Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:web_c7:graylog2 [16.02.2017 11:08. ] – [/etc/sysconfig/graylog-server] django
+++ centos:web_c7:graylog2 [22.07.2019 14:42. ] (aktuell) – django
@@ Zeile 64: / Zeile 64: @@
   sub  2048R/60D31954 2013-09-16
-Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nicht's mehr entgegen.
+Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nichts mehr entgegen.
    # rpm --import /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
@@ Zeile 70: / Zeile 70: @@
 Graylog selbst werden wir später aus dem Repository von **graylog** installieren. So bleibt zum einen der Konfigurationsaufwand überschaubar und wir werden mit Updates versorgt, wenn Änderungen und/oder Erweiterungen am Programmcode von graylog notwendig werden.
 Die Integration des benötigten Repositories erfolgt direkt mit nachfolgendem Befehl:
-   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm
+   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
-Anschließend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.
+Anschliessend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.
    # vim /etc/yum.repos.d/graylog.repo
 <file bash /etc/yum.repos.d/graylog.repo>[graylog]
 name=graylog
-baseurl=https://packages.graylog2.org/repo/el/stable/2.2/$basearch/
+baseurl=https://packages.graylog2.org/repo/el/stable/2.3/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
@@ Zeile 249: / Zeile 249: @@
 Im nächsten Schritt installieren wir nun noch elasticsearch als Suchmaschine/-server.
    # yum install elasticsearch -y
-Bei der Installation des RPMs werden unter anderem folgende Informationen angegeben:
-<code>...
-Running transaction check
-Running transaction test
-Transaction test succeeded
-Running transaction
-Creating elasticsearch group... OK
-Creating elasticsearch user... OK
-  Installing : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/1
-### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
- sudo systemctl daemon-reload
- sudo systemctl enable elasticsearch.service
-### You can start elasticsearch service by executing
- sudo systemctl start elasticsearch.service
-  Verifying  : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/1
-Installed:
-  elasticsearch.noarch 0:2.4.4-1
-</code>
-Bei dr späteren Konfiguration werden wir diese Schritte dann nachholen.
 Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl.
@@ Zeile 370: / Zeile 347: @@
 /var/log/elasticsearch
 /var/run/elasticsearch</code>
 ==== graylog ====
 Zu guter letzt installieren wir nun noch Pakete **graylog** sowie das Zusatzprogramm **pwgen** zum Generieren von Passwörtern, natürlich auch dieses mal mit Unterstützung von **YUM**.
@@ Zeile 378: / Zeile 356: @@
    # rpm -qil graylog-server
 <code>Name        : graylog-server
-Version     : 2.2.0
+Version     : 2.3.1
-Release     : 11
+Release     : 1
 Architecture: noarch
-Install Date: Wed 15 Feb 2017 04:21:21 PM CET
+Install Date: Wed 27 Sep 2017 11:26:28 AM CEST
 Group       : optional
-Size        : 106769271
+Size        : 110416070
 License     : GPLv3
-Signature   : RSA/SHA1, Thu 09 Feb 2017 12:43:00 PM CET, Key ID d44c1d8db1606f22
+Signature   : RSA/SHA1, Fri 25 Aug 2017 03:57:24 PM CEST, Key ID d44c1d8db1606f22
-Source RPM  : graylog-server-2.2.0-11.src.rpm
+Source RPM  : graylog-server-2.3.1-1.src.rpm
-Build Date  : Thu 09 Feb 2017 12:42:54 PM CET
+Build Date  : Fri 25 Aug 2017 03:57:17 PM CEST
-Build Host  : f89729f86e48
+Build Host  : 5ee9456006b4
 Relocations : /
 Packager    : Graylog, Inc. <hello@graylog.org>
@@ Zeile 407: / Zeile 385: @@
 /usr/share/graylog-server/lib/sigar/libsigar-amd64-linux.so
 /usr/share/graylog-server/lib/sigar/libsigar-x86-linux.so
-/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-beats-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-beats-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-collector-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-collector-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.2.0.jar</code>
+/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.3.1.jar</code>
@@ Zeile 473: / Zeile 451: @@
 </pre></html>
 Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
    # less /var/log/mongodb/mongod.log
@@ Zeile 603: / Zeile 581: @@
   Created symlink from /etc/systemd/system/multi-user.target.wants/setra256.service to /etc/systemd/system/setra256.service.
 === automatischer Start des Daemon ===
@@ Zeile 738: / Zeile 714: @@
 Geben wir ein falsches Passwort ein, wird natürlich der Zugang verwehrt.
-   # mongo -u "graylog-user" -p "7h3FBI15n07ar0ckb4and" 127.0.0.1:27017/graylog
+   # mongo -u "graylog-user" -p "7h3FBI15ar0ckb4and" 127.0.0.1:27017/graylog
   MongoDB shell version: 2.6.12
@@ Zeile 1369: / Zeile 1345: @@
 Anschließend informieren wir den **systemd** über unser "updatesicheres" Startscript.
    systemctl daemon-reload
 === Start des Daemon ===
@@ Zeile 1519: / Zeile 1489: @@
    # vim /etc/graylog/server/server.conf
-<file bash /etc/graylog/server/server.conf># If you are running more than one instances of graylog2-server you have to select one of these
+<file bash /etc/graylog/server/server.conf>############################
+# GRAYLOG CONFIGURATION FILE
+############################
+#
+# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
+# Characters that cannot be directly represented in this encoding can be written using Unicode escapes
+# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
+# For example, \u002c.
+#
+# * Entries are generally expected to be a single line of the form, one of the following:
+#
+# propertyName=propertyValue
+# propertyName:propertyValue
+#
+# * White space that appears between the property name and property value is ignored,
+#   so the following are equivalent:
+#
+# name=Stephen
+# name = Stephen
+#
+# * White space at the beginning of the line is also ignored.
+#
+# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
+#
+# * The property value is generally terminated by the end of the line. White space following the
+#   property value is not ignored, and is treated as part of the property value.
+#
+# * A property value can span several lines if each line is terminated by a backslash (‘\’) character.
+#   For example:
+#
+# targetCities=\
+#         Detroit,\
+#         Chicago,\
+#         Los Angeles
+#
+#   This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
+#
+# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
+#
+# * The backslash character must be escaped as a double backslash. For example:
+#
+# path=c:\\docs\\doc1
+#
+# If you are running more than one instances of Graylog server you have to select one of these
 # instances as master. The master will perform some periodical tasks that non-masters won't perform.
 is_master = true
 # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
-# to use an absolute file path here if you are starting graylog2-server from init scripts or similar.
+# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
 node_id_file = /etc/graylog/server/node-id
 # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
 # Generate one by using for example: pwgen -N 1 -s 96
-# Django : 2015-12-28
+# Django : 2017-02-14
 # default: password_secret =
 password_secret = yCWAd48fvOmR7xAmcKezZ2C0v3mtaXCJjA7NfhBlSf98PTxHrf9SrCQDX2xgjCzrHpxoV5UNOEfQZsOP1gkWkYlDarD75tbtztPhR59O70yZchaJcyQTeHBZllQc8RcT
 # The default root user is named 'admin'
-# Django : 2015-12-28
+# Django : 2017-02-14
 # default: #root_username = admin
-root_username = admin
+root_username = graylog-admin
 # You MUST specify a hash password for the root user (which you only need to initially set up the
 # system and in case you lose connectivity to your authentication backend)
 # This password cannot be changed using the API or via the web interface. If you need to change it,
 # modify it in this file.
 # Create one by using for example: echo -n yourpassword | shasum -a 256
 # and put the resulting hash value into the following line
-# Django : 2015-12-28
+# Django : 2017-02-14
 # default: root_password_sha2 =
 root_password_sha2 = 38337fd07fd4ee02548053d7bed3ee33e3e0c593c2802941e2349fc52e80b98d
 # The email address of the root user.
 # Default is empty
-# Django : 2015-12-28
+# Django : 2017-02-14
 # default: #root_email = ""
-root_email = "graylog_admin@nausch.org"
+root_email = "graylog-admin@nausch.org"
-# The time zone setting of the root user.
+# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
-# The configured time zone must be parseable by http://www.joda.org/joda-time/apidocs/org/joda/time/DateTimeZone.html#forID-java.lang.String-
+# Default is UTC
-# Default is UTC
+# Django : 2017-02-14
-# Django : 2015-12-28
+# default: #root_timezone = UTC
-# default: #root_timezone = UTC
+root_timezone = Europe/Berlin
-root_timezone = Europe/Berlin
 # Set plugin directory here (relative or absolute)
 plugin_dir = /usr/share/graylog-server/plugin
-# REST API listen URI. Must be reachable by other graylog2-server nodes if you run a cluster.
+# REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
-rest_listen_uri = http://127.0.0.1:12900/
+# When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
+# Django : 2017-02-14
+# default: rest_listen_uri = http://127.0.0.1:9000/api/
+rest_listen_uri = http://10.0.0.117:9000/api/
 # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
 # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
-# If set, his will be promoted in the cluster discovery APIs, so other nodes may try to connect on
+# If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
 # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
 # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
 # the scheme, host name or URI.
-#rest_transport_uri = http://192.168.1.1:12900/
+# This must not contain a wildcard address (0.0.0.0).
