Update input config and mount Graylog cert data

.gitignore

@@ -1,2 +1 @@
 .vagrant
-tmp

GELFTCPInput.json

@@ -1,13 +1,20 @@
 {
-  "title": "Fluentd",
+  "title": "td-agent",
   "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
   "global": true,
   "configuration": {
     "bind_address": "0.0.0.0",
     "decompress_size_limit": 8388608,
-    "recv_buffer_size": 1048576,
+    "max_message_size": 2097152,
     "number_worker_threads": 4,
-    "port": 12201
+    "port": 12201,
+    "recv_buffer_size": 1048576,
+    "tcp_keepalive": false,
+    "tls_cert_file": "/usr/share/graylog/certs/rootCA.crt",
+    "tls_client_auth": "required",
+    "tls_enable": true,
+    "tls_key_file": "/usr/share/graylog/certs/rootCA.key",
+    "user_null_delimiter": true
         },
   "node": null
 }

README.md

@@ -1,21 +1,22 @@
 # Graylog Demo
 
 
-This is a demonstration of Graylog, a centralized log management system featuring a shell provisioned CentOS 7 Vagrant box. To illustrate various log collection methods `httpd`, `rsyslog` and `docker` are installed and a simple WordPress instance is deployed via Docker Compose. Log collection incorporates td-agent (a version of Fluentd) to ship logs into a Graylog instance from containers, the syslog, and arbitrary filesystem logs.
+This is a demonstration of Graylog, a centralized log management system featuring a shell provisioned CentOS 7 Vagrant box. To illustrate various log collection methods `httpd`, `rsyslog` and `docker` are installed and a simple WordPress instance is deployed via Docker Compose. Log collection incorporates Fluentd to ship logs into a Graylog instance from containers, the syslog, and arbitrary filesystem logs.
 
 This demonstration assumes you are familiar with using Vagrant + VirtualBox to automate the installation of virtual machines, although you can reference the Vagrantfile's shell provisioning sections to manually set up a system if you so desire. Please install these prerequisites before attempting the quick start below.
 
 #### Notes about setup
-- This demonstration uses Traefik for some routing and the [xip.io](http://xip.io/) wildcard DNS service. If DNS fails to resolve for whatever reason you may want to set the domains to the IP inside your operating system's hosts file, e.g.
+- This demonstration uses Traefik for routing and the [xip.io](http://xip.io/) wildcard DNS service. If DNS fails to resolve for whatever reason you may want to set the domains to the IP inside your operating system's hosts file, e.g.
 
 ```
 172.28.128.30   traefik.172.28.128.30.xip.io
 172.28.128.30   graylog.172.28.128.30.xip.io
+172.28.128.30   wordpress.172.28.128.30.xip.io
 ```
 
-- Vagrant will provision two virtual machines with two consecutive private Class B addresses (starting from `172.28.128.30`). If you would like to change this base IP address to something different you will need to look through the project and find various references. Unfortunately, this is not a simple variable you can set for the entire project.
+- Vagrant will provision a virtual machine with a static private Class B address (specifically `172.28.128.30`). If you would like to change this IP address to something different you will need to change the `PRIVATE_NET_IP` variable and the scripted API calls in the `Vagrantfile`. You'll also need to modify the few wildcard DNS references to it in the two `docker-compose.yml` files.
 
-- Vagrant is set to allocate 4 cores and 4 GB of RAM per machine (this is 8 cores / 8 GB of memory total) you may need to adjust this for your machine if necessary.
+- Vagrant is set to allocate 4 cores and 4 GB of RAM, you may need to adjust this for your machine if necessary.
 
 - After deploying, Graylog takes the longest to become available and it may take 30 seconds to a few minutes to bring it up depending on your machine.
 
@@ -25,7 +26,7 @@ This demonstration assumes you are familiar with using Vagrant + VirtualBox to a
 
 
 ## Quick Start
-_This section assumes you will be using the default `172.28.128.30` and `172.28.128.31` IP addresses_
+_This section assumes you will be using the default `172.28.128.30` IP address_
 1. Clone the repository and navigate inside its directory
 2. Create and provision the VM using `vagrant up`
 3. Navigate to [http://graylog.172.28.128.30.xip.io:8080/](http://graylog.172.28.128.30.xip.io:8080/)
@@ -35,13 +36,13 @@ _This section assumes you will be using the default `172.28.128.30` and `172.28.
 7. Press the start button on the top right to start updating the feed every second
 
