Can I Send Graylog Alerts to Discord?

I’m using Discord to keep up with some technical discussion groups (e.g. TrueNAS and OBS) and I’ve even created a personal Discord server for my family. I’m also running Graylog for log aggregation of my home technology stack (switches, IP phones, Asterisk, Plex, Pihole, Router) and I was wondering if I could create automated alerts from Graylog to my Discord server? It is very timely as Graylog posted a blog entry just this past Friday on how to do this very thing. Now, before we go any further we need to be clear on what is required from a software perspective. You will need a working Graylog server version 4.0 or greater (I’m running version 4.0.5 on FreeBSD) and you will need to install and license the enterprise plug-in so that you can use the correlation engine. Don’t worry, the enterprise Graylog plugin is free for personal use under 5 GB of logs a day (I’m at like 400 Mb’s a day). You will also need a Discord server which are free to setup for personal use. Instructions for setting up Graylog can be found here and here.

Make sure you let your children know what you are up to.

Step 1: Inform Your Children

Children are super curious; they like to know when new network monitoring infrastructure is configured for your home network. I’ve found that a bit of subterfuge throws them off the scent.

Create a new #channel for your alerts

Step 2: In Discord, Setup a New Text Channel for Your Alerts (Optional)

This step is optional but useful if you want to separate alert content from your normal content in Discord. In your Text Channels menu for your Discord server (you must be the server owner or granted admin privs), you can click the plus icon to create a new text channel. I named mine graylog and defined a topic text. Click save. Please notice the Integrations menu item in the above graph. We will click on that next.

Add the Webhook which your Graylog server will call

Step 3: In Discord, Add a Webhook Integration

Within your text channel configuration you will see an Integrations menu item. Click Integrations and then click on Webhooks and New webhook.

You can add a unique icon to the automated messages

In the New Webhook dialog, you can name your webhook. I chose a descriptive name for this but yours can be more generic. Note the Channel the webhook will be in and you can copy the webhook URL (a url encoded string to your server). I got the Graylog icon from their Twitter feed @graylog2 account.

Graylog Event Definitions

Step 4: In Graylog, Add an Event Definition

In the Graylog Alerts menu, click Event Definitions and then the Create Event Definition button. I named my Event “SSHd Logon Open Too Long” to match to Graylog blog video which is linked at the start of this blog post. Click Next. I set the Condition Type to be “Event Correlation” and then set the Correlation rules to follow a sequence of events that are satisfied within 16 min. You can make it more or less but essentially I’m looking for SSH logins for more than 16 min.

The event rules you will correlate

I set Event #1 in the correlation to be the “SSHd Session Open” Event from my alerts. I added Event #2 and set it to “SSHd Session Closed” which SHOULD NOT OCCUR in the next 15 min. This means event #1 will fire and within 15 min a subsequent event #2 will not fire. The definition of those events will be covered later and is outside the scope of this article. click next.

Create a custom event field for the user_name

Step 5: Create Custom Event Field for User Name

Click Add Custom Field in the Fields item of the wizard. Set the name to user_name and click to make this a field key. Set the template to

template: ${source_user_name}

And make sure you do not click the value is required. Click Next.

Setup the Slack Notification (works with Discord as well)

Step 6: Setup the Notification to Discord

In the Notifications wizard item, click on the Add Notification button.

Add Notification dialog

Within Add Notification, you will set a descriptive title and description (I’ve again used the example they discussed in the Graylog blog video). You MUST select Notification type of Slack and you can change the highlight color. In the webhook URL field you will paste the URL copied from Step 3 above. Please append to the end of the Webhook URL “/slack” which will tell Discord this message has been formated for Slack and to handle that format type. You can specify the channel again and the custom message template. You can use your custom user_name filed in the message template. Click on the Execute Test Notification button to verify your test message is logged to Discord. Click Save and wait for your event notifications!


Upgraded to Graylog 4

FreeBSD package management recently updated their Graylog package from 3.3.0 to 4.0.5 with enterprise plugins! This article is as-of April 2021 and you should upgrade your FreeBSD os or Jail version to 12.2 and upgrade your packages (see below).

[rich@graylog ~]$ uname -a
FreeBSD graylog 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 f2858df162b(HEAD) TRUENAS  amd64

[rich@graylog ~]$ sudo pkg update
Updating FreeBSD repository catalogue...
[graylog] Fetching packagesite.txz: 100%    6 MiB   3.3MB/s    00:02    
Processing entries: 100%
FreeBSD repository update completed. 30499 packages processed.
All repositories are up to date.

[rich@graylog ~]$ pkg search graylog
graylog-4.0.5_2         Tool for centralized log collection

[rich@graylog ~] sudo pkg install graylog

Now Graylog software is written in Java and distributed as JAR (Java ARchive) files so you really don’t need to wait for FreeBSD packaging to upgrade your server. In fact, just a few weeks before I wrote this I had upgraded the server manually by downloading the latest Graylog Jars from website and putting them in the appropriate server directory. This works but was very manual and could be prone to error. The FreeBSD package automates everything and makes it simple I will not discuss my manual upgrade process and suggest to you to just use the official package noted above (v4.0.5). I even applied the FreeBSD package over my manual upgrade and it handled everything gracefully (by backing up the jars I placed as .prev versions).