-# Django : 2015-12-28
+# Django : 2017-02.14
-# default: unset
+# default: #rest_transport_uri = http://192.168.1.1:9000/api/
-rest_transport_uri = http://127.0.0.1:12900/
+rest_transport_uri = http://10.0.0.117:9000/api/
 # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
 # If these are disabled, modern browsers will not be able to retrieve resources from the server.
-# This is disabled by default. Uncomment the next line to enable it.
+# This is enabled by default. Uncomment the next line to disable it.
-#rest_enable_cors = true
+#rest_enable_cors = false
-# Django : 2015-12-28
-# default: unset
-rest_enable_cors = true
 # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
-# overall round trip times. This is disabled by default. Uncomment the next line to enable it.
+# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
-#rest_enable_gzip = true
+#rest_enable_gzip = false
-# Django : 2015-12-28
-# default: unset
-rest_enable_gzip = true
 # Enable HTTPS support for the REST API. This secures the communication with the REST API with
 # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
 # next line to enable it.
 #rest_enable_tls = true
-# The X.509 certificate file to use for securing the REST API.
+# The X.509 certificate chain file in PEM format to use for securing the REST API.
-#rest_tls_cert_file = /path/to/graylog2.crt
+#rest_tls_cert_file = /path/to/graylog.crt
-# The private key to use for securing the REST API.
+# The PKCS#8 private key file in PEM format to use for securing the REST API.
-#rest_tls_key_file = /path/to/graylog2.key
+#rest_tls_key_file = /path/to/graylog.key
 # The password to unlock the private key used for securing the REST API.
 #rest_tls_key_password = secret
-# The maximum size of a single HTTP chunk in bytes.
-#rest_max_chunk_size = 8192
 # The maximum size of the HTTP request headers in bytes.
 #rest_max_header_size = 8192
 # The maximal length of the initial HTTP/1.1 line in bytes.
 #rest_max_initial_line_length = 4096
-# The size of the execution handler thread pool used exclusively for serving the REST API.
+# The size of the thread pool used exclusively for serving the REST API.
 #rest_thread_pool_size = 16
+# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
+# header. May be subnets, or hosts.
+#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
+# Enable the embedded Graylog web interface.
+# Default: true
+#web_enable = false
+# Web interface listen URI.
+# Configuring a path for the URI here effectively prefixes all URIs in the web interface. This is a replacement
+# for the application.context configuration parameter in pre-2.0 versions of the Graylog web interface.
+# Django : 2017-02-14
+# default: #web_listen_uri = http://127.0.0.1:9000/
+web_listen_uri = http://10.0.0.117:9000/
+# Web interface endpoint URI. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL header.
+# Default: $rest_transport_uri
+# Django : 2017-02-16
+# default: #web_endpoint_uri =
+# Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
+# If these are disabled, modern browsers will not be able to retrieve resources from the server.
+#web_enable_cors = false
+# Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
+# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
+# Django : 2017-02-14
+# default: #web_enable_gzip = false
+web_enable_gzip = true
+# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
+# using TLS to prevent request forgery and eavesdropping.
+# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
+#web_enable_tls = true
+# The X.509 certificate chain file in PEM format to use for securing the web interface.
+#web_tls_cert_file = /path/to/graylog-web.crt
+# The PKCS#8 private key file in PEM format to use for securing the web interface.
+#web_tls_key_file = /path/to/graylog-web.key
+# The password to unlock the private key used for securing the web interface.
+#web_tls_key_password = secret
+# The maximum size of the HTTP request headers in bytes.
+#web_max_header_size = 8192
+# The maximal length of the initial HTTP/1.1 line in bytes.
+#web_max_initial_line_length = 4096
-# The size of the worker thread pool used exclusively for serving the REST API.
+# The size of the thread pool used exclusively for serving the web interface.
-#rest_worker_threads_max_pool_size = 16
+#web_thread_pool_size = 16
-# Embedded Elasticsearch configuration file
+# Configuration file for the embedded Elasticsearch instance in Graylog.
-# pay attention to the working directory of the server, maybe use an absolute path here
+# Pay attention to the working directory of the server, maybe use an absolute path here.
-#elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml
+# Default: empty
+#elasticsearch_config_file = /etc/graylog/server/elasticsearch.yml
 # Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
 # when to rotate the currently active write index.
 # It supports multiple rotation strategies:
 #   - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
 #   - "size" per index, use elasticsearch_max_size_per_index below to configure
 # valid values are "count", "size" and "time", default is "count"
-# Django : 2015-12-28
+#
-# default: rotation_strategy = count
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
-rotation_strategy = time
+#            to your previous 1.x settings so they will be migrated to the database!
+# Django : 2017-02-14
+# default: rotation_strategy = count
+rotation_strategy = time
 # (Approximate) maximum number of documents in an Elasticsearch index before a new index
 # is being created, also see no_retention and elasticsearch_max_number_of_indices.
 # Configure this if you used 'rotation_strategy = count' above.
-# Django : 2015-12-28
+#
-# default: elasticsearch_max_docs_per_index = 20000000
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+#            to your previous 1.x settings so they will be migrated to the database!
+elasticsearch_max_docs_per_index = 20000000
 # (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
 # no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
 # Configure this if you used 'rotation_strategy = size' above.
-#elasticsearch_max_size_per_index = 1073741824
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+#            to your previous 1.x settings so they will be migrated to the database!
+#elasticsearch_max_size_per_index = 1073741824
 # (Approximate) maximum time before a new Elasticsearch index is being created, also see
 # no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
 # Configure this if you used 'rotation_strategy = time' above.
 # Please note that this rotation period does not look at the time specified in the received messages, but is
 # using the real clock value to decide when to rotate the index!
 # Specify the time using a duration and a suffix indicating which unit you want:
 #  1w  = 1 week
 #  1d  = 1 day
 #  12h = 12 hours
 # Permitted suffixes are: d for day, h for hour, m for minute, s for second.
-#elasticsearch_max_time_per_index = 1d
+#
-# Django : 2015-12-28
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
-# default: unset
+#            to your previous 1.x settings so they will be migrated to the database!
-elasticsearch_max_time_per_index = 1d
+#elasticsearch_max_time_per_index = 1d
 # Disable checking the version of Elasticsearch for being compatible with this Graylog release.
 # WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
 #elasticsearch_disable_version_check = true
 # Disable message retention on this node, i. e. disable Elasticsearch index rotation.
 #no_retention = false
 # How many indices do you want to keep?
-# Django : 2015-12-28
+#
-# default: elasticsearch_max_number_of_indices = 20
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
-elasticsearch_max_number_of_indices = 30
+#            to your previous 1.x settings so they will be migrated to the database!
+elasticsearch_max_number_of_indices = 20
 # Decide what happens with the oldest indices when the maximum number of indices is reached.
 # The following strategies are availble:
 #   - delete # Deletes the index completely (Default)
 #   - close # Closes the index and hides it from the system. Can be re-opened later.
-retention_strategy = delete
+#
+# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
+#            to your previous 1.x settings so they will be migrated to the database!
+retention_strategy = delete
 # How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
-# Django : 2015-12-28
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
-# default: elasticsearch_shards = 4
+#            to your previous settings so they will be migrated to the database!
-elasticsearch_shards = 1
+elasticsearch_shards = 4
 elasticsearch_replicas = 0
 # Prefix for all Elasticsearch indices and index aliases managed by Graylog.
-# Django : 2015-12-28
+#
-# default: elasticsearch_index_prefix = graylog2
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
-elasticsearch_index_prefix = graylog
+#            to your previous settings so they will be migrated to the database!
+elasticsearch_index_prefix = graylog
 # Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
-# # Default: graylog-internal
+# Default: graylog-internal
-#elasticsearch_template_name = graylog-internal
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+#            to your previous settings so they will be migrated to the database!
+#elasticsearch_template_name = graylog-internal
 # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
-# be enabled with care. See also: https://www.graylog.org/documentation/general/queries/
+# be enabled with care. See also: http://docs.graylog.org/en/2.1/pages/queries.html
 allow_leading_wildcard_searches = false
 # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
 # should only be enabled after making sure your Elasticsearch cluster has enough memory.
 allow_highlighting = false
 # settings to be passed to elasticsearch's client (overriding those in the provided elasticsearch_config_file)
 # all these
 # this must be the same as for your Elasticsearch cluster
-#elasticsearch_cluster_name = graylog2
+# Django : 2017-02-14
-# Django : 2015-12-28
+# default: #elasticsearch_cluster_name = graylog
-# default: unset
+elasticsearch_cluster_name = graylog
-elasticsearch_cluster_name = graylog
-# you could also leave this out, but makes it easier to identify the graylog2 client instance
+# The prefix being used to generate the Elasticsearch node name which makes it easier to identify the specific Graylog
-#elasticsearch_node_name = graylog2-server
+# server running the embedded Elasticsearch instance. The node name will be constructed by concatenating this prefix
-# Django : 2015-12-28
+# and the Graylog node ID (see node_id_file), for example "graylog-17052010-1234-5678-abcd-1337cafebabe".