 #### Docker Test
-- Generate Docker logs by simply navigating to the WordPress install page: [http://172.28.128.31:8080](http://172.28.128.31:8080/wp-admin/install.php)
+- Generate Docker logs by simply navigating to the WordPress install page [http://wordpress.172.28.128.30.xip.io:8080/](http://wordpress.172.28.128.30.xip.io:8080/)
 
 #### File Test
-- Collect logs from Apache's `access_log` file by going to [http://172.28.128.31/](http://172.28.128.31/)
+- Collect logs from Apache's `access_log` file by going to [http://172.28.128.30/](http://172.28.128.30/)
 
 #### Syslog Test
-1. Go back to the terminal inside the project's directory and type `vagrant ssh systems` or `vagrant ssh graylog`
+1. Go back to the terminal inside the project's directory and type `vagrant ssh`
 2. You can test Syslog collection with `logger` e.g. `logger -t test Hello world` (or just wait for some to appear)
 
 ### Copyrights and Licenses

Vagrantfile

@@ -1,27 +1,18 @@
 # vi: set ft=ruby :
 
-PRIVATE_NET_IP = "172.28.128."
+PRIVATE_NET_IP = "172.28.128.30"
 
 Vagrant.configure("2") do |config|
+  config.vm.box = "centos/7"
+  config.vm.network "private_network", ip: PRIVATE_NET_IP
+  config.vm.synced_folder ".", "/vagrant", type: "nfs"
 
-  vmservers = ["graylog", "systems"]
-  last_octet = 30
-
-  vmservers.each do |server|
-    config.vm.define "#{server}" do |node|
-      node.vm.box = "centos/7"
-      node.vm.hostname = "#{server}"
-      node.vm.network "private_network", ip: PRIVATE_NET_IP + last_octet.to_s
-      node.vm.synced_folder ".", "/vagrant", type: "nfs"
-      last_octet = last_octet + 1
-
-      node.vm.provider "virtualbox" do |vbox|
+  config.vm.provider "virtualbox" do |vbox|
     vbox.memory = 4096
     vbox.cpus = 4
   end
 
-      # Common provision
-      node.vm.provision "shell", inline: <<-SHELL
+  config.vm.provision "shell", inline: <<-SHELL
 
     # Set SELinux to permissive
     setenforce 0
@@ -45,62 +36,80 @@ Vagrant.configure("2") do |config|
     # Convenience
     yum install -y vim
 
+    # Install jq
+    yum install -y epel-release
+    yum install -y jq
+
+    # Install apache
+    yum install -y httpd
+    systemctl start httpd
+    systemctl -q enable httpd
+
     # Install rsyslog
     yum install -y rsyslog
     systemctl start rsyslog
     systemctl -q enable rsyslog
 
+    # Install td-agent
+    cp /vagrant/td-agent.repo /etc/yum.repos.d/
+    yum check-update
+    yum install -y td-agent
+    td-agent-gem install fluent-plugin-gelf-hs gelf
+    cp /vagrant/td-agent.conf /etc/td-agent/td-agent.conf
+    mkdir -p /var/log/containers
+    chown -R td-agent:td-agent /var/log/containers
+    chmod -R 755 /var/log
+    systemctl restart td-agent
+    systemctl -q enable td-agent
+
     # Add rsyslog forwarding option if it does not exist
     if ! grep -q "127.0.0.1:5140" /etc/rsyslog.conf; then
       echo "*.* @127.0.0.1:5140" >> /etc/rsyslog.conf
       systemctl restart rsyslog
     fi
 
-        # Setup TLS
-        if [ ! -f /vagrant/tmp/ca_key.pem ]; then
-          echo "Generating TLS certificates..."
-          cd /vagrant/tmp
-          openssl req -newkey rsa:4096 \
-                      -x509 \
-                      -sha256 \
-                      -days 3650 \
-                      -nodes \
-                      -out ca_cert.pem \
-                      -keyout ca_key.pem \
-                      -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
-                      2> /dev/null
-        fi
-
-        # Install td-agent
-        cp /vagrant/td-agent.repo /etc/yum.repos.d/
-        yum check-update
-        yum install -y td-agent
-        td-agent-gem install fluent-plugin-gelf-hs gelf
-        systemctl -q enable td-agent
-
   SHELL
 
-      # Commmon provision: install docker-compose
-      node.vm.provision "shell", path: "install-compose.sh"
+  # Install newest docker-compose
+  config.vm.provision "shell", path: "install-compose.sh"
 