There are numerous enhancements to Graylog and the software pkg upgrade process was relatively straight forward. PLEASE NOTE that I had to upgrade Elasticsearch to either version 6 or 7 (I was on version 5). This is noted in the FreeBSD graylog-4.0.5_2 pkg release notes that you must upgrade Elasticsearch (it doesn’t tell you how).

If you attempt to start the graylog service on your FreeBSD instance without first upgrading Elasticsearch and you are running version 5 or below then the web interface will fail to start and the graylog server will repeatedly log an error connecting to Elasticsearch.

If you have data in your Elasticsearch version 5 instance and you use FreeBSD package manager to install elasticsearch6 then it will upgrade the binaries and remove the elesticsearch5 package. It left the data intact in my experiance and I had to do a bit of editing of the elasticsearch config yaml file to start the new elasticsearch6 instance. The edits were very minor. I essentially had my old version 5 yaml config file up and diffed it against the new version 6 example and updated accordingly. I didn’t take notes of my edits but again they were version small.

You may also need to update your graylog config xml file although your mileage might vary. The connection details to elasticsearch changes slightly from my version 5 to version 6 so I had to edit in graylog config.

I restarted the graylog service again and tailed the /var/log/graylog/server.log to verify that it successfully restarted. I was able to login again to the web interface and verified none of my data was lost and that my graylog server was healthy. I took an immediate archive of the data to compressed gzip tar file just in case. The reader will note I took a backup after the upgrade not before… I should have taken a backup before if I was being truly risk averse as a rollback option. tsk, tsk on me…

New Graylog Features of Note

Dark Interface Mode

Slack & Discord Notification Support (I’ve discussed Discord Notifications in another post)

Life in lockdown Software

Linux Speedrun of Mega Man 2 streamed on Twitch

So I finally set myself up on Twitch tonight and streamed for an hour of Mega Man 2; I had zero viewers… Listen, I wasn’t expecting a following and primarily I did it to push myself. I’m using a 100% open-source platform for twitch streaming using OBS (open broadcast system studio) running on Pop OS Linux. I’m using an open source live split software called flitter. It’s within an xTerm (don’t use alpha channel enabled terms in OBS) and it uses a simple text file for configuration. I’m using Higan for my NES/Famicom emulator with a rom of Mega Man 2 that runs at 60 frames per second. And I have a camera on me while I’m playing to capture the reactions. All on one computer (not a particularly powerful one btw) running Linux and streaming the output to Twitch. I now have one follower, my son.

My son imparted some of his hard earned wisdom on Streaming to me. He said make sure your audio quality is good. Get a good mic, test the levels and make sure I’m speaking over the game (but you can still hear the game audio). He said this is really important. The video can be sorta crappy but the audio quality better be good. He recommended a few good quality mic’s and he uses an external audio mixer to set the mic levels. He also recommended I record, not stream for the first few sessions and then watch it back to make sure it sounds and looks good.

Why am I doing this? A few reasons. One, I like Mega Man 2 and the challenge of playing it well and getting a decent speedrun appeals to me. I’ve watched some of top speedruns and they so some crazy stuff. Two, I want to prove that you don’t need Windows 10 to do streaming/speedrunning — Linux and open source software is perfectly viable for Twitch streaming. Three, I wanted to prove to Cam that he can do all his creation/streaming/broadcasting if he switched to Linux. What do you think? Any games you’d like me to play? Leave a comment to let me know. My Twitch handle is rpavlovsky but I might change it, I don’t know…


The “Christmas Star”

<from NASA>Skywatchers are in for an end-of-year treat. What has become known popularly as the “Christmas Star” is an especially vibrant planetary conjunction easily visible in the evening sky over the next two weeks as the bright planets Jupiter and Saturn come together, culminating on the night of Dec. 21.</NASA>

Full story

This photo was taken with my Canon 50D using a 300mm lens. I’m not super knowledgeable on all things Camera. The full RAW image is huge, this is a small export of it taken from my front porch in Cypress, Texas.


Reporting Network Threats with Graylog

In an average 5 min time-span my network firewall is scanned about 25-50 times (+/-). It is scanned from all over the world including Morocco, Hong Kong, Los Angeles, Moscow, Beijing and London (to name a few). I’m sure sophisticated and not-so-sophisticated hackers are using VPN’s or TOR to show they are in another location or to hide their tracks. What are they trying to accomplish? Well, basically, they are checking if any doors are unlocked to try and get access or information. In computer network security this means network services are running either unlocked, unprotected or protected with weak or known passwords. Most folks would be unaware in such a circumstance to poor network security until they get hacked. Some folks purposely leave hosts exposed with services to capture details on hacker methods (those are called honeypots). I noticed that I have a lot of port scanning of 1433 (MS Sql Server), 21 (FTP), 22 (SSH) and 23 (Telnet) among many others. If those ports are listened to by a service on my home network that is exposed to the general internet then these scans will pick that up and essentially report back that I have a running service. Additionally, they could be trying known generic passwords or any security vulnerabilities.