-# default: unset
+# Default: graylog-
-elasticsearch_node_name = vml000117
+#elasticsearch_node_name_prefix = graylog-
-# we don't want the graylog2 server to store any data, or be master node
+# A comma-separated list of Elasticsearch nodes which Graylog is using to connect to the Elasticsearch cluster,
-# Django : 2015-12-28
+# see https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-discovery-zen.html for details.
-# default: #elasticsearch_node_master = false
+# Default: 127.0.0.1
-#          #elasticsearch_node_data = false
+#elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
-elasticsearch_node_master = false
-elasticsearch_node_data = false
-# use a different port if you run multiple Elasticsearch nodes on one machine
+# Use multiple Elasticsearch nodes as seed
-#elasticsearch_transport_tcp_port = 9350
+#elasticsearch_discovery_zen_ping_unicast_hosts = 198.51.100.23:9300, 198.51.100.42:9300
-# we don't need to run the embedded HTTP server here
+# we don't want the Graylog server to store any data, or be master node
-# Django : 2015-12-28
+#elasticsearch_node_master = false
-# default: #elasticsearch_http_enabled = false
+#elasticsearch_node_data = false
-elasticsearch_http_enabled = false
-# Django : 2015-12-28
+# use a different port if you run multiple Elasticsearch nodes on one machine
-# default: #elasticsearch_discovery_zen_ping_multicast_enabled = false
+#elasticsearch_transport_tcp_port = 9350
-elasticsearch_discovery_zen_ping_multicast_enabled = false
-# Django : 2015-12-28
+# we don't need to run the embedded HTTP server here
-# default: #elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
+#elasticsearch_http_enabled = false
-elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
 # Change the following setting if you are running into problems with timeouts during Elasticsearch cluster discovery.
 # The setting is specified in milliseconds, the default is 5000ms (5 seconds).
 #elasticsearch_cluster_discovery_timeout = 5000
-# the following settings allow to change the bind addresses for the Elasticsearch client in graylog2
+# the following settings allow to change the bind addresses for the Elasticsearch client in Graylog
 # these settings are empty by default, letting Elasticsearch choose automatically,
 # override them here or in the 'elasticsearch_config_file' if you need to bind to a special address
-# refer to http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html
+# refer to https://www.elastic.co/guide/en/elasticsearch/reference/2.3/modules-network.html
 # for special values here
 #elasticsearch_network_host =
 #elasticsearch_network_bind_host =
 #elasticsearch_network_publish_host =
 # The total amount of time discovery will look for other Elasticsearch nodes in the cluster
 # before giving up and declaring the current node master.
 #elasticsearch_discovery_initial_state_timeout = 3s
 # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
 # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
-# Elasticsearch documentation: http://www.elasticsearch.org/guide/reference/index-modules/analysis/
+# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
 # Note that this setting only takes effect on newly created indices.
-elasticsearch_analyzer = standard
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+#            to your previous settings so they will be migrated to the database!
+elasticsearch_analyzer = standard
 # Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range
 # calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
 # Default: 1m
 #elasticsearch_request_timeout = 1m
+# Global timeout for index optimization (force merge) requests.
+# Default: 1h
+#elasticsearch_index_optimization_timeout = 1h
+# Maximum number of concurrently running index optimization (force merge) jobs.
+# If you are using lots of different index sets, you might want to increase that number.
+# Default: 20
+#elasticsearch_index_optimization_jobs = 20
 # Time interval for index range information cleanups. This setting defines how often stale index range information
 # is being purged from the database.
 # Default: 1h
 #index_ranges_cleanup_interval = 1h
 # Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
 # module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
 # reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
 # that every outputbuffer processor manages its own batch and performs its own batch write calls.
 # ("outputbuffer_processors" variable)
 output_batch_size = 500
 # Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
 # batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
 # for this time period is less than output_batch_size * outputbuffer_processors.
 output_flush_interval = 1
 # As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
 # over again. To prevent this, the following configuration options define after how many faults an output will
 # not be tried again for an also configurable amount of seconds.
 output_fault_count_threshold = 5
 output_fault_penalty_seconds = 30
 # The number of parallel running processors.
 # Raise this number if your buffers are filling up.
 processbuffer_processors = 5
 outputbuffer_processors = 3
 #outputbuffer_processor_keep_alive_time = 5000
@@ Zeile 1802: / Zeile 1881: @@
 # UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
 #udp_recvbuffer_sizes = 1048576
 # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
 # Possible types:
 #  - yielding
 #     Compromise between performance and CPU usage.
 #  - sleeping
 #     Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
 #  - blocking
 #     High throughput, low latency, higher CPU usage.
 #  - busy_spinning
 #     Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
 processor_wait_strategy = blocking
 # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
 # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
-# Start server with --statistics flag to see buffer utilization.
+# Must be a power of 2. (512, 1024, 2048, ...)
-# Must be a power of 2. (512, 1024, 2048, ...)
+ring_size = 65536
-ring_size = 65536
 inputbuffer_ring_size = 65536
 inputbuffer_processors = 2
 inputbuffer_wait_strategy = blocking
 # Enable the disk based message journal.
 message_journal_enabled = true
 # The directory which will be used to store the message journal. The directory must me exclusively used by Graylog and
 # must not contain any other files than the ones created by Graylog itself.
-message_journal_dir = /var/lib/graylog-server/journal
+#
+# ATTENTION:
+#   If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
+#   in the root directory, you need to create a sub directory for your journal.
+#   Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
+message_journal_dir = /var/lib/graylog-server/journal
 # Journal hold messages before they could be written to Elasticsearch.
 # For a maximum of 12 hours or 5 GB whichever happens first.
 # During normal operation the journal will be smaller.
 #message_journal_max_age = 12h
 #message_journal_max_size = 5gb
 #message_journal_flush_age = 1m
 #message_journal_flush_interval = 1000000
 #message_journal_segment_age = 1h
 #message_journal_segment_size = 100mb
 # Number of threads used exclusively for dispatching internal events. Default is 2.
 #async_eventbus_processors = 2
-# EXPERIMENTAL: Dead Letters
-# Every failed indexing attempt is logged by default and made visible in the web-interface. You can enable
-# the experimental dead letters feature to write every message that was not successfully indexed into the
-# MongoDB "dead_letters" collection to make sure that you never lose a message. The actual writing of dead
-# letter should work fine already but it is not heavily tested yet and will get more features in future
-# releases.
-dead_letters_enabled = false
 # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
 # shutdown process. Set to 0 if you have no status checking load balancers in front.
 lb_recognition_period_seconds = 3
+# Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
+# disabled if not set.
+#lb_throttle_threshold_percentage = 95
 # Every message is matched against the configured streams and it can happen that a stream contains rules which
 # take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
 # This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
 # streams, Graylog limits the execution time for each stream.
 # The default values are noted below, the timeout is in milliseconds.
 # If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
 # that stream is disabled and a notification is shown in the web interface.
 #stream_processing_timeout = 2000
 #stream_processing_max_faults = 3
 # Length of the interval in seconds in which the alert conditions for all streams should be checked
 # and alarms are being sent.
 #alert_check_interval = 60
-# Since 0.21 the graylog2 server supports pluggable output modules. This means a single message can be written to multiple
+# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
 # outputs. The next setting defines the timeout for a single output module, including the default output module where all
 # messages end up.
 #
 # Time in milliseconds to wait for all message outputs to finish writing a single message.
 #output_module_timeout = 10000
 # Time in milliseconds after which a detected stale master node is being rechecked on startup.
 #stale_master_timeout = 2000
 # Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
 #shutdown_timeout = 30000
 # MongoDB connection string
-# See http://docs.mongodb.org/manual/reference/connection-string/ for details
+# See https://docs.mongodb.com/manual/reference/connection-string/ for details
-# Django : 2015-12-28
+# Django : 2017-02-14
-# default: mongodb_uri = mongodb://localhost/graylog2
+# default: mongodb_uri = mongodb://localhost/graylog
-mongodb_uri = mongodb://graylog-user:R7xAmcKezZ2C0v3mtaXCJjA7Nf@127.0.0.1:27017/graylog
+mongodb_uri = mongodb://graylog-user:7h3FBI15n07ar0ckb4and@127.0.01:27017/graylog
