Load Balancing Graylog with NGINX: Ultimate Guide

Graylog NGINX Load Balancing Guide

In cybersecurity, “Load Balancing Graylog with Nginx: The Ultimate Guide” is your reference guide. This guide helps to install Nginx. Imagine your Graylog, already proficient at managing vast log data, now enhanced with the Nginx load balancing capability to ensure peak performance.

NGINX ensures your Graylog cluster isn’t over-taxed, similar to a well-organized team where work is evenly distributed. This guide walks you through integrating NGINX with Graylog, from basic setups to sample configurations. It’s your go-to manual for scalable log management and SIEM with Graylog. Welcome to the next level of log management and SIEM.

How Do Nginx And Graylog Go Together?

Graylog is often deployed as multiple servers working together. In order to make the most out of this setup, incoming traffic has to be given directions to the correct server to process that message.   This is where nginx creates a great harmony of technology. The incoming traffic can be either HTTP traffic of users wanting to access the web interface of Graylog itself, or it could be encrypted agent data collected from systems around the world. Adding additional resources to be spread around a pool of servers gets simple once the initial setup is complete.

Load Balancing Sample Configuration

Many applications require load balancers as a fundamental part of the overall scalability of application services. Graylog can leverage a software or hardware load balancer to ensure incoming requests are distributed across the Graylog servers.

To setup a Graylog cluster you can follow the official install guide for graylog

We will use this configuration as a reference for your Graylog installation to follow through on the important configuration in this document. The Graylog install will have the following details:

Graylog Server Info Example

Hosts:

  • graylog1.example.com:
  • graylog2.example.com:
  • graylog3.example.com:
    Each host is listening on port 9000

 

Graylog Ports: 

  • 5044 for the Beats Input
  • 5514 for the Syslog Input
    (Feel free to add more of your choice)

 

Nginx Details:

  • Installation for RPM and Ubuntu
  • TLS with self assigned certificates and installation
  • NGINX configuration for load balancing for Graylog

 

Installing NGINX

Ubuntu Server

Execute the following command:
sudo apt update && sudo apt upgrade -y 

After the update, install Nginx,
sudo apt install nginx -y

Check if the services are up and running
sudo systemctl status nginx

On RHEL / CentOS Server

Install the EPEL repository
sudo yum install epel-release

Update the repository
sudo yum update

Install nginx
sudo yum install nginx

Check if the services are available and running
sudo systemctl status nginx

Changes to Nginx Configuration

Nginx configuration resides at the following location:
/etc/nginx.conf

Make a backup copy of the nginx.conf and open the file with your favorite editor
sudo cp nginx.conf nginx.conf.backup

In the example below, we have an Nginx Load Balancer used for HTTP Load Balancing
HTTP proxy for group of Graylog Servers

This section defines the upstream directive.

upstream graylog {
  server graylog1.example.com:9000;
  server graylog2.example.com:9000;
  server graylog3.example.com:9000;
}

Requests are passed to a server group with the name of the group specified in the proxy_pass directive.

server {
  listen *:80;
  location / {
    proxy_pass http://graylog;
    }
  }

The group consists of three servers, and by default Nginx uses Round-Robin to send the traffic across all three servers.

Enable HTTPS For Nginx

In the example below, a self-signed SSL certificate is used. However for production setups it’s recommended to use certificates that are signed by a Trusted Certificate Authority.

Within the load balancer, enable SSL setup for HTTPS Communication,  the following example uses a self-signed ssl-certificate via openssl.

Install Open SSL

In Ubuntu server
sudo apt-get install openssl

In Rhel / CentOS server
yum install openssl

Generate SSL Certificate
Single command to create a self signed certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

Add the following files directive under – /etc/nginx/snippets/self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Add the following snippet under – /etc/nginx/snippets/ssl-params.conf

ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable strict transport security for now. You can uncomment the following

# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Update the Nginx.conf file with the location of the SSL related configuration files

server {

listen *:443 ssl;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;

location / {
proxy_pass http://graylog;
}

Load Balancing Graylog Inputs

In this example we have included two ports as noted in the summary.  We will show a BEATS input on port 5044 and Syslog on port 5514 with the designated error log locations.

stream {
        upstream graylog_input_beats-plain {
                server graylog1.example.com:5044 max_fails=3 fail_timeout=30s;
                server graylog2.example.com:5044 max_fails=3 fail_timeout=30s;
                server graylog3.example.com:5044 max_fails=3 fail_timeout=30s;
        }

        server {
                listen 5044;
                proxy_pass graylog_input_beats-plain;
                proxy_timeout 1s;
                error_log /var/log/nginx/graylog_input_beats-plain_error.log;
        }
        
        upstream graylog_input_syslog-plain {
                server graylog1.example.com:5514 max_fails=3 fail_timeout=30s;
                server graylog2.example.com:5514 max_fails=3 fail_timeout=30s;
                server graylog3.example.com:5514 max_fails=3 fail_timeout=30s;
        }

        server {
                listen 5514;
                proxy_pass graylog_input_syslog-plain;
                proxy_timeout 1s;
                error_log /var/log/nginx/graylog_input_syslog-plain_error.log;
        }
}

Diving Deeper Into NGINX

As you dive deeper into Nginx, you will find there are many additional things you may consider when deploying it.  Graylog offers Illuminate Nginx Content that will provide insights into your logs inside of Nginx. A configuration guide is available to setup logging from Nginx into Graylog. Monitoring your Nginx Proxy and Load Balancer will provide insight into security and performance.

A list of events that can be monitored are:

  • HTTP Request methods
  • HTTP Response Codes
  • HTTP Referrers
  • Network Bytes by source over time
  • Monitoring Web User agents, versions and types
  • Error Logs by Severity
  • IP Geolocation from connecting clients

 

Graylog and NGINX for Performance and Security

With Graylog Security, built on the Graylog platform, you get centralized log management that gives you the “two for one” operations and security tool you need. Graylog Security delivers high-fidelity alerts with a lightning-fast search speed that reduces investigations by hours, days, and weeks. See our documentation for integrations with NGINX

Using Graylog, you have the functionality of a Security Information and Event Management (SIEM) tool without the complexity and cost that usually come with them. With our easy-to-use interface and cloud-native capabilities, you reduce the overall total cost of ownership. You save money by leveraging cloud storage capabilities while eliminating the need to hire or train security team members who can use a proprietary query language.

 

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.