This report was generated with live syslog data from my wifi router which is being ingested by Graylog and processing done on the router log messages to lookup any known threats. These threat and Geo Location lookups are built-in features of Graylog.

More detail on how to set this up on your own Graylog instance can be found at and

I found a useful blog that identified items to check when setting this up.

  1. Check your processing order, your order is wrong, if you use pipeline rules. Please move your Message Filter chain before Pipeline Processor.
  2. Check if your geoip lookup table works. Put a internet ip address to section Test Lookup in field Key, and it should return GEO information.
  3. If not, check your data adaptor if you use correct Database type for your downloaded file. I use GeoLite2-City.mmdb and Database type: City Database. If you use only Country database, change correct type.
  4. Best is to put MaxDB databases to /etc/graylog/server directory, check if graylog service can read file.
  5. You need extracted field with ip addresss, for example src_ip with only ip adresses to use in lookup table. I couldn’t see any ip field in your fields screenshot. So create extractor or pipeline rule for ip field extraction first.
  6. You can use geo ip lookup table in several parts: Extractor, Converter, Decorator or Pipeline Rule.
  7. There is no special geoip map icon in field.
  8. If you want to create World Map widget, create widget from field src_ip_geo_location (or Show top values) and change Visualization type to World Map.
  9. If you use Selinux (CentOS, RHEL) try to disable to check, if it’s not blocking access to geoip db file.

The full thread is available here


Building your own Alexa skill using AWS Lambda and Python (Part 1)

While I resisted the pull of the ‘smart speaker’ for a little while, I have to admit having Amazon Music and an Echo has been one of the most enjoyable things I’ve bought for myself over the past couple of years. Maybe it’s my age, but voice activation still seems very cool to me, but I’m middle aged, quite often tired and like most adults, I have a lot of dull stuff to do in my life. ‘Aha…… Katie, why not automate away that toil……’

So yes, that’s why I thought it would be fun (and help me reawaken some tech skills) to build my own app. Of course, their is info out there already on this, but I found a lot of it stopped a bit short, or jumped right into the code writing. So here’s my write up of the first part of it which is the basic interaction between you and Alexa. After that I’ll do write ups of how to use lambda a bit more to actually have functionality.

You will need:

  • A developer account for the Alexa Skills Kit (ASK)/ Alexa Developer Console.
  • An AWS account: . You can get an account with a free tier to use AWS lambda assuming you don’t exceed 1 million requests a month. (You’ll need to provide a payment method to get the account)
  • Some basic python coding skills
  • A brilliant idea!

Alexa Developer Console

This is where you create the voice interaction model. It’s a web based IDE- nothing to download, and it has it’s own test environment. I used the following tutorial, but I found it simpler to write up my own notes.

Here’s my translation of the Alexa terms:

  1. A name for your skill ie. ” Alexa, open <insert cool name here>”- that’s the invocation name. I recommend making it simple as you may forget it….. I did, more than once.
  2. Intents could be translated as ‘functions’ of the app. With utterances being the phrases you may say, to initiate those ‘functions’.
  3. Within the utterances, you can set variables- which translates as ‘slots’. You can set the available value of the slot.
  4. Set your endpoint- ie. link it to the code in AWS Lamda


Invocation: Bin check

Intents: Check_next

Utterance: When is the next {bin_type} collection

Intent Slots: bin_type

Slot Type: waste_type with user utterances: garden waste; rubbish etc.

Once you have it all set up you’ll need to ‘build model’.

But really, that won’t do anything on it’s own. That’s where lambda comes in.

To get ready for the next bit I recommend going to the Endpoint menu to show your ‘Skill ID’ which you’ll need for later:

AWS Lambda:

For this I assume you’ve set up an AWS account and are on the Lambda service.

Firstly, You’re going to need to create a new function.

Choose a name (I went for ‘Bins’), and choose the language in which you’ll write the function. I went for Python and left the default IAM selection.

Now press ‘Create function’.

Once created you’ll see the IDE with the following at the top. This is how you link it to the ASK work you did earlier. At the following :

Click “Add trigger”. You want to choose “Alexa Skills Kit”

The following should appear and you can add the Skill ID I highlighted earlier. Click Add.

You now want to do the reverse. At the top right of the functions screen you should see the following. Copy this ready to link it back.

Right. Now back to the ASK console. Back to the Endpoints section and copy and past your function ID in. Notice you have regional options if perhaps in your Alexa skill, a reference to pants might warrant a different response if your end user is in the UK or the US………

Save the end points and …. ta da……. you’ve linked your alexa skill to a function! Sure it doesn’t do anything yet….. but hey. That’s part 2…..