-      # Graylog specific provision
-      if server == "graylog"
-        node.vm.provision "shell", inline: <<-SHELL
-
-          cp /vagrant/td-agent-server.conf /etc/td-agent/td-agent.conf
-          mkdir -p /var/log/graylog_buffer
-          chown -R td-agent:td-agent /var/log/graylog_buffer
-          systemctl restart td-agent
-
-          # Install jq
-          yum install -y epel-release
-          yum install -y jq
-
-          # Start Graylog
+  # Start compose services and add default input
+  config.vm.provision "shell", inline: <<-SHELL
+    # Bring up containers
     cd /vagrant
     /usr/local/bin/docker-compose up -d 2> /dev/null
+    cd /vagrant/wordpress
+    /usr/local/bin/docker-compose up -d 2> /dev/null
+
+    # Create directories and ensure they are empty
+    mkdir -p /home/vagrant/certs/
+    rm -r /home/vagrant/certs/
+    mkdir -p /home/vagrant/certs/{td-agent,graylog}
+
+    # Generate Graylog's CA
+    cd /home/vagrant/certs
+    openssl genrsa -out graylog/rootCA.key 4096 2> /dev/null
+    openssl req -x509 -new -nodes -key graylog/rootCA.key -sha256 -days 1024 \
+        -out graylog/rootCA.crt -subj "/C=US/ST=GA/O=MyOrg/CN=localhost" \
+        2> /dev/null
+
+    # Generate td-agent's keys
+    openssl genrsa -out td-agent/td-agent.key 4096 2> /dev/null
+    openssl req -new -sha256 -key td-agent/td-agent.key \
+        -subj "/C=US/ST=GA/O=MyOrg/CN=localhost" -out td-agent/td-agent.csr \
+        2> /dev/null
+
+    # Sign td-agent's keys
+    openssl x509 -req -in td-agent/td-agent.csr -CA graylog/rootCA.crt \
+        -CAkey graylog/rootCA.key -CAcreateserial -days 1024 -sha256 \
+        -out td-agent/td-agent-signed.crt 2> /dev/null
+
+    # Fix permissions
+    chown -R vagrant:vagrant /home/vagrant/
+    chown -R 1100:1100 /home/vagrant/certs/graylog
 
     # Wait 120 seconds for Graylog to come online
+    cd /vagrant
     SECONDS=0
     while true
     do
@@ -148,31 +157,6 @@ Vagrant.configure("2") do |config|
         -u admin:admin \
         "http://graylog.172.28.128.30.xip.io:8080/api/system/inputs" \
         -d @GELFTCPInput.json
-
   SHELL
 
-      elsif server == "systems"
-        node.vm.provision "shell", inline: <<-SHELL
-
-          # Install apache
-          yum install -y httpd
-          systemctl start httpd
-          systemctl -q enable httpd
-
-          # Configure td-agent
-          cp /vagrant/td-agent.conf /etc/td-agent/td-agent.conf
-          mkdir -p /var/log/containers /var/log/fluentd_buffer
-          chown -R td-agent:td-agent /var/log/containers /var/log/fluentd_buffer
-          chmod -R 755 /var/log
-          systemctl restart td-agent
-
-          # Bring up WordPress test containers
-          cd /vagrant/wordpress
-          /usr/local/bin/docker-compose up -d 2> /dev/null
-
-        SHELL
-
-      end
-    end
-  end
 end

docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.7'
 services:
 
   traefik:
-    image: traefik:2.2.1
+    image: traefik:2.1.4
     restart: always
     networks:
       - traefik-net
@@ -24,27 +24,15 @@ services:
       - "traefik.enable=true"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-    logging:
-      driver: "fluentd"
-      options:
-       fluentd-address: "tcp://127.0.0.1:24224"
-       fluentd-async-connect: "true"
-       tag: traefik
 
   mongo:
-    image: mongo:4.2.8
+    image: mongo:4.2.2
     restart: always
     networks:
       - graylog
-    logging:
-      driver: "fluentd"
-      options:
-       fluentd-address: "tcp://127.0.0.1:24224"
-       fluentd-async-connect: "true"
-       tag: graylog.db
 
   elasticsearch:
-    image: elasticsearch:6.8.10
+    image: elasticsearch:6.8.6
     restart: always
     environment:
       - http:host=0.0.0.0
@@ -57,15 +45,9 @@ services:
         hard: -1
     networks:
       - graylog
-    logging:
-      driver: "fluentd"
-      options:
-       fluentd-address: "tcp://127.0.0.1:24224"
-       fluentd-async-connect: "true"
-       tag: graylog.elasticsearch
 
