
# we don't need to run the embedded HTTP server here
#elasticsearch_http_enabled = false
 
# Change the following setting if you are running into problems with timeouts during Elasticsearch cluster discovery.
# The setting is specified in milliseconds, the default is 5000ms (5 seconds).
#elasticsearch_cluster_discovery_timeout = 5000
 
# the following settings allow to change the bind addresses for the Elasticsearch client in Graylog
# these settings are empty by default, letting Elasticsearch choose automatically,
# override them here or in the 'elasticsearch_config_file' if you need to bind to a special address
# refer to https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-network.html
# for special values here
#elasticsearch_network_host =
#elasticsearch_network_bind_host =
#elasticsearch_network_publish_host =
 
# The total amount of time discovery will look for other Elasticsearch nodes in the cluster
# before giving up and declaring the current node master.
#elasticsearch_discovery_initial_state_timeout = 3s
 
# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
# Note that this setting only takes effect on newly created indices.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
elasticsearch_analyzer = standard
 
# Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range
# calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
# Default: 1m
#elasticsearch_request_timeout = 1m
 
# Global timeout for index optimization (force merge) requests.
# Default: 1h
#elasticsearch_index_optimization_timeout = 1h
 
# Maximum number of concurrently running index optimization (force merge) jobs.
# If you are using lots of different index sets, you might want to increase that number.
# Default: 20
#elasticsearch_index_optimization_jobs = 20
 
# Time interval for index range information cleanups. This setting defines how often stale index range information
# is being purged from the database.
# Default: 1h
#index_ranges_cleanup_interval = 1h
 
# Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
# module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
# reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
# that every outputbuffer processor manages its own batch and performs its own batch write calls.
# ("outputbuffer_processors" variable)
output_batch_size = 500
 
# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
# for this time period is less than output_batch_size * outputbuffer_processors.
output_flush_interval = 1
 
# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
# over again. To prevent this, the following configuration options define after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
 
# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3
 
#outputbuffer_processor_keep_alive_time = 5000
#outputbuffer_processor_threads_core_pool_size = 3
#outputbuffer_processor_threads_max_pool_size = 30
 
# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
#udp_recvbuffer_sizes = 1048576
 
# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
# Possible types:
#  - yielding
#     Compromise between performance and CPU usage.
#  - sleeping
#     Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
#  - blocking
#     High throughput, low latency, higher CPU usage.
#  - busy_spinning
#     Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
processor_wait_strategy = blocking
 
# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
 
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
 
# Enable the disk based message journal.
message_journal_enabled = true
 
# The directory which will be used to store the message journal. The directory must me exclusively used by Graylog and
# must not contain any other files than the ones created by Graylog itself.
#
# ATTENTION:
#   If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
#   in the root directory, you need to create a sub directory for your journal.
#   Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
message_journal_dir = /var/lib/graylog-server/journal
 
# Journal hold messages before they could be written to Elasticsearch.
# For a maximum of 12 hours or 5 GB whichever happens first.
# During normal operation the journal will be smaller.
#message_journal_max_age = 12h
#message_journal_max_size = 5gb
 
#message_journal_flush_age = 1m
#message_journal_flush_interval = 1000000
#message_journal_segment_age = 1h
#message_journal_segment_size = 100mb
 
# Number of threads used exclusively for dispatching internal events. Default is 2.
#async_eventbus_processors = 2
 
# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers in front.
lb_recognition_period_seconds = 3
 
# Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
# disabled if not set.
#lb_throttle_threshold_percentage = 95
 
# Every message is matched against the configured streams and it can happen that a stream contains rules which
# take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
# This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
# streams, Graylog limits the execution time for each stream.
# The default values are noted below, the timeout is in milliseconds.
# If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
# that stream is disabled and a notification is shown in the web interface.
#stream_processing_timeout = 2000
#stream_processing_max_faults = 3
 
# Length of the interval in seconds in which the alert conditions for all streams should be checked
# and alarms are being sent.
#alert_check_interval = 60
 
# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
# outputs. The next setting defines the timeout for a single output module, including the default output module where all
# messages end up.
#
# Time in milliseconds to wait for all message outputs to finish writing a single message.
#output_module_timeout = 10000
 
# Time in milliseconds after which a detected stale master node is being rechecked on startup.
#stale_master_timeout = 2000
 
# Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
#shutdown_timeout = 30000
 
# MongoDB connection string
# See https://docs.mongodb.com/manual/reference/connection-string/ for details
# Django : 2017-02-14
# default: mongodb_uri = mongodb://localhost/graylog
mongodb_uri = mongodb://graylog-user:7h3FBI15n07ar0ckb4and@127.0.01:27017/graylog
 
# Authenticate against the MongoDB server
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
 
# Use a replica set instead of a single host
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
 
# Increase this value according to the maximum connections your MongoDB server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000
 
# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be thrown.
# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5
 
# Drools Rule File (Use to rewrite incoming log messages)
# See: http://docs.graylog.org/en/2.1/pages/drools.html
#rules_file = /etc/graylog/server/rules.drl
 
# Email transport
# Django : 2017-02-14
# default: #transport_email_enabled = false
#          #transport_email_hostname = mail.example.com
#          #transport_email_port = 587
#          #transport_email_use_auth = true
#          #transport_email_use_tls = true
#          #transport_email_use_ssl = true
#          #transport_email_auth_username = you@example.com
#          #transport_email_auth_password = secret
#          #transport_email_subject_prefix = [graylog]
#          #transport_email_from_email = graylog@example.com
transport_email_enabled = true
transport_email_hostname = smtp.dmz.nausch.org
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = graylog-admin@nausch.org
transport_email_auth_password = -7h3FBI15n07ar0ckb4and! 	
transport_email_subject_prefix = [graylog]              
transport_email_from_email = graylogadmin@nausch.org
 
# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
# Django : 2017-02-14
# default: #transport_email_web_interface_url = https://graylog.example.com
transport_email_web_interface_url = https://graylog.nausch.org
 
# The default connect timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 5s
#http_connect_timeout = 5s
 
# The default read timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_read_timeout = 10s
 
# The default write timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_write_timeout = 10s
 
# HTTP proxy for outgoing HTTP connections
#http_proxy_uri =
 
# Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
# cycled indices.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
#disable_index_optimization = true
 
# Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is 1.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
#            to your previous settings so they will be migrated to the database!
#index_optimization_max_num_segments = 1
 
# The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
# will be generated to warn the administrator about possible problems with the system. Default is 1 second.
#gc_warning_threshold = 1s
 
# Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
#ldap_connection_timeout = 2000
 
# Disable the use of SIGAR for collecting system stats
#disable_sigar = false
 
# The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
#dashboard_widget_default_cache_time = 10s
 
# Automatically load content packs in "content_packs_dir" on the first start of Graylog.
#content_packs_loader_enabled = true
 
# The directory which contains content packs which should be loaded on the first start of Graylog.
content_packs_dir = /usr/share/graylog-server/contentpacks
 
# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
# the first start of Graylog.
# Default: empty
content_packs_auto_load = grok-patterns.json
 
# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
# Should be rest_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
proxied_requests_thread_pool_size = 32

Start des Daemon

Unsere Konfigurationsänderungen werden mit Hilfe von mongo der MongoDB Shell vorgenommen. Dieses JavaScript stellt die Benutzerschnittstelle zum eigentlichen MongoDN-Daemon zur Verfügung. Damit sich der Client mit dem Server auch verbinden kann, muss der Server natürlich laufen; wir starten also nun unsere NoSQL-Datenbank mit folgendem Befehl.

 # systemctl start graylog-server.service

Den Serverstatus können wir wie folgt abfragen.

 # systemctl status graylog-server.service

graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-02-17 12:11:05 CET; 33min ago
     Docs: http://docs.graylog.org/
 Main PID: 2832 (graylog-server)
   CGroup: /system.slice/graylog-server.service
           ├─2832 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─2833 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+Us...

Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...

Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.

 # /var/log/graylog-server/server.log
2017-02-16T13:05:32.247+01:00 INFO  [CmdLineTool] Loaded plugin: Elastic Beats Input 2.2.0 [org.graylog.plugins.beats.BeatsInputPlugin]
2017-02-16T13:05:32.250+01:00 INFO  [CmdLineTool] Loaded plugin: Collector 2.2.0 [org.graylog.plugins.collector.CollectorPlugin]
2017-02-16T13:05:32.252+01:00 INFO  [CmdLineTool] Loaded plugin: Enterprise Integration Plugin 2.2.0 [org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin]
2017-02-16T13:05:32.254+01:00 INFO  [CmdLineTool] Loaded plugin: MapWidgetPlugin 2.2.0 [org.graylog.plugins.map.MapWidgetPlugin]
2017-02-16T13:05:32.255+01:00 INFO  [CmdLineTool] Loaded plugin: Pipeline Processor Plugin 2.2.0 [org.graylog.plugins.pipelineprocessor.ProcessorPlugin]
2017-02-16T13:05:32.257+01:00 INFO  [CmdLineTool] Loaded plugin: Anonymous Usage Statistics 2.2.0 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]
2017-02-16T13:05:32.955+01:00 INFO  [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnable
d -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rp
m
2017-02-16T13:05:33.487+01:00 INFO  [Version] HV000001: Hibernate Validator null
2017-02-16T13:05:39.765+01:00 INFO  [InputBufferImpl] Message journal is enabled.
2017-02-16T13:05:39.899+01:00 INFO  [NodeId] Node ID: 57cfc6d7-f241-4487-8661-f115d4f70fc8
2017-02-16T13:05:40.717+01:00 INFO  [LogManager] Loading logs.
2017-02-16T13:05:40.727+01:00 INFO  [LogManager] Logs loading complete.
2017-02-16T13:05:40.805+01:00 INFO  [LogManager] Created log for partition [messagejournal,0] in /var/lib/graylog-server/journal with properties {file.delete.delay.ms -> 60000, compact -> false, max.mess
age.bytes -> 104857600, min.insync.replicas -> 1, segment.jitter.ms -> 0, index.interval.bytes -> 4096, min.cleanable.dirty.ratio -> 0.5, unclean.leader.election.enable -> true, retention.bytes -> 536870
9120, delete.retention.ms -> 86400000, flush.ms -> 60000, segment.bytes -> 104857600, segment.ms -> 3600000, retention.ms -> 43200000, flush.messages -> 1000000, segment.index.bytes -> 1048576}.
2017-02-16T13:05:40.806+01:00 INFO  [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
2017-02-16T13:05:41.219+01:00 INFO  [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy <BlockingWaitStrategy>, running 2 parallel message handlers.
2017-02-16T13:05:41.271+01:00 INFO  [cluster] Cluster created with settings {hosts=[127.0.01:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=5000}
2017-02-16T13:05:41.394+01:00 INFO  [cluster] No server chosen by ReadPreferenceServerSelector{readPreference=primary} from cluster description ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, ser
verDescriptions=[ServerDescription{address=127.0.01:27017, type=UNKNOWN, state=CONNECTING}]}. Waiting for 30000 ms before timing out
2017-02-16T13:05:41.497+01:00 INFO  [connection] Opened connection [connectionId{localValue:1, serverValue:1}] to 127.0.01:27017
2017-02-16T13:05:41.504+01:00 INFO  [cluster] Monitor thread successfully connected to server with description ServerDescription{address=127.0.01:27017, type=STANDALONE, state=CONNECTED, ok=true, version
=ServerVersion{versionList=[2, 6, 12]}, minWireVersion=0, maxWireVersion=2, maxDocumentSize=16777216, roundTripTimeNanos=1297292}
2017-02-16T13:05:41.527+01:00 INFO  [connection] Opened connection [connectionId{localValue:2, serverValue:2}] to 127.0.01:27017
2017-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] version[2.4.4], pid[2500], build[fcbb46d/2017-01-03T11:33:16Z]
2017-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initializing ...
2017-02-16T13:05:42.498+01:00 INFO  [plugins] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] modules [], plugins [graylog-monitor], sites []
2017-02-16T13:05:46.715+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initialized
2017-02-16T13:05:46.885+01:00 INFO  [ProcessBuffer] Initialized ProcessBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
2017-02-16T13:05:50.440+01:00 INFO  [RulesEngineProvider] No static rules file loaded.
2017-02-16T13:05:50.926+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2017-02-16T13:05:50.936+01:00 INFO  [OutputBuffer] Initialized OutputBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
2017-02-16T13:05:51.353+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2017-02-16T13:05:51.439+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2017-02-16T13:05:51.546+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2017-02-16T13:05:51.686+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
2017-02-16T13:05:52.601+01:00 INFO  [RoleServiceImpl] Admin role is missing or invalid, re-adding it as a built-in role.
2017-02-16T13:05:52.779+01:00 INFO  [RoleServiceImpl] Reader role is missing or invalid, re-adding it as a built-in role.
2017-02-16T13:05:53.824+01:00 INFO  [connection] Opened connection [connectionId{localValue:3, serverValue:3}] to 127.0.01:27017
2017-02-16T13:05:54.030+01:00 INFO  [ServerBootstrap] Graylog server 2.2.0+d9681cb starting up
2017-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] JRE: Oracle Corporation 1.8.0_121 on Linux 3.10.0-514.6.1.el7.x86_64
2017-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] Deployment: rpm
2017-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] OS: CentOS Linux 7 (Core) (centos)
2017-02-16T13:05:54.032+01:00 INFO  [ServerBootstrap] Arch: amd64
2017-02-16T13:05:54.050+01:00 WARN  [DeadEventLoggingListener] Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
2017-02-16T13:05:54.129+01:00 INFO  [PeriodicalsService] Starting 26 periodicals ...

Mit einer Abfrage der geöffneten Ports, sehen wir unsere neu definierten Ports, wie z.B. den Port 9000 des JAVA-Prozesses, der die WEB-GUI bedient.

 # netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          33371      3352/master         
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      184        18750      1172/mongod         
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      996        18406      1129/java           
tcp6       0      0 ::1:9200                :::*                    LISTEN      996        19313      1129/java           
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      996        19239      1129/java           
tcp6       0      0 ::1:9300                :::*                    LISTEN      996        19234      1129/java           
tcp6       0      0 127.0.0.1:9350          :::*                    LISTEN      995        31315      2833/java           
tcp6       0      0 ::1:9350                :::*                    LISTEN      995        31818      2833/java           
tcp6       0      0 10.0.0.117:9000         :::*                    LISTEN      995        31876      2833/java           
udp6       0      0 :::10514                :::*                                995        31584      2833/java

automatischer Start des Daemon

Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.

 # systemctl enable graylog-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/graylog-server.service to /usr/lib/systemd/system/graylog-server.service.

Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf.

 # systemctl is-enabled graylog-server.service
enabled

Apache Reverse-Proxy

Da der graylog-web-Daemon ohne Root-Rechte gestartet wird, können wir nur unprivilegierte Ports (Ports größer als 1024) definieren. Da wir aber die Graylog-Web-GUI auch von außen, über einen TLS geschützten Transportkanal ansprechen wollen, nutzen wir einen Apache-vHOST als Reverse-Proxy.

Dazu legen wir uns folgende vHOST-Datei an.

 # vim /etc/httpd/conf.d/graylog.conf
/etc/httpd/conf.d/graylog.conf
#
# Django : 2017-02-14
#          vHost graylog
#
 
# Variablen der Hostvariablen
Define vhost graylog
Define errors_log logs/${vhost}_error.log
Define access_log logs/${vhost}_access.log
Define ssl_log logs/${vhost}_ssl_request.lo
 
 
<VirtualHost 10.0.0.97:80>
    ServerAdmin webmaster@nausch.org
    ServerName ${vhost}.nausch.org
 
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 
    # Welche Logdateien sollen beschrieben werden
    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
    ErrorLog  ${errors_log}
    CustomLog ${access_log} combined env=!dontlog
</VirtualHost>
<VirtualHost 10.0.0.97:443>
    ServerAdmin webmaster@nausch.org
    ServerName ${vhost}.nausch.org
    ServerPath /
 
    # Wer soll Zugriff auf die Webseite(n) bekommen?
    <Proxy *>
        Options +FollowSymLinks +Multiviews -Indexes
        AllowOverride None                          
        AuthType Basic                              
        AuthName "Fuer den Zugriff auf den Webserver bitte Anmeldedaten eingeben!"
        AuthBasicProvider ldap                                                    
        AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid
        AuthLDAPBindDN cn=Technischer_User,dc=nausch,dc=org                           
        AuthLDAPBindPassword "e1n531f!D4xIi57n38103034u!"                       
        AuthLDAPBindAuthoritative on                                                  
        Require ldap-user graylog-admin
    </Proxy>
 
    # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden?
    ProxyRequests Off
    ProxyPass / https://10.0.0.117/
    ProxyPassReverse / https://10.0.0.117/ 
 
    <Location />
        RequestHeader set X-Graylog-Server-URL "https://graylog.nausch.org/api/"
        ProxyPass  http://10.0.0.117:9000/
        ProxyPassReverse http://10.0.0.117:9000/
    </Location>
 
    <Location /api/>
        ProxyPass http://10.0.0.117:9000/api/
        ProxyPassReverse http://10.0.0.117:9000/api/
    </Location> 
 
    # Welche Logdateien sollen beschrieben werden
    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
    ErrorLog  ${errors_log}
    CustomLog ${access_log} combined env=!dontlog
    CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
    # Absicherung der Übertragung mit Hilfe von TLS
    # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
    SSLEngine on
    # Definition der anzubietenden Protokolle
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Definition der Cipher
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
    # Schlüsseldatei, mit der der CSR erstellt wurde
    SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
    # Zertifikatsdatei, die von der CA signiert wurde
    SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_161118.pem
    # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
    SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem
    # Änderung der Cipherorder der Clients verneinen 
    SSLHonorCipherOrder on
    # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
    SSLCompression off
    # Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
 
    # HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
    # dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 
    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    Header always set X-Xss-Protection "1; mode=block"
 
    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    # Sofern die Datei auch den entsprechenden MIME-Typ "text/css" entspricht, soll der Browser 
    # CSS-Dateien nur als CSS interprätieren.
    Header always set X-Content-Type-Options nosniff
 
    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    header always set X-Frame-Options DENY
 
    # hide server header (apache and php version)
    Header always unset Server
 
    # Only allow JavaScript from the same domain to be run.
    # don't allow inline JavaScript to run.
    Header always set X-Content-Security-Policy "allow 'self';"
 
    # Add Secure and HTTP only attributes to cookies
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 
    # prevent Clickjacking Attack
    Header always set X-Frame-Options "SAMEORIGIN"
 
    # hkpk-stuff
    Header always set Public-Key-Pins "pin-sha256=\"nMiOpb6vUnjCoWCkPZkDaG4D8SNWzFTsQf2ZfruLno0=\"; pin-sha256=\"INhxSQ38nCS6ijaAAyo4xAhAZj9xeL3X4ak+GGiM2fo=\"; max-age=2592000; report-uri=\"https://nausch.report-uri.io/r/default/hpkp/enforce\""
</VirtualHost>

Bevor wir die Änderungen am Apache Webseerver scharf schalten, testen wir unsere Konfiguration noch auf syntaktische Fehler.

