forksand-it-manual/source/resources/apps/graylog/README.md

# Clone Debian Stretch template, set up IPs, hostname, ssh keys
apt update
apt -y dist-upgrade

# Install graylog
# Install deps
apt -y install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

# Set up repo:
wget -q -O - https://packages.graylog2.org/repo/debian/keyring.gpg | apt-key add
echo "deb https://packages.graylog2.org/repo/debian/ stable 2.4" > /etc/apt/sources.list.d/graylog.list
# Disable apt cache, comment out proxy in /etc/apt/apt.conf
apt update
apt install graylog-server

# Set a password:
echo -n password | sha256sum
# Set that to in /etc/graylog/server/server.conf:
password_secret =
# Set also:
root_password_sha2 =

# Set these:
rest_listen_uri = http://10.22.22.109:9000/api/
web_listen_uri = http://10.22.22.109:9000/
elasticsearch_hosts = http://10.22.22.118:9200
mongodb_uri = mongodb://10.22.22.119:27017/graylog




# Open up firewall on server:
-A INPUT -p tcp --dport 9000 -j ACCEPT
# Syslog UDP
-A INPUT -p udp --dport  514 -j ACCEPT
# Syslog UDP alt port
-A INPUT -p udp --dport 5144 -j ACCEPT
# Syslog TCP
-A INPUT -p tcp --dport  514 -j ACCEPT
# Syslog TCP alt port
-A INPUT -p tcp --dport 5144 -j ACCEPT



# Start service:
systemctl daemon-reload
systemctl start graylog-server.service

# Start on boot:
systemctl enable graylog-server.service



### XXX Backups
### XXX Prometheus :)


# Add clients
# Add to /etc/rsyslog.d:

# UDP (use this):
echo "*.* @10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf

# TCP:
#echo "*.* @@10.22.22.109:5144;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf

# Maybe?
#echo 'action(type="omfwd" target="10.22.22.109" port="5144" template="RSYSLOG_SyslogProtocol23Format")' > /etc/rsyslog.d/graylog.conf

systemctl restart rsyslog