Debian graylog logging server.docx
Debian installation
This guide describes the fastest way to install Graylog on Debian Linux 9 (Stretch). All links and packages are present at
the time of writing but might need to be updated later on.
Warning
This setup should not be done on publicly exposed servers. This guide does not cover security settings!
Prerequisites
If you’re starting from a minimal server setup, you will need to install these additional packages:
$ sudo apt update && sudo apt upgrade
$ sudo apt install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen dirmngr
MongoDB
The official MongoDB repository provides the most up-to-date version and is the recommended way of installing
MongoDB:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
$ echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
$ sudo apt-get update
$ sudo apt-get install -y mongodb-org
The last step is to enable MongoDB during the operating system’s startup:
$ sudo systemctl daemon-reload
$ sudo systemctl enable mongod.service
$ sudo systemctl restart mongod.service
Elasticsearch
Graylog can be used with Elasticsearch 6.x; follow the installation instructions from the Elasticsearch installation
guide:
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
$ echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
$ sudo apt update && sudo apt install elasticsearch-oss
Make sure to modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml): set the cluster name
to graylog (uncomment the cluster.name line by removing the # as its first character) and
add action.auto_create_index: false to the configuration file:
cluster.name: graylog
action.auto_create_index: false
After you have modified the configuration, you can start Elasticsearch:
$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service
Graylog
Now install the Graylog repository configuration and Graylog itself with the following commands:
$ wget https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.deb
$ sudo dpkg -i graylog-3.0-repository_latest.deb
$ sudo apt update && sudo apt install graylog-server
Follow the instructions in your /etc/graylog/server/server.conf and add password_secret and root_password_sha2. These
settings are mandatory; without them, Graylog will not start!
Use the following command to create your root_password_sha2:
$ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
To be able to connect to Graylog you should set http_bind_address to the public host name or a public IP address of the
machine you can connect to. More information about these settings can be found in Configuring the web interface.
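As an added example (not part of the original guide and not Graylog's own tooling), the following POSIX shell helpers compute root_password_sha2 the same way as the command above (hashing the password without a trailing newline), generate a random password_secret without needing pwgen, and check a server.conf for both mandatory settings. The 64-character minimum length for password_secret is an assumption made by this check, not a value taken from this page.

```shell
#!/bin/sh
# Added example: helpers for the two mandatory server.conf settings.
# Assumes coreutils (sha256sum, tr, head, cut, sed) and /dev/urandom.

# Print the hex SHA-256 of the password. printf '%s' adds no newline, which
# is what the docs' tr -d '\n' step guards against: hashing "pw\n" instead
# of "pw" yields a digest that never matches the typed password.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Generate an alphanumeric password_secret of the requested length
# (default 96) from /dev/urandom, as a substitute for pwgen -N 1 -s 96.
gen_password_secret() {
    len=${1:-96}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Return 0 if the given server.conf has both mandatory settings and the
# hash looks like a 64-character lowercase hex digest, 1 otherwise.
# The 64-character floor for password_secret is this check's assumption.
check_server_conf() {
    conf=$1
    secret=$(sed -n 's/^password_secret *= *//p' "$conf")
    hash=$(sed -n 's/^root_password_sha2 *= *//p' "$conf")
    [ -n "$secret" ] || { echo "password_secret missing" >&2; return 1; }
    [ "${#secret}" -ge 64 ] || { echo "password_secret shorter than 64 chars" >&2; return 1; }
    echo "$hash" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "root_password_sha2 missing or malformed" >&2; return 1; }
    return 0
}

# Write a minimal constructed server.conf to $1 for the admin password $2.
write_example_conf() {
    out=$1
    pw=$2
    {
        echo "password_secret = $(gen_password_secret 96)"
        echo "root_password_sha2 = $(root_password_sha2 "$pw")"
        echo "http_bind_address = 127.0.0.1:9000"
    } >"$out"
}
```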
Web interface
When your Graylog instance/cluster is up and running, the next thing you usually want to do is check out our web
interface, which offers you great capabilities for searching and analyzing your indexed data and configuring your Graylog
environment. By default you can access it using your browser at http://<graylog-server>:9000/.
Overview
The Graylog web interface was rewritten in JavaScript for 2.0 to be a client-side single-page browser application. This
means its code is running solely in your browser, fetching all data via HTTP(S) from the REST API of your Graylog server.
Note
The HTTP address must be accessible by everyone using the web interface. This means that Graylog must listen on a
public network interface or be exposed to one using a proxy, NAT or a load balancer!
Configuration Options
If our default settings do not work for you, there are a number of options in the Graylog server configuration file which you
can change to influence its behavior:
Setting | Default | Explanation
http_bind_address | 127.0.0.1:9000 | The network interface used by the Graylog HTTP interface.
http_publish_uri | If not set, http://$http_bind_address will be used. | The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all clients using the Graylog web interface.
http_external_uri | If not set, $http_publish_uri will be used. | The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
http_enable_cors | true | This is necessary for JS clients accessing the server directly. If disabled, modern browsers will not be able to retrieve resources from the server.
http_enable_gzip | true | Serve web interface assets using compression to reduce overall roundtrip times.
http_max_header_size | 8192 | The maximum size of the HTTP request headers in bytes.
http_thread_pool_size | 16 | The size of the thread pool used exclusively for serving the HTTP interface.
http_enable_tls | false | This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
http_tls_cert_file | (no default) | The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_key_file | (no default) | The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_password | (no default) | The password to unlock the private key used for securing the HTTP interface (only needed if the key is encrypted).
How does the web interface connect to the Graylog server?
The web interface fetches all the information it shows from the REST API of the Graylog server. Therefore it needs to
connect to it using HTTP(S). There are several ways to define how the web interface connects to the
Graylog server. The URI used by the web interface is determined in this exact order:
1. If the HTTP(S) client going to the web interface port sends an X-Graylog-Server-URL header which contains a valid URL, this
overrides everything else.
2. If http_external_uri is defined in the Graylog configuration file, it is used when the aforementioned header is not set.
3. If http_publish_uri is defined in the Graylog configuration file, it is used when http_external_uri is not set.
4. If none of the above are defined, http://$http_bind_address is used.
The web interface assets (e.g. the index.html, CSS and JavaScript files) are accessible at the URI root (/ by default) and
the REST API endpoints are accessible at the /api path.
Example:
Setting http_bind_address to 10.0.0.1:9000 configures the Graylog server with the following URLs.
Web interface: http://10.0.0.1:9000/
REST API: http://10.0.0.1:9000/api/
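The resolution order above, as an added example that is not part of the original documentation: a small POSIX shell function that returns the URI the web interface will use for the given inputs and reports on stderr which source won. Because a client-supplied X-Graylog-Server-URL header outranks every configured setting, a reverse proxy in front of Graylog should set that header itself rather than forward whatever the client sent, which is what the Apache examples on this page do with RequestHeader set.

```shell
#!/bin/sh
# Added example: resolve the effective web-interface URI in the order
# documented for Graylog (header, http_external_uri, http_publish_uri,
# http_bind_address). Only absolute http/https URLs count as a valid header.

# Return 0 if $1 is an absolute http or https URL without whitespace.
is_valid_url() {
    printf '%s' "$1" | grep -Eq '^https?://[^/[:space:]]+(/[^[:space:]]*)?$'
}

# Args: header_value external_uri publish_uri bind_address
# Prints the URI the web interface will use; the winning source goes to
# stderr so an operator can see when the client header decided it.
graylog_web_uri() {
    header=$1; external=$2; publish=$3; bind=$4
    if [ -n "$header" ] && is_valid_url "$header"; then
        echo "source=X-Graylog-Server-URL header (client-controlled)" >&2
        printf '%s\n' "$header"
    elif [ -n "$external" ]; then
        echo "source=http_external_uri" >&2
        printf '%s\n' "$external"
    elif [ -n "$publish" ]; then
        echo "source=http_publish_uri" >&2
        printf '%s\n' "$publish"
    else
        echo "source=http_bind_address" >&2
        printf 'http://%s\n' "$bind"
    fi
}

# Return 0 if the header a TLS-terminating proxy sets uses https, so the
# browser is not sent back to plain HTTP for API calls; 1 otherwise.
proxy_header_matches_tls() {
    case $1 in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}
```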
Apache httpd 2.x
Proxy web interface and API traffic using HTTP:
<VirtualHost *:80>
    ServerName graylog.example.org
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        RequestHeader set X-Graylog-Server-URL "http://graylog.example.org/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
</VirtualHost>
Proxy web interface and API traffic using HTTPS (TLS):
<VirtualHost *:443>
    ServerName graylog.example.org
    ProxyRequests Off
    SSLEngine on
    # <- your SSL Settings here!
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        RequestHeader set X-Graylog-Server-URL "https://graylog.example.org/"
        ProxyPass http://127.0.0.1:9000/