 # apachectl -t
Syntax OK

Ist alles O.K. brauchen wir nur noch den Apache-Webserver einmal durchstarten.

 # systemctl restart httpd.service

Paketfilter/Firewall

graylog v2 WEB-GUI

Unter CentOS 7 wird als Standard-Firewall die dynamische firewalld verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbindungen kurz getrennt werden. Sondern unsere Änderungen können on-the-fly aktiviert oder auch wieder deaktiviert werden.

Laufen der Apache-Reverse-Proxy und der Graylog-Servers nicht auf dem gleichen Host, benötigen wir noch eine Firewall-Definition die diesen Kommunkikationsweg definiert. Dabei soll in unserem Konfigurationsbeispiel die Source-IP die 10.0.0.97 und die Destination-IP die Ip-Adresse 10.0.0.117 sein.

Mit Hilfe des Programms firewall-cmd legen wir nun eine permanente Regel in der Zone public, dies entspricht in unserem Beispiel das Netzwerk-Interface eth0 mit der IP 10.0.0.117 an. Als Source-IP geben wir die beiden IP-Adressen der Apache-Webservers, also die 10.0.0.117 und 10.0.0.97 an. Genug der Vorrede, mit nachfolgendem Befehl wird diese restriktive Regel angelegt.

 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.97/32" port protocol="tcp" port="9000" destination address="10.0.0.117/32" accept"
success

Zum Aktivieren brauchen wir nun nur einen reload des Firewall-Daemon vornehmen.

 # firewall-cmd --reload

Fragen wir nun den Regelsatz unserer iptables-basieten Firewall ab, finden wir in der Chain IN_public_allow unsere aktivierten Regeln.

 # iptables -nvL IN_public_allow
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       10.0.0.97            10.0.0.117           tcp dpt:9000 ctstate NEW

syslog (Port 514)

Der graylog-server Daemon läuft mit den Rechten des Users graylog; daher kann der Dienst graylog-server nur Ports >1024 binden.

 # ps aux | grep graylog-server
graylog   2832  0.0  0.0 113120  1368 ?        Ss   12:11   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
graylog   2833  7.1 13.2 3874092 1087156 ?     Sl   12:11   4:39 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
root      3965  0.0  0.0 112648   924 pts/0    R+   13:16   0:00 grep --color=auto graylog-server

Somit können wir keine bei der Definition von Eingangskanälen (Inputs) keine dieser privilegierte Ports direkt ansprechen. Bei vielen Netzwerkgeräten, wie Router, Switche oder Telefone kann man bei der Definition des Syslog-Dienstes nur den Namen bzw. IP-Adresse des Zielservers angeben, nicht aber die den vordefinierten Port 514.

Da wir aber aus Sicherheitsgründen keinenfalls den graylog Daemon mit root-Rechten wollen, müssen wir uns anders behelfen. Zunächst definieren wir uns einen input-Kanal und weisen diesem dem Port 10514.

BILD: graylog INPUT Definition

Nun werden wir mit Hilfe von iptables den Port 514 auf den zuvor definierten 10514 mappen. Dazu brauchen wir zwei Dinge:

  1. Masquerading
    Mit Hilfe des zugehörigen Kernel-Moduls werden ankommende Pakete auf Port 514 auf Port 10514 „umgerouted“ und ausgehende Pakte von Port 10514 wiederum als Absendeport 514 in den UDP/TCP-Paketen umgeschrieben. Die zugehörige firewalld-Regel zum Aktivieren von Masquerading lautet:
     # firewall-cmd --permanent --zone=public --add-masquerade
    success
  2. DNAT-Regel
    Aus Sicht unseres iptables-Filter wollen wir das Pakete auf den Ziel-Port 514 den der Client verwendet hat, auf auf den Port 10514 unseres graylog INPUTs umschreiben; dazu benötigen wir folgende Regel:
     # firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=udp:toport=10514
    success

Zum Schluß führen wir nun noch einen Reload des Daemon firewalld durch.

 # firewall-cmd --reload
success

Wenn wir jetzt einen Blick in die definierten INPUTs unseres graylog-Servers werfen, werden wir die angekommenen und verarbeiteten syslog-Meldungen unserer „syslog Port 514 only“-Geräte sehen.

Bild: graylog INPUT syslog UDP Port 514

Die Web-GUI unseres graylog-Servers erreichen wir über die URL, die wir bei der Konfiguration des Apache Reverse-Proxy definiert hatten: https://graylog.nausch.org

Bild: Graylog Web-GUI Login-Screen

Nach erfolgter Erstanmeldung befinden wir uns im „“Getting Started„ Fenster. Dort finden wir auch schon ein paar Online-Hilfe Punkte

Bild: Graylog Web-GUI Startfenster

Nachdem wir unseren graylog-Server erfolgreich vorbereitet haben, werden wir nun unsere Linux-Hosts so konfigurieren, dass diese ihre syslog-Meldungen zu unserem zentralem syslog-/graylog-Server senden.

Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäss dem RFC 5424, insbesondere ist darauf zu achten dass die Meldungen dem RSYSLOG_SyslogProtocol23Format entsprechend formatiert werden.

UDP

Im ersten Konfigurationsbeispiel wollen wir die Syslog-Meldungen an den Port 514 per UDP1) an unseren graylog-Server senden. Dazu tragen wir am Ende der Konfigurationsdatei des rsyslog-Daemon folgende Zeile ein.

 # vim /etc/rsyslog.conf
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#
# Django : 2017-02-14
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
#
# ### end of the forwarding rule ###

Zum Aktivieren der Konfigurationsänderung starten wir den rsyslog-Daemon einmal durch.

 # systemctl restart rsyslog.service

TCP

Möchte man die die Syslog-Meldungen an den Port 514 per TCP2) an den graylog-Server senden, unterscheidet sich die Konfiguration nur unwesentlich. In der Konfigurationszeile wird statt einem @ zwei @@ angegeben. Am Ende der Konfigurationsdatei des rsyslog-Daemon tragen wir folgende Zeile ein.

 # vim /etc/rsyslog.conf
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#
# Django : 2017-02-14
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @@10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
#
# ### end of the forwarding rule ###

Zum Aktivieren der Konfigurationsänderung starten wir den rsyslog-Daemon einmal durch.

 # systemctl restart rsyslog.service

An zwei wesentlichen Stellen läuft in unserem Konfigurationsbeispiel noch völlig ungeschützt ab. Der erste Punkt den es zu bemängeln gilt, ist die Autorisierung der Datenquellen; d.h. jeder beliebige Client, der sich mit unserem Netz verbindet kann Daten an unseren graylog-Server schicken und diesen im schlimmsten Fall mit Datenmüll überfluten. Der zweite Punkt ist die unverschlüsselte Übertragung der rsyslog Daten. Schützenswerte Daten könnten also im Zweifelsfall ebenso mitgeschnitten wie auch manipuliert werden.

Zur Lösung dieser beiden unstrittigen Schwachstellen werden wir uns nun mit der Absicherung durch TLS3) näher beschäftigen. Die für die TLS-Verschlüsselung notwendigen Schlüssel und Zertifikate erstellen wir mittels OpenSSL, einer freien Implementierung von SSL4). SSL oder TLS5) ist ein hybrides Verschlüsselungsprotokoll zur Datenübertragung im Internet. Unter TLS 1.0, 1.1 und 1.2 versteht man die standardisierten Weiterentwicklungen von SSL 3.0 (TLS 1.0 steht neu für SSL 3.1). Dies bedeutet also, SSL wird nun unter dem Namen TLS weiterentwickelt.

OpenSSL

Bei der Standardinstallation unseres Systems wurde in der Regel bereits das Paket openssl installiert. Ein kurzer Blick in die RPM-Datenbank schafft hierzu Gewissheit.

 # yum list openssl
 Installed Packages
 openssl.x86_64                                  1:1.0.1e-51.el7_2.1

Sollte das Paket noch fehlen, installieren wir dies einfach via:

 # yum install openssl

Was uns das Paket openssl alles mitbringt und wohin die Programme und Konfigurationsdateien kopiert werden, offenbart uns das System wie folgt.

 # rpm -qil openssl
Name        : openssl
Epoch       : 1
Version     : 1.0.1e
Release     : 51.el7_2.1
Architecture: x86_64
Install Date: Tue 15 Dec 2015 09:59:48 AM CET
Group       : System Environment/Libraries
Size        : 1611101
License     : OpenSSL
Signature   : RSA/SHA256, Mon 14 Dec 2015 12:25:06 PM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : openssl-1.0.1e-51.el7_2.1.src.rpm
Build Date  : Mon 14 Dec 2015 06:19:50 AM CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.openssl.org/
Summary     : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
/usr/share/doc/openssl-1.0.1e
/usr/share/doc/openssl-1.0.1e/CHANGES
/usr/share/doc/openssl-1.0.1e/FAQ
/usr/share/doc/openssl-1.0.1e/INSTALL
/usr/share/doc/openssl-1.0.1e/LICENSE
/usr/share/doc/openssl-1.0.1e/NEWS
/usr/share/doc/openssl-1.0.1e/README
/usr/share/doc/openssl-1.0.1e/README.FIPS
/usr/share/doc/openssl-1.0.1e/c-indentation.el
/usr/share/doc/openssl-1.0.1e/openssl.txt
/usr/share/doc/openssl-1.0.1e/openssl_button.gif
/usr/share/doc/openssl-1.0.1e/openssl_button.html
/usr/share/doc/openssl-1.0.1e/ssleay.txt
/usr/share/man/man1/asn1parse.1ssl.gz
/usr/share/man/man1/ca.1ssl.gz
/usr/share/man/man1/ciphers.1ssl.gz
/usr/share/man/man1/cms.1ssl.gz
/usr/share/man/man1/crl.1ssl.gz
/usr/share/man/man1/crl2pkcs7.1ssl.gz
/usr/share/man/man1/dgst.1ssl.gz
/usr/share/man/man1/dhparam.1ssl.gz
/usr/share/man/man1/dsa.1ssl.gz
/usr/share/man/man1/dsaparam.1ssl.gz
/usr/share/man/man1/ec.1ssl.gz
/usr/share/man/man1/ecparam.1ssl.gz
/usr/share/man/man1/enc.1ssl.gz
/usr/share/man/man1/errstr.1ssl.gz
/usr/share/man/man1/gendsa.1ssl.gz
/usr/share/man/man1/genpkey.1ssl.gz
/usr/share/man/man1/genrsa.1ssl.gz
/usr/share/man/man1/md2.1ssl.gz
/usr/share/man/man1/md4.1ssl.gz
/usr/share/man/man1/md5.1ssl.gz
/usr/share/man/man1/mdc2.1ssl.gz
/usr/share/man/man1/nseq.1ssl.gz
/usr/share/man/man1/ocsp.1ssl.gz
/usr/share/man/man1/openssl.1ssl.gz
/usr/share/man/man1/pkcs12.1ssl.gz
/usr/share/man/man1/pkcs7.1ssl.gz
/usr/share/man/man1/pkcs8.1ssl.gz
/usr/share/man/man1/pkey.1ssl.gz
/usr/share/man/man1/pkeyparam.1ssl.gz
/usr/share/man/man1/pkeyutl.1ssl.gz
/usr/share/man/man1/req.1ssl.gz
/usr/share/man/man1/ripemd160.1ssl.gz
/usr/share/man/man1/rsa.1ssl.gz
/usr/share/man/man1/rsautl.1ssl.gz
/usr/share/man/man1/s_client.1ssl.gz
/usr/share/man/man1/s_server.1ssl.gz
/usr/share/man/man1/s_time.1ssl.gz
/usr/share/man/man1/sess_id.1ssl.gz
/usr/share/man/man1/sha.1ssl.gz
/usr/share/man/man1/sha1.1ssl.gz
/usr/share/man/man1/smime.1ssl.gz
/usr/share/man/man1/speed.1ssl.gz
/usr/share/man/man1/spkac.1ssl.gz
/usr/share/man/man1/sslpasswd.1ssl.gz
/usr/share/man/man1/sslrand.1ssl.gz
/usr/share/man/man1/ts.1ssl.gz
/usr/share/man/man1/tsget.1ssl.gz
/usr/share/man/man1/verify.1ssl.gz
/usr/share/man/man1/version.1ssl.gz
/usr/share/man/man1/x509.1ssl.gz
/usr/share/man/man5/config.5ssl.gz
/usr/share/man/man5/openssl.cnf.5ssl.gz
/usr/share/man/man5/x509v3_config.5ssl.gz
/usr/share/man/man7/des_modes.7ssl.gz

Zertifikatserstellung

Wie bereits erwähnt benötigen wir für die TLS-Verschlüsselung Schlüssel und Zertifikate. Das Schlüsselmaterial werden wir ausschließlich und immer nur auf unserem Server generieren. Die Zertifikate können wir nun auch selbst erstellen, oder von einer externen CA6) beziehen.

Technisch gesehen unterscheiden sich Zertifikate einer „offiziellen“ oder besser gesagt einer kommerziellen CA nicht von Zertifikaten einer eigenen „self signed“ Zertifikaten. Da es sich bei unserem Unterfangen, die rsyslog-Datenübertragung und -Authorisierung von erlaubten Sendern und Empfängern um reine Maschinen zu Maschinen Kommunikation handelt, können wir zur Vereinfachung des ganzen Zertifikatshandlings auf eine eigen CA mit sehr langen Zertifikatslaufzeiten zurückgreifen.

Leider bietet uns weder graylog noch rsyslog so eine komfortable scriptgesteuerte Unterstützung, wie z.B. der ICINGA2 Node Wizard bei der Anbindung Client- zum Master-Node. Wir werden also bei der Erzeugung der folgendenden Stellen selbst Hand anlegen müssen:

  • CA
  • Serverzertifikat für den graylog-Server
  • Clientzertifikate für die rsyslog-Clients

Die jeweils benötigten Arbeitsschritte sind bei allen drei Stellen jeweils die gleichen:

  • Generieren eines privaten Schlüssels, den wir hüten wie unseren Augapfel,
  • Erstellen unseres Public Key mit zusätzlichen Daten, auch bekannt als CSR7),
  • Unterschreiben des CSR mit dem privaten Schlüssel unserer CA8); auch bekannt als Zertifikatsgenerierung.
  • Verteilen der erzeugten Zertifikate.

Sowohl bei der Laufzeit des Root-Zertifikates unserer CA wie auch bei den Client- und Server-Zertifikaten orientieren wir uns am Beispiel von ICINGA2 und wählen hier jeweils eine Laufzeit von 30 Jahren. Somit erübrigt sich die laufende Erneuerung der jeweiligen Zertifikate und der damit verbundenen Downtime der Clients und Server.

Root CA - Zertifizierungsstelle

Als erstes werden wir uns nun unsere Zertifizierungsstelle mit besagtem 30-jährigen Root CA Zertifikats erstellen.