   graylog:
-    image: graylog/graylog:3.3.2
+    image: graylog/graylog:3.2.2
     restart: always
     environment:
       - GRAYLOG_PASSWORD_SECRET=LongerPassword01
@@ -77,6 +59,8 @@ services:
       - "traefik.http.services.graylog.loadbalancer.server.port=9000"
       - "traefik.docker.network=vagrant_traefik-net"
       - "traefik.enable=true"
+    volumes:
+      - /home/vagrant/certs/graylog:/usr/share/graylog/certs
     networks:
       - graylog
       - traefik-net
@@ -94,12 +78,6 @@ services:
       - 12201:12201
       # GELF UDP
       - 12201:12201/udp
-    logging:
-      driver: "fluentd"
-      options:
-       fluentd-address: "tcp://127.0.0.1:24224"
-       fluentd-async-connect: "true"
-       tag: graylog
 
 networks:
   traefik-net:

td-agent-server.conf

@@ -1,42 +0,0 @@
-<source>
-  @type forward
-  port 2514
-  <transport tls>
-    version TLSv1_2
-    insecure true
-    cert_path /vagrant/tmp/ca_cert.pem
-    private_key_path /vagrant/tmp/ca_key.pem
-  </transport>
-</source>
-
-<source>
-  @type forward
-  port 24224
-</source>
-
-<source>
-  @type syslog
-  port 5140
-  tag system.local
-</source>
-
-<filter httpd.access>
-  @type parser
-  key_name message
-  reserve_data true
-  <parse>
-    @type apache2
-  </parse>
-</filter>
-
-<match **>
-  @type gelf
-  protocol tcp
-  host localhost
-  port 12201
-  <buffer>
-    @type file
-    path /var/log/graylog_buffer
-    flush_interval 0s
-  </buffer>
-</match>

td-agent.conf

@@ -15,7 +15,7 @@
   pos_file /var/log/td-agent/access_log.pos
   tag httpd.access
   <parse>
-    @type none
+    @type apache2
   </parse>
 </source>
 
@@ -26,14 +26,9 @@
     path /var/log/containers/${tag}
     append true
     <buffer tag>
-      @type file
-      path /var/log/containers/buffer
-      flush_interval 0s
+      timekey 5s
+      flush_mode immediate
     </buffer>
-    <format>
-      @type single_value
-      message_key log
-    </format>
   </store>
   <store>
     @type rewrite_tag_filter
@@ -46,17 +41,12 @@
 </match>
 
 <match **>
-  @type forward
-  transport tls
-  tls_cert_path /vagrant/tmp/ca_cert.pem
-  <server>
-    name example.com
-    host 172.28.128.30
-    port 2514
-  </server>
-  <buffer>
-    @type file
-    path /var/log/fluentd_buffer
-    flush_interval 0s
-  </buffer>
+  @type gelf
+  protocol tcp
+  host localhost
+  port 12201
+  tls true
+  tls_options {"cert":"/home/vagrant/certs/td-agent/td-agent-signed.crt",
+               "key":"/home/vagrant/certs/td-agent/td-agent.key"}
+  flush_interval 5s
 </match>

wordpress/docker-compose.yml

@@ -11,25 +11,26 @@ services:
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: Password1
       MYSQL_RANDOM_ROOT_PASSWORD: '1'
-    logging:
-      driver: "fluentd"
-      options:
-       fluentd-address: "tcp://127.0.0.1:24224"
-       fluentd-async-connect: "true"
-       tag: devel.kris.db
+    networks:
+      - default
 
   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     restart: always
-    ports:
-      - 8080:80
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: Password1
       WORDPRESS_DB_NAME: wordpress
+    networks:
+      - default
+      - traefik-net
+    labels:
+      - "traefik.http.routers.wordpress.rule=Host(`wordpress.172.28.128.30.xip.io`)"
+      - "traefik.docker.network=vagrant_traefik-net"
+      - "traefik.enable=true"
     logging:
       driver: "fluentd"
       options:
@@ -37,5 +38,10 @@ services:
        fluentd-async-connect: "true"
        tag: devel.kris
 
+networks:
+  traefik-net:
+    external:
+      name: vagrant_traefik-net
+
 volumes:
   db_data: {}