 # Authenticate against the MongoDB server
-#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog2
+#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
 # Use a replica set instead of a single host
-#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog2
+#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
 # Increase this value according to the maximum connections your MongoDB server can handle from a single client
 # if you encounter MongoDB connection problems.
-mongodb_max_connections = 100
+mongodb_max_connections = 1000
 # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
 # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
 # then 500 threads can block. More than that and an exception will be thrown.
-# http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
+# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
 mongodb_threads_allowed_to_block_multiplier = 5
 # Drools Rule File (Use to rewrite incoming log messages)
-# See: https://www.graylog.org/documentation/general/rewriting/
+# See: http://docs.graylog.org/en/2.1/pages/drools.html
 #rules_file = /etc/graylog/server/rules.drl
 # Email transport
-#transport_email_enabled = false
+# Django : 2017-02-14
-#transport_email_hostname = mail.example.com
+# default: #transport_email_enabled = false
-#transport_email_port = 587
+#          #transport_email_hostname = mail.example.com
-#transport_email_use_auth = true
+#          #transport_email_port = 587
-#transport_email_use_tls = true
+#          #transport_email_use_auth = true
-#transport_email_use_ssl = true
+#          #transport_email_use_tls = true
-#transport_email_auth_username = you@example.com
+#          #transport_email_use_ssl = true
-#transport_email_auth_password = secret
+#          #transport_email_auth_username = you@example.com
-#transport_email_subject_prefix = [graylog2]
+#          #transport_email_auth_password = secret
-#transport_email_from_email = graylog2@example.com
+#          #transport_email_subject_prefix = [graylog]
-#
+#          #transport_email_from_email = graylog@example.com
-# Django : 2015-12-28
+transport_email_enabled = true
-# default: unset
+transport_email_hostname = smtp.dmz.nausch.org
-transport_email_enabled = true
+transport_email_port = 587
-transport_email_hostname = smtp.dmz.nausch.org
+transport_email_use_auth = true
-transport_email_port = 25
+transport_email_use_tls = true
-transport_email_use_auth = false
+transport_email_use_ssl = false
-transport_email_use_tls = false
-transport_email_use_ssl = false
 transport_email_auth_username = graylog-admin@nausch.org
-transport_email_auth_password = 6zmNsgdrD4x1!
+transport_email_auth_password = -7h3FBI15n07ar0ckb4and!
 transport_email_subject_prefix = [graylog]
-transport_email_from_email = graylog-admin@nausch.org
+transport_email_from_email = graylogadmin@nausch.org
 # Specify and uncomment this if you want to include links to the stream in your stream alert mails.
 # This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
-#transport_email_web_interface_url = https://graylog2.example.com
+# Django : 2017-02-14
-# Django : 2015-12-28
+# default: #transport_email_web_interface_url = https://graylog.example.com
-# default: transport_email_web_interface_url = https://graylog2.example.com
+transport_email_web_interface_url = https://graylog.nausch.org
-transport_email_web_interface_url = https://panopticon.nausch.org
 # The default connect timeout for outgoing HTTP connections.
@@ Zeile 1965: / Zeile 2041: @@
 # on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
 # cycled indices.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+#            to your previous settings so they will be migrated to the database!
 #disable_index_optimization = true
 # Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
 # on heavily used systems with large indices, but it will decrease search performance. The default is 1.
+#
+# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
+#            to your previous settings so they will be migrated to the database!
 #index_optimization_max_num_segments = 1
@@ Zeile 1977: / Zeile 2059: @@
 # Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
 #ldap_connection_timeout = 2000
-# Enable collection of Graylog-related metrics into MongoDB
-# WARNING: This will add *a lot* of data into your MongoDB database on a regular interval (1 second)!
-# DEPRECATED: This setting and the respective feature will be removed in a future version of Graylog.
-#enable_metrics_collection = false
 # Disable the use of SIGAR for collecting system stats
 #disable_sigar = false
-# Amount of time of inactivity after which collectors are flagged as inactive (Default: 1 minute)
-#collector_inactive_threshold = 1m
-# Amount of time after which inactive collectors are purged (Default: 14 days)
-#collector_expiration_threshold = 14d
 # The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
@@ Zeile 2003: / Zeile 2074: @@
 # A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
 # the first start of Graylog.
-content_packs_auto_load = grok-patterns.json</file>
+# Default: empty
+content_packs_auto_load = grok-patterns.json
+# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
+# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
+# Should be rest_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
+proxied_requests_thread_pool_size = 32</file>
 === Start des Daemon ===
@@ Zeile 2015: / Zeile 2092: @@
 <font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">graylog-server.service - Graylog server
    Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
-   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Mon 2015-12-28 14:27:40 CET; 6s ago
+   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Fri 2017-02-17 12:11:05 CET; 33min ago
      Docs: http://docs.graylog.org/
- Main PID: 5057 (graylog-server)
+ Main PID: 2832 (graylog-server)
    CGroup: /system.slice/graylog-server.service
-           ├─5057 /bin/sh /usr/share/graylog-server/bin/graylog-server
+           ├─2832 /bin/sh /usr/share/graylog-server/bin/graylog-server
-           └─5058 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UsePa...
+           └─2833 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+Us...
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
+Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...</font>
+Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...</font>
 </pre></html>
 Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
-   # /var/log/elasticsearch/elasticsearch.log
+   # /var/log/graylog-server/server.log
-<code>Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
+<code>2017-02-16T13:05:32.247+01:00 INFO  [CmdLineTool] Loaded plugin: Elastic Beats Input 2.2.0 [org.graylog.plugins.beats.BeatsInputPlugin]
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...
+-02-16T13:05:32.250+01:00 INFO  [CmdLineTool] Loaded plugin: Collector 2.2.0 [org.graylog.plugins.collector.CollectorPlugin]
-[root@vml000117 yum.repos.d]# tailf /var/log/graylog-server/server.log
+-02-16T13:05:32.252+01:00 INFO  [CmdLineTool] Loaded plugin: Enterprise Integration Plugin 2.2.0 [org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin]
--12-28T14:27:55.595+01:00 INFO  [discovery] [vml000117] graylog/j4zrCy-gQpqKTAMqM_XGkg
+-02-16T13:05:32.254+01:00 INFO  [CmdLineTool] Loaded plugin: MapWidgetPlugin 2.2.0 [org.graylog.plugins.map.MapWidgetPlugin]
--12-28T14:27:55.609+01:00 INFO  [RestApiService] Enabling CORS for REST API
+-02-16T13:05:32.255+01:00 INFO  [CmdLineTool] Loaded plugin: Pipeline Processor Plugin 2.2.0 [org.graylog.plugins.pipelineprocessor.ProcessorPlugin]
--12-28T14:27:58.627+01:00 WARN  [discovery] [vml000117] waited for 3s and no initial state was set by the discovery
+-02-16T13:05:32.257+01:00 INFO  [CmdLineTool] Loaded plugin: Anonymous Usage Statistics 2.2.0 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]
--12-28T14:27:58.627+01:00 INFO  [node] [vml000117] started
+-02-16T13:05:32.955+01:00 INFO  [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnable
--12-28T14:27:59.138+01:00 INFO  [service] [vml000117] detected_master [vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]], added {[vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]],}, reason: zen-disco-receive(from master [[vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]]])
+d -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rp
--12-28T14:28:05.324+01:00 INFO  [IndexRotationThread] Deflector index <graylog_1> should be rotated, Pointing deflector to new index now!
+m
--12-28T14:28:05.324+01:00 INFO  [Deflector] Cycling deflector to next index now.
+-02-16T13:05:33.487+01:00 INFO  [Version] HV000001: Hibernate Validator null
--12-28T14:28:05.340+01:00 INFO  [Deflector] Cycling from <graylog_1> to <graylog_2>
+-02-16T13:05:39.765+01:00 INFO  [InputBufferImpl] Message journal is enabled.
--12-28T14:28:05.340+01:00 INFO  [Deflector] Creating index target <graylog_2>...
+-02-16T13:05:39.899+01:00 INFO  [NodeId] Node ID: 57cfc6d7-f241-4487-8661-f115d4f70fc8
--12-28T14:28:06.218+01:00 INFO  [Deflector] Waiting for index allocation of <graylog_2>
+-02-16T13:05:40.717+01:00 INFO  [LogManager] Loading logs.
--12-28T14:28:06.335+01:00 INFO  [Deflector] Done!
+-02-16T13:05:40.727+01:00 INFO  [LogManager] Logs loading complete.
--12-28T14:28:06.335+01:00 INFO  [Deflector] Pointing deflector to new target index....
+-02-16T13:05:40.805+01:00 INFO  [LogManager] Created log for partition [messagejournal,0] in /var/lib/graylog-server/journal with properties {file.delete.delay.ms -> 60000, compact -> false, max.mess
--12-28T14:28:06.531+01:00 INFO  [SystemJobManager] Submitted SystemJob <d4502600-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob]
+age.bytes -> 104857600, min.insync.replicas -> 1, segment.jitter.ms -> 0, index.interval.bytes -> 4096, min.cleanable.dirty.ratio -> 0.5, unclean.leader.election.enable -> true, retention.bytes -> 536870
--12-28T14:28:06.537+01:00 INFO  [CreateNewSingleIndexRangeJob] Calculating ranges for index graylog_1.
+, delete.retention.ms -> 86400000, flush.ms -> 60000, segment.bytes -> 104857600, segment.ms -> 3600000, retention.ms -> 43200000, flush.messages -> 1000000, segment.index.bytes -> 1048576}.