Vorbereitung

Anlegen fehlender Dateien:

 # echo "00" > /etc/pki/CA/serial
 # touch /etc/pki/CA/index.txt
 # mkdir /etc/pki/CA/csrs

Somit befindet sich in unserem Pfad /etc/pki/CA nun folgender Inhalt:

 # ll /etc/pki/CA
total 4
drwxr-xr-x. 2 root root 6 Dec 14 06:18 certs
drwxr-xr-x. 2 root root 6 Dec 14 06:18 crl
drwxr-xr-x. 2 root root 3 Jan  3 19:40 csrs
-rw-r--r--. 1 root root 0 Jan  3 19:40 index.txt
drwxr-xr-x. 2 root root 6 Dec 14 06:18 newcerts
drwx------. 2 root root 6 Dec 14 06:18 private
-rw-r--r--. 1 root root 3 Jan  3 19:40 serial
/etc/pki/CA
├── certs
├── crl
├── csrs
├── index.txt
├── newcerts
├── private
└── serial

Die CA-Konfigurationsdatei passen wir noch unseren Wünschen entsprechend an.

 # vim /etc/pki/tls/openssl.cnf
/etc/pki/tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
 
# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
 
# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids
 
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
 
[ new_oids ]
 
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
 
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
 
####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section
 
####################################################################
[ CA_default ]
 
dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.
 
# Django : 2017-02-14
# default: certificate  = $dir/cacert.pem       # The CA certificate
certificate     = $dir/certs/root-ca.certifikate.pem
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
# Django : 2017-02-14
# default: private_key	= $dir/private/cakey.pem   # The private key
private_key	= $dir/private/root-ca.key.pem
RANDFILE	= $dir/private/.rand	# private random number file
 
x509_extensions	= usr_cert		# The extentions to add to the cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
 
# Extension copying option: use with caution.
# copy_extensions = copy
 
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext
 
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering
 
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match
 
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
 
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
 
####################################################################
[ req ]
default_bits		= 2048
default_md		= sha256
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
 
# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
 
# req_extensions = v3_req # The extensions to add to a certificate request
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= XX
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
#stateOrProvinceName_default	= Default Province
 
localityName			= Locality Name (eg, city)
localityName_default		= Default City
 
0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Default Company Ltd
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64
 
emailAddress			= Email Address
emailAddress_max		= 64
 
# SET-ex3			= SET extension number 3
 
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
 
unstructuredName		= An optional company name
 
[ usr_cert ]
 
# These extensions are added when 'ca' signs a request.
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= server
 
# For an object signing certificate this would be used.
# nsCertType = objsign
 
# For normal client use this is typical
# nsCertType = client, email
 
# and for everything including object signing:
# nsCertType = client, email, objsign
 
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
 
# Copy subject details
# issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
 
[ v3_req ]
 
# Extensions to add to a certificate request
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ v3_ca ]
 
 
# Extensions for a typical CA
 
 
# PKIX recommendation.
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid:always,issuer
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
 
# Some might want this also
# nsCertType = sslCA, emailCA
 
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
 
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
 
[ crl_ext ]
 
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
 
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= server
 
# For an object signing certificate this would be used.
# nsCertType = objsign
 
# For normal client use this is typical
# nsCertType = client, email
 
# and for everything including object signing:
# nsCertType = client, email, objsign
 
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
 
# Copy subject details
# issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
####################################################################
[ tsa ]
 
default_tsa = tsa_config1	# the default TSA section
 
[ tsa_config1 ]
 
# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)

privaten Schlüssel und selbstsigniertes Root CA Zertifikat erstellen

Als erstes werden wir uns nun den privaten Schlüssel unserer Root CA generieren, in zugehöriges Zertifikat erzeugen und dieses mit dem privaten Schlüssel der CA unterschreiben; all das passiert bei nachfolgendem Befehlsaufruf. Zur besseren Unterscheidung sind die Eingaben sowohl kursiv und fett gedruckt in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl req -new -x509 -newkey rsa:4096 -sha512 \
        -keyout /etc/pki/CA/private/root-ca.key.pem \
        -out /etc/pki/CA/certs/root-ca.certifikate.pem -days 10950

Generating a 4096 bit RSA private key
..................................................................................................................................................................++
.......................++
writing new private key to '/etc/pki/CA/private/root-ca.key.pem'
Enter PEM pass phrase: des-woas-blos-I-und-sunst-koana!
Verifying - Enter PEM pass phrase: des-woas-blos-I-und-sunst-koana!
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bayern
Locality Name (eg, city) [Default City]:Pliening
Organization Name (eg, company) [Default Company Ltd]:nausch.org
Organizational Unit Name (eg, section) []:Zertifizierungsstelle
Common Name (eg, your name or your server's hostname) []:graylog CA
Email Address []:ca-admin@nausch.org

Sowohl Zertifikat und der Schlüssel des gerade erzeugten Root Zertifikates liegen nun in unserem CA-Systemverzeichnis.

/etc/pki/CA
├── certs
│   └── root-ca.certifikate.pem
├── crl
├── csrs
├── index.txt
├── newcerts
├── private
│   └── root-ca.key.pem
└── serial

privaten Schlüssel der Root CA schützen

Damit nun ausschließlich der Benuter root die Schlüsseldatei mit dem privaten Schlüssel unserer CA lesen kann, passen wir die Dateirechte entsprechend an.

 # chmod 400 /etc/pki/CA/private/root-ca.key.pem

Root CA Zertifikat ausgeben

Möchten wir den Inhalt unseres Root Ca Zertifikates ausgeben und ansehen, verwenden wir den folgenden openssl-Aufruf.

 # openssl x509 -noout -text -in /etc/pki/CA/certs/root-ca.certifikate.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10930264216988842831 (0x97b01964f2c87b4f)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=Zertifizierungsstelle, CN=graylog CA/emailAddress=ca-admin@nausch.org
        Validity
            Not Before: Jan  3 22:57:12 2016 GMT
            Not After : Dec 26 22:57:12 2045 GMT
        Subject: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=Zertifizierungsstelle, CN=graylog CA/emailAddress=ca-admin@nausch.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ca:f4:bc:2b:0d:43:6a:63:fc:93:fb:e6:18:91:
                    ed:73:22:3f:da:1c:fb:3a:8e:60:41:e1:33:6e:bf:
                    0c:8c:33:b2:52:04:50:05:5c:fb:73:d2:23:96:f4:
                    2a:31:5a:d6:e8:d2:48:47:b6:86:cd:1b:d4:9d:4c:
                    b6:ac:fc:c9:94:fc:dc:8b:ca:50:ac:e4:4d:f2:06:
                    84:0d:e8:dd:bc:2f:bc:fb:fd:26:c1:19:5e:13:61:
                    b2:37:d3:80:9b:0e:7c:bb:5c:19:69:06:3f:de:02:
                    8f:69:c1:c0:55:68:01:1a:49:72:a5:a5:8d:93:a7:
                    cc:4a:e5:f8:6f:03:eb:71:22:b6:3f:5e:54:f7:57:
                    20:5f:5d:80:55:b5:b6:e1:85:ff:93:0e:47:f6:64:
                    a7:3d:84:22:d9:45:f8:f8:01:70:3b:2a:b2:dd:18:
                    80:65:81:61:66:c2:9d:1a:c5:4b:4c:e0:89:05:28:
                    fe:40:06:00:87:c1:13:ac:ae:dc:7e:fb:00:e7:95:
                    84:3d:83:e9:7e:48:ae:5a:a5:c0:d6:ae:75:b9:9e:
                    54:96:4b:8b:86:48:67:9e:b7:31:d0:b0:06:a5:29:
                    44:08:54:05:48:2c:0d:8d:99:bf:31:59:48:f4:3d:
                    b5:bd:4b:c6:56:d0:59:90:6f:b8:12:97:81:ad:d8:
                    eb:01:f4:41:4c:b3:59:c0:26:67:e9:4b:e5:59:5e:
                    96:7b:c2:df:ca:96:73:1b:ed:f3:ec:c6:05:12:db:
                    be:67:a0:2a:d2:a7:03:67:c7:6d:b1:35:b3:ea:e5:
                    2c:65:7e:df:dc:dc:8f:57:86:f9:bc:7a:a5:45:a5:
                    67:a5:f4:9d:af:7b:af:9a:52:db:ea:8a:c8:be:f0:
                    50:f6:58:c3:88:28:0f:c4:04:d5:f3:a6:80:03:33:
                    d7:64:d8:d2:83:39:f4:3d:94:1c:f4:68:c1:a8:bf:
                    af:c7:c5:de:e3:85:86:47:ad:a0:47:bf:47:21:b0:
                    7b:61:9f:a8:05:32:81:0c:7c:54:e6:4b:ad:98:e6:
                    c7:d3:08:50:03:3f:4b:b2:fc:b1:4b:18:5b:e4:b3:
                    71:be:f8:ca:2e:d4:89:84:b8:32:2b:ac:1f:e1:00:
                    71:bb:9f:07:95:ac:a8:fc:c5:b5:a8:5a:8f:cd:3d:
                    5d:a0:d7:2e:34:be:24:41:80:ee:5b:11:13:4e:05:
                    c5:ff:53:ef:31:c2:1f:12:b4:bd:5f:80:0f:80:3d:
                    af:d3:a7:23:17:b9:28:8a:6e:4b:57:33:59:38:f3:
                    ea:f4:30:cc:0e:e8:41:83:eb:8f:88:ea:a2:03:2c:
                    f5:16:0d:ef:b2:97:10:a0:0b:7e:0d:97:e1:0d:d4:
                    69:4e:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E
            X509v3 Authority Key Identifier: 
                keyid:F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
         37:5c:48:19:a0:67:55:3c:e5:f8:74:2e:49:57:0b:fe:ea:d4:
         f3:82:3d:f5:8b:74:74:1d:ad:a4:ce:00:72:f8:19:19:b7:35:
         7f:a1:85:61:b3:11:d1:90:b5:d9:d6:6f:55:04:83:28:05:b9:
         0b:09:95:ac:c0:25:0d:17:02:ee:fd:c5:0d:48:12:ce:7c:09:
         67:72:6a:47:0c:7b:f4:48:0a:1d:05:6d:78:7a:04:49:50:b7:
         2b:fd:37:80:de:be:62:66:3b:b5:1b:52:78:af:b4:16:d6:f9:
         f9:64:b8:a9:d3:6d:9f:0e:81:67:1f:3a:c5:39:bc:5d:d9:73:
         f1:8d:9c:da:1e:f4:22:78:28:d6:d2:ef:2a:07:85:57:fc:f8:
         9c:ac:b4:2f:51:06:f3:a5:fd:10:7e:fa:26:5e:6a:cd:ba:f1:
         03:6c:fb:f1:d9:cd:86:65:32:18:46:ca:24:28:f1:e8:47:d8:
         d7:30:0c:b7:4a:5d:19:0f:9d:9c:59:40:15:60:1e:53:75:22:
         d1:99:4e:c1:c7:f0:d5:92:d0:43:8d:2a:9c:8b:a6:5c:18:88:
         5a:73:0a:75:f2:b3:46:de:a4:02:0e:12:e3:e7:42:79:b5:c9:
         20:a8:da:b2:ca:1e:42:b8:f5:ea:b5:3c:b7:6e:de:15:29:11:
         2e:bd:0d:50:93:e5:19:85:b2:7a:f3:48:06:50:7d:ba:d4:f3:
         3a:64:35:0b:6c:74:3a:6f:02:c5:7d:4c:2d:78:70:43:f9:4b:
         1c:0e:44:1f:fb:91:1e:80:a7:96:2e:ee:04:8f:71:9a:74:a6:
         80:28:41:19:b4:b0:46:d0:1d:d0:3c:8f:d3:9d:02:63:7e:5d:
         38:f5:b4:29:b9:66:7a:fc:a1:94:24:0d:38:bb:31:f5:1c:cb:
         d5:13:a2:0d:fa:59:9c:2f:63:68:a9:ee:02:d7:45:68:47:7e:
         10:b9:bc:58:75:7e:8f:4c:d8:2f:72:f8:a6:e9:e8:33:d7:1f:
         6c:44:35:09:04:f2:96:8c:69:16:a9:f3:7b:50:6d:1a:fc:08:
         e3:77:3d:3c:c4:5a:45:33:81:25:c8:73:4e:ea:e1:c5:2c:5e:
         0c:34:48:9b:7e:ec:fa:b1:82:75:6a:7d:80:5f:07:30:5c:81:
         37:db:e1:a2:17:52:31:9b:7f:ce:0b:55:51:b4:e0:03:0d:7c:
         f6:60:3f:5b:e7:c9:95:17:30:91:6e:96:d6:02:9e:fa:64:8d:
         35:0d:dc:32:e1:58:16:e7:2e:67:40:73:76:b4:ad:4e:4c:fa:
         78:6f:31:30:7e:7b:ad:4f:10:8f:a5:e3:57:42:fa:04:a9:f6:
         59:7d:69:78:92:af:7f:2b

Das Zertifikat im PEM-Format (Base64-kodiertes Zertifikat) können wir uns ganz einfach ausgeben lassen um es so z.B. auf einem Clientrechner abzulegen.

 # cat /etc/pki/CA/certs/root-ca.certifikate.pem
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIJAJewGWTyyHtPMA0GCSqGSIb3DQEBDQUAMIGfMQswCQYD
VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhQbGllbmluZzETMBEG
A1UECgwKbmF1c2NoLm9yZzEeMBwGA1UECwwVWmVydGlmaXppZXJ1bmdzc3RlbGxl
MRMwEQYDVQQDDApncmF5bG9nIENBMSIwIAYJKoZIhvcNAQkBFhNjYS1hZG1pbkBu
YXVzY2gub3JnMB4XDTE2MDEwMzIyNTcxMloXDTQ1MTIyNjIyNTcxMlowgZ8xCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCFBsaWVuaW5nMRMw
EQYDVQQKDApuYXVzY2gub3JnMR4wHAYDVQQLDBVaZXJ0aWZpemllcnVuZ3NzdGVs
bGUxEzARBgNVBAMMCmdyYXlsb2cgQ0ExIjAgBgkqhkiG9w0BCQEWE2NhLWFkbWlu
QG5hdXNjaC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDK9Lwr
DUNqY/yT++YYke1zIj/aHPs6jmBB4TNuvwyMM7JSBFAFXPtz0iOW9CoxWtbo0khH
tobNG9SdTLas/MmU/NyLylCs5E3yBoQN6N28L7z7/SbBGV4TYbI304CbDny7XBlp
Bj/eAo9pwcBVaAEaSXKlpY2Tp8xK5fhvA+txIrY/XlT3VyBfXYBVtbbhhf+TDkf2
ZKc9hCLZRfj4AXA7KrLdGIBlgWFmwp0axUtM4IkFKP5ABgCHwROsrtx++wDnlYQ9
g+l+SK5apcDWrnW5nlSWS4uGSGeetzHQsAalKUQIVAVILA2Nmb8xWUj0PbW9S8ZW
0FmQb7gSl4Gt2OsB9EFMs1nAJmfpS+VZXpZ7wt/KlnMb7fPsxgUS275noCrSpwNn
x22xNbPq5Sxlft/c3I9Xhvm8eqVFpWel9J2ve6+aUtvqisi+8FD2WMOIKA/EBNXz
poADM9dk2NKDOfQ9lBz0aMGov6/Hxd7jhYZHraBHv0chsHthn6gFMoEMfFTmS62Y
5sfTCFADP0uy/LFLGFvks3G++Mou1ImEuDIrrB/hAHG7nweVrKj8xbWoWo/NPV2g
1y40viRBgO5bERNOBcX/U+8xwh8StL1fgA+APa/TpyMXuSiKbktXM1k48+r0MMwO
6EGD64+I6qIDLPUWDe+ylxCgC34Nl+EN1GlOlwIDAQABo1AwTjAdBgNVHQ4EFgQU
98MEcCU4LwKCXV8vfxtml0Of2A4wHwYDVR0jBBgwFoAU98MEcCU4LwKCXV8vfxtm
l0Of2A4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAN1xIGaBnVTzl
+HQuSVcL/urU84I99Yt0dB2tpM4AcvgZGbc1f6GFYbMR0ZC12dZvVQSDKAW5CwmV
rMAlDRcC7v3FDUgSznwJZ3JqRwx79EgKHQVteHoESVC3K/03gN6+YmY7tRtSeK+0
Ftb5+WS4qdNtnw6BZx86xTm8Xdlz8Y2c2h70Ingo1tLvKgeFV/z4nKy0L1EG86X9
EH76Jl5qzbrxA2z78dnNhmUyGEbKJCjx6EfY1zAMt0pdGQ+dnFlAFWAeU3Ui0ZlO
wcfw1ZLQQ40qnIumXBiIWnMKdfKzRt6kAg4S4+dCebXJIKjassoeQrj16rU8t27e
FSkRLr0NUJPlGYWyevNIBlB9utTzOmQ1C2x0Om8CxX1MLXhwQ/lLHA5EH/uRHoCn
li7uBI9xmnSmgChBGbSwRtAd0DyP050CY35dOPW0KblmevyhlCQNOLsx9RzL1ROi
DfpZnC9jaKnuAtdFaEd+ELm8WHV+j0zYL3L4punoM9cfbEQ1CQTyloxpFqnze1Bt
GvwI43c9PMRaRTOBJchzTurhxSxeDDRIm37s+rGCdWp9gF8HMFyBN9vhohdSMZt/
zgtVUbTgAw189mA/W+fJlRcwkW6W1gKe+mSNNQ3cMuFYFucuZ0BzdrStTkz6eG8x
MH57rU8Qj6XjV0L6BKn2WX1peJKvfys=
-----END CERTIFICATE-----

Root CA Zertifikat beim Client abspeichern

Nun müssen wir nur noch dafür sorgen, dass unser Root CA Zertifikat auf den bzw. die Clientrechner und auf unserem graylog-Server vorhanden ist. Entweder kopieren wir es via scp auf die Zielsysteme oder wir erzeugen und bearbeiten einfach die Zertifikatsdatei mit dem Editor unserer Wahl.