Hardware Software

Debugging Poor Internet Service at Home

From March 2020 to the present I have worked from home; I am fortunate that my company allows me such freedom. I am interested in returning to the office next year but I enjoy knowing that I can work from home fairly efficiently and that my company invested in their infrastructure to facilitate a mass migration from the office to almost entire WFH overnight. My home Internet access, powered by Comcast Xfinity, and my personal computer needed upgrades though to reach the level of performance I required to do my job (more on my desktop computer in a future post). Prior to Covid-19, my home network was not slouch, but I honestly didn’t use it except nights and weekends. Middling performance was sort-of ok — I mean it wasn’t but I’m not going to call Comcast to complain if my Internet drops occasionally. Raw network speed is important but stability is the most important factor. If I’m on a call with my supervisor (or a team meeting), I don’t want the Zoom call to hang or drop. This adds a level of stress on me as my home Internet connection is now a requirement for not only me working from home but also my daughter completing her school-work.

Let me first define what a poor Internet connection looks and feels like. As I mentioned, I have a Comcast Xfinity Cable Internet connection; specifically I have the Performance Plus package which is 600 Mb down and 20 Mb up (notice the little b in that statement). Megabits stands for a million bits (a one or a zero) and it’s a common trick that network service providers play. A byte is 8 bits, bytes are what file sizes are measured in. The large Megabit number feels impressive but btyes are a better measure of file transfer speed and usage. Honestly though, it doesn’t matter as long as you know what you need and most importantly you don’t overpay for bandwidth you don’t know or vice versa. Comcast offers a Gigabit internet connection for a bit more money each month; I’m not going to bite at that until I can prove that my issues/limitations are caused by the bandwidth cap and not some other weak link in the chain (you are only as fast as the slowest link in the proverbial network chain).

Remember that scene in “The Matrix” where Neo swallows the blue pill? You may ask, which Matrix movie which I would respond “There is only one Matrix movie”, but I digress…. You know that sound that is made when Neo swallows the pill, it is a very distinct sound of stuttering audio. That is the sound that Zoom (or other video conferencing apps) make audio or video lags. This sound kills a meeting and impacts your ability to WFH. A more nefarious version of this issue is when the Audio/Video of a Zoom call is coming in fine for you since the download speed is typically much higher bandwidth but your meeting recipients see a stuttering mess when it comes to your audio/video feed. That stuttering audio sound should be familiar to many as it’s the result of poor Internet connection. There can be many reasons for this sound and we’ll go through them one by one to triage the problem.

Step 1: Call Comcast and Complain

If you are a technical person and you know a bit about computers and networking, this is going to be the hardest step. Calling the 800 number can be a frustrating experience for technical-minded individuals. Please remember to be courteous and kind to those who answer the phone. They must run thru their approved script of troubleshooting activities and mostly they speak to non-technically minded individuals — so cut them some slack! Your conversation will always start with, “Let’s reboot your cable modem to see if that fixes the issue”. I’m sure in many cases that would do the trick, but we (my cultured friends) are technically minded and we’ve already done that step. They will send a signal to your cable modem to assess connectivity and reboot as needed. I have not seen this script but it seems a required step before they move on to other steps. Every call or conversation starts with, “can we reboot your cable modem Mr./Mrs <insert your name>?” or the familiar question of “Is your computer directly connected to the cable modem?”. If you own your own WiFi router, Comcast doesn’t want to spend tech time debugging issues with your hardware. They will suggest you connect directly to the cable modem to cut out the middle-man. You should humor them as ultimately you want to show the problem of poor internet performance is repeatable when you are directly connected to the cable modem and therefore the root cause of the problem isn’t your WiFi router. As you progress through the scripted questions, where you want to end up is “We will schedule a technician to visit your residence.”

Step 1a: Repeat calls or Power issues

Don’t laugh. I literally had to have repeat calls with Comcast to investigate the issue. They would attempt to “flash” my modem or “send a signal” to my modem to correct the problem. I have no idea what they did in these situations but it generally meant you had to end the call and monitor performance for a few days and call back if there was a repeat. On one call I got a tech who asked me if I had a UPS (uninterruptable power supply) connected to my Cable Modem and my WiFi router. I replied no which was the honest truth; I’d always had been thinking of getting one but I hadn’t yet. The tech explained that power fluctuations can result in cable modem issues and recommend I install a UPS. I did as was told and purchased an APC Back-UPS NS 1250 (used) from Goodwill for like $30 USD. The batteries were of course spent on the unit I received so I purchased new batteries online for approx $45 USD. The unit has a nice LCD display and it “cleans” the power signal to your sensitive electronics as well as providing a short term battery backup in case of power issues. This did not resolve my issue and I had to call back after the UPS was installed and the issue reoccurred. Keep pushing for a tech to visit your house…

Step 2: Tech Visit – Part 1

Comcast techs are in a separate division from the customer support team and therefore can only see details that are documented in problem tickets or cases. It’s important to have the customer support representative and/or the Comcast technician to document the issue thoroughly in the ticket for improved hand off between teams. The first Comcast tech arrived in the early Summer and after some quick checks in my backyard, he diagnosed that my cable line from my access point on my house to the demarcation point in my back yard had to be redone. I suppose my dogs had dug a portion of the cable up and compromised the copper wire and shielding. He reran the cable in less than an hour but the cable was laying on top of the grass in the backyard. He explained that another person would contact me in a few days to come and dig a trench for the cable and shield it in protective PVC. This was hot, sweaty work in the middle of Summer and I’m thankful for their service. Now that the wire was safely in the ground, I was sure this would resolve my poor Internet performance issues. It did not… I mean I’m sure it resolved some issues but it didn’t resolve “the” issue.