--12-28T14:28:06.610+01:00 INFO  [SystemJobManager] Submitted SystemJob <d4557d30-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.SetIndexReadOnlyJob]
+-02-16T13:05:40.806+01:00 INFO  [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
--12-28T14:28:06.658+01:00 INFO  [SystemJobManager] Submitted SystemJob <d461b230-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob]
+-02-16T13:05:41.219+01:00 INFO  [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy <BlockingWaitStrategy>, running 2 parallel message handlers.
--12-28T14:28:06.658+01:00 INFO  [Deflector] Done!
+-02-16T13:05:41.271+01:00 INFO  [cluster] Cluster created with settings {hosts=[127.0.01:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=5000}
--12-28T14:28:06.618+01:00 INFO  [CreateNewSingleIndexRangeJob] Calculating ranges for index graylog_2.
+-02-16T13:05:41.394+01:00 INFO  [cluster] No server chosen by ReadPreferenceServerSelector{readPreference=primary} from cluster description ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, ser
--12-28T14:28:06.720+01:00 INFO  [MongoIndexRangeService] Calculated range of [graylog_1] in [182ms].
+verDescriptions=[ServerDescription{address=127.0.01:27017, type=UNKNOWN, state=CONNECTING}]}. Waiting for 30000 ms before timing out
--12-28T14:28:06.807+01:00 INFO  [CreateNewSingleIndexRangeJob] Created ranges for index graylog_1.
+-02-16T13:05:41.497+01:00 INFO  [connection] Opened connection [connectionId{localValue:1, serverValue:1}] to 127.0.01:27017
--12-28T14:28:06.807+01:00 INFO  [SystemJobManager] SystemJob <d4502600-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob] finished in 269ms.
+-02-16T13:05:41.504+01:00 INFO  [cluster] Monitor thread successfully connected to server with description ServerDescription{address=127.0.01:27017, type=STANDALONE, state=CONNECTED, ok=true, version
--12-28T14:28:06.879+01:00 INFO  [MongoIndexRangeService] Calculated range of [graylog_2] in [180ms].
+=ServerVersion{versionList=[2, 6, 12]}, minWireVersion=0, maxWireVersion=2, maxDocumentSize=16777216, roundTripTimeNanos=1297292}
--12-28T14:28:06.930+01:00 INFO  [CreateNewSingleIndexRangeJob] Created ranges for index graylog_2.
+-02-16T13:05:41.527+01:00 INFO  [connection] Opened connection [connectionId{localValue:2, serverValue:2}] to 127.0.01:27017
--12-28T14:28:06.931+01:00 INFO  [SystemJobManager] SystemJob <d461b230-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob] finished in 312ms.
+-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] version[2.4.4], pid[2500], build[fcbb46d/2017-01-03T11:33:16Z]
--12-28T14:28:08.315+01:00 INFO  [RestApiService] Adding security context factory: <org.graylog2.security.ShiroSecurityContextFactory@79ffbf1a>
+-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initializing ...
--12-28T14:28:08.354+01:00 INFO  [RestApiService] Started REST API at <http://127.0.0.1:12900/>
+-02-16T13:05:42.498+01:00 INFO  [plugins] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] modules [], plugins [graylog-monitor], sites []
--12-28T14:28:08.355+01:00 INFO  [ServiceManagerListener] Services are healthy
+-02-16T13:05:46.715+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initialized
--12-28T14:28:08.357+01:00 INFO  [ServerBootstrap] Services started, startup times in ms: {InputSetupService [RUNNING]=5, OutputSetupService [RUNNING]=32, BufferSynchronizerService [RUNNING]=33, MetricsReporterService [RUNNING]=36, JournalReader [RUNNING]=45, KafkaJournal [RUNNING]=45, PeriodicalsService [RUNNING]=304, IndexerSetupService [RUNNING]=4286, RestApiService [RUNNING]=13364}
+-02-16T13:05:46.885+01:00 INFO  [ProcessBuffer] Initialized ProcessBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
--12-28T14:28:08.360+01:00 INFO  [ServerBootstrap] Graylog server up and running.
+-02-16T13:05:50.440+01:00 INFO  [RulesEngineProvider] No static rules file loaded.
--12-28T14:28:08.361+01:00 INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]</code>
+-02-16T13:05:50.926+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:50.936+01:00 INFO  [OutputBuffer] Initialized OutputBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
+-02-16T13:05:51.353+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.439+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.546+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.686+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:52.601+01:00 INFO  [RoleServiceImpl] Admin role is missing or invalid, re-adding it as a built-in role.
+-02-16T13:05:52.779+01:00 INFO  [RoleServiceImpl] Reader role is missing or invalid, re-adding it as a built-in role.
+-02-16T13:05:53.824+01:00 INFO  [connection] Opened connection [connectionId{localValue:3, serverValue:3}] to 127.0.01:27017
+-02-16T13:05:54.030+01:00 INFO  [ServerBootstrap] Graylog server 2.2.0+d9681cb starting up
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] JRE: Oracle Corporation 1.8.0_121 on Linux 3.10.0-514.6.1.el7.x86_64
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] Deployment: rpm
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] OS: CentOS Linux 7 (Core) (centos)
+-02-16T13:05:54.032+01:00 INFO  [ServerBootstrap] Arch: amd64
+-02-16T13:05:54.050+01:00 WARN  [DeadEventLoggingListener] Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
+-02-16T13:05:54.129+01:00 INFO  [PeriodicalsService] Starting 26 periodicals ...</code>
+Mit einer Abfrage der geöffneten Ports, sehen wir unsere neu definierten Ports, wie z.B. den Port **9000** des JAVA-Prozesses, der die WEB-GUI bedient.
+   # netstat -tulpen
+<code>Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          33371      3352/master
+tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      184        18750      1172/mongod
+tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      996        18406      1129/java
+tcp6       0      0 ::1:9200                :::*                    LISTEN      996        19313      1129/java
+tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      996        19239      1129/java
+tcp6       0      0 ::1:9300                :::*                    LISTEN      996        19234      1129/java
+tcp6       0      0 127.0.0.1:9350          :::*                    LISTEN      995        31315      2833/java
+tcp6       0      0 ::1:9350                :::*                    LISTEN      995        31818      2833/java
+tcp6       0      0 10.0.0.117:9000         :::*                    LISTEN      995        31876      2833/java
+udp6       0      0 :::10514                :::*                                995        31584      2833/java</code>
 === automatischer Start des Daemon ===
 Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.
@@ Zeile 2074: / Zeile 2180: @@
   enabled
-==== graylog-web ====
+==== Apache Reverse-Proxy ====
-Die Konfiguration des **graylog-server Daemons** haben wir im vorherigen Kapitel erfolgreich abgeschlossen. Was nun noch fehlt, ist die **graylog-web** GUI. Die Installation des zugehörigen RPM-Paketes **graylog-web** hatten wir bereits im Abschnitt **[[centos:web_c7:graylog#graylog1|Installation von graylog]]** erledigt.
-=== /etc/sysconfig/graylog-web ===
-Zunächst binden wir den Web-Server auf //**loclahost**// unseres Syslog-Hosts.
-   # vim /etc/sysconfig/graylog-web
-<file bash /etc/sysconfig/graylog-web># HTTP server settings.
-# Django : 2015-12-28
-# default: GRAYLOG_WEB_HTTP_ADDRESS="0.0.0.0"
-GRAYLOG_WEB_HTTP_ADDRESS="10.0.0.117"
-GRAYLOG_WEB_HTTP_PORT="9000"
-# Might be used to adjust the Java heap size. (i.e. "-Xms1024m -Xmx2048m")
-GRAYLOG_WEB_JAVA_OPTS=""
-# Pass some extra args to graylog-web. (i.e. "-d" to enable debug mode or "-java-home /usr/lib/jvm/java-1.8.0")
-GRAYLOG_WEB_ARGS=""
-# Program that will be used to wrap the graylog-web command. Useful to
-# support programs like authbind.
-GRAYLOG_COMMAND_WRAPPER=""</file>
-=== Apache Reverse-Proxy ===
 Da der **graylog-web**-Daemon __ohne__ Root-Rechte gestartet wird, können wir nur unprivilegierte Ports (Ports größer als 1024) definieren. Da wir aber die Graylog-Web-GUI auch von außen, über einen TLS geschützten Transportkanal ansprechen wollen, nutzen wir einen Apache-vHOST als Reverse-Proxy.
 Dazu legen wir uns folgende vHOST-Datei an.