 # vim /etc/pki/CA/certs/root-ca.certifikate.pem
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIJAJewGWTyyHtPMA0GCSqGSIb3DQEBDQUAMIGfMQswCQYD
VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhQbGllbmluZzETMBEG
A1UECgwKbmF1c2NoLm9yZzEeMBwGA1UECwwVWmVydGlmaXppZXJ1bmdzc3RlbGxl
MRMwEQYDVQQDDApncmF5bG9nIENBMSIwIAYJKoZIhvcNAQkBFhNjYS1hZG1pbkBu
YXVzY2gub3JnMB4XDTE2MDEwMzIyNTcxMloXDTQ1MTIyNjIyNTcxMlowgZ8xCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCFBsaWVuaW5nMRMw
EQYDVQQKDApuYXVzY2gub3JnMR4wHAYDVQQLDBVaZXJ0aWZpemllcnVuZ3NzdGVs
bGUxEzARBgNVBAMMCmdyYXlsb2cgQ0ExIjAgBgkqhkiG9w0BCQEWE2NhLWFkbWlu
QG5hdXNjaC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDK9Lwr
DUNqY/yT++YYke1zIj/aHPs6jmBB4TNuvwyMM7JSBFAFXPtz0iOW9CoxWtbo0khH
tobNG9SdTLas/MmU/NyLylCs5E3yBoQN6N28L7z7/SbBGV4TYbI304CbDny7XBlp
Bj/eAo9pwcBVaAEaSXKlpY2Tp8xK5fhvA+txIrY/XlT3VyBfXYBVtbbhhf+TDkf2
ZKc9hCLZRfj4AXA7KrLdGIBlgWFmwp0axUtM4IkFKP5ABgCHwROsrtx++wDnlYQ9
g+l+SK5apcDWrnW5nlSWS4uGSGeetzHQsAalKUQIVAVILA2Nmb8xWUj0PbW9S8ZW
0FmQb7gSl4Gt2OsB9EFMs1nAJmfpS+VZXpZ7wt/KlnMb7fPsxgUS275noCrSpwNn
x22xNbPq5Sxlft/c3I9Xhvm8eqVFpWel9J2ve6+aUtvqisi+8FD2WMOIKA/EBNXz
poADM9dk2NKDOfQ9lBz0aMGov6/Hxd7jhYZHraBHv0chsHthn6gFMoEMfFTmS62Y
5sfTCFADP0uy/LFLGFvks3G++Mou1ImEuDIrrB/hAHG7nweVrKj8xbWoWo/NPV2g
1y40viRBgO5bERNOBcX/U+8xwh8StL1fgA+APa/TpyMXuSiKbktXM1k48+r0MMwO
6EGD64+I6qIDLPUWDe+ylxCgC34Nl+EN1GlOlwIDAQABo1AwTjAdBgNVHQ4EFgQU
98MEcCU4LwKCXV8vfxtml0Of2A4wHwYDVR0jBBgwFoAU98MEcCU4LwKCXV8vfxtm
l0Of2A4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAN1xIGaBnVTzl
+HQuSVcL/urU84I99Yt0dB2tpM4AcvgZGbc1f6GFYbMR0ZC12dZvVQSDKAW5CwmV
rMAlDRcC7v3FDUgSznwJZ3JqRwx79EgKHQVteHoESVC3K/03gN6+YmY7tRtSeK+0
Ftb5+WS4qdNtnw6BZx86xTm8Xdlz8Y2c2h70Ingo1tLvKgeFV/z4nKy0L1EG86X9
EH76Jl5qzbrxA2z78dnNhmUyGEbKJCjx6EfY1zAMt0pdGQ+dnFlAFWAeU3Ui0ZlO
wcfw1ZLQQ40qnIumXBiIWnMKdfKzRt6kAg4S4+dCebXJIKjassoeQrj16rU8t27e
FSkRLr0NUJPlGYWyevNIBlB9utTzOmQ1C2x0Om8CxX1MLXhwQ/lLHA5EH/uRHoCn
li7uBI9xmnSmgChBGbSwRtAd0DyP050CY35dOPW0KblmevyhlCQNOLsx9RzL1ROi
DfpZnC9jaKnuAtdFaEd+ELm8WHV+j0zYL3L4punoM9cfbEQ1CQTyloxpFqnze1Bt
GvwI43c9PMRaRTOBJchzTurhxSxeDDRIm37s+rGCdWp9gF8HMFyBN9vhohdSMZt/
zgtVUbTgAw189mA/W+fJlRcwkW6W1gKe+mSNNQ3cMuFYFucuZ0BzdrStTkz6eG8x
MH57rU8Qj6XjV0L6BKn2WX1peJKvfys=
-----END CERTIFICATE-----

graylog-server Zertifikat erzeugen

Nachdem wir den ersten wichtigen Schritt - Erstellen unserer eigenen CA erfolgreich abgeschlossen haben, können wir uns nun dem zweiten Punkt, der Generierung des graylog-server Zertifikates widmen.

Schlüssel für das Serverzertifikat erzeugen

Nachdem wir nun unsere eigene CA erstellt haben, machen wir uns daran, endlich für unseren Server ein Zertifikat herausgeben. Hierzu erzeugen wir uns wieder als erstes einen 4096 Bit langen RSA Schlüssel, den wir mit AES 256 verschlüsselt auf der Platte abgelegt lassen. Da OpenSSL keine leere Passphrase zulässt braucht die Passphrase diesmal nicht sonderlich geheim sein, da wir diese im Anschluss ohnehin sofort wieder entfernen werden.

Die Eingaben sind auch hier zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl genrsa -out /etc/pki/tls/serverkey.pem -aes256 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................................................................................................++
........................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for serverkey.pem: 12qwasyx
Verifying - Enter pass phrase for serverkey.pem: 12qwasyx

Wie schon erwähnt, entfernen wir die Passphrase nun wieder, in dem wir bei der Frage Enter pass phrase: einfach die Taste [ENTER] drücken.

# openssl rsa -in /etc/pki/tls/serverkey.pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem
Enter pass phrase:
writing RSA key

Wie schon zuvor schützen wir auch hier den Serverschlüssel über die Dateirechte.

# chmod 400 /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem

Da wir die Schlüsseldatei mit der unsicheren Passphrase nicht mehr benötigen, vernichten wir die zugehörige Datei.

# shred -u /etc/pki/tls/serverkey.pem

Wichtig:
Damit graylog den soeben erzeugten Schlüssel später auch laden kann, müssen wir diesen erst noch in das passende PKCS #8 Format konvertiert werden. Ein Versuch den originären PKCS #1 Schlüssel zu laden würde andernfalls graylog mit folgendem Fehler quittieren.

2015-12-23T23:42:21.666+01:00 WARN  [AbstractNioSelector] Failed to initialize an accepted socket.
java.lang.IllegalArgumentException: Unsupported key type PKCS#1, please convert to PKCS#8

Wir konvertieren also noch den Schlüssel in das passende Format mit folgendem openssl Kommando.

# openssl pkcs8 -topk8 -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \
          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem \
          -outform pem -nocrypt

Graylog selbst läuft mit den Nutzerrechten des Users graylog; wir müssen also auch noch dafür sorgen, dass der User graylog den Schlüssel auch lesen darf. Wir ändern daher die Berechtigungen wie folgt:

# chown graylog.root /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem

CSR erstellen

Nachdem wir unseren privaten Schlüssel erzeugt haben, können wir uns nun unserem CSR9) widmen. Wie schon zuvor, sind die Eingaben auch hier zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl req -new -key /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \
              -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.csr.pem -nodes

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bayern
Locality Name (eg, city) [Default City]:Pliening
Organization Name (eg, company) [Default Company Ltd]:nausch.org
Organizational Unit Name (eg, section) []:IT-Monitoring
Common Name (eg, your name or your server's hostname) []:graylog-server.dmz.nausch.org
Email Address []:graylog-admin@nausch.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

CSR ausgeben

Möchten wir den Inhalt unseres Certificate Signing Request ausgeben und ansehen, verwenden wir den folgenden openssl-Aufruf.

 # openssl req -noout -text -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.csr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=IT-Monitoring, CN=graylog-server.dmz.nausch.org/emailAddress=graylog-admin@nausch.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a4:89:62:85:af:56:b3:04:0c:34:86:4a:e3:b8:
                    6a:f4:23:6c:7f:bc:4c:a6:4e:cd:2e:fe:38:ad:74:
                    19:a1:de:cb:36:fa:c4:b4:85:31:1e:62:05:a5:f5:
                    f5:f0:7b:94:69:21:b3:48:ae:27:1c:bd:bd:52:2f:
                    9b:ee:ad:cf:5f:fe:e4:0f:a4:8c:0a:91:e0:75:fd:
                    47:e9:11:35:94:bd:86:b5:9e:47:1c:f8:b7:13:c4:
                    60:68:b5:8f:2e:8f:0d:75:fe:7a:41:d8:e7:2b:1e:
                    cb:d7:f2:4f:99:e6:c1:d9:c3:df:07:3b:0b:e4:cd:
                    1f:c3:0b:39:7a:15:38:09:df:a8:29:3c:73:c5:e1:
                    58:50:1e:4b:ef:cb:3c:63:e6:be:d2:ab:54:b7:ce:
                    03:69:3b:1f:d5:80:5a:be:98:af:a3:c9:3f:a8:84:
                    44:21:5d:f5:36:e8:11:ae:3f:7d:51:29:80:51:64:
                    bd:96:ff:32:36:9c:66:1f:9c:8b:4a:f0:f4:0d:50:
                    2b:3b:ea:32:2f:1c:22:0f:ca:87:78:d5:1f:de:4c:
                    45:64:c4:42:ae:d3:bc:47:98:c5:19:15:17:db:d3:
                    e3:1d:4e:84:76:d2:ba:ab:db:97:03:ff:bf:01:d7:
                    21:46:56:09:16:52:58:38:64:d0:8a:9b:7e:ba:5f:
                    9b:ec:f9:67:37:70:66:aa:b2:be:f2:af:ca:70:da:
                    8f:6e:5b:1d:5f:fa:97:da:6e:bf:f3:fb:6b:33:58:
                    74:bd:68:90:7d:21:c2:d3:9c:31:37:f1:88:f8:95:
                    8c:6e:68:ce:6c:71:83:35:8b:97:d8:94:78:fa:d7:
                    d7:c5:bd:26:6f:30:28:ac:0c:08:5e:9b:98:f7:4c:
                    7b:48:8c:a8:3c:2a:9a:01:d0:51:7f:9d:8b:a3:5b:
                    09:a2:60:42:81:fc:18:c1:53:56:9f:78:d5:3b:96:
                    94:59:70:b7:44:a1:f9:8f:88:22:55:9e:e6:67:e4:
                    4f:b5:8b:dd:e2:7c:a7:09:b9:52:91:23:2b:7f:13:
                    5c:2b:f1:05:54:a6:a4:85:df:6c:fd:4e:0b:6f:96:
                    53:2a:01:e4:fa:af:2d:3e:af:93:c4:05:88:d4:be:
                    99:74:d1:be:b7:2d:e4:bc:20:3d:34:36:e4:0e:35:
                    fc:d3:71:58:60:ec:91:b7:2b:35:76:4d:ae:ea:49:
                    ac:4b:64:93:01:ce:3a:38:ea:38:8c:2f:5a:8e:af:
                    d3:7f:aa:e4:17:0a:87:e4:92:94:06:2f:ca:b9:67:
                    20:7d:dc:65:f1:ff:f7:2b:a8:8c:55:71:d4:26:e0:
                    c8:87:c8:1c:8f:0d:42:77:1c:8f:31:8a:b1:66:4c:
                    18:88:79
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha512WithRSAEncryption
         2b:35:c6:1e:b4:d6:d6:3d:91:60:1a:e1:05:f8:00:dc:82:e6:
         5b:4c:71:dc:3a:46:f2:8e:78:ba:3b:6c:2f:f7:fa:79:c5:e1:
         8c:82:08:bf:3c:69:77:57:b6:a5:39:73:63:2b:a1:04:5b:1c:
         24:c1:ba:55:59:d5:13:18:c1:88:02:e1:b1:82:c9:de:77:08:
         41:d1:1d:72:e2:67:21:25:e5:43:de:3c:2e:13:ed:bc:a5:d1:
         8d:d2:e5:71:37:b3:d1:4d:92:90:4f:71:b1:1f:e7:01:c0:66:
         8c:7a:7b:29:5f:2d:96:f6:9e:bb:77:56:23:3d:5e:76:56:13:
         db:1f:88:54:ce:58:f1:4b:bf:b3:b2:33:7f:b8:a8:79:2d:01:
         76:85:18:7f:7d:40:bf:da:05:cf:07:86:43:df:6f:58:56:f7:
         fc:a7:6c:b0:33:95:33:05:be:6f:d8:c0:cc:33:2f:3d:a0:a0:
         7e:0a:5b:27:98:47:ab:44:2c:2a:bb:29:4f:de:70:27:24:59:
         b4:d0:98:08:a8:c8:22:f3:fb:de:7d:d2:5a:e9:8c:8f:3f:c8:
         14:47:2b:7e:e3:82:89:98:f7:4c:11:39:59:a3:82:26:e9:24:
         e3:b2:9a:e0:73:11:01:aa:44:4f:12:6a:da:7e:ec:e8:6d:5d:
         fd:66:04:3f:f6:d6:2e:07:64:1d:3f:38:56:b4:6e:28:73:6a:
         e8:57:ca:27:99:12:51:17:03:f5:41:02:de:ba:b0:cb:29:8e:
         28:eb:2b:61:81:9e:8f:d3:aa:9c:63:d5:e4:09:e0:1c:43:96:
         3a:95:60:62:69:d2:38:45:ad:e2:26:0a:83:3c:13:16:e1:53:
         8d:bc:e1:9e:6f:8a:a5:fd:c1:ac:8e:8b:01:66:e8:ff:51:8c:
         a0:c1:82:7c:2b:60:09:be:12:72:8b:a7:f7:29:e4:95:f0:02:
         17:f8:6a:3d:82:a2:e8:f2:52:d5:ac:2d:14:f2:f9:63:04:e1:
         e0:1a:2f:98:4e:95:31:36:43:d4:b2:22:79:2c:7e:0a:a8:dd:
         f7:4b:86:2c:13:d4:c5:86:8f:ca:4f:18:13:3d:7c:6a:81:69:
         35:76:fd:31:f7:ec:55:c7:57:08:9f:bf:b5:4c:36:8a:34:ab:
         7a:79:91:be:11:da:e9:a0:58:a8:a6:9d:3d:5b:26:5c:7c:c4:
         0d:ab:80:5b:15:ee:61:d9:a5:63:cb:ea:6b:fb:16:41:01:64:
         dc:b3:fd:43:1c:8b:86:a8:6d:45:49:fd:67:75:7a:73:43:9d:
         55:db:90:d4:82:41:de:3a:c5:cf:1b:52:8c:59:0a:6a:6e:b6:
         7e:7d:ed:ea:45:6d:8e:11

Wie auch schon beim Root CA Zertifikat können wir uns auch den CSR BASE64 kodiert ausgeben lassen.