Installing Graylog 3 in a TrueNAS 12.0 Jail (FreeBSD)

Graylog is an enterprise log aggregation and management framework similar to Splunk. Graylog, the company, is based in Houston, Texas (yay!) and boasts over 40k installations. What am I trying to accomplish by using Graylog at home? Well, my initial requirement is to collect logs from my network routers and incorporate that into my existing network monitoring using InfluxDB and Grafana. I’m a client of Comcast Xfinity and my network performance has really been poor in mid to late 2020. After multiple calls to Comcast and several tech visits, I’ve setup my own monitoring to “show” Comcast that I’m not getting the bandwidth they are billing me for. Log retention is low on my routers and cable modem (data rolls off quickly), a goal of this project is to retain at least 30-90 days of log messages from all network devices.

While I didn’t find this other post until after I wrote my post; I will cross link to this other post on essentially the same thing 😉

In TrueNAS Core 12.0, use the add Jail wizard

Step 1: Create the Graylog Jail

I’ll setup Graylog in a TrueNAS Core 12.0 Jail which will be running FreeBSD 12.2 release. The jail configuration isolates the software and configuration from other applications running on TrueNAS and it provides a stable environment with a large storage pool for log retention. In the Jails menu on TrueNAS Core 12.0, select the add button and the wizard will prompt you for input to create the Jail. Name your jail graylog and select the FreeBSD software release, then hit Next. I chose DHCP for my Networking configuration which will allow me easy SSH access to the “host”. Select Next and then select Submit to create the Jail. This tutorial will assume you have an understanding of basic Unix and SSH commands. After the wizard completes, you will want to click on the greater-than symbol in the graylog jail row in TrueNAS to show the jail details including the IP address. In this instance my graylog jail is (take note!). In my network router I configured DHCP to give the same IP4 address to the MAC address for the graylog jail and to resolve the DNS hostname of graylog (so I don’t need to remember the IP4 address)

Test that the jail is up by pinging the “host”

rich@eragon:~$ ping graylog
PING ( 56(84) bytes of data.
64 bytes from ( icmp_seq=1 ttl=64 time=0.691 ms
64 bytes from ( icmp_seq=2 ttl=64 time=0.619 ms
64 bytes from ( icmp_seq=3 ttl=64 time=0.684 ms
64 bytes from ( icmp_seq=4 ttl=64 time=0.752 ms
64 bytes from ( icmp_seq=5 ttl=64 time=0.537 ms
--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.537/0.656/0.752/0.073 ms

Step 2: Setup SSH access and a local user

You will need to ssh into your TrueNAS box and use the iocage or the jexec command to remote into the jail on your first access. This is because you won’t have a local user account yet and the SSH daemon isn’t running. SSH into your TrueNAS (mine is named kidney) and type the JLS command to see the JID number of your jail. This will change with every restart so don’t write it down or memorize it. Use the jexec command to remote in.

kidney% jls
   JID  IP Address      Hostname                      Path
    12                  graylog                       /mnt/PavPool/iocage/jails/graylog/root
kidney% sudo jexec 12 /bin/tcsh 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

root@graylog:/ # 

You will notice that you are now in a shell (a tcsh shell if you followed my above instructions) in the jail. Please note bash is not installed yet. You will be logged in as root. Update the packages and install bash first; you will need bash when you create your local user. You will also install the sudo package and configure it. sudo allows non-root users to run privileged commands.

root@graylog:/ # pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
root@graylog:/ # pkg install bash sudo

Now you need to configure sudo by executing the visudo command. This command will edit the sudoers file to tell the system that your local account is allowed to run priveliged commands. Scroll down in the vi window until you see User Privilege

## User privilege specification
root ALL=(ALL) ALL

You should add a new row by putting cursor under the row with root like above and hitting the i key to insert. Type your user row as follows:

rich ALL=(ALL) ALL

Substitute username rich for whatever your username is. You may wonder that you haven’t created the user yet and that is ok! We will create the user next. Type SHIFT ZZ (that is hold the shift key and then type Z twice) to save the file.