    # vim /etc/httpd/conf.d/graylog.conf
 <file apache /etc/httpd/conf.d/graylog.conf>#
-# Django : 2015-12-28
+# Django : 2017-02-14
 #          vHost graylog
 #
-<VirtualHost 10.0.0.117:80>
+# Variablen der Hostvariablen
+Define vhost graylog
+Define errors_log logs/${vhost}_error.log
+Define access_log logs/${vhost}_access.log
+Define ssl_log logs/${vhost}_ssl_request.lo
+<VirtualHost 10.0.0.97:80>
     ServerAdmin webmaster@nausch.org
-    ServerName graylog.nausch.org
+    ServerName ${vhost}.nausch.org
     RewriteEngine on
@@ Zeile 2116: / Zeile 2208: @@
     # Welche Logdateien sollen beschrieben werden
-    CustomLog logs/graylog_access.log combined
+    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
-    ErrorLog  logs/graylog_error.log
+    ErrorLog  ${errors_log}
-</VirtualHost>
+    CustomLog ${access_log} combined env=!dontlog
-<VirtualHost 10.0.0.117:443>
+</VirtualHost>
-    ServerAdmin webmaster@nausch.org
+<VirtualHost 10.0.0.97:443>
-    ServerName graylog.nausch.org
+    ServerAdmin webmaster@nausch.org
-    ServerPath /
+    ServerName ${vhost}.nausch.org
+    ServerPath /
     # Wer soll Zugriff auf die Webseite(n) bekommen?
     <Proxy *>
         Options +FollowSymLinks +Multiviews -Indexes
         AllowOverride None
@@ Zeile 2133: / Zeile 2226: @@
         AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid
         AuthLDAPBindDN cn=Technischer_User,dc=nausch,dc=org
-        AuthLDAPBindPassword "e1n531f!D4xIi57n393I1354u!"
+        AuthLDAPBindPassword "e1n531f!D4xIi57n38103034u!"
         AuthLDAPBindAuthoritative on
-        Require ldap-user django icinga2
+        Require ldap-user graylog-admin
     </Proxy>
     # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden?
     ProxyRequests Off
-    ProxyPreserveHost On
+    ProxyPass / https://10.0.0.117/
-    ProxyPass / http://127.0.0.1:9000/
+    ProxyPassReverse / https://10.0.0.117/
-    ProxyPassReverse / http://127.0.0.1:9000/
+    <Location />
+        RequestHeader set X-Graylog-Server-URL "https://graylog.nausch.org/api/"
+        ProxyPass  http://10.0.0.117:9000/
+        ProxyPassReverse http://10.0.0.117:9000/
+    </Location>
+    <Location /api/>
+        ProxyPass http://10.0.0.117:9000/api/
+        ProxyPassReverse http://10.0.0.117:9000/api/
+    </Location>
     # Welche Logdateien sollen beschrieben werden
-    CustomLog logs/graylog_access.log combined
+    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
-    ErrorLog  logs/graylog_error.log
+    ErrorLog  ${errors_log}
+    CustomLog ${access_log} combined env=!dontlog
+    CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
     # Absicherung der Übertragung mit Hilfe von TLS
-    # Konfiguration bei Verwendung von mod_gnutls
+    # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
-    <IfModule !mod_ssl.c>
+    SSLEngine on
-        <IfModule mod_gnutls.c>
+    # Definition der anzubietenden Protokolle
-            # Django : 2015-10-29 - TLS-Verschlüsselung mit Hilfe von mod_gnutls
+    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-            GnuTLSEnable on
+    # Definition der Cipher
-            # Definition der anzubietenden Protokolle und Ciphers
+    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
-            GnuTLSPriorities PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-ARCFOUR-128:+COMP-NULL:+CURVE-SECP384R1:+CURVE-SECP521R1
+    # Schlüsseldatei, mit der der CSR erstellt wurde
-            # Schlüsseldatei, mit der der CSR erstellt wurde
+    SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
-            GnuTLSKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
+    # Zertifikatsdatei, die von der CA signiert wurde
-            # Zertifikatsdatei inkl. ggf. notwendiger Zwischen- und Root-Zertifikaten
+    SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_161118.pem
-            # 1) Server-Zertifikat, 2) Intermediate-Root-Zertifikat und 3) Root-Zertifikat der CA
+    # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
-            GnuTLSCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificatechain_150612.pem
+    SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem
-            # Definition der Schlüssellänge für DHE und ECDHE
+    # Änderung der Cipherorder der Clients verneinen
-            # DHE Schlüssel mit einer Schlüssellänge von 4096 Bit verwenden; dieser wird 1x pro Tag via cronjob
+    SSLHonorCipherOrder on
-            # (/etc/cron.daily/edh_keygen) neu generiert und der Neustart des nginx-Daemon veranlasst!
+    # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
-            GnuTLSDHFile /etc/pki/tls/private/dh_4096.pem
+    SSLCompression off
-            # Session-Tickets für Clients nicht anbieten (dieser könnte versuchen über Tickets die Session zu cachen).
+    # Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats.
-            GnuTLSSessionTickets off
+    SSLUseStapling on
-        </IfModule>
+    SSLStaplingResponderTimeout 5
-    </IfModule>
+    SSLStaplingReturnResponderErrors off
-    # Konfiguration bei Verwendung von mod_ssl
-    <IfModule mod_ssl.c>
-        <IfModule !mod_gnutls.c>
-           # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
-            SSLEngine on
-            # Definition der anzubietenden Protokolle
-            SSLProtocol All -SSLv2 -SSLv3
-            # Definition der Cipher
-            SSLCipherSuite "AES256+EECDH +AEAD"
-            # Schlüsseldatei, mit der der CSR erstellt wurde
-            SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
-            # Zertifikatsdatei, die von der CA signiert wurde
-            SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_150612.pem
-            # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
-            SSLCertificateChainFile /etc/pki/tls/certs/CAcert_class3.pem
-            # Änderung der Cipherorder der Clienets verneinen
-            SSLHonorCipherOrder on
-            # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
-            SSLCompression off
-        </IfModule>
-    </IfModule>
-    # special stuff ###
     # HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
     # dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
-    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
     # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
@@ Zeile 2201: / Zeile 2283: @@
     # this particular website if it was disabled by the user.
     # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    Header set X-XSS-Protection "1; mode=block"
+    Header always set X-Xss-Protection "1; mode=block"
     # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
@@ Zeile 2209: / Zeile 2291: @@
     # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
     # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
-    Header set X-Content-Type-Options nosniff
+    # Sofern die Datei auch den entsprechenden MIME-Typ "text/css" entspricht, soll der Browser
+    # CSS-Dateien nur als CSS interprätieren.
+    Header always set X-Content-Type-Options nosniff
     # config to don't allow the browser to render the page inside an frame or iframe
@@ Zeile 2215: / Zeile 2299: @@
     # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
     # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-    header set X-Frame-Options SAMEORIGIN
+    header always set X-Frame-Options DENY
+    # hide server header (apache and php version)
+    Header always unset Server
+    # Only allow JavaScript from the same domain to be run.
+    # don't allow inline JavaScript to run.
+    Header always set X-Content-Security-Policy "allow 'self';"
+    # Add Secure and HTTP only attributes to cookies
+    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+    # prevent Clickjacking Attack
+    Header always set X-Frame-Options "SAMEORIGIN"
+    # hkpk-stuff
+    Header always set Public-Key-Pins "pin-sha256=\"nMiOpb6vUnjCoWCkPZkDaG4D8SNWzFTsQf2ZfruLno0=\"; pin-sha256=\"INhxSQ38nCS6ijaAAyo4xAhAZj9xeL3X4ak+GGiM2fo=\"; max-age=2592000; report-uri=\"https://nausch.report-uri.io/r/default/hpkp/enforce\""
 </VirtualHost>
 </file>
@@ Zeile 2228: / Zeile 2327: @@
    # systemctl restart httpd.service
-=== /etc/graylog/web/web.conf ===
-Die installationsspezifische kundenindividuelle Konfiguration der **graylog-web GUI** wird über dessen Konfigurationsdatei //**/etc/graylog/web/web.conf**// vorgenommen.
-Wie schon bei der Konfiguration des **[[centos:web_c7:graylog#etc_graylog_server_serverconf|graylog-servers]]** erstellen wir uns, vor der Bearbeitung der Konfigurationsdatei, noch einen **Passwort-Hash**, mit dem die Nutzerpassworte verschlüsselt werden. Diesen hash-Wert erstellen wir wie folgt:
-   # pwgen -N 1 -s 128
-  KM2OhCgRuTJe9f7bOr0uOtGcX45TB5kmF4L4Ty44bRUlu1y2qh0eDbs613Bv4QFk0ftGzuASpSW5DDBqpSKIlcdI39WdVHBSo33AoPZgKiABd7G7FduhKIMZVjiE7lod
-Diese beiden Werte hinterlegen wir nun in der Konfigurationsdatei unseres **graylog-web**-Daemon und passen anschließend die Konfigurationsoptionen unserer Umgebung an. Änderungen an den Default-Werten sind mit **Django : <Zeitstempel>** gekennzeichnet
-   # vim /etc/graylog/web/web.conf
-<file bash /etc/graylog/web/web.conf># graylog2-server REST URIs (one or more, comma separated) For example: "http://127.0.0.1:12900/,http://127.0.0.1:12910/"
-# Django : 2015-12-28
-# default: graylog2-server.uris=""
-graylog2-server.uris="http://127.0.0.1:12900/"
-# Learn how to configure custom logging in the documentation:
-#    http://docs.graylog.org/en/latest/pages/installation.html#manual-setup-graylog-web-interface-on-linux
-# Secret key
-# ~~~~~
-# The secret key is used to secure cryptographics functions. Set this to a long and randomly generated string.