 # cat /etc/pki/tls/private/graylog-server.dmz.nausch.org.csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIE9TCCAt0CAQAwga8xCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAP
BgNVBAcMCFBsaWVuaW5nMRMwEQYDVQQKDApuYXVzY2gub3JnMRYwFAYDVQQLDA1J
VC1Nb25pdG9yaW5nMSYwJAYDVQQDDB1ncmF5bG9nLXNlcnZlci5kbXoubmF1c2No
Lm9yZzEnMCUGCSqGSIb3DQEJARYYZ3JheWxvZy1hZG1pbkBuYXVzY2gub3JnMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApIliha9WswQMNIZK47hq9CNs
f7xMpk7NLv44rXQZod7LNvrEtIUxHmIFpfX18HuUaSGzSK4nHL29Ui+b7q3PX/7k
D6SMCpHgdf1H6RE1lL2GtZ5HHPi3E8RgaLWPLo8Ndf56QdjnKx7L1/JPmebB2cPf
BzsL5M0fwws5ehU4Cd+oKTxzxeFYUB5L78s8Y+a+0qtUt84DaTsf1YBavpivo8k/
qIREIV31NugRrj99USmAUWS9lv8yNpxmH5yLSvD0DVArO+oyLxwiD8qHeNUf3kxF
ZMRCrtO8R5jFGRUX29PjHU6EdtK6q9uXA/+/AdchRlYJFlJYOGTQipt+ul+b7Pln
N3BmqrK+8q/KcNqPblsdX/qX2m6/8/trM1h0vWiQfSHC05wxN/GI+JWMbmjObHGD
NYuX2JR4+tfXxb0mbzAorAwIXpuY90x7SIyoPCqaAdBRf52Lo1sJomBCgfwYwVNW
n3jVO5aUWXC3RKH5j4giVZ7mZ+RPtYvd4nynCblSkSMrfxNcK/EFVKakhd9s/U4L
b5ZTKgHk+q8tPq+TxAWI1L6ZdNG+ty3kvCA9NDbkDjX803FYYOyRtys1dk2u6kms
S2STAc46OOo4jC9ajq/Tf6rkFwqH5JKUBi/KuWcgfdxl8f/3K6iMVXHUJuDIh8gc
jw1CdxyPMYqxZkwYiHkCAwEAAaAAMA0GCSqGSIb3DQEBDQUAA4ICAQArNcYetNbW
PZFgGuEF+ADcguZbTHHcOkbyjni6O2wv9/p5xeGMggi/PGl3V7alOXNjK6EEWxwk
wbpVWdUTGMGIAuGxgsnedwhB0R1y4mchJeVD3jwuE+28pdGN0uVxN7PRTZKQT3Gx
H+cBwGaMenspXy2W9p67d1YjPV52VhPbH4hUzljxS7+zsjN/uKh5LQF2hRh/fUC/
2gXPB4ZD329YVvf8p2ywM5UzBb5v2MDMMy89oKB+ClsnmEerRCwquylP3nAnJFm0
0JgIqMgi8/vefdJa6YyPP8gURyt+44KJmPdMETlZo4Im6STjsprgcxEBqkRPEmra
fuzobV39ZgQ/9tYuB2QdPzhWtG4oc2roV8onmRJRFwP1QQLeurDLKY4o6ythgZ6P
06qcY9XkCeAcQ5Y6lWBiadI4Ra3iJgqDPBMW4VONvOGeb4ql/cGsjosBZuj/UYyg
wYJ8K2AJvhJyi6f3KeSV8AIX+Go9gqLo8lLVrC0U8vljBOHgGi+YTpUxNkPUsiJ5
LH4KqN33S4YsE9TFho/KTxgTPXxqgWk1dv0x9+xVx1cIn7+1TDaKNKt6eZG+Edrp
oFiopp09WyZcfMQNq4BbFe5h2aVjy+pr+xZBAWTcs/1DHIuGqG1FSf1ndXpzQ51V
25DUgkHeOsXPG1KMWQpqbrZ+fe3qRW2OEQ==
-----END CERTIFICATE REQUEST-----

CSR bei CA zum Signieren vorlegen

Damit unsere CA den gerade erstellten CSR prüfen und signieren kann, müssen wir den Certificate Signing Request der CA vorlegen. Im Fall unsere graylog-Server Zertificates können wir die CSR-Datei einfach an Ort und Stelle kopieren.

 # cp /etc/pki/tls/private/graylog-server.dmz.nausch.org.csr.pem /etc/pki/CA/csrs/

CSR durch die CA prüfen und signieren

Nun prüfen wir die Angaben des CSR und signieren den öffentlichen Schlüssel des CSRs mit dem privaten Schlüssel unserer CA; dies wir auch als Zertifikatsgenerierung bezeichnet. Diese Arbeit erledigen wir mit Hilfe des folgenden openssl-Aufrufs. Auch hier sind die Eingaben zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl ca -in /etc/pki/CA/csrs/graylog-server.dmz.nausch.org.csr.pem \
              -out /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem -days 10950

Die Option days setzen wir dabei auf die bereits erwähnten 30 Jahre, was 10950 Tage entspricht. Bei der Frage nach der Passphrase des privaten Schlüssels geben wir das Passwort an, welches wir bei der Generierung unserer CA vergeben hatten.

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:des-woas-blos-I-und-sunst-koana!
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jan  3 23:24:25 2016 GMT
            Not After : Dec 26 23:24:25 2045 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            organizationName          = nausch.org
            organizationalUnitName    = IT-Monitoring
            commonName                = graylog-server.dmz.nausch.org
            emailAddress              = graylog-admin@nausch.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                7A:F2:41:CE:1C:E7:CE:06:CB:30:00:AD:69:2D:6B:42:79:D7:9F:4D
            X509v3 Authority Key Identifier: 
                keyid:F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E

Certificate is to be certified until Dec 26 23:24:25 2045 GMT (10950 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

erstellte Zertifikat dem graylog-server zur Verfügung stellen

Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Hierzu kopieren wir einfach das gerade generierte Zertifikat an Ort und Stelle.

 # cp /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem /etc/pki/tls/certs/

Zertifikat ausgeben

Wollen wir den Inhalt unseres gerade erstellten Zertifikates ausgeben, können wir folgenden openssl-Aufruf verwenden.

 # openssl x509 -noout -text -in /etc/pki/tls/certs/graylog-server.dmz.nausch.org.certificate.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=Zertifizierungsstelle, CN=graylog CA/emailAddress=ca-admin@nausch.org
        Validity
            Not Before: Jan  3 23:24:25 2016 GMT
            Not After : Dec 26 23:24:25 2045 GMT
        Subject: C=DE, ST=Bayern, O=nausch.org, OU=IT-Monitoring, CN=graylog-server.dmz.nausch.org/emailAddress=graylog-admin@nausch.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a4:89:62:85:af:56:b3:04:0c:34:86:4a:e3:b8:
                    6a:f4:23:6c:7f:bc:4c:a6:4e:cd:2e:fe:38:ad:74:
                    19:a1:de:cb:36:fa:c4:b4:85:31:1e:62:05:a5:f5:
                    f5:f0:7b:94:69:21:b3:48:ae:27:1c:bd:bd:52:2f:
                    9b:ee:ad:cf:5f:fe:e4:0f:a4:8c:0a:91:e0:75:fd:
                    47:e9:11:35:94:bd:86:b5:9e:47:1c:f8:b7:13:c4:
                    60:68:b5:8f:2e:8f:0d:75:fe:7a:41:d8:e7:2b:1e:
                    cb:d7:f2:4f:99:e6:c1:d9:c3:df:07:3b:0b:e4:cd:
                    1f:c3:0b:39:7a:15:38:09:df:a8:29:3c:73:c5:e1:
                    58:50:1e:4b:ef:cb:3c:63:e6:be:d2:ab:54:b7:ce:
                    03:69:3b:1f:d5:80:5a:be:98:af:a3:c9:3f:a8:84:
                    44:21:5d:f5:36:e8:11:ae:3f:7d:51:29:80:51:64:
                    bd:96:ff:32:36:9c:66:1f:9c:8b:4a:f0:f4:0d:50:
                    2b:3b:ea:32:2f:1c:22:0f:ca:87:78:d5:1f:de:4c:
                    45:64:c4:42:ae:d3:bc:47:98:c5:19:15:17:db:d3:
                    e3:1d:4e:84:76:d2:ba:ab:db:97:03:ff:bf:01:d7:
                    21:46:56:09:16:52:58:38:64:d0:8a:9b:7e:ba:5f:
                    9b:ec:f9:67:37:70:66:aa:b2:be:f2:af:ca:70:da:
                    8f:6e:5b:1d:5f:fa:97:da:6e:bf:f3:fb:6b:33:58:
                    74:bd:68:90:7d:21:c2:d3:9c:31:37:f1:88:f8:95:
                    8c:6e:68:ce:6c:71:83:35:8b:97:d8:94:78:fa:d7:
                    d7:c5:bd:26:6f:30:28:ac:0c:08:5e:9b:98:f7:4c:
                    7b:48:8c:a8:3c:2a:9a:01:d0:51:7f:9d:8b:a3:5b:
                    09:a2:60:42:81:fc:18:c1:53:56:9f:78:d5:3b:96:
                    94:59:70:b7:44:a1:f9:8f:88:22:55:9e:e6:67:e4:
                    4f:b5:8b:dd:e2:7c:a7:09:b9:52:91:23:2b:7f:13:
                    5c:2b:f1:05:54:a6:a4:85:df:6c:fd:4e:0b:6f:96:
                    53:2a:01:e4:fa:af:2d:3e:af:93:c4:05:88:d4:be:
                    99:74:d1:be:b7:2d:e4:bc:20:3d:34:36:e4:0e:35:
                    fc:d3:71:58:60:ec:91:b7:2b:35:76:4d:ae:ea:49:
                    ac:4b:64:93:01:ce:3a:38:ea:38:8c:2f:5a:8e:af:
                    d3:7f:aa:e4:17:0a:87:e4:92:94:06:2f:ca:b9:67:
                    20:7d:dc:65:f1:ff:f7:2b:a8:8c:55:71:d4:26:e0:
                    c8:87:c8:1c:8f:0d:42:77:1c:8f:31:8a:b1:66:4c:
                    18:88:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                7A:F2:41:CE:1C:E7:CE:06:CB:30:00:AD:69:2D:6B:42:79:D7:9F:4D
            X509v3 Authority Key Identifier: 
                keyid:F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E

    Signature Algorithm: sha512WithRSAEncryption
         ba:96:c5:fd:9d:1d:22:78:e3:1b:f4:c0:90:73:0c:7e:d6:e8:
         2f:ad:92:75:3a:8c:18:37:7b:74:2d:ba:01:dd:4f:e2:07:f0:
         6c:d2:e2:0b:a6:7f:67:f5:16:98:96:8a:71:fd:bd:ad:a2:5c:
         07:40:23:4e:e1:0d:da:b4:61:cc:83:56:a9:89:56:4b:69:a1:
         cb:ae:f2:bc:14:7a:c4:8e:15:da:f6:43:77:42:f2:42:da:82:
         a1:63:16:4d:d4:8a:86:00:54:71:98:c9:2e:4f:df:e5:19:26:
         7a:86:f3:62:88:81:64:75:8c:d0:1c:32:40:53:46:6c:cb:c0:
         61:7b:7a:58:be:09:e6:06:00:88:d6:23:f9:f3:9f:ac:61:2c:
         c3:f1:62:c2:25:09:91:d5:3b:11:47:47:e5:d3:ed:a7:11:99:
         d2:7e:af:b1:0d:ec:e0:7e:2b:ba:34:e6:c3:32:16:cc:81:70:
         fd:37:a0:ee:8d:2d:48:2c:47:43:fc:9d:3a:b6:8d:8d:2c:c2:
         68:2e:46:69:76:b7:33:a3:9b:56:ea:85:e4:93:62:1f:2a:3d:
         54:d9:38:46:e4:d6:91:0f:88:63:b1:4c:0f:d7:3f:3e:db:cb:
         dd:1b:18:9e:d1:19:a3:bd:a0:53:1f:c1:ac:d7:cf:2a:5a:29:
         ef:d2:8b:85:b0:91:6e:69:22:9d:bc:11:42:e4:d1:bd:85:85:
         f9:cf:e9:52:b0:52:75:10:4b:9b:84:f2:e5:fb:15:36:36:41:
         9b:0e:b2:d6:d4:7e:83:31:a3:b2:32:9d:39:5f:66:67:73:52:
         56:f0:66:d2:b5:9e:75:38:27:e8:85:4a:b3:bb:20:92:94:04:
         02:c8:d2:fb:24:67:48:6f:24:4e:6e:a4:b1:d6:ef:cf:e3:9a:
         e9:37:f2:73:32:b2:e5:be:e9:0c:52:1e:28:e5:c2:21:e7:b6:
         fc:52:88:15:a5:b2:0a:34:f3:de:89:1b:72:7c:1a:c6:55:3f:
         e3:43:24:62:8a:00:e3:9a:f9:02:7b:4e:77:0a:83:16:07:60:
         f6:21:b1:ee:47:4f:be:78:5a:36:38:c6:89:36:20:8a:d3:c0:
         f2:28:6d:db:4d:81:4b:2b:08:55:ed:23:e8:a7:e1:8f:46:9d:
         29:24:cb:bb:ca:bc:10:58:49:e3:bc:11:b3:55:35:ec:25:f7:
         66:2f:d9:c8:62:f2:d6:5a:c2:ff:b5:a3:ba:bd:5a:7d:05:59:
         04:91:98:3b:41:01:ac:2b:d9:20:d8:df:4a:92:dd:a3:82:c3:
         fe:38:3c:fa:f0:65:c0:5c:89:f2:42:47:56:6c:e4:7e:43:dd:
         70:7c:65:a7:52:b3:59:7e

rsyslog Client-Zertifikate

Was uns nun noch für unser Glück fehlt, ist ein Server-Zertifikat für den rsyslog-Daemon; dieses werden wir nun noch generieren bzw. erstellen lassen. Im Prinzip unterscheidet sich die Generierung eines rsyslog Client-Zertifikate nicht vom Vorgehen des zuvor erstellten graylog-server Zertifikates.

Im folgenden Konfigurationsbeispiel werden wir für den Host vml.dmz.nausch.org ein Clientzertifikat erstellen.

Schlüssel für das Clientzertifikat erzeugen

Wie auch schon beim graylog-server Zertifikat erzeugen wir uns zunächst einen 4096 Bit langen RSA Schlüssel, den wir mit AES 256 verschlüsselt auf der Platte abgelegt lassen. Da OpenSSL keine leere Passphrase zulässt braucht die Passphrase diesmal nicht sonderlich geheim sein, da wir diese im Anschluss ohnehin sofort wieder entfernen werden.

Die Eingaben sind auch hier zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl genrsa -out /etc/pki/tls/clientkey.pem -aes256 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................................................................................................++
........................................................................................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for clientkey.pem: 12qwasyx
Verifying - Enter pass phrase for clientkey.pem: 12qwasyx

Anschließend entfernen wir die Passphrase nun wieder, in dem wir bei der Frage Enter pass phrase: einfach die Taste [ENTER] drücken.

# openssl rsa -in /etc/pki/tls/clientkey.pem -out /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem
Enter pass phrase:
writing RSA key

Wie schon zuvor schützen wir auch hier den Serverschlüssel über die Dateirechte.

# chmod 400 /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem

Da wir die Schlüsseldatei mit der unsicheren Passphrase nicht mehr benötigen, vernichten wir die zugehörige Datei.

# shred -u /etc/pki/tls/clientkey.pem

CSR erstellen

Nachdem wir unseren privaten Schlüssel erzeugt haben, können wir uns nun unserem CSR10) widmen. Wie schon zuvor, sind die Eingaben auch hier zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl req -new -key /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem \
              -out /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.csr.pem -nodes

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:Bayern
Locality Name (eg, city) [Default City]:Pliening
Organization Name (eg, company) [Default Company Ltd]:nausch.org
Organizational Unit Name (eg, section) []:IT-Monitoring
Common Name (eg, your name or your server's hostname) []:rsyslog.vml000037.dmz.nausch.org
Email Address []:graylog-admin@nausch.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

CSR ausgeben

Möchten wir den Inhalt unseres Certificate Signing Request ausgeben und ansehen, verwenden wir den folgenden openssl-Aufruf.

