Remote Syslog Server on FreeNas

xames

Patron
Joined
Jun 1, 2020
Messages
235
Is possible to install a remote syslog server over FreeNas/TrueNas? The forums i see are all to olds. I try papertrail.app but its too expensive to implement on long time.

Maybe with a docker with graylog inside, any ideas/tutorials for newbie?
 
Last edited:

elorimer

Contributor
Joined
Aug 26, 2019
Messages
194
Not sure where you are trying to send this. I send the log files from FreeNAS to my router, which collects all of the logs and then sends them along to a free account for the sister of papertrail.

I'm on 12 Beta, and while remote logging works, it is not yet restored to the System-General page.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
Papertrail is paid service where some gb is absorved. I really need and opensource one like graylog, but inside a jail.

I follow this tutorial, but is not working


It seems like bug over node-id step.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
It seems like bug over node-id step.
There are bigger problems than that--neither mongodb nor elasticsearch2 seems to exist in the package database. There's mongodb36, but even it's EOL and set to be removed by the end of the year. And it looks like graylog wants elasticsearch5. And the server.conf file doesn't exist, nor does log4j2.xml...

Lots of stuff missing there. But probably fixable.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
That Graylog tutorial is very old. This is what I had to do to get Graylog up and running in a jail:
  1. First, I created an 11.3-RELEASE basejail named graylog. (A clone jail will also work.)
  2. Then, I ran pkg update to initialize pkg.
  3. Next, I ran pkg install graylog, which creates the graylog user (UID 848) and group (GID 848), and installs several dependencies. The install notes say the jail needs to mount procfs, fdescfs, and needs a more liberal enforce_statfs than the default of 2.
    1. So I created sysctl tunables
      Code:
      security.jail.mount_allowed: 1
      security.jail.mount_procfs_allowed: 1
      security.jail.mount_fdescfs_allowed: 1
      security.jail.enforce_statfs: 1
      
    2. For the jail, I set iocage properties
      Code:
      allow_mount:1
      allow_mount_procfs:1
      mount_procfs:1
      mount_fdescfs:1
      enforce_statfs:1
      
  4. I restarted the jail to make these settings active.
  5. The pkg install graylog output also recommends installing mongodb36 and elasticsearch5. This was easily done via pkg install mongodb36 elasticsearch5.
  6. To activate these services, I used
    Code:
    sysrc elasticsearch_enable="YES"
    sysrc graylog_enable="YES"
    sysrc mongod_enable="YES"
  7. At this point, you can start ElasticSearch and MongoDB via service elasticsearch start and service mongod start.
  8. I also had to install pwgen via pkg install pwgen. This portion of the tutorial is OK.
    1. Create a Graylog admin password via pwgen -N 1 -s 96 > /tmp/glpwd.
    2. Create the hash via echo -n `cat /tmp/glpwd` | sha256 > /tmp/glphash.
  9. The tutorial section on configuring server.conf is extremely old, and is mostly incorrect.
    1. First, navigate to /usr/local/etc/graylog. Copy graylog.conf.example to graylog.conf.
    2. Copy log4j2.xml.example to log4j2.xml.
    3. chown graylog:graylog graylog.conf log4j2.xml to correct the ownership.
    4. log4j2.xml root listener is fine as-is, and doesn't need to be corrected. Leave it alone.
    5. All sorts of paths are wrong in the graylog.conf, use these settings instead:
      Code:
      node_id_file = /var/run/graylog/node-id
      bin_dir = /usr/local/share/graylog
      data_dir = /var/db/graylog
      plugin_dir = /usr/local/share/graylog/plugin
      message_journal_dir = /var/db/graylog/journal
      