-# If you deploy your application to several instances be sure to use the same key!
-# Generate for example with: pwgen -N 1 -s 96
-# Django : 2015-12-28
-# default: application.secret=""
-application.secret="KM2OhCgRuTJe9f7bOr0uOtGcX45TB5kmF4L4Ty44bRUlu1y2qh0eDbs613Bv4QFk0ftGzuASpSW5DDBqpSKIlcdI39WdVHBSo33AoPZgKiABd7G7FduhKIMZVjiE7lod"
-# Web interface timezone
-# Graylog stores all timestamps in UTC. To properly display times, set the default timezone of the interface.
-# If you leave this out, Graylog will pick your system default as the timezone. Usually you will want to configure it explicitly.
-# timezone="Europe/Berlin"
-# Django : 2015-12-28
-# default: unset
-timezone="Europe/Berlin"
-# Message field limit
-# Your web interface can cause high load in your browser when you have a lot of different message fields. The default
-# limit of message fields is 100. Set it to 0 if you always want to get all fields. They are for example used in the
-# search result sidebar or for autocompletion of field names.
-field_list_limit=100
-# Use this to run Graylog with a path prefix
-#application.context=/graylog2
-# You usually do not want to change this.
-application.global=lib.Global
-# Global timeout for communication with Graylog server nodes; default: 5s
-#timeout.DEFAULT=5s
-# Accept any server certificate without checking for validity; required if using self-signed certificates.
-# Default: true
-# graylog2.client.accept-any-certificate=true
-</file>
-=== Start des Daemon ===
-Nun ist es an der Zeit den die Web-GUI **graylog-web** zu starten.
-   # systemctl start graylog-web.service
-Den Serverstatus können wir wie folgt abfragen.
-   # systemctl status graylog-web.service
-<html><pre class="code">
-<font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">graylog-web.service - Graylog web interface
-   Loaded: loaded (/usr/lib/systemd/system/graylog-web.service; enabled; vendor preset: disabled)
-   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Mon 2015-12-28 15:21:52 CET; 11s ago
-     Docs: http://docs.graylog.org/
- Main PID: 8767 (graylog-web)
-   CGroup: /system.slice/graylog-web.service
-           ├─8767 /bin/sh /usr/share/graylog-web/bin/graylog-web
-           └─8768 java -Xms1024m -Xmx1024m -XX:ReservedCodeCacheSize=128m -Dconfig.file=/etc/graylog/web/web.conf -Dlogger.file=/etc/graylog/web/logback.xml -Dpidfile.path=/dev/...
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Started Graylog web interface.
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Starting Graylog web interface...
-Dec 28 15:21:53 vml000117.dmz.nausch.org graylog-web[8767]: Play server process ID is 8768</font>
-</pre></html>
-Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
-   # /var/log/graylog-web/application.log
-<code>2015-12-28T15:21:56.752+01:00 - [INFO] - from play in main
-Application started (Prod)
--12-28T15:21:56.812+01:00 - [INFO] - from play in main
-Listening for HTTP on /10.0.0.117:9000</code>
-=== automatischer Start des Daemon ===
-Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.
-   # systemctl enable graylog-web.service
-  Created symlink from /etc/systemd/system/multi-user.target.wants/graylog-web.service to /usr/lib/systemd/system/graylog-web.service.
-Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf.
-   # systemctl is-enabled graylog-web.service
-  enabled
 ==== Paketfilter/Firewall  ====
-=== graylog-web ===
+=== graylog v2 WEB-GUI ===
 Unter **CentOS 7** wird als Standard-Firewall die dynamische **firewalld** verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbindungen kurz getrennt werden. Sondern unsere Änderungen können **//on-the-fly//** aktiviert oder auch wieder deaktiviert werden.
@@ Zeile 2353: / Zeile 2356: @@
    # ps aux | grep graylog-server
-<code bash>graylog   1382  0.0  0.0 113116  1404 ?        Ss    2015   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
+<code bash>graylog   2832  0.0  0.0 113120  1368 ?        Ss   12:11   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
-graylog   1391  3.4 17.4 3875072 1396880 ?     Sl    2015 190:29 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configuration=file:///etc/graylog/server/log4j.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np</code>
+graylog   2833  7.1 13.2 3874092 1087156 ?     Sl   12:11   4:39 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
+root      3965  0.0  0.0 112648   924 pts/0    R+   13:16   0:00 grep --color=auto graylog-server</code>
 Somit können wir keine bei der Definition von **[[https://graylog.nausch.org/system/inputs|Eingangskanälen]]** (Inputs) keine dieser privilegierte Ports direkt ansprechen. Bei vielen Netzwerkgeräten, wie Router, Switche oder Telefone kann man bei der Definition des Syslog-Dienstes nur den Namen bzw. IP-Adresse des Zielservers angeben, nicht aber die den vordefinierten Port **514**.
@@ Zeile 2388: / Zeile 2392: @@
 Nachdem wir unseren graylog-Server erfolgreich vorbereitet haben, werden wir nun unsere Linux-Hosts so konfigurieren, dass diese ihre syslog-Meldungen zu unserem zentralem syslog-/graylog-Server senden.
-Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäß dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]** formatiert werden.
+Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäss dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]**, insbesondere ist darauf zu achten dass die Meldungen dem **[[http://www.rsyslog.com/tag/rfc5424/|RSYSLOG_SyslogProtocol23Format]]** entsprechend formatiert werden.
 ==== UDP ====
@@ Zeile 2411: / Zeile 2415: @@
 #*.* @@remote-host:514
 #
-# Django : 2015-06-12
+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @10.0.0.117:514;GRAYLOGRFC5424
+*.* @10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</code>
@@ Zeile 2441: / Zeile 2445: @@
 #*.* @@remote-host:514
 #
-# Django : 2015-06-12
+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:514;GRAYLOGRFC5424
+*.* @@10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</code>
@@ Zeile 2612: / Zeile 2616: @@
 -rw-r--r--. 1 root root 3 Jan  3 19:40 serial</code>
+<code>/etc/pki/CA
+├── certs
+├── crl
+├── csrs
+├── index.txt
+├── newcerts
+├── private
+└── serial</code>
+Die CA-Konfigurationsdatei passen wir noch unseren Wünschen entsprechend an.
+   # vim /etc/pki/tls/openssl.cnf
+<file bash /etc/pki/tls/openssl.cnf>#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= /etc/pki/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+# Django : 2017-02-14
+# default: certificate  = $dir/cacert.pem       # The CA certificate
+certificate     = $dir/certs/root-ca.certifikate.pem
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+# Django : 2017-02-14
+# default: private_key	= $dir/private/cakey.pem   # The private key
+private_key	= $dir/private/root-ca.key.pem
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use SHA-256 by default
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= XX
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= Default Province
+localityName			= Locality Name (eg, city)
+localityName_default		= Default City
+.organizationName		= Organization Name (eg, company)
+.organizationName_default	= Default Company Ltd
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+# SET-ex3			= SET extension number 3
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)</file>
 === privaten Schlüssel und selbstsigniertes Root CA Zertifikat erstellen ===
 Als erstes werden wir uns nun den privaten Schlüssel unserer Root CA generieren, in zugehöriges Zertifikat erzeugen und dieses mit dem privaten Schlüssel der CA unterschreiben; all das passiert bei nachfolgendem Befehlsaufruf. Zur besseren Unterscheidung sind die Eingaben sowohl kursiv und fett gedruckt in der Farbe <html><font style="color: rgb(0, 0, 255)"><i><b>blau</b></i></font></html> und die Rückmeldungen in der Farbe <html><font style="color: rgb(102, 102, 102)"><b>grau</b></font></html> gekennzeichnet.
@@ Zeile 2643: / Zeile 3015: @@
 <font style="color: rgb(102, 102, 102)">Email Address []:</font><font style="color: rgb(0, 0, 255)"><b><i>ca-admin@nausch.org</i></b></font>
 </pre></html>
+Sowohl Zertifikat und der Schlüssel des gerade erzeugten Root Zertifikates liegen nun in unserem CA-Systemverzeichnis.
+<code>/etc/pki/CA
+├── certs
+│   └── root-ca.certifikate.pem
+├── crl
+├── csrs
+├── index.txt
+├── newcerts
+├── private
+│   └── root-ca.key.pem
+└── serial</code>
 === privaten Schlüssel der Root CA schützen ===
@@ Zeile 2868: / Zeile 3252: @@
 <html><pre class="code">
 <font style="color: rgb(0, 0, 0)"># </font><font style="color: rgb(0, 0, 255)"><b><i>openssl pkcs8 -topk8 -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \
-          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem -outform pem -nocrypt</i></b></font>
+          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem \
+          -outform pem -nocrypt</i></b></font>
 </pre></html>
@@ Zeile 3070: / Zeile 3455: @@
 </pre></html>
-=== erstellte Zertifikat dem gralog-server zur Verfügung stellen ===
+=== erstellte Zertifikat dem graylog-server zur Verfügung stellen ===
 Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Hierzu kopieren wir einfach das gerade generierte Zertifikat an Ort und Stelle.