 # openssl req -noout -text -in /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.csr.pem
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=IT-Monitoring, CN=rsyslog.vml000037.dmz.nausch.org/emailAddress=graylog-admin@nausch.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ea:65:5c:9a:3b:3e:a9:2d:7f:f1:a5:9f:b3:e3:
                    cd:a4:53:fb:70:30:fd:c8:be:00:fd:04:2a:08:f4:
                    ea:d2:69:66:02:2d:c5:d9:b8:53:8d:d9:5a:7c:fd:
                    7a:92:12:4c:ab:83:ce:7a:8a:d3:0e:60:16:87:a0:
                    a6:21:5e:96:2b:36:87:e9:85:f1:1b:fe:56:87:e3:
                    6e:30:40:9e:f7:f8:f2:8f:05:fa:57:d0:fb:10:94:
                    a4:2e:16:ed:55:cb:22:61:e3:ac:4c:13:6c:70:da:
                    e6:8b:8b:54:f6:4e:d4:58:5a:18:06:f1:61:20:98:
                    0f:dc:4c:30:4e:ef:c4:b3:0c:63:93:82:4a:89:98:
                    2e:6b:ae:75:c7:3a:c9:60:25:ac:58:fc:da:d4:83:
                    35:c6:96:2c:d9:6f:5e:0c:9f:9d:7a:f2:2e:ab:f0:
                    06:5b:f5:4a:74:62:02:83:9a:76:e3:04:db:9f:ee:
                    40:d5:03:ad:45:0d:69:be:39:f4:00:75:db:4d:f0:
                    e9:56:7b:e5:3e:3e:63:69:23:c9:b4:0a:e2:d1:cd:
                    56:76:41:8b:43:f3:fc:2e:01:ca:21:16:7d:a9:24:
                    e5:65:9d:21:bc:64:bc:dd:e1:f7:89:33:28:38:4e:
                    09:7c:5d:7c:ec:1f:67:5a:c0:ac:3d:b2:32:9a:73:
                    cc:f2:c5:41:4c:17:b7:75:ca:ad:76:37:7e:a6:f2:
                    85:10:c5:e3:ee:95:94:b2:d2:51:cc:59:96:ca:e4:
                    0f:96:c1:7b:89:42:50:61:01:6c:33:32:33:9d:72:
                    57:a2:45:92:f0:bd:f7:47:6f:c1:51:c0:b9:05:fd:
                    a9:af:a8:6c:f6:9b:1a:a5:e4:2b:34:0b:62:04:b7:
                    c3:89:aa:83:5a:5c:82:b0:d1:72:ac:0b:e0:e4:94:
                    3c:44:0b:95:e9:a5:97:96:ee:e9:38:b9:92:74:89:
                    93:31:a6:5e:ca:dd:f8:d9:f8:ea:ff:b3:62:4a:45:
                    aa:1c:35:05:fc:2c:36:da:b2:59:af:82:69:2c:d7:
                    4d:6c:df:2e:fc:c1:4a:f6:e1:f9:57:b7:83:b3:b1:
                    4e:48:36:1e:57:94:65:1e:a9:3f:96:56:03:21:46:
                    02:dc:4a:54:46:f0:99:25:9c:c8:bf:25:8a:d6:1f:
                    ba:fd:ab:70:cd:96:cc:28:36:3b:66:b0:fb:48:47:
                    59:78:69:5b:69:6c:a9:ca:a1:23:56:7a:47:f7:49:
                    cf:25:b5:1d:37:83:84:fe:f9:8a:be:ff:be:e5:93:
                    9c:c0:05:99:d3:14:a6:ce:23:dc:75:ce:0c:a5:e3:
                    40:cf:f9:10:a6:40:93:1f:25:51:f6:7f:5c:a4:74:
                    b7:b3:39
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         dd:25:b7:55:94:ae:7d:24:9a:5e:4d:84:e8:bc:12:37:20:a2:
         64:f9:fd:15:83:9a:a1:59:72:fe:2a:2b:df:f8:f3:11:f0:0a:
         e0:b9:0e:ae:b8:93:ed:a3:3c:48:06:5a:5a:74:6d:62:c9:9d:
         f8:22:de:9b:5e:39:bd:a2:09:fa:9f:bd:3e:1d:87:37:f3:2f:
         9f:35:9a:5e:b0:c6:7a:66:0c:86:4f:f3:6c:5b:fb:4b:25:9f:
         83:ec:64:e2:43:ad:51:91:b7:56:eb:fc:00:4e:b4:36:0a:2f:
         3d:c7:53:67:e6:b0:8d:11:68:dd:19:b5:ee:25:d9:d8:0c:49:
         21:57:28:ec:ca:c8:ea:09:85:3b:14:54:72:73:58:5a:e3:4c:
         21:3e:d6:e6:b4:7d:25:1a:31:ec:a1:d8:c7:31:bc:fb:44:1d:
         2f:69:91:1a:11:8e:02:63:bf:f4:8f:ca:fc:45:3c:ef:a1:31:
         54:4e:9f:c3:b2:ab:68:69:69:93:ac:17:02:5c:ad:70:9f:73:
         98:ba:12:61:1e:94:d1:92:8a:8b:93:b0:f6:74:58:39:f8:96:
         26:7a:ba:fc:48:63:09:95:21:ee:8e:36:5f:c7:ce:5b:61:1c:
         6b:ed:75:a1:b1:9a:74:64:29:6d:03:64:7b:6e:8a:b5:5d:83:
         62:ce:54:96:c5:47:68:7a:63:2a:8c:3c:3c:5f:54:3a:4f:51:
         a7:ae:49:e8:a4:31:6e:58:34:97:74:9f:6d:72:c1:55:23:ea:
         75:7f:23:8b:0e:cb:f7:71:a0:11:64:50:c7:1e:3f:0f:1b:cd:
         4d:d9:3b:79:6c:a4:39:8a:94:72:33:61:5a:fb:07:8a:0c:02:
         73:77:72:c2:9d:6c:a6:d4:b9:32:e2:9a:6e:dc:ff:33:df:ee:
         75:ff:4d:b8:0c:ee:11:ac:a5:f6:39:cb:9b:b2:9b:98:db:db:
         89:8c:18:13:68:99:90:1d:65:99:21:10:14:b7:91:8f:0c:bd:
         2c:1e:fd:0f:fd:9d:f5:dc:2a:1b:8f:15:37:c0:98:6e:e9:0f:
         0d:96:cb:87:43:c5:1e:7e:28:7e:ca:d7:eb:58:e8:32:34:85:
         29:4c:b1:56:b1:57:c6:e5:72:a6:0a:3b:26:64:af:bc:1f:2f:
         72:ee:c7:50:c5:09:98:57:e6:92:5b:30:8b:f8:05:e5:8c:59:
         1b:53:15:96:dc:4a:de:b2:d0:db:9a:6c:ce:60:38:9c:94:0f:
         3c:21:63:ff:50:f9:a2:c1:64:78:02:fd:52:8c:41:ee:78:27:
         c8:d9:74:1c:31:dd:c2:b5:c9:82:48:2d:e5:e0:f3:e9:51:96:
         1a:c0:d3:58:1b:3c:91:b0

Wie auch schon beim graylog-server Zertifikat können wir uns auch den CSR BASE64 kodiert ausgeben lassen.

 # cat /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIE+DCCAuACAQAwgbIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAP
BgNVBAcMCFBsaWVuaW5nMRMwEQYDVQQKDApuYXVzY2gub3JnMRYwFAYDVQQLDA1J
VC1Nb25pdG9yaW5nMSkwJwYDVQQDDCByc3lzbG9nLnZtbDAwMDAzNy5kbXoubmF1
c2NoLm9yZzEnMCUGCSqGSIb3DQEJARYYZ3JheWxvZy1hZG1pbkBuYXVzY2gub3Jn
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6mVcmjs+qS1/8aWfs+PN
pFP7cDD9yL4A/QQqCPTq0mlmAi3F2bhTjdlafP16khJMq4POeorTDmAWh6CmIV6W
KzaH6YXxG/5Wh+NuMECe9/jyjwX6V9D7EJSkLhbtVcsiYeOsTBNscNrmi4tU9k7U
WFoYBvFhIJgP3EwwTu/Eswxjk4JKiZgua651xzrJYCWsWPza1IM1xpYs2W9eDJ+d
evIuq/AGW/VKdGICg5p24wTbn+5A1QOtRQ1pvjn0AHXbTfDpVnvlPj5jaSPJtAri
0c1WdkGLQ/P8LgHKIRZ9qSTlZZ0hvGS83eH3iTMoOE4JfF187B9nWsCsPbIymnPM
8sVBTBe3dcqtdjd+pvKFEMXj7pWUstJRzFmWyuQPlsF7iUJQYQFsMzIznXJXokWS
8L33R2/BUcC5Bf2pr6hs9psapeQrNAtiBLfDiaqDWlyCsNFyrAvg5JQ8RAuV6aWX
lu7pOLmSdImTMaZeyt342fjq/7NiSkWqHDUF/Cw22rJZr4JpLNdNbN8u/MFK9uH5
V7eDs7FOSDYeV5RlHqk/llYDIUYC3EpURvCZJZzIvyWK1h+6/atwzZbMKDY7ZrD7
SEdZeGlbaWypyqEjVnpH90nPJbUdN4OE/vmKvv++5ZOcwAWZ0xSmziPcdc4MpeNA
z/kQpkCTHyVR9n9cpHS3szkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQDdJbdV
lK59JJpeTYTovBI3IKJk+f0Vg5qhWXL+Kivf+PMR8ArguQ6uuJPtozxIBlpadG1i
yZ34It6bXjm9ogn6n70+HYc38y+fNZpesMZ6ZgyGT/NsW/tLJZ+D7GTiQ61RkbdW
6/wATrQ2Ci89x1Nn5rCNEWjdGbXuJdnYDEkhVyjsysjqCYU7FFRyc1ha40whPtbm
tH0lGjHsodjHMbz7RB0vaZEaEY4CY7/0j8r8RTzvoTFUTp/DsqtoaWmTrBcCXK1w
n3OYuhJhHpTRkoqLk7D2dFg5+JYmerr8SGMJlSHujjZfx85bYRxr7XWhsZp0ZClt
A2R7boq1XYNizlSWxUdoemMqjDw8X1Q6T1GnrknopDFuWDSXdJ9tcsFVI+p1fyOL
Dsv3caARZFDHHj8PG81N2Tt5bKQ5ipRyM2Fa+weKDAJzd3LCnWym1Lky4ppu3P8z
3+51/024DO4RrKX2OcubspuY29uJjBgTaJmQHWWZIRAUt5GPDL0sHv0P/Z313Cob
jxU3wJhu6Q8NlsuHQ8Uefih+ytfrWOgyNIUpTLFWsVfG5XKmCjsmZK+8Hy9y7sdQ
xQmYV+aSWzCL+AXljFkbUxWW3ErestDbmmzOYDiclA88IWP/UPmiwWR4Av1SjEHu
eCfI2XQcMd3CtcmCSC3l4PPpUZYawNNYGzyRsA==
-----END CERTIFICATE REQUEST-----

CSR bei CA zum Signieren vorlegen

Damit unsere CA den gerade erstellten CSR prüfen und signieren kann, müssen wir den Certificate Signing Request der CA vorlegen. Wir kopieren entweder den gerade erstellten CSR via scp zum Server auf dem unsere CA erstellt hatten, oder wir legen die CSR-Datei mit dem Editor direkt auf dem Server ab.

 # vim /etc/pki/CA/csrs/rsyslog.vml000037.dmz.nausch.org.csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIE+DCCAuACAQAwgbIxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAP
BgNVBAcMCFBsaWVuaW5nMRMwEQYDVQQKDApuYXVzY2gub3JnMRYwFAYDVQQLDA1J
VC1Nb25pdG9yaW5nMSkwJwYDVQQDDCByc3lzbG9nLnZtbDAwMDAzNy5kbXoubmF1
c2NoLm9yZzEnMCUGCSqGSIb3DQEJARYYZ3JheWxvZy1hZG1pbkBuYXVzY2gub3Jn
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6mVcmjs+qS1/8aWfs+PN
pFP7cDD9yL4A/QQqCPTq0mlmAi3F2bhTjdlafP16khJMq4POeorTDmAWh6CmIV6W
KzaH6YXxG/5Wh+NuMECe9/jyjwX6V9D7EJSkLhbtVcsiYeOsTBNscNrmi4tU9k7U
WFoYBvFhIJgP3EwwTu/Eswxjk4JKiZgua651xzrJYCWsWPza1IM1xpYs2W9eDJ+d
evIuq/AGW/VKdGICg5p24wTbn+5A1QOtRQ1pvjn0AHXbTfDpVnvlPj5jaSPJtAri
0c1WdkGLQ/P8LgHKIRZ9qSTlZZ0hvGS83eH3iTMoOE4JfF187B9nWsCsPbIymnPM
8sVBTBe3dcqtdjd+pvKFEMXj7pWUstJRzFmWyuQPlsF7iUJQYQFsMzIznXJXokWS
8L33R2/BUcC5Bf2pr6hs9psapeQrNAtiBLfDiaqDWlyCsNFyrAvg5JQ8RAuV6aWX
lu7pOLmSdImTMaZeyt342fjq/7NiSkWqHDUF/Cw22rJZr4JpLNdNbN8u/MFK9uH5
V7eDs7FOSDYeV5RlHqk/llYDIUYC3EpURvCZJZzIvyWK1h+6/atwzZbMKDY7ZrD7
SEdZeGlbaWypyqEjVnpH90nPJbUdN4OE/vmKvv++5ZOcwAWZ0xSmziPcdc4MpeNA
z/kQpkCTHyVR9n9cpHS3szkCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQDdJbdV
lK59JJpeTYTovBI3IKJk+f0Vg5qhWXL+Kivf+PMR8ArguQ6uuJPtozxIBlpadG1i
yZ34It6bXjm9ogn6n70+HYc38y+fNZpesMZ6ZgyGT/NsW/tLJZ+D7GTiQ61RkbdW
6/wATrQ2Ci89x1Nn5rCNEWjdGbXuJdnYDEkhVyjsysjqCYU7FFRyc1ha40whPtbm
tH0lGjHsodjHMbz7RB0vaZEaEY4CY7/0j8r8RTzvoTFUTp/DsqtoaWmTrBcCXK1w
n3OYuhJhHpTRkoqLk7D2dFg5+JYmerr8SGMJlSHujjZfx85bYRxr7XWhsZp0ZClt
A2R7boq1XYNizlSWxUdoemMqjDw8X1Q6T1GnrknopDFuWDSXdJ9tcsFVI+p1fyOL
Dsv3caARZFDHHj8PG81N2Tt5bKQ5ipRyM2Fa+weKDAJzd3LCnWym1Lky4ppu3P8z
3+51/024DO4RrKX2OcubspuY29uJjBgTaJmQHWWZIRAUt5GPDL0sHv0P/Z313Cob
jxU3wJhu6Q8NlsuHQ8Uefih+ytfrWOgyNIUpTLFWsVfG5XKmCjsmZK+8Hy9y7sdQ
xQmYV+aSWzCL+AXljFkbUxWW3ErestDbmmzOYDiclA88IWP/UPmiwWR4Av1SjEHu
eCfI2XQcMd3CtcmCSC3l4PPpUZYawNNYGzyRsA==
-----END CERTIFICATE REQUEST-----

CSR durch die CA prüfen und signieren

Nun prüfen wir die Angaben des CSR und signieren den öffentlichen Schlüssel des CSRs mit dem privaten Schlüssel unserer CA; dies wir auch als Zertifikatsgenerierung bezeichnet. Diese Arbeit erledigen wir mit Hilfe des folgenden openssl-Aufrufs. Auch hier sind die Eingaben zur besseren Unterscheidung fett und kursiv in der Farbe blau und die Rückmeldungen in der Farbe grau gekennzeichnet.

# openssl ca -in /etc/pki/CA/csrs/rsyslog.vml000037.dmz.nausch.org.csr.pem \
              -out /etc/pki/CA/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem -days 10950

Die Option days setzen wir dabei wieder auf 30 Jahre, was 10950 Tage entspricht. Bei der Frage nach der Passphrase des privaten Schlüssels geben wir das Passwort an, welches wir bei der Generierung unserer CA vergeben hatten.

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:des-woas-blos-I-und-sunst-koana!
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  4 10:08:53 2016 GMT
            Not After : Dec 27 10:08:53 2045 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Bayern
            organizationName          = nausch.org
            organizationalUnitName    = IT-Monitoring
            commonName                = rsyslog.vml000037.dmz.nausch.org
            emailAddress              = graylog-admin@nausch.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                93:2E:9C:FB:B3:9D:5B:55:8A:09:81:B4:FB:C2:CA:86:28:9E:EA:88
            X509v3 Authority Key Identifier: 
                keyid:F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E

Certificate is to be certified until Dec 27 10:08:53 2045 GMT (10950 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Zertifikat ausgeben

 # openssl x509 -noout -text -in /etc/pki/CA/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=Bayern, L=Pliening, O=nausch.org, OU=Zertifizierungsstelle, CN=graylog CA/emailAddress=ca-admin@nausch.org
        Validity
            Not Before: Jan  4 10:08:53 2016 GMT
            Not After : Dec 27 10:08:53 2045 GMT
        Subject: C=DE, ST=Bayern, O=nausch.org, OU=IT-Monitoring, CN=rsyslog.vml000037.dmz.nausch.org/emailAddress=graylog-admin@nausch.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ea:65:5c:9a:3b:3e:a9:2d:7f:f1:a5:9f:b3:e3:
                    cd:a4:53:fb:70:30:fd:c8:be:00:fd:04:2a:08:f4:
                    ea:d2:69:66:02:2d:c5:d9:b8:53:8d:d9:5a:7c:fd:
                    7a:92:12:4c:ab:83:ce:7a:8a:d3:0e:60:16:87:a0:
                    a6:21:5e:96:2b:36:87:e9:85:f1:1b:fe:56:87:e3:
                    6e:30:40:9e:f7:f8:f2:8f:05:fa:57:d0:fb:10:94:
                    a4:2e:16:ed:55:cb:22:61:e3:ac:4c:13:6c:70:da:
                    e6:8b:8b:54:f6:4e:d4:58:5a:18:06:f1:61:20:98:
                    0f:dc:4c:30:4e:ef:c4:b3:0c:63:93:82:4a:89:98:
                    2e:6b:ae:75:c7:3a:c9:60:25:ac:58:fc:da:d4:83:
                    35:c6:96:2c:d9:6f:5e:0c:9f:9d:7a:f2:2e:ab:f0:
                    06:5b:f5:4a:74:62:02:83:9a:76:e3:04:db:9f:ee:
                    40:d5:03:ad:45:0d:69:be:39:f4:00:75:db:4d:f0:
                    e9:56:7b:e5:3e:3e:63:69:23:c9:b4:0a:e2:d1:cd:
                    56:76:41:8b:43:f3:fc:2e:01:ca:21:16:7d:a9:24:
                    e5:65:9d:21:bc:64:bc:dd:e1:f7:89:33:28:38:4e:
                    09:7c:5d:7c:ec:1f:67:5a:c0:ac:3d:b2:32:9a:73:
                    cc:f2:c5:41:4c:17:b7:75:ca:ad:76:37:7e:a6:f2:
                    85:10:c5:e3:ee:95:94:b2:d2:51:cc:59:96:ca:e4:
                    0f:96:c1:7b:89:42:50:61:01:6c:33:32:33:9d:72:
                    57:a2:45:92:f0:bd:f7:47:6f:c1:51:c0:b9:05:fd:
                    a9:af:a8:6c:f6:9b:1a:a5:e4:2b:34:0b:62:04:b7:
                    c3:89:aa:83:5a:5c:82:b0:d1:72:ac:0b:e0:e4:94:
                    3c:44:0b:95:e9:a5:97:96:ee:e9:38:b9:92:74:89:
                    93:31:a6:5e:ca:dd:f8:d9:f8:ea:ff:b3:62:4a:45:
                    aa:1c:35:05:fc:2c:36:da:b2:59:af:82:69:2c:d7:
                    4d:6c:df:2e:fc:c1:4a:f6:e1:f9:57:b7:83:b3:b1:
                    4e:48:36:1e:57:94:65:1e:a9:3f:96:56:03:21:46:
                    02:dc:4a:54:46:f0:99:25:9c:c8:bf:25:8a:d6:1f:
                    ba:fd:ab:70:cd:96:cc:28:36:3b:66:b0:fb:48:47:
                    59:78:69:5b:69:6c:a9:ca:a1:23:56:7a:47:f7:49:
                    cf:25:b5:1d:37:83:84:fe:f9:8a:be:ff:be:e5:93:
                    9c:c0:05:99:d3:14:a6:ce:23:dc:75:ce:0c:a5:e3:
                    40:cf:f9:10:a6:40:93:1f:25:51:f6:7f:5c:a4:74:
                    b7:b3:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                93:2E:9C:FB:B3:9D:5B:55:8A:09:81:B4:FB:C2:CA:86:28:9E:EA:88
            X509v3 Authority Key Identifier: 
                keyid:F7:C3:04:70:25:38:2F:02:82:5D:5F:2F:7F:1B:66:97:43:9F:D8:0E

