First steps
Create a new jail
Add a new jail using the guides at freenas.org and enable ssh access if you want that.
All the commands from here on out are run as root.
Install packages
You need some packages
pkg install databases/mongodb textproc/elasticsearch2 graylog
Configure the system
Enable the services
Edit the rc.conf to enable the services that are going to run
vi /etc/rc.conf
Add:
elasticsearch_enable="YES"
graylog_enable="YES"
mongod_enable="YES"
Graylog configuration
Create a configuration password/salt to use.
pwgen -N 1 -s 96
Save the password
Get the hash for your root password
echo -n <root password> | shasum -a 256
Save the hash
Edit the main configuration file
vi /usr/local/etc/graylog/server/server.conf
Set the following parameters:
is_master = true
password_secret = <password from pwgen>
root_password_sha2 = <root password hash>
rest_listen_uri = http://<jail ip>:12900/
elasticsearch_shards = 4
Leave the mongodb configuration be, but edit if you want to use authentication
Add Web configuration
web_enable = true
web_listen_uri = http://<jail ip>:9000/
web_enable_cors = true
Edit the log4j configuration
The log4j configuration has a bug: it defines two Root loggers, and only one is allowed.
vi /usr/local/etc/graylog/server/log4j2.xml
Change
<Root level="warn">
    <AppenderRef ref="STDOUT"/>
    <AppenderRef ref="graylog-internal-logs"/>
</Root>
<Root level="error">
    <AppenderRef ref="FreeBSD-logs"/>
</Root>
to
<Root level="warn">
    <AppenderRef ref="STDOUT"/>
    <AppenderRef ref="graylog-internal-logs"/>
    <AppenderRef ref="FreeBSD-logs"/>
</Root>
Add node-id file
Create dir for graylog in /var
mkdir -p /var/graylog/server
Touch the node-id file to be used
touch /var/graylog/server/node-id
Let the Graylog user own the node-id file
chown graylog:graylog /var/graylog/server/node-id
Start the services
Start MongoDB
service mongod start
Start ElasticSearch
service elasticsearch start
Start graylog service
service graylog start
Conclusion
You now have a working Graylog server in a jail. Access it through http://<jail ip>:9000/ using admin as user and your jail root password as password.
Notes
Your Graylog server is running as its own user. It does not have access to privileged ports (1-1024). If you want to have a syslog input, you may need to run the service as root, or in some other way allow the service to access those ports.
Running it as root is not a good idea, but if you want to do it this is how:
Edit the rc.d file for graylog
vi /usr/local/etc/rc.d/graylog
Change the lines for user and group to root/wheel
: ${graylog_user:="root"}
: ${graylog_group:="wheel"}
Restart the graylog service
service graylog restart
Versions
These are the versions used
FreeNAS-11.1-RELEASE
elasticsearch2-2.4.6
graylog-2.4.3
mongodb-2.6.12_3
openjdk8-8.162.12_2
openjdk8-jre-8.162.12_2