      Note, you may need to manually create these directories and give them the correct ownership.
    6. Create the node-id via mkdir /var/run/graylog, touch /var/run/graylog/node-id, and chown -R graylog:graylog /var/run/graylog.
    7. The web configuration in the tutorial is old. Use these instead:
      Code:
      http_bind_address = <your jail IP>:9000
      http_enable_cors = true
    8. Insert the password and hash in these locations:
      Code:
      password_secret = <password from /tmp/glpwd>
      root_password_sha2 = <password hash from /tmp/glphash>
    9. Save the file, and delete the temporary password/hash files.
  10. At this point, you should be able to start Graylog via service graylog start.
  11. Login to Graylog at http://<your jail IP>:9000, using the account admin, and the password defined in the password_secret field of graylog.conf.
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Create the hash via echo -n `cat /tmp/glpwd` | sha256 > /tmp/glphash.
Login to Graylog at http://<your jail IP>:9000, using the account admin, and the password defined in the password_secret field of graylog.conf.
From what I see in the Graylog docs, the hash is intended to be of what you intend to use as your admin password, not of the password_secret. And that makes sense--no password policy in the world would require (or even encourage) a password like "qH5ZASORVbSGYkAK662DomkqZ8pys4xu8aQsacS6a6fWDa4xAF8356a6uIQxRl5f60irSgjLIOksGGFJxzY2FzpEFmetisdQ"

Edit: Per those docs:
1596245545334.png
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
This is what I had to do to get Graylog up and running in a jail:
Thanks, that worked pretty well with the exception of the password thing I mentioned last night. Were you able to get it listening on the syslog port running as graylog, or did you need to have it run as root?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
I didn't go any further, sorry. I suspect you'll need to run it as root for that to happen.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
Cool, thanks. The couple of things I've played with (FreeNAS and OPNsense) let you specify a port for the remote syslog server, so that's an easy workaround.

Edit: I'd add that the Graylog time zone needs to be set in graylog.conf too.

Edit 2: I was also able to install this under 12.0-BETA, even though I couldn't find all the jail options mentioned above. It seems to work there too.
 
Last edited:

xames

Patron
Joined
Jun 1, 2020
Messages
235
Then it works? you can open the gui of graylog over FreeNas/TrueNas, external connection of inputs working? Could be fantastic, i run kiwi syslog but its pay in 14 days, all stuff same thinks, Graylog better.

Thanks Samuel i follow the detailed instructions tomorrow morning in spain.

I don't know what and where exactly is "I created sysctl tunables", and "touch" not working the other day.

iocage properties: allow mount i found all the other where are?
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
you can open the gui of graylog over FreeNas/TrueNas
I have no idea what you mean here. It's its own web application, with its own IP address, and it would be a completely different and unrelated web GUI.
external connection of inputs working?
My OPNsense box is logging to my graylog jail just fine. Whatever applications you're wanting to send the log output there will need to be able to use a port above 1024 with this installation--the standard port for syslog is 514, but FreeNAS/TrueNAS and OPNsense, at least, can be configured to use whatever port you like.
I don't know what and where exactly is "I created sysctl tunables",
The manual will tell you.

But with respect to Samuel, I think the instructions could be clarified a bit--I'll see if I can take a crack at it tomorrow.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
Could be fine to be easy to install like a plugin.

My command: sysctl security.jail.mount_fdescfs_allowed show me :0
How to change to 1? I don't see in manual.

  1. chmod graylog:graylog graylog.conf log4j2.xml to correct the ownership? don't work.

I enable a syslog on udp port 514, and i send remotely unifi controller, but seems not to receive, the ports are default open on a jail or how it works?

Thanks.
 
Last edited:

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
Last edited:

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
To change the ownership, make sure you're root inside the jail, and are inside the /usr/local/etc/graylog directory; i.e., cd /usr/local/etc/graylog.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
I enter with ssh in the freenas then inside jail directory and inside the /usr/local/etc/graylog directory, but error:
chmod: invalid file mode: graylog:graylog

I really don't know why that necessary, but.
 
Last edited:

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,456
chmod graylog:graylog graylog.conf log4j2.xml to correct the ownership? don't work.
It's an error in the guide. The correct command is "chown", not "chmod".
Can this services start automatically on reboots?
They will, as long as the jail is set to start on boot.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,398
It's an error in the guide. The correct command is "chown", not "chmod".

Thanks for pointing that out. I've corrected my original steps.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
These are the jail properties, i cannot find the
mount_fdescfs:1 and enforce_statfs:1

allow_set_hostname
allow_sysvipc
allow_raw_sockets
allow_chflags
allow_mlock
allow_vmm
allow_quotas
allow_socket_af
allow_mount
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
Input 5f26b7aa1559cb6ab29aabd6 has failed to start on node 453fd7fc-0e3d-414d-aca0-c8496367d940 for this reason: »Permission denied
 
Top