    Signature Algorithm: sha512WithRSAEncryption
         5a:54:5d:08:53:1d:39:ef:85:c0:af:8e:85:bf:c9:b4:03:49:
         b7:dc:4a:42:ab:46:1f:54:d7:8e:6c:cc:70:00:b0:da:c1:8c:
         d8:92:d1:f1:d9:4d:d9:8f:8a:ad:8e:db:56:1b:8c:c2:63:1d:
         c4:06:41:f2:07:cd:e3:09:4a:68:06:9d:42:cb:e7:05:86:93:
         26:8a:aa:11:fe:74:38:e2:27:9a:0f:a8:38:e3:ea:e6:63:a4:
         70:09:7d:01:69:cc:60:f7:c1:32:3a:d6:3d:9a:3d:e1:6f:8e:
         54:a7:bc:fe:de:9a:e1:f7:cb:75:65:c3:2e:39:34:8b:fc:42:
         f2:05:ea:7f:8b:11:90:d7:fc:17:e6:3e:a1:2c:6f:51:89:dc:
         da:60:12:77:99:2e:b3:20:2a:9b:63:b6:2b:83:60:3c:21:2b:
         8d:a7:b6:a1:7c:31:75:08:e9:49:a9:23:60:22:49:b8:26:11:
         74:00:a9:1e:0c:25:5b:0d:e2:1e:30:61:07:ca:6c:7e:10:92:
         d1:19:73:d9:11:53:8c:cc:50:2d:22:23:9d:de:af:02:c8:c0:
         07:d3:2e:42:15:1a:78:76:03:93:8c:d1:3a:50:19:05:e2:c0:
         6b:58:ae:58:96:10:93:6e:08:7f:b2:c1:53:5c:0e:d2:a7:28:
         e3:74:34:ad:d6:e2:5c:3b:6d:8f:a6:ab:69:b0:c8:b9:52:28:
         be:1f:df:2f:b6:e4:e2:e2:b5:b1:c1:e8:b2:cd:ae:01:7c:ee:
         a1:ae:0d:e2:58:f5:cf:d3:61:d9:48:e2:b0:2e:9a:6c:ce:28:
         bf:3d:02:67:48:ee:25:28:01:4b:e5:48:97:88:80:66:82:29:
         cf:55:da:67:1b:b1:6e:99:88:25:92:f6:fc:bc:6f:89:e0:a1:
         ce:b3:55:8e:39:5a:52:12:ca:06:b7:9a:c3:8a:89:a1:43:53:
         cf:70:8a:94:87:2f:42:24:3c:12:e9:87:fa:d3:9e:de:33:28:
         55:8c:9b:f1:aa:b4:4d:ba:7d:de:b7:33:bc:6b:e2:8a:82:d4:
         d8:ae:84:78:90:27:3d:e2:15:da:fe:3a:b4:df:46:38:5c:a8:
         5b:55:81:91:f2:38:20:2a:f9:28:5d:88:9d:b6:b4:d1:4b:07:
         26:a4:ef:ab:fa:e7:e9:34:61:01:8d:77:8d:ae:4b:b7:19:93:
         dd:64:16:90:a0:86:eb:c2:51:a2:0c:a3:91:b5:d8:cb:70:1b:
         f0:42:c8:71:19:60:1f:5e:6a:4f:66:2d:42:75:d2:c2:3f:82:
         b1:3c:c1:5e:67:7b:99:f9:b1:35:16:00:ff:f8:c0:e8:91:8f:
         99:f6:cf:7e:07:2e:48:57
 # cat /etc/pki/CA/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
-----BEGIN CERTIFICATE-----
MIIGNjCCBB6gAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBnzELMAkGA1UEBhMCREUx
DzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwIUGxpZW5pbmcxEzARBgNVBAoMCm5h
dXNjaC5vcmcxHjAcBgNVBAsMFVplcnRpZml6aWVydW5nc3N0ZWxsZTETMBEGA1UE
AwwKZ3JheWxvZyBDQTEiMCAGCSqGSIb3DQEJARYTY2EtYWRtaW5AbmF1c2NoLm9y
ZzAeFw0xNjAxMDQxMDA4NTNaFw00NTEyMjcxMDA4NTNaMIGfMQswCQYDVQQGEwJE
RTEPMA0GA1UECAwGQmF5ZXJuMRMwEQYDVQQKDApuYXVzY2gub3JnMRYwFAYDVQQL
DA1JVC1Nb25pdG9yaW5nMSkwJwYDVQQDDCByc3lzbG9nLnZtbDAwMDAzNy5kbXou
bmF1c2NoLm9yZzEnMCUGCSqGSIb3DQEJARYYZ3JheWxvZy1hZG1pbkBuYXVzY2gu
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6mVcmjs+qS1/8aWf
s+PNpFP7cDD9yL4A/QQqCPTq0mlmAi3F2bhTjdlafP16khJMq4POeorTDmAWh6Cm
IV6WKzaH6YXxG/5Wh+NuMECe9/jyjwX6V9D7EJSkLhbtVcsiYeOsTBNscNrmi4tU
9k7UWFoYBvFhIJgP3EwwTu/Eswxjk4JKiZgua651xzrJYCWsWPza1IM1xpYs2W9e
DJ+devIuq/AGW/VKdGICg5p24wTbn+5A1QOtRQ1pvjn0AHXbTfDpVnvlPj5jaSPJ
tAri0c1WdkGLQ/P8LgHKIRZ9qSTlZZ0hvGS83eH3iTMoOE4JfF187B9nWsCsPbIy
mnPM8sVBTBe3dcqtdjd+pvKFEMXj7pWUstJRzFmWyuQPlsF7iUJQYQFsMzIznXJX
okWS8L33R2/BUcC5Bf2pr6hs9psapeQrNAtiBLfDiaqDWlyCsNFyrAvg5JQ8RAuV
6aWXlu7pOLmSdImTMaZeyt342fjq/7NiSkWqHDUF/Cw22rJZr4JpLNdNbN8u/MFK
9uH5V7eDs7FOSDYeV5RlHqk/llYDIUYC3EpURvCZJZzIvyWK1h+6/atwzZbMKDY7
ZrD7SEdZeGlbaWypyqEjVnpH90nPJbUdN4OE/vmKvv++5ZOcwAWZ0xSmziPcdc4M
peNAz/kQpkCTHyVR9n9cpHS3szkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
FJMunPuznVtVigmBtPvCyoYonuqIMB8GA1UdIwQYMBaAFPfDBHAlOC8Cgl1fL38b
ZpdDn9gOMA0GCSqGSIb3DQEBDQUAA4ICAQBaVF0IUx0574XAr46Fv8m0A0m33EpC
q0YfVNeObMxwALDawYzYktHx2U3Zj4qtjttWG4zCYx3EBkHyB83jCUpoBp1Cy+cF
hpMmiqoR/nQ44ieaD6g44+rmY6RwCX0Bacxg98EyOtY9mj3hb45Up7z+3prh98t1
ZcMuOTSL/ELyBep/ixGQ1/wX5j6hLG9RidzaYBJ3mS6zICqbY7Yrg2A8ISuNp7ah
fDF1COlJqSNgIkm4JhF0AKkeDCVbDeIeMGEHymx+EJLRGXPZEVOMzFAtIiOd3q8C
yMAH0y5CFRp4dgOTjNE6UBkF4sBrWK5YlhCTbgh/ssFTXA7SpyjjdDSt1uJcO22P
pqtpsMi5Uii+H98vtuTi4rWxweiyza4BfO6hrg3iWPXP02HZSOKwLppszii/PQJn
SO4lKAFL5UiXiIBmginPVdpnG7FumYglkvb8vG+J4KHOs1WOOVpSEsoGt5rDiomh
Q1PPcIqUhy9CJDwS6Yf6057eMyhVjJvxqrRNun3etzO8a+KKgtTYroR4kCc94hXa
/jq030Y4XKhbVYGR8jggKvkoXYidtrTRSwcmpO+r+ufpNGEBjXeNrku3GZPdZBaQ
oIbrwlGiDKORtdjLcBvwQshxGWAfXmpPZi1CddLCP4KxPMFeZ3uZ+bE1FgD/+MDo
kY+Z9s9+By5IVw==
-----END CERTIFICATE-----

erstellte Zertifikat dem rsyslog-Daemon auf dem Clientrechner zur Verfügung stellen

Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem rsyslog-Daemon auf dem Client-Rechner zur Verfügung. Entweder kopieren wir das Zertifikat via scp auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab.

 # vim /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
-----BEGIN CERTIFICATE-----
MIIGNjCCBB6gAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBnzELMAkGA1UEBhMCREUx
DzANBgNVBAgMBkJheWVybjERMA8GA1UEBwwIUGxpZW5pbmcxEzARBgNVBAoMCm5h
dXNjaC5vcmcxHjAcBgNVBAsMFVplcnRpZml6aWVydW5nc3N0ZWxsZTETMBEGA1UE
AwwKZ3JheWxvZyBDQTEiMCAGCSqGSIb3DQEJARYTY2EtYWRtaW5AbmF1c2NoLm9y
ZzAeFw0xNjAxMDQxMDA4NTNaFw00NTEyMjcxMDA4NTNaMIGfMQswCQYDVQQGEwJE
RTEPMA0GA1UECAwGQmF5ZXJuMRMwEQYDVQQKDApuYXVzY2gub3JnMRYwFAYDVQQL
DA1JVC1Nb25pdG9yaW5nMSkwJwYDVQQDDCByc3lzbG9nLnZtbDAwMDAzNy5kbXou
bmF1c2NoLm9yZzEnMCUGCSqGSIb3DQEJARYYZ3JheWxvZy1hZG1pbkBuYXVzY2gu
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6mVcmjs+qS1/8aWf
s+PNpFP7cDD9yL4A/QQqCPTq0mlmAi3F2bhTjdlafP16khJMq4POeorTDmAWh6Cm
IV6WKzaH6YXxG/5Wh+NuMECe9/jyjwX6V9D7EJSkLhbtVcsiYeOsTBNscNrmi4tU
9k7UWFoYBvFhIJgP3EwwTu/Eswxjk4JKiZgua651xzrJYCWsWPza1IM1xpYs2W9e
DJ+devIuq/AGW/VKdGICg5p24wTbn+5A1QOtRQ1pvjn0AHXbTfDpVnvlPj5jaSPJ
tAri0c1WdkGLQ/P8LgHKIRZ9qSTlZZ0hvGS83eH3iTMoOE4JfF187B9nWsCsPbIy
mnPM8sVBTBe3dcqtdjd+pvKFEMXj7pWUstJRzFmWyuQPlsF7iUJQYQFsMzIznXJX
okWS8L33R2/BUcC5Bf2pr6hs9psapeQrNAtiBLfDiaqDWlyCsNFyrAvg5JQ8RAuV
6aWXlu7pOLmSdImTMaZeyt342fjq/7NiSkWqHDUF/Cw22rJZr4JpLNdNbN8u/MFK
9uH5V7eDs7FOSDYeV5RlHqk/llYDIUYC3EpURvCZJZzIvyWK1h+6/atwzZbMKDY7
ZrD7SEdZeGlbaWypyqEjVnpH90nPJbUdN4OE/vmKvv++5ZOcwAWZ0xSmziPcdc4M
peNAz/kQpkCTHyVR9n9cpHS3szkCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgB
hvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYE
FJMunPuznVtVigmBtPvCyoYonuqIMB8GA1UdIwQYMBaAFPfDBHAlOC8Cgl1fL38b
ZpdDn9gOMA0GCSqGSIb3DQEBDQUAA4ICAQBaVF0IUx0574XAr46Fv8m0A0m33EpC
q0YfVNeObMxwALDawYzYktHx2U3Zj4qtjttWG4zCYx3EBkHyB83jCUpoBp1Cy+cF
hpMmiqoR/nQ44ieaD6g44+rmY6RwCX0Bacxg98EyOtY9mj3hb45Up7z+3prh98t1
ZcMuOTSL/ELyBep/ixGQ1/wX5j6hLG9RidzaYBJ3mS6zICqbY7Yrg2A8ISuNp7ah
fDF1COlJqSNgIkm4JhF0AKkeDCVbDeIeMGEHymx+EJLRGXPZEVOMzFAtIiOd3q8C
yMAH0y5CFRp4dgOTjNE6UBkF4sBrWK5YlhCTbgh/ssFTXA7SpyjjdDSt1uJcO22P
pqtpsMi5Uii+H98vtuTi4rWxweiyza4BfO6hrg3iWPXP02HZSOKwLppszii/PQJn
SO4lKAFL5UiXiIBmginPVdpnG7FumYglkvb8vG+J4KHOs1WOOVpSEsoGt5rDiomh
Q1PPcIqUhy9CJDwS6Yf6057eMyhVjJvxqrRNun3etzO8a+KKgtTYroR4kCc94hXa
/jq030Y4XKhbVYGR8jggKvkoXYidtrTRSwcmpO+r+ufpNGEBjXeNrku3GZPdZBaQ
oIbrwlGiDKORtdjLcBvwQshxGWAfXmpPZi1CddLCP4KxPMFeZ3uZ+bE1FgD/+MDo
kY+Z9s9+By5IVw==
-----END CERTIFICATE-----

Ein Zertifikat revoken

Will man ein ausgestelltes Zertifikat zurückziehen (revoken) nutzen wir ebenfalls das Programm openssl.

 # openssl ca -revoke /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:
Revoking Certificate 02.
Data Base Updated

Nachdem wir die benötigten Schlüssel und Zertifikate erfolgreich erstellt haben, machen wir uns nun an die Konfiguration des graylog-server.

Speicherort für Client-Zertifikate

Damit der graylog-server die zur Einlieferung von syslog-Daten berechtigten Clients prüfen kann, benötigt dieser ein Verzeichnis, in dem wir die Clientzertifikate ablegen können.

Zunächst erstellen wir uns ein Verzeichnis.

 # mkdir /etc/pki/tls/graylog-client-certs

Anschließend kopieren wir das Clientzertifikat unseres Clientrechners vml000037 in das Clientverzeichnis.

 # cp /etc/pki/CA/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem /etc/pki/tls/graylog-client-certs/

X.509 Dateien

Bevor wir die Konfiguration über die WEB-GUI unseres graylog-Webservers vornehmen, rufen wir uns die benötigten Zertifikate und Schlüssel noch einmal kurz in Erinnerung. So können wir später die Pfadangaben einfach via cut 'n' paste kopieren.

CA Root-Zertifikat

 # ll /etc/pki/CA/certs/root-ca.certifikate.pem 
-rw-r--r--. 1 root root 2167 Jan  3 23:57 /etc/pki/CA/certs/root-ca.certifikate.pem

private Schlüssel zum Zertifikat

 # ll /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem 
-r--------. 1 root root 3243 Jan  4 00:12 /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem

Server-Zertifikat

 # ll /etc/pki/tls/certs/graylog-server.dmz.nausch.org.certificate.pem 
-rw-r--r--. 1 root root 2212 Jan  4 00:32 /etc/pki/tls/certs/graylog-server.dmz.nausch.org.certificate.pem

graylog Input

Nun öffnen wir den zu konfigurierenden Input in der WEB-GUI mit dem Browser unserer Wahl.

 $ firefox https://graylog.nausch.org/system/inputs

Folgende Optionen sind für die TLS-Aktivierung wichtig:

  • Port = 6514
  • TLS cert file (optional) = /etc/pki/tls/certs/graylog-server.dmz.nausch.org.certificate.pem
  • TLS private key file (optional) = /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem
  • TLS client authentication (optional) = required
  • TLS Client Auth Trusted Certs (optional) = /etc/pki/tls/graylog-client-certs
  • Enable TLS (optional) * TCP keepalive (optional)

Bild: graylog Konfiguration Input (TCP/TLS)

Über die Schaltfläche [ Update input ] verlassen und speichern wir unsere Änderungen.

