Graylog2

Deploy (RHEL/CentOS, single node: OpenJDK 8, MongoDB 4.0, Elasticsearch 6.x, Graylog 2.5, nginx as the TLS front-end)
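# java: Graylog 2.5 runs on Java 8; the headless build is enough for a server.
# Stop at the first failing step instead of continuing with a half-installed stack.
set -euo pipefail
yum install -y java-1.8.0-openjdk-headless

# MongoDB 4.0 repository.
# The heredoc delimiter is quoted on purpose: $releasever is a *yum* variable and has to reach the
# file literally — an unquoted heredoc lets the shell expand it to an empty string and the baseurl
# silently becomes ".../redhat//mongodb-org/...".
# '>' instead of '>>' so re-running this snippet does not append a duplicate repo stanza.
# gpgcheck=1 makes yum reject packages that are not signed with the vendor key, so a compromised
# mirror or an on-path attacker cannot hand us a trojaned mongod as root. The key URL is the one
# from the MongoDB 4.0 RHEL install docs.
cat << 'EOF' > /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
enabled=1
EOF

yum install -y mongodb-org mongodb-org-mongos mongodb-org-shell mongodb-org-tools
# NOTE(review): nothing here configures MongoDB authentication and Graylog runs on this same host,
# so confirm /etc/mongod.conf keeps bindIp on the loopback address before starting it.
systemctl enable mongod.service
systemctl start mongod.service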

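# Elasticsearch 6.x repository (the series Graylog 2.5 is paired with here).
# gpgcheck=1: the signing key was already listed below but never enforced, so packages could have
# been swapped by a bad mirror without yum noticing. Quoted delimiter + '>' for the same reasons as
# the other repo files: literal contents, idempotent re-runs.
cat << 'EOF' > /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install -y elasticsearch

# Cluster name Graylog is set up to join. Appended only when absent, so running the snippet twice
# does not leave two conflicting cluster.name entries in the YAML.
grep -qx 'cluster.name: graylog' /etc/elasticsearch/elasticsearch.yml \
  || printf '%s\n' 'cluster.name: graylog' >> /etc/elasticsearch/elasticsearch.yml
# NOTE(review): nothing in this setup adds authentication to Elasticsearch; confirm network.host
# stays on loopback so only the local Graylog node can reach port 9200.
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service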

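# Graylog 2.5 repository.
# Quoted heredoc so yum's $basearch reaches the file literally (an unquoted heredoc expands it to
# nothing); '>' so re-runs do not duplicate the stanza.
# gpgcheck=1 makes yum refuse unsigned or mis-signed packages. yum will also refuse to install until
# the Graylog signing key is available: point gpgkey= at it or `rpm --import` it first (the vendor's
# own repository package installs it under /etc/pki/rpm-gpg/ — confirm the exact path against the
# Graylog docs). Failing closed here is preferable to installing an unverified log server.
cat << 'EOF' > /etc/yum.repos.d/graylog2.repo
[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/2.5/$basearch/
gpgcheck=1
EOF

yum install -y graylog-server pwgen

# server.conf is edited by hand; these are the values to fill in.
# Both secrets below sit in this file in clear text: keep it readable by the graylog user only and
# never commit it.
#   password_secret    = $(pwgen -N 1 -s 96)
#                        (secret Graylog uses to protect stored credentials; must be set, 96 random chars)
#   root_password_sha2 = $(read -rsp 'Enter admin password: ' p; printf '%s' "$p" | sha256sum | cut -d' ' -f1)
#                        (read -s keeps the password off the screen and out of shell history; the
#                         original "echo -n ... | head -1 </dev/stdin" hashed it the same way but
#                         echoed it back in the terminal)
#   rest_listen_uri    = http://127.0.0.1:9000/api/
#   web_listen_uri     = http://127.0.0.1:9000/
#                        (bind to loopback only: the nginx block below terminates TLS and proxies to
#                         127.0.0.1:9000, so binding to 10.0.0.5 as originally written would leave
#                         nothing for nginx to reach AND expose the plaintext API/UI on the network)
#   rest_transport_uri = https://fqdn.addr.com/api/
#                        (the URL the web UI and other nodes are told to reach the API at — the TLS
#                         front-end, not the plain listener)
vi /etc/graylog/server/server.conf

systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service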

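# nginx: TLS termination in front of the Graylog web UI / REST API on 127.0.0.1:9000.
yum install -y nginx

# Two fixes to how the config file is written:
#  * the original `cat <> file` is a typo — it opens the file read-write for cat and then executes
#    the following "server {" lines as shell commands, writing no config at all;
#  * the delimiter is quoted so $host, $remote_addr, $scheme, ... are written literally — they are
#    nginx variables, and an unquoted heredoc would have the shell expand them to empty strings.
cat << 'EOF' > /etc/nginx/conf.d/graylog2.conf
# Plain HTTP only redirects: the Graylog admin password must never cross the wire unencrypted.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    ssl_certificate         /etc/nginx/ssl/log.crt;
    ssl_certificate_key     /etc/nginx/ssl/log.key;
    # Admin UI only — no reason to offer the legacy TLS 1.0/1.1 protocols.
    ssl_protocols           TLSv1.2;

    location / {
        proxy_pass  http://127.0.0.1:9000;
        proxy_redirect          off;
        proxy_connect_timeout   30;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }
}
EOF

# Validate the rendered config and the certificate paths before (re)starting, so a typo or a
# missing /etc/nginx/ssl/log.* does not take the proxy down.
nginx -t
systemctl enable nginx
systemctl restart nginx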

Shipping nginx logs to Graylog (syslog, UDP 1514)
# Send nginx access and error logs to the Graylog syslog input on 10.0.0.5:1514.
# nginx's syslog logging goes over UDP: unencrypted and unauthenticated, so anyone on the path can
# read the log lines or inject forged ones. Acceptable on a trusted network segment only.
# "tag=nginx" is what the Graylog side sees as the program name; keep it in sync with any
# extractor or stream rule that keys on it.
access_log syslog:server=10.0.0.5:1514,tag=nginx combined;
error_log  syslog:server=10.0.0.5:1514,tag=nginx;
Shipping Apache logs to Graylog (GELF over UDP, 12201) with mod_log_gelf
# https://github.com/Graylog2/apache-mod_log_gelf

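# mod_log_gelf ships Apache access logs straight to the Graylog GELF input.
# Supply-chain caveat: this RPM is pulled from a GitHub release and installed as root with no
# signature or checksum verification at all. Pin the version (done), fetch over HTTPS only (done),
# and check the file against the checksum/signature published on the release page before the
# `rpm -ivh` step — a tampered download here is code execution inside httpd.
wget https://github.com/Graylog2/apache-mod_log_gelf/releases/download/0.2.0/libapache2-mod-gelf-0.2.0-1.x86_64.rpm
rpm -ivh libapache2-mod-gelf-0.2.0-1.x86_64.rpm

# '>' rather than '>>': re-running must not stack duplicate LoadModule/Gelf* lines.
# The delimiter is quoted so the contents are written literally.
cat << 'EOF' > /etc/httpd/conf.modules.d/02-gelf.conf
LoadModule log_gelf_module /usr/lib64/httpd/modules/mod_log_gelf.so
GelfEnabled On
# udp:// GELF is plaintext and unauthenticated — fine on a trusted LAN, otherwise tunnel it or
# switch to a TCP/TLS input on the Graylog side.
GelfUrl "udp://graylog2-host:12201"
GelfSource "app-httpd"
# CF-Connecting-IP is just a request header. It is only a trustworthy client address when this
# origin accepts connections exclusively from Cloudflare; otherwise any client can set it and
# forge the IP that ends up in the logs (and in any alert or block list built from them).
GelfHeader "HTTP_CF_CONNECTING_IP"
GelfFacility "apache-gelf"
GelfCookie "tracking"
GelfFields "ABDXhmsvRti"
EOF

# Load the new module and its settings.
systemctl restart httpd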
Shipping local syslog to Graylog (rsyslog, UDP 1514)
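# Forward every local syslog message to the Graylog syslog input.
# The selector is single-quoted: an unquoted `*.*` is a shell glob, and the original line would
# have written the names of any dotted files in the current directory instead of the literal
# rsyslog rule. Appended only when absent so re-runs stay idempotent.
# A single '@' is UDP (no delivery guarantee, no auth, no encryption). Use '@@graylog.host:PORT'
# for TCP — which needs a TCP syslog input on the Graylog side — where lost or spoofed log
# lines matter.
grep -qxF '*.* @graylog.host:1514' /etc/rsyslog.conf \
  || printf '%s\n' '*.* @graylog.host:1514' >> /etc/rsyslog.conf
# Apply the new forwarding rule.
systemctl restart rsyslog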
Shipping Squid logs to Graylog (via syslog + GROK, or directly as GELF over UDP)
# Syslog
# GROK parse rule for graylog:
# %{DATA:Squid_hostname} (%{DATA:Squid_process}): %{DATA:UNWANTED} %{DATA:UNWANTED} %{DATA:Username} %{IPV4:Client_IP} %{DATA:Status_result}/%{NUMBER:Status_code} %{NUMBER:Size} %{DATA:Method} %{DATA:URL} %{DATA:Remote_ip} %{DATA:Content-Type}
# NOTE(review): the next line looks like two definitions fused by a copy/paste: the native "squid"
# logformat (%tl %ul %>a %Ss/%03>Hs %h) runs straight into the tail of a JSON/GELF logformat whose
# opening — the 'logformat graylog_vhost {"version": ...' part that the access_log below refers
# to — is not present. As written it will not parse as squid.conf; rebuild both logformat lines
# from the Squid logformat docs before use.
# Fields such as _user_agent and _http_referer are copied from request headers (%{...}>h), i.e.
# client-controlled text — treat them as untrusted in stream rules, alerts and dashboards.
logformat squid %tl %ul %>a %Ss/%03>Hs %h","short_message":"%rm %ru HTTP/%rv","level":6,"timestamp":"%tl","_client_ip":"%>a","_squid_ip":"%la","_server_ip":"%st","_reply_size":"%Hs","_http_method":"%rm","_http_referer":"%{Referer}>h","_user_agent":"%{User-Agent}>h","_squid_request_status":"%Ss","_squid_hierarchy_status":"%Sh","_from_squid":"true"}
# GELF over udp:// to the Graylog input on 12201 is plaintext and unauthenticated — trusted
# network only.
access_log udp://10.0.0.5:12201 graylog_vhost