    # cp /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem /etc/pki/tls/certs/
@@ Zeile 3565: / Zeile 3950: @@
 kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code>
 === erstellte Zertifikat dem rsyslog-Daemon auf dem Clientrechner zur Verfügung stellen ===
-Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab.
+Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem rsyslog-Daemon auf dem Client-Rechner zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab.
    # vim /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
@@ Zeile 3607: / Zeile 3993: @@
 kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code>
+=== Ein Zertifikat revoken ===
+Will man ein ausgestelltes Zertifikat zurückziehen (revoken) nutzen wir ebenfalls das Programm **openssl**.
+   # openssl ca -revoke /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
+  Using configuration from /etc/pki/tls/openssl.cnf
+  Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:
+  Revoking Certificate 02.
+  Data Base Updated
 ===== Konfiguration graylog-server =====
@@ Zeile 3753: / Zeile 4149: @@
 # The imjournal module bellow is now used as a message source instead of imuxsock.
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
-$ModLoad imjournal # provides access to the systemd journal
+# Django : 2017-09-26
+# default: $ModLoad imjournal # provides access to the systemd journal
 #$ModLoad imklog # reads kernel messages (the same are read from journald)
 #$ModLoad immark  # provides --MARK-- message capability
@@ Zeile 3783: / Zeile 4180: @@
 # Turn off message reception via local log socket;
 # local messages are retrieved through imjournal now.
-$OmitLocalLogging on
+# Django : 2017-09-26
+# default: $OmitLocalLogging on
 # File to store the position in the journal
-$IMJournalStateFile imjournal.state
+# Django : 2017-09-26
+# default: $IMJournalStateFile imjournal.state
 # Django : 2016-01-03 - certificate files for TLS
@@ Zeile 3853: / Zeile 4252: @@
 # Django : 2016-01-03
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:6514;GRAYLOGRFC5424
+*.* @@10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</file>
@@ Zeile 3873: / Zeile 4272: @@
 Alles in allem können wir feststellen, dass mit einem überschaubaren Aufwand, die Kommunikation zwischen den rsyslog-Clients und unserem graylog-server sicher und nur noch von authorisierten Quellen gestattet werden kann.
+==== Zertifikatsgenerierung und Clientkonfiguration ====
+==== Zertifikatserstellung optimieren ====
+Um nun bei der Generierung der Zertifikats-Requests und der Erstellung der zugehörigen Zertifikate nicht jedesmal die benötigten Angaben erneut eintippen zu müssen werden wir nun die wiederkehrenden Informationen in der Konfigurationsdatei //**/etc/pki/tls/openssl.cnf**// hinterlegen.
+   # vim /etc/pki/tls/openssl.cnf
+<file bash /etc/pki/tls/openssl.cnf>#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= /etc/pki/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+# Django : 2017-02-14
+# default: certificate	= $dir/cacert.pem 	# The CA certificate
+certificate	= $dir/certs/root-ca.certifikate.pem
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+# Django : 2017-02-14
+# default: private_key	= $dir/private/cakey.pem   # The private key
+private_key	= $dir/private/root-ca.key.pem
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+# Django : 2017-02-14
+# default: default_days	= 365			# how long to certify for
+default_days	= 10950
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use SHA-256 by default
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+# Django : 2017-02-14
+# default: default_bits		= 2048
+default_bits		= 4096
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+# Django : 2017-02-14
+# default: countryName_default		= XX
+countryName_default		= DE
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+# Django : 2017-02-14
+# default: #stateOrProvinceName_default	= Default Province
+stateOrProvinceName_default	= Bayern
+localityName			= Locality Name (eg, city)
+# Django : 2017-02-14
+# default: localityName_default		= Default City
+localityName_default		= Pliening
+.organizationName		= Organization Name (eg, company)
+# Django : 2017-02-14
+# default: 0.organizationName_default	= Default Company Ltd
+.organizationName_default	= nausch.org
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+organizationalUnitName		= Organizational Unit Name (eg, section)
+# Django : 2017-02-14
+# default: #organizationalUnitName_default	=
+organizationalUnitName_default	= IT-Monitoring
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+# Django : 2017-02-14
+# default: unset
+emailAddress_default		= graylog-admin@nausch.org
+# SET-ex3			= SET extension number 3
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)</file>
+==== Bearbeitungsschritte bei neunen rsyslog Clients ====
+Bei einem neune Client, den wir an unseren graylog Server anbinden wollen, sind nun zusammengefasst folgende Schritte nötig (im nachfolgenden Beispiel für Host vml000137):
+  * auf dem **graylog** Server:
+    - Schlüssel für den rsyslog-Client erzeugen <code> # openssl genrsa -out /etc/pki/tls/clientkey.pem -aes256 4096</code>
+    - Passphrase des gerade erzeiugten Client-Schlüssels entfernen <code> # openssl rsa -in /etc/pki/tls/clientkey.pem -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
+    - Schlüssel mit passphrase vernichten <code> # shred -u /etc/pki/tls/clientkey.pem</code>
+    - Schlüssel auf den Clientrechner transferieren <code> # cat /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code><code> # vim /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
+    - Zertificatsrequest erzeugen <code> # openssl req -new -key /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem \
+           -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem -nodes</code>
+    - Zertifikatsrequest der eigenen CA vorlegen. <code> # cp -a /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem \
+            /etc/pki/CA/csrs/ </code>
+    - Zertifikatsrequest durch die CA bearbeiten und Zertifikat erzeugen. <code> # openssl ca -in /etc/pki/CA/csrs/rsyslog.vml000137.dmz.nausch.org.csr.pem \
+           -out /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
+    - Zertifikat ausgeben und auf den Client-/rsyslog-Host transferieren.<code> # cat /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code><code> # vim /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
+    - Clientzertifikat dem graylog Server bekannt machden. <code> # cp /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem \
+           /etc/pki/tls/graylog-client-certs/</code>
+    - Root CA Zertifikat dem Client zur Verfügung stellen. <code> # cat /etc/pki/CA/certs/root-ca.certifikate.pem</code><code> # vim /etc/pki/CA/certs/root-ca.certifikate.pem</code>
+    - **rsyslog-gnutls** auf dem Client installieren. <code> # yum install rsyslog-gnutls -y</code>
+    - originale rsyslog-Konfigurationsdatei sichern. <code> # cp -a /etc/rsyslog.conf /etc/rsyslog.conf.orig</code>
+    - rsyslog konfigurieren. <code> # vim /etc/rsyslog.conf</code><file bash /etc/rsyslog.conf># rsyslog configuration file
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+#### MODULES ####
+# Django : 2017-2-14
+# default: unset
+$DefaultNetstreamDriver gtls #make gtls driver the default
+# The imjournal module bellow is now used as a message source instead of imuxsock.
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+# Django : 2017-09-26
+# default: $ModLoad imjournal # provides access to the systemd journal
+#$ModLoad imklog # reads kernel messages (the same are read from journald)
+#$ModLoad immark  # provides --MARK-- message capability
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+# Provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+#### GLOBAL DIRECTIVES ####
+# Where to place auxiliary files
+$WorkDirectory /var/lib/rsyslog
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+# Turn off message reception via local log socket;
+# local messages are retrieved through imjournal now.
+# Django : 2017-09-26
+# default: $OmitLocalLogging on
+# File to store the position in the journal
+# Django : 2017-09-26
+# default: $IMJournalStateFile imjournal.state
+# Django : 2017-02-14 - certificate files for TLS
+# default: unset
+$DefaultNetstreamDriverCAFile   /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
+$DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
+$DefaultNetstreamDriverKeyFile  /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
+#          run driver in TLS-only mode
+$ActionSendStreamDriverMode 1
+#### RULES ####
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+# Log cron stuff
+cron.*                                                  /var/log/cron
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+#
+# Django : 2017-02-14
+$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
+*.* @10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
+#
+# ### end of the forwarding rule ###</file>
+    - rsyslog-Daemon neu starten zum Aktivieren der Konfigurationsänderung.<code> # systemctl restart rsyslog.service</code>
+<WRAP center round important 90%>
+**FAZIT**:
+Mit Hilfe dieser 14 Bearbeitungsschritte kann nicht nur der Übertragungsweg zwischen rsyslog-client und graylog-server abgesichert und sondern auch der Zugriff des Clients auf den zentralen syslog-server geregelt werden.
+Mit einfachen Boardmitteln unseres CentOS 7 Servers kann somit ein wesentlicher Beitrag zur Vertraulichkeit und Integrität von syslog-informationen geleistet werden und ein ungesicherte und ungeschützte Übertragung von sensitiven syslog-Informationen sollten der Vergangenheit angehören. Auch wenn der ungeübten Admin diesen Umstand bis jetzt erfolgreich verdrängte!
+</WRAP>
 ====== Links ======
@@ Zeile 3879: / Zeile 4800: @@
   * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
-~~DISCUSSION~~