Then, add your local user to enable easy logins as something other than root (not good to remote into things as root). In this example my local login name is rich with unix id of 1000 on all my boxes including TrueNAS <<< this is important. Type adduser to create the rich user with uid of 1000.

root@graylog:/ # adduser
Username: rich_
Full name: Rich P
Uid (Leave empty for default): 1000
Login group [rich_]: 
Login group is rich_. Invite rich_ into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh bash rbash git-shell nologin) [sh]: bash
Home directory [/home/rich_]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: 
Enter password: 

Next, edit the /etc/rc.conf file and add this line to the end of the file


Next, start the sshd service to test that it works

root@graylog:/ # service sshd start

Now, try to ssh into your TrueNAS jail from your localhost

rich@eragon:~$ ssh graylog
Password for rich@graylog:
Last login: Fri Dec  4 18:11:47 2020 from
FreeBSD 12.2-RC3 7c4ec6ff02c(HEAD) TRUENAS 

Welcome to FreeBSD!

To make it more secure you can add an SSO component or add ssh keys to each of your jails (i.e. no more typing your password). You should have convenient SSH access to your jail. Remember, with great power comes great responsibility. Also remember that you are no longer logging in as root so you’ll need to run sudo on privileged commands. Sudo should be all setup and we’ll test it in the next step.

Step 3: Install Graylog Packages

Type the following to install the graylog, elasticsearch and mongodb packages.

[rich@graylog ~]$ sudo pkg update
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.

[rich@graylog ~]$ sudo pkg install graylog elasticsearch6 mongodb44

Update 14-Dec: Updated post based on comments/feedback. I had made a mistake on the packages I used, which was corrected by a reader.

It may take a few mins to download and install those packages. MongoDB will be used for the graylog configuration only. All log data will be stored in the elasticsearch cluster. These packages are downloaded from FreeBSD fresh ports which is a very extensive software pkg repository. Please note as of this writing in Dec 2020, version 3.3.1 is the latest FreeBSD graylog package available but graylog itself is shipping version 4.0.2 on the website.

Step 4: Configure Software

None of the above software will be running after it’s installation. Don’t start the services yet. First, edit /etc/rc.conf to tell TrueNAS to autostart the software when the jail starts. Add these lines to the end of the file.


Next, edit the /usr/local/etc/elasticsearch/elasticsearch.yml file to change a few parameters. Add the following to the bottom of the file and save it. graylog

Start the mongoDB and the elasticsearch components by typing:

[rich@graylog ~]$ sudo service elasticsearch start

[rich@graylog ~]$ sudo service mongod start

Notice the output of the above service commands, if there are any errors starting the commands it should prompt you. You can check if both services are running by typing a netstat command.

[rich@graylog ~]$ netstat -an | grep -i listen

tcp4       0      0         *.*                    LISTEN     
tcp6       0      0 ::1.9200               *.*                    LISTEN     
tcp4       0      0         *.*                    LISTEN     
tcp6       0      0 ::1.9300               *.*                    LISTEN     
tcp4       0      0 *.22                   *.*                    LISTEN     
tcp6       0      0 *.22                   *.*                    LISTEN     
tcp4       0      0        *.*                    LISTEN  

This command shows which TCP ports are being listened to by server processes like mongo and elasticsearch. You will notice that 9200 and 9300 are elasticsearch. 22 is SSHD and 27017 is mongo. If your output from a netstat is similar then you are doing good so far. Now, we need to configure graylog and then start the service for the first time. The graylog config will be in the /usr/local/etc/graylog directory.

[rich@graylog ]$ cd /usr/local/etc/graylog

[rich@graylog ]$ sudo cp graylog.conf.example graylog.conf

[rich@graylog ]$ sudo cp log4j2.xml.example log4j2.xml   

[rich@graylog ]$ sudo mkdir server 

[rich@graylog ]$ sudo touch server/node-id 

[rich@graylog ]$ cd ..

[rich@graylog ]$ sudo chown -R graylog:graylog graylog

This will setup the initial config directory and change the owner of the files to graylog user and graylog group. That user and group should have been created when you pkg installed graylog. If you don’t have that user or group then go back to the package install step and check you did that correctly. Change directory back to /usr/local/etc/graylog and edit the graylog.conf file and ensure the variables are set as such.

is_master = true
node_id_file = /usr/local/etc/graylog/server/node-id
root_username = admin
root_timezone = UTC
bin_dir = /usr/local/share/graylog
data_dir = /usr/local/var/lib/graylog
plugin_dir = /usr/local/share/graylog/plugin

http_bind_address =

message_journal_dir = /usr/local/var/lib/graylog/journal

The above config parameters are scattered throughout the config file. Your http_bind_address will be the jail ip4 address. Ensure that all those directories like the journal directory exist and are owned by graylog:graylog. Next, set the hashed admin password and seed by running these two commands on the command line.

pwgen -N 1 -s 96

echo -n yourpassword | shasum -a 256

Edit the graylog.conf file and follow the instructions to paste the password_seed and root_password_sha2 to set those values and then save the file. There are instructions inline in the conf file on the password seed and root password if you are confused. Make sure the file is only readable to the graylog user and group. Now you can finally start the Graylog service

[rich@graylog ]$ sudo service graylog start

[rich@graylog ]$ sudo tail -f /var/log/graylog/server.log

Tail the /var/log/graylog/server.log file to ensure it starts correctly and no fatal errors. It takes a minute or two to startup.

