Showing posts with label graylog. Show all posts

Thursday, 5 October 2017

Get graylog running on port 80 instead of 9000

If you are building a single-service server (and if you are doing anything with log files the chances are that you are...) then you might want to get Graylog working on a convenient port, like 80, rather than the default 9000.

By default, ports below 1024 are privileged and normal (non-root) applications are not allowed to bind to them.

If you search the internet there are loads of conversations about how to do it the right way... well that is too complicated for me, so here's a quick and dirty way to get it set up.

Just run the service using the root user rather than the graylog user - yeah I know, all kinds of a bad idea if this is externally facing, but if it's internal then I think it'll be alright.

In Ubuntu:

sudo vim /etc/graylog/server/server.conf

Change the port number for rest_listen_uri and web_listen_uri to 80

sudo vim  /usr/lib/systemd/system/graylog-server.service

Change
User=graylog to User=root
Group=graylog to Group=root

Exit and run
sudo systemctl daemon-reload
so that systemd picks up the edited unit file.
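The two edits above, scripted as an added example rather than anything from the post: it applies the same sed-style changes to throwaway copies of server.conf and the unit file so you can see exactly what changes before touching the real files (the paths in the comments are the ones from the post; the sample file contents are constructed).

```sh
#!/bin/sh
# Added example: scripts the two edits from the post on throwaway copies of the
# files, so it can be run without root to see the effect. Real paths are
# /etc/graylog/server/server.conf and /usr/lib/systemd/system/graylog-server.service;
# the sample contents below are constructed.
set -eu

# Rewrite the port in rest_listen_uri and web_listen_uri, leaving every other
# line of server.conf untouched.
set_listen_port() {
  conf="$1"; port="$2"
  sed -i -E "s#^((rest|web)_listen_uri[[:space:]]*=[[:space:]]*https?://[^:/]+):[0-9]+#\1:${port}#" "$conf"
}

# Switch the systemd unit to run the service as root, exactly as the post does.
run_service_as_root() {
  unit="$1"
  sed -i -E 's/^User=.*/User=root/; s/^Group=.*/Group=root/' "$unit"
}

# Print the listen URIs and the User=/Group= lines so the change can be
# eyeballed before systemd is told about it.
show_result() {
  grep -E '^(rest|web)_listen_uri' "$1"
  grep -E '^(User|Group)=' "$2"
}

# Demo on constructed copies of the two files.
work=$(mktemp -d)
cat > "$work/server.conf" <<'EOF'
is_master = true
rest_listen_uri = http://127.0.0.1:9000/api/
web_listen_uri = http://127.0.0.1:9000/
EOF
cat > "$work/graylog-server.service" <<'EOF'
[Service]
User=graylog
Group=graylog
EOF
set_listen_port "$work/server.conf" 80
run_service_as_root "$work/graylog-server.service"
show_result "$work/server.conf" "$work/graylog-server.service"
rm -rf "$work"

# On the real host, after editing the real files as root, reload and restart,
# then confirm something is actually listening on 80:
#   sudo systemctl daemon-reload && sudo systemctl restart graylog-server
#   ss -ltnp | grep ':80 '
```

Note that daemon-reload only re-reads the unit file; the service has to be restarted before the new User= and port take effect, which is why the comment at the end pairs the two. If you would rather not run the JVM as root, the supported alternative is a systemd drop-in for the unit containing AmbientCapabilities=CAP_NET_BIND_SERVICE, which lets the graylog user bind port 80 while keeping everything else unprivileged; that is the "right way" the post alludes to.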




Wednesday, 1 March 2017

Configuring Graylog for LDAP and Active Directory

Configuring LDAP and Active Directory authentication for graylog is pretty simple.

Server configuration


Go to http://<graylog_server>/system/authentication/config/legacy-ldap

Tick "Enable LDAP" duh!

Set the server type - in my case it's Active Directory

Server address: ldap://<IP address or FQDN of your domain controller>:389

If this is reachable externally, you really should be using ldaps so that the authentication traffic between the Graylog server and the DC is encrypted... in fact it's best practice to do this as standard.

System username: This is the full distinguished name (DN) of a user who has permission to browse the AD. In my case I created a service account just for this purpose. It has no other access, and don't forget to set the account and password to never expire.

CN=LDAP-Authentication-Only,OU=Service-Accounts,OU=Users,DC=uk,DC=company,DC=local

Don't know what the full DN is? Just install Softerra LDAP Browser, look at the properties for your user and copy it from there.

System password: <The service account password>

Test Server connection.. go on... get a green message before proceeding!

User mapping


Search Base DN: You don't want to search the whole AD, so this lets you specify the OU below which to search. Usually this is your Users OU; again, use Softerra to find the full DN.

OU=Users,DC=uk,DC=company,DC=local

User search pattern: This makes sure you only match user objects and searches on sAMAccountName, which means you can log in with your short username, e.g. jsmith, rather than your full email address. Just use the setting they tell you:

(&(objectClass=user)(sAMAccountName={0}))

Display Name Attribute: How you want your user to appear. I just used displayName, but you could use cn if you wanted "Firstname Lastname".

At this stage, you can now go to step 5 and do a login test... hopefully it should all go well, and you can save your changes and anyone in the AD can log on!

If it fails, make sure you are not using a username that is already in the graylog user database... this caught me out and I had to delete the local user before it would work.

Group Mapping



The first time you log in with an AD account you will notice that you don't have a search option; this is because Graylog have decided that they want regular users to use streams.

If you want AD users to be admins (and have search capabilities) you need to set up Group Mappings.

First thing to do is set up a couple of Security Groups in AD. I chose to call them "Graylog Users" and "Graylog Admins"

Group Search Base is very similar to the Search Base DN you just set up... but in this case point it at the OU that has all your groups below it.

OU=Groups,DC=uk,DC=company,DC=local

Group Search Pattern should be set up to tell Graylog to search for groups with a particular string, in my case I used:

(&(objectClass=group)(cn=Graylog*))

Note that this is CaSe SeNsItIve

Group Name Attribute should be cn

Default User Role defines what permissions everyone is created with when they log on for the first time. I left mine at Reader - basic access as I don't want everyone able to break my system.

You should now save your changes.

Now it's time to map your Active Directory groups to Graylog roles by going to http://<graylog_server>/system/ldap/groups

Just pick your AD groups and assign the permissions you want for members of that group.

Congratulations, you have set it up... now log on with your AD/LDAP user and start playing :)
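Before relying on the login test in the Graylog UI, it helps to pre-flight the same settings from the command line so a failure can be pinned on the bind, the user search pattern or the group search pattern. The script below is an added example, not part of the post or of Graylog: it assumes the OpenLDAP client tools (ldapsearch) are installed, uses the DNs and filters from the post, and the domain controller hostname is a constructed placeholder. The {0} substitution is the script's own, done with RFC 4515 escaping of filter metacharacters; Graylog performs its own substitution internally.

```sh
#!/bin/sh
# Added example (not from the post): pre-flight the LDAP settings from the post
# with ldapsearch before putting them into Graylog. Values are the ones from the
# post or constructed placeholders; adjust for your domain.
set -eu

LDAP_URI="ldap://dc01.uk.company.local:389"   # constructed hostname
BIND_DN="CN=LDAP-Authentication-Only,OU=Service-Accounts,OU=Users,DC=uk,DC=company,DC=local"
USER_BASE="OU=Users,DC=uk,DC=company,DC=local"
GROUP_BASE="OU=Groups,DC=uk,DC=company,DC=local"
USER_PATTERN='(&(objectClass=user)(sAMAccountName={0}))'
GROUP_PATTERN='(&(objectClass=group)(cn=Graylog*))'

# Escape LDAP filter metacharacters (RFC 4515) so a login name cannot change
# the structure of the filter it is substituted into. This is the example's
# own escaping, not Graylog's code.
ldap_escape() {
  printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Replace the {0} placeholder with the (escaped) login name. ENVIRON is used so
# awk does not reinterpret backslashes in the value.
render_filter() {
  P="$1" U="$(ldap_escape "$2")" awk 'BEGIN {
    p = ENVIRON["P"]; u = ENVIRON["U"]; i = index(p, "{0}")
    print substr(p, 1, i - 1) u substr(p, i + 3)
  }'
}

# 1. Can the service account bind and read the search base? The password is
#    read from a root-only file (-y) so it never appears in the process list.
check_bind() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$1" \
    -b "$USER_BASE" -s base '(objectClass=*)' dn
}

# 2. Does the user search pattern return exactly one object for a login name?
check_user() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$1" \
    -b "$USER_BASE" "$(render_filter "$USER_PATTERN" "$2")" sAMAccountName displayName
}

# 3. Which groups will the group search pattern offer on the mapping page?
check_groups() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$1" \
    -b "$GROUP_BASE" "$GROUP_PATTERN" cn member
}

# Only talk to a DC when a password file is given (usage: script PWFILE [login]);
# otherwise just show the filters that would be sent.
if [ "${1:-}" ]; then
  check_bind "$1"
  check_user "$1" "${2:-jsmith}"
  check_groups "$1"
else
  render_filter "$USER_PATTERN" jsmith
  printf '%s\n' "$GROUP_PATTERN"
fi
```

If check_bind fails the service account DN or password is wrong; if check_user returns nothing the Search Base DN does not contain the user or the account is disabled; if check_groups returns nothing, remember the group filter is case sensitive, exactly as the post says.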

Wednesday, 21 December 2016

Static addresses with Graylog

Graylog is a great tool for storing your syslog data.
Even better, they provide a virtual appliance to simplify downloading.
Probably the first thing you will want to do is give it a static IP address (as most network devices don't allow you to use a name as a syslog destination).

So first log on to the console and:
vim /etc/network/interfaces

change 

iface eth0 inet dhcp

to

iface eth0 inet static
    address 10.0.0.41
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.1
    dns-nameservers 10.0.0.1 8.8.8.8
    dns-domain acme.com
    dns-search acme.com

Using your IP addresses obviously!

exit, and run:

ifdown eth0
ifup eth0

to restart networking with the new settings.

Now you need to tell graylog that things have changed, so just run 

sudo graylog-ctl reconfigure

This runs through all the settings and makes sure they work with the new IP address.
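A mistake in the stanza above (gateway on the wrong subnet, broadcast that does not match the mask) is only discovered after ifdown/ifup, by which point a headless appliance is unreachable. The following is an added example, not from the post: a POSIX sh checker that verifies address, gateway and broadcast against network/netmask using the post's 10.0.0.x values, so the stanza can be validated before networking is restarted.

```sh
#!/bin/sh
# Added example (not from the post): sanity-check a static interfaces stanza
# before running ifdown/ifup on a headless appliance. Values are the post's
# sample addresses.
set -eu

# Dotted quad -> 32-bit integer, with validation. Plain POSIX sh arithmetic.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_stanza ADDRESS NETMASK NETWORK BROADCAST GATEWAY
# Returns 0 when every value agrees with the others, 1 with a reason otherwise.
check_stanza() {
  addr=$(ip2int "$1")  || { echo "bad address $1"; return 1; }
  mask=$(ip2int "$2")  || { echo "bad netmask $2"; return 1; }
  net=$(ip2int "$3")   || { echo "bad network $3"; return 1; }
  bcast=$(ip2int "$4") || { echo "bad broadcast $4"; return 1; }
  gw=$(ip2int "$5")    || { echo "bad gateway $5"; return 1; }
  # The inverted mask must be a run of ones (contiguous netmask).
  inv=$(( 4294967295 - mask ))
  [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "netmask is not contiguous"; return 1; }
  [ $(( addr & mask )) -eq "$net" ] || { echo "address not inside network"; return 1; }
  [ $(( gw & mask )) -eq "$net" ]   || { echo "gateway not inside network"; return 1; }
  [ "$bcast" -eq $(( net | inv )) ] || { echo "broadcast wrong for netmask"; return 1; }
  [ "$addr" -ne "$gw" ] && [ "$addr" -ne "$net" ] && [ "$addr" -ne "$bcast" ] \
    || { echo "address clashes with gateway/network/broadcast"; return 1; }
  echo "stanza looks consistent"
}

# The post's stanza, then the same stanza with a gateway on the wrong subnet.
check_stanza 10.0.0.41 255.255.255.0 10.0.0.0 10.0.0.255 10.0.0.1
check_stanza 10.0.0.41 255.255.255.0 10.0.0.0 10.0.0.255 10.0.1.1 \
  || echo "  -> fix /etc/network/interfaces before ifdown/ifup"
```

Run it with the five values you are about to put in /etc/network/interfaces; only when it reports "stanza looks consistent" go on to ifdown/ifup and graylog-ctl reconfigure.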