Sending pfSense logs to a Graylog log server on Oracle Linux 8.7
Download the "Oracle Linux Server release 8.7" ISO
https://yum.oracle.com/ISOS/OracleLinux/OL8/u7/x86_64/OracleLinux-R8-U7-x86_64-dvd.iso
System version
cat /etc/oracle-release
Prerequisite:
dnf -y install java-17-openjdk.x86_64
MongoDB
vim /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
dnf -y update
yum install mongodb-org
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
Check the SELinux status
sestatus
Elasticsearch
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vim /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
dnf -y update
yum install elasticsearch-oss
tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
systemctl --type=service --state=active | grep elasticsearch
Graylog
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm
yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
vim /etc/graylog/server/server.conf
Add the output of the command below at line 57 of the file mentioned above
pwgen -N 1 -s 96
password_secret =
Add the output of the command below at line 68
echo -n "Senha: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
root_password_sha2 =
Line 76 (time zone)
root_timezone = America/Sao_Paulo
Line 105
http_bind_address = 0.0.0.0:9000
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog
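As an added check (example script, not part of the original how-to), the bash functions below verify the three server.conf settings edited above before graylog-server is started: password_secret length, a well-formed root_password_sha2 digest, and a set http_bind_address. They assume the config path used on this page and that sha256sum is installed.

```bash
#!/bin/bash
# Added example: sanity-check /etc/graylog/server/server.conf before starting
# graylog-server. Not part of the original procedure; path is an assumption.

# Compute the root_password_sha2 value for a password, the same digest the
# page's sha256sum one-liner produces (printf avoids echo -n portability issues).
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Read the effective value of a key from a server.conf-style file,
# ignoring commented-out lines and taking the last uncommented assignment.
conf_get() {
    # $1 = key, $2 = file
    grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" | tail -1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//'
}

# Validate the settings the procedure edits; prints each problem found and
# returns 0 only when every check passes.
check_graylog_conf() {
    local f="${1:-/etc/graylog/server/server.conf}" rc=0 secret hash bind
    secret=$(conf_get password_secret "$f")
    hash=$(conf_get root_password_sha2 "$f")
    bind=$(conf_get http_bind_address "$f")
    # Graylog requires at least 64 characters; pwgen -N 1 -s 96 gives 96.
    if [ "${#secret}" -lt 64 ]; then
        echo "password_secret must be at least 64 characters (use: pwgen -N 1 -s 96)"; rc=1
    fi
    # A SHA-256 hex digest is exactly 64 lowercase hex characters.
    if ! printf '%s' "$hash" | grep -qE '^[0-9a-f]{64}$'; then
        echo "root_password_sha2 must be a 64-hex-character SHA-256 digest"; rc=1
    fi
    if [ -z "$bind" ]; then
        echo "http_bind_address is not set (e.g. 0.0.0.0:9000)"; rc=1
    fi
    return "$rc"
}
```

Run check_graylog_conf with no argument to test the real file, or pass another path; a non-zero exit means at least one setting still needs fixing.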
SELinux
Tip: install policycoreutils-python to manage SELinux.
yum -y install policycoreutils-python-utils
Allow the web server to access the network
setsebool -P httpd_can_network_connect 1
*If the policy above does not match your security policy, you can also allow access to each port individually:
semanage port -a -t http_port_t -p tcp 9000
semanage port -a -t http_port_t -p tcp 9200
semanage port -a -t mongod_port_t -p tcp 27017
Status
systemctl status mongod.service
systemctl status elasticsearch
systemctl status graylog
systemctl status firewalld
Accessing Graylog
http://192.168.0.37:9000
Opening ports in the firewall
ss -tnlp
for i in 9000 9300 9200; do firewall-cmd --permanent --add-port=$i/tcp; done; firewall-cmd --reload
firewall-cmd --permanent --add-port=1514/udp; firewall-cmd --reload