Mit dem Update des Inputs wird auch der Port 6514 geöffnet; dies können wir mit Hilfe von netstat auch abfragen.

 # netstat -tulpen | grep 6514
tcp6       0      0 :::6514                 :::*                    LISTEN      988        9660525    1391/java

iptables Paketfilter

Damit sich unsere Clients auch mit dem Port 6514 verbinden können, benötigen wir eine passende Firewall-Regel, die wir nun noch anlegen müssen.

 # firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="6514" destination address="10.0.0.117/32" accept"
success

Zum Aktivieren führen wir einen reload des firewalld Daemon durch.

 # firewall-cmd --reload

Zu guter letzt prüfen wir nun mit Hilfe von telnet, ob wir uns vom client vml000037 mit dem Port 6514 unseres graylog-servers vml000117 verbinden können

 # telnet vml000117 6514
Trying 10.0.0.117...
Connected to 10.0.0.117.
Escape character is '^]'.

Connection closed by foreign host.

Damit der rsyslog-Daemon TLS-gesicherte Verbindungen aufbauen kann, muss dieser über das Modul lmnsd_gtls verfügen. Dieses Modul ist Bestandteil des RPM-Paketes rsyslog-gnutls.

rsyslog-gnutls Modul installieren

In aller Regel wird das RPM rsyslog-gnutlsnoch nicht installiert sein, so dass wir dieses nun mit Hilfe von yum noch nachholen müssen.

 # yum install rsyslog-gnutls -y

Den Inhalt dieses Paketes können wir wir folgt bei Bedarf ermitteln.

 # rpm -qil rsyslog-gnutls
Name        : rsyslog-gnutls
Version     : 7.4.7
Release     : 12.el7
Architecture: x86_64
Install Date: Sun 03 Jan 2016 02:12:09 PM CET
Group       : System Environment/Daemons
Size        : 33480
License     : (GPLv3+ and ASL 2.0)
Signature   : RSA/SHA256, Wed 25 Nov 2015 04:37:32 PM CET, Key ID 24c6a8a7f4a80eb5
Source RPM  : rsyslog-7.4.7-12.el7.src.rpm
Build Date  : Fri 20 Nov 2015 12:34:35 PM CET
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.rsyslog.com/
Summary     : TLS protocol support for rsyslog
Description :
The rsyslog-gnutls package contains the rsyslog plugins that provide the
ability to receive syslog messages via upcoming syslog-transport-tls
IETF standard protocol.
/usr/lib64/rsyslog/lmnsd_gtls.so

X.509 Dateien

Wie schon bei der Konfiguration des graylog-server's, rufen wir uns auch hier nochmal die benötigten ins Gedächtnis. Lassen sich so so einfache Typo-Fehler bveim Bearbeiten vermeiden.

Root CA Zertifikat

 # ll /etc/pki/CA/certs/root-ca.certifikate.pem
-rw-r--r--. 1 root root 2167 Jan  4 12:18 /etc/pki/CA/certs/root-ca.certifikate.pem

Client-Zertifikat

 # ll /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem 
-rw-r--r--. 1 root root 2216 Jan  4 11:13 /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem

Schlüssel zum Client-Zertifikat

 # ll /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem 
-r--------. 1 root root 3243 Jan  4 10:57 /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem

rsyslog konfigurieren

Nun bearbeiten wir die Konfigurationsdatei unseres rsyslog-Daemon und hinterlegen dort die entsprechenden Pfadangaben zu dem lmnsd_gtls-Modul, der Schlüsseldatei und den Zertifikaten. Die wichtigsten Änderungen sind hier noch einmal zusammengefasst:

  • $DefaultNetstreamDriver gtls
  • $DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
  • $DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
  • $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem
  • $ActionSendStreamDriverAuthMode x509/name
  • $ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
  • $ActionSendStreamDriverMode 1

Alle Änderungen in der Konfigurationsdatei sind mit dem Namen Django : <Datumsstempel> versehen.

 # vim /etc/rsyslog.conf
/etc/rsyslog.conf
# rsyslog configuration file
 
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
 
#### MODULES ####
 
# Django : 2016-01-03
# default: unset
$DefaultNetstreamDriver gtls #make gtls driver the default
 
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
# Django : 2017-09-26
# default: $ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
 
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
 
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
 
 
#### GLOBAL DIRECTIVES ####
 
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
 
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
 
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
 
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
# Django : 2017-09-26
# default: $OmitLocalLogging on
 
# File to store the position in the journal
# Django : 2017-09-26
# default: $IMJournalStateFile imjournal.state
 
# Django : 2016-01-03 - certificate files for TLS
# default: unset
$DefaultNetstreamDriverCAFile   /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
$DefaultNetstreamDriverKeyFile  /etc/pki/tls/private/rsyslog.vml000037.dmz.nausch.org.key.pem
 
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
#          run driver in TLS-only mode
$ActionSendStreamDriverMode 1
 
#### RULES ####
 
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
 
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
 
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
 
 
# Log cron stuff
cron.*                                                  /var/log/cron
 
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
 
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
 
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
 
# Django : 2015-07-14 Logging für OpenLDAP-Server aktiviert
local4.*                                                -/var/log/ldap.log
#
 
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
#
# Django : 2015-06-12
#$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
#*.* @@10.0.0.117:514;GRAYLOGRFC5424
# Django : 2016-01-03
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @@10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
#
# ### end of the forwarding rule ###

Zum Aktivieren der Änderungen führen wir nun einmal einen Reboot des rsyslog-Daemon durch.

 # systemctl restart rsyslog.service

Im Syslog unseres Servers wir der erfolgreiche Neustart des rsyslog-Daemon entsprechend positiv vermerkt.

 # tailf /var/log/messages
Jan  4 12:34:45 vml000037 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="28477" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan  4 12:34:45 vml000037 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="28869" x-info="http://www.rsyslog.com"] start

Rufen wir nun wieder die Web-GUI unseres graylog-Webservers auf, wird sowohl die aktive Verbindung wie auch die bereits übertragenen Daten angezeigt.

 $ firefox https://graylog.nausch.org/system/inputs

Bild: konfigurierter graylog Input Kanal mit TLS

Alles in allem können wir feststellen, dass mit einem überschaubaren Aufwand, die Kommunikation zwischen den rsyslog-Clients und unserem graylog-server sicher und nur noch von authorisierten Quellen gestattet werden kann.

Zertifikatsgenerierung und Clientkonfiguration

Zertifikatserstellung optimieren

Um nun bei der Generierung der Zertifikats-Requests und der Erstellung der zugehörigen Zertifikate nicht jedesmal die benötigten Angaben erneut eintippen zu müssen werden wir nun die wiederkehrenden Informationen in der Konfigurationsdatei /etc/pki/tls/openssl.cnf hinterlegen.

 # vim /etc/pki/tls/openssl.cnf
/etc/pki/tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
 
# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
 
# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids
 
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
 
[ new_oids ]
 
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
 
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
 
####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section
 
####################################################################
[ CA_default ]
 
dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.
 
# Django : 2017-02-14
# default: certificate	= $dir/cacert.pem 	# The CA certificate
certificate	= $dir/certs/root-ca.certifikate.pem
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
# Django : 2017-02-14
# default: private_key	= $dir/private/cakey.pem   # The private key
private_key	= $dir/private/root-ca.key.pem
RANDFILE	= $dir/private/.rand	# private random number file
 
x509_extensions	= usr_cert		# The extentions to add to the cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
 
# Extension copying option: use with caution.
# copy_extensions = copy
 
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext
 
# Django : 2017-02-14
# default: default_days	= 365			# how long to certify for
default_days	= 10950 
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering
 
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match
 
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
 
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
 
####################################################################
[ req ]
# Django : 2017-02-14
# default: default_bits		= 2048
default_bits		= 4096
default_md		= sha256
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
 
# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
 
# req_extensions = v3_req # The extensions to add to a certificate request
 
[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
# Django : 2017-02-14
# default: countryName_default		= XX
countryName_default		= DE
countryName_min			= 2
countryName_max			= 2
 
stateOrProvinceName		= State or Province Name (full name)
# Django : 2017-02-14
# default: #stateOrProvinceName_default	= Default Province
stateOrProvinceName_default	= Bayern
 
localityName			= Locality Name (eg, city)
# Django : 2017-02-14
# default: localityName_default		= Default City
localityName_default		= Pliening 
 
0.organizationName		= Organization Name (eg, company)
# Django : 2017-02-14
# default: 0.organizationName_default	= Default Company Ltd
0.organizationName_default	= nausch.org
 
# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd
 
organizationalUnitName		= Organizational Unit Name (eg, section)
# Django : 2017-02-14
# default: #organizationalUnitName_default	=
organizationalUnitName_default	= IT-Monitoring
 
commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64
 
emailAddress			= Email Address
emailAddress_max		= 64
# Django : 2017-02-14
# default: unset
emailAddress_default		= graylog-admin@nausch.org
 
# SET-ex3			= SET extension number 3
 
[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
 
unstructuredName		= An optional company name
 
[ usr_cert ]
 
# These extensions are added when 'ca' signs a request.
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= server
 
# For an object signing certificate this would be used.
# nsCertType = objsign
 
# For normal client use this is typical
# nsCertType = client, email
 
# and for everything including object signing:
# nsCertType = client, email, objsign
 
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
 
# Copy subject details
# issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
 
[ v3_req ]
 
# Extensions to add to a certificate request
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ v3_ca ]
 
 
# Extensions for a typical CA
 
 
# PKIX recommendation.
 
subjectKeyIdentifier=hash
 
authorityKeyIdentifier=keyid:always,issuer
 
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
 
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
 
# Some might want this also
# nsCertType = sslCA, emailCA
 
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
 
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
 
[ crl_ext ]
 
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
 
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
 
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
 
basicConstraints=CA:FALSE
 
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
 
# This is OK for an SSL server.
# nsCertType			= server
 
# For an object signing certificate this would be used.
# nsCertType = objsign
 
# For normal client use this is typical
# nsCertType = client, email
 
# and for everything including object signing:
# nsCertType = client, email, objsign
 
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"
 
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
 
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
 
# Copy subject details
# issuerAltName=issuer:copy
 
#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
 
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 
####################################################################
[ tsa ]
 
default_tsa = tsa_config1	# the default TSA section
 
[ tsa_config1 ]
 
# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)

Bearbeitungsschritte bei neunen rsyslog Clients

Bei einem neune Client, den wir an unseren graylog Server anbinden wollen, sind nun zusammengefasst folgende Schritte nötig (im nachfolgenden Beispiel für Host vml000137):

  • auf dem graylog Server:
    1. Schlüssel für den rsyslog-Client erzeugen
       # openssl genrsa -out /etc/pki/tls/clientkey.pem -aes256 4096
    2. Passphrase des gerade erzeiugten Client-Schlüssels entfernen
       # openssl rsa -in /etc/pki/tls/clientkey.pem -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
    3. Schlüssel mit passphrase vernichten
       # shred -u /etc/pki/tls/clientkey.pem
    4. Schlüssel auf den Clientrechner transferieren
       # cat /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
       # vim /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
    5. Zertificatsrequest erzeugen
       # openssl req -new -key /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem \
                 -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem -nodes
    6. Zertifikatsrequest der eigenen CA vorlegen.
       # cp -a /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem \
                  /etc/pki/CA/csrs/ 
    7. Zertifikatsrequest durch die CA bearbeiten und Zertifikat erzeugen.
       # openssl ca -in /etc/pki/CA/csrs/rsyslog.vml000137.dmz.nausch.org.csr.pem \
                 -out /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
    8. Zertifikat ausgeben und auf den Client-/rsyslog-Host transferieren.
       # cat /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
       # vim /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
    9. Clientzertifikat dem graylog Server bekannt machden.
       # cp /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem \
                 /etc/pki/tls/graylog-client-certs/
    10. Root CA Zertifikat dem Client zur Verfügung stellen.
       # cat /etc/pki/CA/certs/root-ca.certifikate.pem
       # vim /etc/pki/CA/certs/root-ca.certifikate.pem
    11. rsyslog-gnutls auf dem Client installieren.
       # yum install rsyslog-gnutls -y
    12. originale rsyslog-Konfigurationsdatei sichern.
       # cp -a /etc/rsyslog.conf /etc/rsyslog.conf.orig
    13. rsyslog konfigurieren.
       # vim /etc/rsyslog.conf
      /etc/rsyslog.conf
      # rsyslog configuration file
       
      # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
      # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
       
      #### MODULES ####
       
      # Django : 2017-2-14
      # default: unset
      $DefaultNetstreamDriver gtls #make gtls driver the default
       
      # The imjournal module bellow is now used as a message source instead of imuxsock.
      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      # Django : 2017-09-26
      # default: $ModLoad imjournal # provides access to the systemd journal
      #$ModLoad imklog # reads kernel messages (the same are read from journald)
      #$ModLoad immark  # provides --MARK-- message capability
       
      # Provides UDP syslog reception
      #$ModLoad imudp
      #$UDPServerRun 514
       
      # Provides TCP syslog reception
      #$ModLoad imtcp
      #$InputTCPServerRun 514
       
       
      #### GLOBAL DIRECTIVES ####
       
      # Where to place auxiliary files
      $WorkDirectory /var/lib/rsyslog
       
      # Use default timestamp format
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
       
      # File syncing capability is disabled by default. This feature is usually not required,
      # not useful and an extreme performance hit
      #$ActionFileEnableSync on
       
      # Include all config files in /etc/rsyslog.d/
      $IncludeConfig /etc/rsyslog.d/*.conf
       
      # Turn off message reception via local log socket;
      # local messages are retrieved through imjournal now.
      # Django : 2017-09-26
      # default: $OmitLocalLogging on
       
      # File to store the position in the journal
      # Django : 2017-09-26
      # default: $IMJournalStateFile imjournal.state
       
      # Django : 2017-02-14 - certificate files for TLS
      # default: unset
      $DefaultNetstreamDriverCAFile   /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
      $DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
      $DefaultNetstreamDriverKeyFile  /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
       
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
      #          run driver in TLS-only mode
      $ActionSendStreamDriverMode 1
       
      #### RULES ####
       
      # Log all kernel messages to the console.
      # Logging much else clutters up the screen.
      #kern.*                                                 /dev/console
       
      # Log anything (except mail) of level info or higher.
      # Don't log private authentication messages!
      *.info;mail.none;authpriv.none;cron.none                /var/log/messages
       
      # The authpriv file has restricted access.
      authpriv.*                                              /var/log/secure
       
      # Log all the mail messages in one place.
      mail.*                                                  -/var/log/maillog
       
       
      # Log cron stuff
      cron.*                                                  /var/log/cron
       
      # Everybody gets emergency messages
      *.emerg                                                 :omusrmsg:*
       
      # Save news errors of level crit and higher in a special file.
      uucp,news.crit                                          /var/log/spooler
       
      # Save boot messages also to boot.log
      local7.*                                                /var/log/boot.log
       
       
      # ### begin forwarding rule ###
      # The statement between the begin ... end define a SINGLE forwarding
      # rule. They belong together, do NOT split them. If you create multiple
      # forwarding rules, duplicate the whole block!
      # Remote Logging (we use TCP for reliable delivery)
      #
      # An on-disk queue is created for this action. If the remote host is
      # down, messages are spooled to disk and sent when it is up again.
      #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
      #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
      #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
      #$ActionQueueType LinkedList   # run asynchronously
      #$ActionResumeRetryCount -1    # infinite retries if host is down
      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
      #*.* @@remote-host:514
      #
      # Django : 2017-02-14
      $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
      *.* @10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
      #
      # ### end of the forwarding rule ###
    14. rsyslog-Daemon neu starten zum Aktivieren der Konfigurationsänderung.
       # systemctl restart rsyslog.service

FAZIT:

Mit Hilfe dieser 14 Bearbeitungsschritte kann nicht nur der Übertragungsweg zwischen rsyslog-client und graylog-server abgesichert und sondern auch der Zugriff des Clients auf den zentralen syslog-server geregelt werden.

Mit einfachen Boardmitteln unseres CentOS 7 Servers kann somit ein wesentlicher Beitrag zur Vertraulichkeit und Integrität von syslog-informationen geleistet werden und ein ungesicherte und ungeschützte Übertragung von sensitiven syslog-Informationen sollten der Vergangenheit angehören. Auch wenn der ungeübten Admin diesen Umstand bis jetzt erfolgreich verdrängte!

Links


1)
User Datagram Protocol
2)
Transmission Control Protocol
3) , 5)
Transport Layer Security
4)
Secure Sockets Layer
6)
Certificate Authority
7) , 9) , 10)
Certificate Signing Request
8)
Certification Authority
Cookies helfen bei der Bereitstellung von Inhalten. Durch die Nutzung dieser Seiten erklären Sie sich damit einverstanden, dass Cookies auf Ihrem Rechner gespeichert werden. Weitere Information
  • centos/web_c7/graylog2.txt
  • Zuletzt geändert: 20.04.2018 10:29.
  • (Externe Bearbeitung)