Creating an SSL certificate for Graylog 2
#Step 1 Change the default password of the Java CA certificate store. The default password is changeit.
If you have Oracle Java installed use the second line; if you have OpenJDK use the first. keytool asks for the current password (changeit) and then for the new one.
OpenJDK cacerts store:
sudo keytool -storepasswd -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
Oracle Java cacerts store:
sudo keytool -storepasswd -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
#Step 2 Generate certs for Graylog
Create a keystore holding a self-signed key pair. keytool asks for "first and last name"; answer with the DNS name of the server, because that becomes the CN that browsers check:
keytool -genkey -alias dns.name.of.server -keyalg RSA -validity 365 -keystore keystore.jks
Alternatively, create the key and self-signed certificate with openssl alone. This gives you a plain PKCS#8 key and an encrypted copy protected by the password passed to -passout:
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -v2 des3 -out pkcs8-encrypted.pem -passout pass:'password'
If you used the keystore, check it, convert it to PKCS#12 and export the certificate and the key as PEM files. The last command rewraps the key as PKCS#8, which is the key format Graylog expects, and prompts for the passphrase that you will later put into server.conf:
keytool -list -v -keystore keystore.jks -alias dns.name.of.server
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
Now import the certificate into the Java CA store so that the Java process running Graylog trusts the self-signed certificate. The password it requests is the one you set in step 1.
If you have Oracle Java use this line:
keytool -import -trustcacerts -file graylog-certificate.pem -alias dns.name.of.server -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
If you have OpenJDK use this line:
keytool -import -trustcacerts -file graylog-certificate.pem -alias dns.name.of.server -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
#Step 3 Set up graylog server.conf and move the certificates to the graylog folder
Move all *.pem, *.p12 and *.jks files to /etc/graylog and run chown -R graylog:graylog /etc/graylog so that the graylog user can read them. keystore.jks, keystore.p12 and graylog-key.pem contain the private key, so also restrict them to that user (chmod 600).
Edit /etc/graylog/server.conf and change the following settings, using the DNS name the certificate was issued for:
rest_listen_uri = http://dns.name.of.server:9000/api/
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/graylog-certificate.pem
rest_tls_key_file = /etc/graylog/graylog-key.pem
rest_tls_key_password = password (the passphrase you set on the PKCS#8 key in step 2, e.g. with -passout pass:)
web_enable_tls = true
web_listen_uri = http://dns.name.of.server:9000/
web_tls_cert_file = /etc/graylog/graylog-certificate.pem
web_tls_key_file = /etc/graylog/graylog-key.pem
web_tls_key_password = password (same as rest_tls_key_password)
#Step 4 Restart Graylog and watch the log with tail -f /var/log/graylog/server.log
If all goes well, open Chrome, go to https://dns.name.of.server:9000 and you should be able to log in. Because the certificate is self-signed, the browser will warn about it until you import graylog-certificate.pem into its trust store.
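Most failed restarts come from a key that is not PKCS#8, a wrong rest_tls_key_password, or a key that does not belong to the certificate. The script below is an added example (not part of the original gist) that checks exactly those points before step 4; it needs only the openssl CLI, and the host name, paths and password in it are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original gist: sanity-check a certificate and
# PKCS#8 key pair before pointing rest_tls_* / web_tls_* in server.conf at it.
# Needs only the openssl CLI; names, paths and the password below are constructed.

# verify_graylog_tls_pair CERT KEY KEY_PASSWORD DNS_NAME
# Returns 0 when the pair is usable by Graylog 2, 1 otherwise (reason on stderr).
verify_graylog_tls_pair() {
  cert=$1; key=$2; pw=$3; name=$4
  [ -r "$cert" ] && [ -r "$key" ] \
    || { echo "cannot read $cert or $key (check chown graylog:graylog)" >&2; return 1; }
  # Graylog 2 only loads PKCS#8 keys; a "BEGIN RSA PRIVATE KEY" (PKCS#1) header
  # means the 'openssl pkcs8 -topk8' conversion was skipped.
  case $(head -n 1 "$key") in
    "-----BEGIN ENCRYPTED PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") ;;
    *) echo "key is not PKCS#8" >&2; return 1 ;;
  esac
  # The password that goes into rest_tls_key_password must actually decrypt the key...
  keypub=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout 2>/dev/null) \
    || { echo "wrong key password or unreadable key" >&2; return 1; }
  # ...and the key must belong to the certificate (identical public key).
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable certificate" >&2; return 1; }
  [ "$keypub" = "$certpub" ] \
    || { echo "key does not match certificate" >&2; return 1; }
  # Browsers check the name: CN or a DNS SAN must equal the host in the listen URIs.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qE "CN ?= ?$name|DNS:$name" \
    || { echo "certificate is not issued for $name" >&2; return 1; }
  # Reject a certificate that has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired" >&2; return 1; }
  return 0
}

# make_sample_pair DIR DNS_NAME PASSWORD: constructed test material that mirrors
# step 2 above (self-signed cert, key rewrapped as encrypted PKCS#8).
make_sample_pair() {
  dir=$1; name=$2; pw=$3
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=$name" \
    -keyout "$dir/pkcs5-plain.pem" -out "$dir/graylog-certificate.pem" 2>/dev/null \
    && openssl pkcs8 -in "$dir/pkcs5-plain.pem" -topk8 -v2 des3 -passout "pass:$pw" \
    -out "$dir/graylog-key.pem" 2>/dev/null
}
```

Source the file and run verify_graylog_tls_pair /etc/graylog/graylog-certificate.pem /etc/graylog/graylog-key.pem password dns.name.of.server as the graylog user to check the real files with the real password.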
#Sagan.pipeline: the pipeline rule regex for handling Sagan alerts coming into Graylog.
#Maltrail.pipeline: the pipeline rule regex for handling Maltrail alerts coming into Graylog.