Setting up a centralised log server using Graylog on Ubuntu 16.04 LTS – Part Two

Now that we have a working installation of Graylog (Part One), it is time to make some configuration changes to improve security by enabling SSL/TLS.

The first step is to generate a suitable certificate/key pair. This post will assume you have access to a CA in order to obtain the required signed certificates.

We will use OpenSSL on the Graylog server to create our private key and our certificate signing request or CSR.

First step is to create a request template, fire up your favourite text editor and create a file similar to below.

Note that you will need to change the values in the [req_distinguished_name] and [alt_names] sections to suit your own requirements.

Save the file as graylog.cnf

 

Create the private key, entering a secure password when prompted

openssl genrsa -aes128 -out graylog.key 4096

and create the CSR using the private key and the template.

openssl req -sha256 -key graylog.key -new -out graylog.csr -config graylog.cnf

Submit the graylog.csr file to your preferred CA ensuring you receive the certificate as a Base64 encoded PEM file.

 

Graylog needs the private key in PKCS8 format so we need to do a quick conversion.

openssl pkcs8 -in graylog.key -topk8 -out graylogPKCS8.key -passout pass:<Your private key password>

 

Now we need to create a new directory to house our PKCS8 private key and certificate.

sudo mkdir /etc/graylog/ssl

Copy the certificate and graylogPKCS8.key into this newly created folder.

To assist in securing these files we will change some permissions on the folder

sudo chgrp graylog /etc/graylog/ssl

sudo chmod 755 /etc/graylog/ssl

Now we will set the permissions on the files, first promoting ourselves to the root user

sudo su

cd /etc/graylog/ssl

chmod 644 <Certificate file name>

chgrp graylog graylogPKCS8.key

chmod 640 graylogPKCS8.key

exit

 

OK, now if we used an internal CA to sign our certificate we will need to make sure that our Graylog server trusts the CA. If you used a public CA you shouldn’t have to do this section.

Create a new directory for your root certificate in /usr/local/share/ca-certificates/

sudo mkdir /usr/local/share/ca-certificates/MyCA

sudo chmod 755 /usr/local/share/ca-certificates/MyCA

Copy the root certificate of your internal CA to this new folder in PEM format and then set appropriate permissions

sudo chmod 644 /usr/local/share/ca-certificates/MyCA/MyCARoot.cer

Now run the following to add the cert to your servers root CA list.

sudo update-ca-certificates

We also need to add the CA certificate to our Java keystore with the following command:

sudo keytool -keystore /etc/ssl/certs/java/cacerts -importcert -alias MyCA -file /usr/local/share/ca-certificates/MyCA/MyCARoot.cer

 

Alright, now that all our certificates are in place it is time to update our Graylog configuration file.

Using your preferred text editor, open the file /etc/graylog/server/server.conf

Look for the following lines and update:

rest_enable_tls = true

rest_tls_cert_file = /etc/graylog/ssl/<Certificate Name>

rest_tls_key_file = /etc/graylog/ssl/graylogPKCS8.key

rest_tls_key_password = <Password we used to create our private key>

web_enable_tls = true

web_tls_cert_file = /etc/graylog/ssl/<Certificate Name>

web_tls_key_file = /etc/graylog/ssl/graylogPKCS8.key

web_tls_key_password = <Password we used to create our private key>

 

The last change we need to make is to configure some SSL options for the JVM that runs the web server process to ensure it only accepts secure encryption algorithms.

Create a file in /etc/graylog/server called security.options and enter the following lines

jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1, 3DES_EDE_CBC, EC keySize < 160, RSA keySize < 2048, DH keySize < 2048, DSA keySize < 2048, DHE keySize < 2048, ECDH keySize < 2048, ECDHE keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048

Now edit the file /etc/default/graylog-server.

Look for the GRAYLOG_SERVER_JAVA_OPTS section and add in the following options

-Djava.security.properties=/etc/graylog/server/security.properties

-Djdk.tls.ephemeralDHKeySize=2048

It should look something like this:

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -Djdk.tls.ephemeralDHKeySize=2048 -Djava.security.properties=/etc/graylog/server/security.properties -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"

Save and exit.

 

Now we are ready to restart Graylog with our new settings.

sudo systemctl restart graylog-server.service

After a short while we should be able to access our newly TLS secured Graylog server at https://<FQDN of Graylog Server>:9000

 

Check the system and graylog log files to assist in troubleshooting any startup issues.

sudo tail --f /var/log/syslog

sudo tail --f /var/log/graylog-server/server.log

Job done!

In the next post in this series, we will configure Active Directory as an external authentication source.

 

Leave a Reply

Your email address will not be published. Required fields are marked *