Step 5: Test Jail Restart to Ensure Auto-Launch

If graylog started up correctly, go ahead and stop the jail in the TrueNAS Jails menu. Click the Edit Jail menu item under the graylog jail properties and in the Basic Properties sheet you will check the Auto-start checkbox and click save. Next you can click the start button on the graylog jail and wait a few min for everything to start up. You then should be able to access the graylog UI at http://<your ip address>:9000 (please note that you need to fill in your ip address and it will be different than mine.)

Further tutorials will include hardening + adding SSL and configuring syslog inputs.

Hardware Software

Create a WiFi-Repeater using DD-WRT and an old Asus Router

Asus WiFi routers are great! … says the guy who owns two and just bought a third on Amazon yesterday. I’m not one to waste old hardware and I was thinking that I’d like to flash my old Asus routers with the DD-WRT firmware so I can transform them into WiFi-Repeaters!

Savvy readers will say, “But Rich, Asus already has AiMesh technology to do that. Why do you need DD-WRT?

My response. “AiMesh only works on recent Asus models, it doesn’t work on my N66R for instance. DD-WRT works perfectly fine and breaths new life into that obsolete model”.

So now that we have established why we’d want to do this, let’s roll up our sleeves and get to flashing….

dd-wrt router database

Step 1: Do Your Research

Flashing the firmware of a WiFi router is not trivial; first and foremost you need to visit and see if your router is supported. Search the router database for your manufacturer model (e.g. asus). Some WiFi routers have multiple (confusing) retail names for the same hardware and some retail names have multiple different hardware revisions! Check the serial number and the hardware revision indication on the label of your WiFi routers, my RT-N66U is hardware revision B1. Checking the router database, my hardware revision from 2011 is supported and a fresh firmware file as of 2019!

Save the .trx firmware file to your Computer

Step 2: Download the firmware file to your desktop or laptop

You need to prepare by saving a copy of the .trx firmware file to your local computer (desktop or laptop) that you will use to flash the WiFi router. The file is not very large; about 22 Mb in this example. Please note there are various build numbers in the pulldown combo box. I chose the latest file. You can download multiple .trx files from different builds, but make sure to take notes of which file is which so you aren’t confused later.

Step 3: Read the flashing instructions at least twice

Remember the old Carpenters saying, “Measure twice, cut once”. Flashing the firmware of a router is a bit like baking a cake; you need to follow a list of instructions precisely or the end product will not be good (edible?). In my instance, the first line of the instructions says “Note that the two existing hardware revisions, “A1” and “B1”, of this router are significantly different. This page is about revision “A1”, typically referred to as RT-AC66U, without the revision. For information about the “B1” revision, see Asus_RT-AC66U_B1.” Now, I follow the new link to updated instructions and I see hardware revision A1 and B1 instructions are radically different. I notice the next block of bolded text, “it is recommended that you flash an RT-AC68U build. RT-AC66U builds are optimized for revision A1 and will not work with this router.” Wow, I was really lucky there. I could have ruined this router by flashing the wrong firmware that I downloaded in the previous step. I follow the updated instructions to download the AC68U firmware file.

Step 4: Connect your computer to the Wifi router to flash the firmware

You will most likely do this step several times before you get it right. Follow the linked instructions, steps 1-14. Make sure you are not rushed and I always like to have a bit of music playing to help keep stress levels down. Steps 1-4 are simple, please remember to disconnect from any other WiFi routers and connect a cat6 cable from your computer to the router you want to flash. Make sure you connect to the LAN port, not the WAN port. Steps 5-9 explain how to put your Asus router in “rescue mode” to enable the flashing of firmware. While there is a firmware flash mode in the typical Asus menu, it will not allow you to flash a 3rd party firmware like dd-wrt. If you followed the steps correctly, your power LED will be flashing slowly and will show a simple webpage entitled ASUSTek – CFE miniWeb Server. Step 10 tells you to “Restoredefault NVRAM values” and step 11 prompts you to browse for the .trx firmware file on your computer and click upload. It will take maybe a minute or two to transfer the file at which point the webpage will say flashing the firmware, please wait a few moments. I asked how long are a few moments? It says the router will reboot when complete. Be patient, wait at least 15-20 min to let the firmware file flash and you’ll know when it’s done when the router reboots and the power light goes solid (no blink). Now, I used the AC68U firmware file like the instructions warned me to do but that didn’t work (I tried 3 times). On a lark I used the n66u firmware .trx file I originally downloaded and it worked like a champ! go figure….

Configure your new router

Step 5: Configure your newly flashed DD-WRT router

After the router reboots from the flash, connect via your PC which is still connected via the CAT6 cable to which is the default IP address for your WiFi router. You might also see a WiFi SSID of dd-wrt on your network. When you first connect you will be prompted to choose a login name and password for your router. Make sure you don’t forget these as they are the admin credentials. For me, this router is a second router on the network (i.e. it’s not my primary router). If I was try and connect it to my main network, I would get an IP address conflict for which is the actual IP address of my primary router. In the setup tab in the Network Setup section I changed the routers IP address to and set the subnet mask to I set the gateway to and I set my DNS to (which is my pihole server << more on that in another blog post). I disabled the WAN connection type and gave my router the name lung (you see my primary router is always named heart). I hit save and apply settings and I believe the router restarted. I can now plug this router via CAT6 cable into my primary router to check that they happily co-exist.

