Setting up Graylog in a FreeNAS jail

First steps

Create a new jail

Add a new jail using the guides at freenas.org and enable ssh access if you want that.

All the commands from here on out are run as root.

Install packages

Install the packages the setup needs:

pkg install databases/mongodb textproc/elasticsearch2 graylog

Configure the system

Enable the services

Edit rc.conf to enable the services that are going to run:

vi /etc/rc.conf

Add:

elasticsearch_enable="YES"
graylog_enable="YES"
mongod_enable="YES"

Graylog configuration

Create a configuration password/salt to use:

pwgen -N 1 -s 96

Save the password.

Get the hash of your root password:

echo -n '<root password>' | shasum -a 256

Save the hash.

Edit the main configuration file

vi /usr/local/etc/graylog/server/server.conf

Set the following parameters:

is_master = true
password_secret = <password from pwgen>
root_password_sha2 = <root password hash>
rest_listen_uri = http://<jail ip>:12900/
elasticsearch_shards = 4

Leave the MongoDB configuration as it is, or edit it if you want to use authentication.

Add Web configuration

web_enable = true
web_listen_uri = http://<jail ip>:9000/
web_enable_cors = true
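The configuration steps above, from generating the secret to the web settings, as an added shell script that is not part of the original guide. It assumes a POSIX sh, /dev/urandom, and one of sha256sum, shasum or FreeBSD's sha256 on the PATH; graylog_secret draws from /dev/urandom in place of pwgen, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: apply the server.conf settings from the guide with shell functions.
# Assumes POSIX sh, /dev/urandom and one of sha256sum, shasum or FreeBSD's sha256.

# Hex SHA-256 of a password, exactly what root_password_sha2 expects.
# printf '%s' avoids the trailing newline that a plain echo would hash too.
graylog_root_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | sha256 -q          # FreeBSD base system
    fi
}

# Random password_secret of N characters (default 96, as with pwgen -N 1 -s 96),
# drawn from /dev/urandom so pwgen need not be installed.
graylog_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Set "KEY = VALUE" in FILE: rewrite an existing line (even a commented-out
# "#key = ..." placeholder) in place, or append the key if it is absent.
# Values must not contain "|" or "&" (sed delimiter and back-reference).
graylog_set() {
    if grep -q "^#\{0,1\}[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i.bak "s|^#\{0,1\}[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >>"$1"
    fi
}

# Read a key back from FILE, for checking the result.
graylog_get() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Apply every parameter the guide sets. Usage: graylog_configure FILE JAIL_IP ROOT_PASSWORD
graylog_configure() {
    conf=$1 ip=$2
    graylog_set "$conf" is_master true
    graylog_set "$conf" password_secret "$(graylog_secret 96)"
    graylog_set "$conf" root_password_sha2 "$(graylog_root_hash "$3")"
    graylog_set "$conf" rest_listen_uri "http://$ip:12900/"
    graylog_set "$conf" elasticsearch_shards 4
    graylog_set "$conf" web_enable true
    graylog_set "$conf" web_listen_uri "http://$ip:9000/"
    graylog_set "$conf" web_enable_cors true
}
```

Run it as `graylog_configure /usr/local/etc/graylog/server/server.conf <jail ip> '<root password>'`; sed leaves a server.conf.bak copy of the original next to the file.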

Edit the log4j configuration

The shipped log4j configuration has a bug: it defines two Root loggers, which log4j2 does not allow.

vi /usr/local/etc/graylog/server/log4j2.xml

Change

<Root level="warn">
  <AppenderRef ref="STDOUT"/>
  <AppenderRef ref="graylog-internal-logs"/>
</Root>
  <Root level="error">
  <AppenderRef ref="FreeBSD-logs"/>
</Root>

to

<Root level="warn">
  <AppenderRef ref="STDOUT"/>
  <AppenderRef ref="graylog-internal-logs"/>
  <AppenderRef ref="FreeBSD-logs"/>
</Root>

Add node-id file

Create a directory for Graylog under /var:

mkdir -p /var/graylog/server

Create the empty node-id file:

touch /var/graylog/server/node-id

Make the graylog user the owner of the node-id file:

chown graylog:graylog /var/graylog/server/node-id

Start the services

Start MongoDB

service mongod start

Start ElasticSearch

service elasticsearch start

Start graylog service

service graylog start

Conclusion

You now have a working Graylog server in a jail. Open http://<jail ip>:9000/ and log in as admin with your jail root password.

Notes

Your Graylog server runs as its own user, so it cannot bind privileged ports (1-1024). If you want a syslog input on such a port you have to run the service as root, or allow the service to bind those ports in some other way.

Running it as root is not a good idea, but if you want to do it this is how:

Edit the rc.d file for graylog

vi /usr/local/etc/rc.d/graylog

Change the user and group lines to root/wheel:

: ${graylog_user:="root"}
: ${graylog_group:="wheel"}

Restart the Graylog service:

service graylog restart


Versions

These are the versions used:

FreeNAS-11.1-RELEASE
elasticsearch2-2.4.6
graylog-2.4.3
mongodb-2.6.12_3
openjdk8-8.162.12_2
openjdk8-jre-8.162.12_2