Step 6: Setup the WiFi repeater

AiMesh and DD-WRT WiFi repeater mode essentially allow you to extend your WiFi coverage and you can leverage one band (2.4 GHz for example) to do the bridge and rebroadcast on another band. There are so many combinations here I’m not entirely sure which one is best. I stumbled upon a great Youtube channel called Behfor that walks you thru the what’s and the why’s of your WiFi router and setting up the repeater. Look for the video entitled Dual Band DD-WRT Repeater Bridge. I’m still playing around with this part 😉 Let me know if this was helpful or if you are using WiFi Repeater.


Minecraft MineOS running on FreeNAS 11.3

My kids love to play Minecraft; it’s a fun game that has remained extremely popular for a decade (a rare feat). Everyone in the family has an account and much of the fun of Minecraft is playing together in a shared world. I will teach you how to setup shared worlds (and back them up) using MineOS software on FreeNAS / TrueNAS.

Step 1: Install MineOS FreeNAS Plugin

The folks at IXSystems must be big fans of Minecraft because they packaged a Minecraft server solution along with backup utilities and Plex. MineOS is a free plugin to allow you to host Minecraft servers on your FreeNAS box. Within Plugins menu item on FreeNAS web GUI select MineOS and select INSTALL. Give it a name, I chose mineos and select plugin details >>> mostly select DHCP vs. NAT for networking. DHCP will create a fresh Jail, use DHCP to configure networking and install the MineOS software.

If your plugin installation is successful it will look similar to the above image. Note the IPv4 address and click the Manage link to be redirected to the MineOS login page. The default username is mcserver and the default password is mcserver.

When you login, you should see a web GUI similar to the above. In this example I have two (2) servers running. Your example will show no servers running (which is totally ok!). The Dashboard link (circled above) will return you to this menu for any point in MineOS.

Why MineOS?

MineOS is an open source project from William Dizon (looks like it’s been around since 2010). Essentially a Web GUI for administering your Minecraft servers along with utilities to backup and upgrade your world. It’s useful to move an server or daemon process off you local host or laptop to provide improved resiliency and uptime and allow for dedicated resources. You can also setup port forwarding on your wifi router along with a dynamic dns name to allow folks from outside your local area network (LAN) to connect to your Minecraft server. MineOS also allows you to upgrade your world from various versions of Minecraft releases and try out new exciting systems like direwolf and feed the beast (more on this later).

Step 2: Download Server Profile Jars

Minecraft Java Edition is packaged and released as Java Archive (JAR) files from Your Minecraft launcher application on Windows, Mac or Linux will automation this download when you select the game version. In MineOS you will need to click on the Profiles menu item (on the left), select Mojang from the ID column and then click the Green Download button. You know that you are successful if you see the check and Downloaded next to the Jars you requested. Be careful and do not try and get every Jar at once; the Web GUI doesn’t have a throttle.

If you have errors Downloading Server Jars, do the following:

  1. Stop and Start the Mineos Jail in FreeNAS. Sometimes, I’ve seen it where the networking (to the outside world) doesn’t work correctly the first time. I don’t think this is a problem anymore but worth trying.
  2. Make sure you know where Mineos is trying to save those Jars and that you have write access and enough space. We’ll get into customizing where these Jars are saved in a later article.

Step 3: Create Your First Server

Back on the MineOS menu, please select the “Create New Server” menu item. You will be presented with a dialog to name the server; I chose the name of server01 (boring, I know). All fields with light-gray text will default to those values, i.e. the port will be set to 25565 (which is the default for Minecraft). You might want to change the Level-Name to something interesting. Set the difficulty and gamemode and click create new server. Please note it doesn’t actually start the server yet (we’ll do that next) and most if not all these items can be changed with the exception of the server name.

Step 4: Start Your First Minecraft Server

In the MineOS web GUI go back to the Dashboard and select the server you created.

The Server At A Glance dashboard is very informational. If the server is down, as it will be initially, the server status will be RED. In the Server Actions box, you need to choose the Minecraft server profile you downloaded from Step 2 (in this case 1.16.3). You should ensure that broadcast to LAN and start server on boot checkboxes are checked. In the Java settings you need to select the JAR file from Step 2 (in this case minecraft_server.1.16.3.jar. I like to set the max Java heap (memory) size on the Java runtime to between 1024 and 2048 Mb (1 to 2 Gb). -Xms means minimum Heap size; it’s ok to leave that blank.

Then click Accept EULA and click start to run the server.

If all goes well your Server should show up on the status page and if you click on the latest log link on the left you should see something similar to the below

In your Minecraft Java client you should select Multiplayer and add the server IP that your MineOS is running on to connect to the server (in this case Once you connect, the latest log will show a connection log message for each player. Enjoy!