Graylog is an open source log management software that can be used to collect, index, and analyze remote system logs centrally.
Graylog is built from three components:
Elasticsearch: receives and stores the logs from the Graylog server and offers a search facility.
MongoDB: database to store configuration and meta information.
Graylog Server: receives and parses the logs coming from various inputs and provides a web interface to manage those logs.
In this tutorial, we will learn how to install and configure the Graylog server on CentOS 7/RHEL 7.
0./ Prerequisites
– To install Graylog, we first need to install these additional packages:
# sudo yum install java-1.8.0-openjdk-headless.x86_64 -y
# sudo yum install epel-release -y
# sudo yum install pwgen -y
1./ Install MongoDB
– MongoDB is not available in the default CentOS repository. You will need to add the MongoDB repo first. To do so, you have to create the file mongodb-org-3.2.repo under the /etc/yum.repos.d/ directory using the following command:
# vi /etc/yum.repos.d/mongodb-org-3.2.repo
– Add the following contents:
[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc
– Install MongoDB by running the following command:
# sudo yum install mongodb-org -y
– Start the MongoDB service and enable it to start on boot with the following command:
# sudo chkconfig --add mongod
# sudo systemctl daemon-reload
# sudo systemctl enable mongod.service
# sudo systemctl start mongod.service
2./ Install and Configure Elasticsearch
– To install Elasticsearch, we first have to import the GPG key using the following command:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
– Elasticsearch is not available in the default CentOS repositories. You will need to create a repo file for it using the following command:
# vi /etc/yum.repos.d/elasticsearch.repo
– Add the following contents:
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
– Now, install Elasticsearch using the following command:
# sudo yum install elasticsearch -y
– Open the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml) and set the cluster name to graylog:
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
– After you have modified the configuration, you can start Elasticsearch:
# sudo chkconfig --add elasticsearch
# sudo systemctl daemon-reload
# sudo systemctl enable elasticsearch.service
# sudo systemctl restart elasticsearch.service
– Check the health of Elasticsearch with the following command:
# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
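Reading the colour by eye is fine once, but the same check is worth scripting so it can run from cron or a monitoring agent after every restart. The following script is an added example, not part of the tutorial: it extracts the "status" field from the cluster-health JSON with sed (no jq needed on a minimal CentOS install), maps green/yellow/red to exit codes, and reports the unassigned-shard count, which is the usual reason for a non-green cluster. The sample responses in the script are constructed, the function names are my own, and ES_HEALTH_URL is an assumed environment variable that defaults to the URL used above.

```shell
#!/bin/sh
# Added example (not from the tutorial): turn the Elasticsearch cluster-health
# check into something a script can act on.

ES_HEALTH_URL="${ES_HEALTH_URL:-http://localhost:9200/_cluster/health?pretty=true}"

# es_status_from_json: read health JSON on stdin, print the value of "status"
# (green/yellow/red). Works on both the pretty-printed and the one-line form.
es_status_from_json() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# es_unassigned_from_json: print the unassigned_shards count from the same JSON.
es_unassigned_from_json() {
    sed -n 's/.*"unassigned_shards"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1
}

# es_status_rc STATUS: green=0 (all shards allocated), yellow=1 (primaries up,
# replicas unassigned; survivable on one node but worth flagging), other=2.
es_status_rc() {
    case "$1" in
        green)  return 0 ;;
        yellow) return 1 ;;
        *)      return 2 ;;
    esac
}

# check_es_health: query the live node and report; exit code as es_status_rc,
# or 3 when the HTTP API cannot be reached at all.
check_es_health() {
    body=$(curl -sf "$ES_HEALTH_URL") || {
        echo "elasticsearch API unreachable at $ES_HEALTH_URL" >&2
        return 3
    }
    status=$(printf '%s\n' "$body" | es_status_from_json)
    unassigned=$(printf '%s\n' "$body" | es_unassigned_from_json)
    echo "cluster status: ${status:-unknown}, unassigned shards: ${unassigned:-?}"
    es_status_rc "$status"
}

# Constructed sample responses (not captured from a real node) so the parser
# can be exercised offline.
SAMPLE_GREEN='{ "cluster_name" : "graylog", "status" : "green", "unassigned_shards" : 0 }'
SAMPLE_YELLOW='{
  "cluster_name" : "graylog",
  "status" : "yellow",
  "unassigned_shards" : 4
}'

if [ "${1:-}" = "--live" ]; then
    check_es_health
else
    for s in "$SAMPLE_GREEN" "$SAMPLE_YELLOW"; do
        st=$(printf '%s\n' "$s" | es_status_from_json)
        if es_status_rc "$st"; then rc=0; else rc=$?; fi
        echo "sample status $st -> exit code $rc"
    done
fi
```

Run it with `--live` on the Graylog host to query the real node; without arguments it only walks the constructed samples. A yellow result on a single node usually means an index was created with replicas, which can never be allocated when there is only one data node.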
3./ Install and Configure Graylog
– We need to download and install the Graylog repository using the following command:
# sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm
– Install the Graylog server with the following command:
# sudo yum install graylog-server -y
– After you have installed the Graylog server, you have to generate a secret key for Graylog using the following command:
# pwgen -N 1 -s 96
MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
– Now create a password hash for the root user that can be used to log in to the Graylog web server, using the following command:
# echo -n Password | sha256sum
e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
– Edit the server.conf file:
# sudo vi /etc/graylog/server/server.conf
– Make changes to the file as shown below:
password_secret=MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
root_password_sha2=e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
root_email=[email protected]
root_timezone=UTC
elasticsearch_discovery_zen_ping_unicast_hosts=192.168.1.200:9300
elasticsearch_shards=1
# The three script.* settings below are Elasticsearch 2.x settings (they disable dynamic scripting);
# they belong in /etc/elasticsearch/elasticsearch.yml, not in server.conf, where Graylog ignores them.
script.inline: false
script.indexed: false
script.file: false
– To enable the Graylog web interface, make changes to the file as shown below:
rest_listen_uri = http://192.168.1.200:12900/
web_listen_uri = http://192.168.1.200:9000/
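The secret and hash steps above are easy to get subtly wrong: `echo -n Password | sha256sum` leaves the admin password in the shell history, a stray space after `=` or a truncated paste produces a value Graylog cannot use, and the edit is done by hand in vi. The script below is an added example, not from the tutorial or the Graylog project: it generates the 96-character `password_secret` the same way the tutorial does (pwgen, with openssl or /dev/urandom as fallbacks), reads the admin password with terminal echo off and hashes it exactly like `echo -n`, writes both keys into server.conf idempotently (replacing a commented or empty line rather than appending a duplicate), and then checks that the secret is at least 16 characters and the hash is a 64-digit hex SHA-256. The 16-character floor is an assumption on my part (the tutorial uses 96); the function names and the GRAYLOG_CONF variable are mine, and the sample config in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate, write and verify the two
# secrets in /etc/graylog/server/server.conf without putting the password on
# the command line.

CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# sha256_hex: hex SHA-256 of stdin (sha256sum on CentOS, shasum elsewhere).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{ print $1 }'
    else
        shasum -a 256 | awk '{ print $1 }'
    fi
}

# hash_password PASSWORD: value for root_password_sha2. printf '%s' adds no
# trailing newline, which is what the tutorial's `echo -n` achieves.
hash_password() {
    printf '%s' "$1" | sha256_hex
}

# gen_secret: 96-character password_secret, as `pwgen -N 1 -s 96` in the
# tutorial, falling back to openssl or /dev/urandom if pwgen is missing.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    elif command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 48
    else
        head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# set_conf_key FILE KEY VALUE: replace the first KEY line (commented, empty or
# set) with KEY=VALUE, or append it when absent. Values are alphanumeric here,
# so awk -v escape handling is not a concern.
set_conf_key() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        !done && $0 ~ ("^[#[:space:]]*" k "[[:space:]]*=") { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_conf_key FILE KEY: print the effective (last uncommented) value of KEY.
get_conf_key() {
    awk -v k="$2" '
        $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") { sub(/^[^=]*=[[:space:]]*/, ""); v = $0 }
        END { print v }' "$1"
}

# check_server_conf FILE: 0 if password_secret has at least 16 characters
# (assumed minimum) and root_password_sha2 is a 64-digit hex SHA-256.
check_server_conf() {
    secret=$(get_conf_key "$1" password_secret)
    hash=$(get_conf_key "$1" root_password_sha2)
    [ "${#secret}" -ge 16 ] || { echo "password_secret too short (${#secret} chars)" >&2; return 1; }
    printf '%s\n' "$hash" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
    return 0
}

# configure_secrets FILE: prompt for the admin password with echo off so it
# never lands in shell history, then write and verify both keys.
configure_secrets() {
    printf 'Graylog admin password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    set_conf_key "$1" password_secret "$(gen_secret)" \
        && set_conf_key "$1" root_password_sha2 "$(hash_password "$pw")" \
        && check_server_conf "$1"
}

# Offline demonstration on a constructed fragment of server.conf; run
# `configure_secrets "$CONF"` as root to apply this to the real file.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# constructed sample, not the shipped file
password_secret =
#root_password_sha2 =
root_timezone = UTC
EOF
set_conf_key "$DEMO_CONF" password_secret "$(gen_secret)"
set_conf_key "$DEMO_CONF" root_password_sha2 "$(hash_password Password)"
check_server_conf "$DEMO_CONF" && cat "$DEMO_CONF"
rm -f "$DEMO_CONF"
```

The same `password_secret` must be used on every node of a Graylog cluster, so generate it once and copy it rather than running `gen_secret` per host.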
– After you have modified the configuration file, you can start the Graylog service using the following commands:
# sudo chkconfig --add graylog-server
# sudo systemctl daemon-reload
# sudo systemctl enable graylog-server.service
# sudo systemctl start graylog-server.service
4./ Adjusting the Firewall and SELinux
You will need to set firewall rules for Graylog to work properly.
You can do this by running the following commands:
# sudo firewall-cmd --permanent --zone=public --add-port=9000/tcp
# sudo firewall-cmd --permanent --zone=public --add-port=12900/tcp
# sudo firewall-cmd --permanent --zone=public --add-port=1514/tcp
– Next, reload firewalld with the following command:
# sudo firewall-cmd --reload
– To manage SELinux, you have to install the policycoreutils-python package using the following command:
# sudo yum install policycoreutils-python -y
– Allow the web server to access the network:
# sudo setsebool -P httpd_can_network_connect 1
– Allow the Graylog REST API and web interface:
# sudo semanage port -a -t http_port_t -p tcp 9000
– Allow the Elasticsearch HTTP API:
# sudo semanage port -a -t http_port_t -p tcp 9200
– Allow MongoDB default port:
# sudo semanage port -a -t mongod_port_t -p tcp 27017
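Whether these firewalld and SELinux changes actually took effect is worth verifying before opening a browser, because a missing port or label shows up only as a connection timeout or an AVC denial in /var/log/audit/audit.log. The script below is an added example, not from the tutorial: it compares the three ports the tutorial opens against `firewall-cmd --list-ports`, checks `semanage port -l` for the http_port_t and mongod_port_t labels (handling port ranges, since the policy may already carry a range that covers the port, in which case `semanage port -a` reports it as already defined and the existing label satisfies the check), and confirms the httpd_can_network_connect boolean. The comparison functions take the command output as arguments, so they are exercised here on constructed sample output; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the firewalld ports and
# SELinux labels the tutorial configures. Parsing is separated from the live
# queries so it can be tested on captured output.

# Ports the tutorial opens: Graylog web UI, REST API, syslog input.
REQUIRED_PORTS="9000/tcp 12900/tcp 1514/tcp"

# missing_ports "REQUIRED" "LISTED": print each required port absent from the
# space-separated output of `firewall-cmd --zone=public --list-ports`.
missing_ports() {
    for p in $1; do
        found=0
        for l in $2; do [ "$l" = "$p" ] && found=1; done
        [ "$found" -eq 1 ] || echo "$p"
    done
}

# port_labelled TYPE PORT "SEMANAGE_OUTPUT": 0 if `semanage port -l` lists
# PORT for TYPE/tcp, either as a single port or inside a range like 27017-27019.
port_labelled() {
    printf '%s\n' "$3" | awk -v t="$1" -v p="$2" '
        $1 == t && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                e = $i; gsub(/,/, "", e)
                if (e == p) found = 1
                else if (split(e, r, "-") == 2 && r[1] + 0 <= p + 0 && p + 0 <= r[2] + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# bool_enabled "GETSEBOOL_OUTPUT": getsebool prints "name --> on|off".
bool_enabled() {
    printf '%s\n' "$1" | grep -q -- '--> on$'
}

# audit_host: run the live queries (root required) and return the number of
# problems found.
audit_host() {
    problems=0
    listed=$(firewall-cmd --zone=public --list-ports 2>/dev/null)
    for p in $(missing_ports "$REQUIRED_PORTS" "$listed"); do
        echo "firewalld: $p is not open in zone public"; problems=$((problems + 1))
    done
    sem=$(semanage port -l 2>/dev/null)
    for spec in http_port_t:9000 http_port_t:9200 mongod_port_t:27017; do
        port_labelled "${spec%%:*}" "${spec#*:}" "$sem" \
            || { echo "selinux: tcp/${spec#*:} is not labelled ${spec%%:*}"; problems=$((problems + 1)); }
    done
    bool_enabled "$(getsebool httpd_can_network_connect 2>/dev/null)" \
        || { echo "selinux: httpd_can_network_connect is off"; problems=$((problems + 1)); }
    echo "$problems problem(s) found"
    return $problems
}

# Constructed sample output (not captured from a real host): 12900/tcp is
# deliberately missing from the firewall list.
SAMPLE_LIST="9000/tcp 1514/tcp"
SAMPLE_SEMANAGE="http_port_t                    tcp      9000, 80, 81, 443, 488, 8008, 8009, 8443, 9200
mongod_port_t                  tcp      27017-27019, 28017-28019"

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    echo "ports missing from constructed firewall-cmd output: $(missing_ports "$REQUIRED_PORTS" "$SAMPLE_LIST")"
    port_labelled http_port_t 12900 "$SAMPLE_SEMANAGE" || echo "tcp/12900 carries no http_port_t label in the sample"
fi
```

Run with `--live` on the host as root. Note that the sample deliberately leaves 12900/tcp unlabelled: the tutorial labels only 9000 and 9200 with http_port_t, and if the REST API port is later moved behind a web server that needs to connect to it, it will need the same treatment.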
5./ Access the Graylog web interface
Open your web browser and go to http://your_ip_address:9000. You should see the Graylog login page.
We hope this tutorial was helpful. If you need more information or have any questions, just comment below and we will be glad to assist you!
6 comments
Great Article…
I want to do the same setup in RHEL 7. And if I don't have access to the particular repos for elasticsearch and mongodb, what is the alternative for that? Do we have any option to install graylog server from source? It would be great if you explain the procedure through source installation rather than yum.
Hi Lakshmi Dhandapani,
Thanks for the comment, yes of course you can install Graylog server from source, we will explain the procedure soon. Keep in touch by subscribing to our YouTube channel https://www.youtube.com/channel/UC2-O3cFV_KGHydYUnxpia7A
Hello, your sharing is very useful, thank you. My login page came, but I can't log in. At server.conf, there is a user and password (made by pwgen), is there a default user/password? How can I log in to it?
Hi Nihal,
The username login by default is “admin” and if you followed all the steps the password should be “Password”, which has been configured with the following command
# echo -n Your_Password | sha256sum
If you have any issues, we will be glad to assist you.
Hi, I tried the same keys but it is not working
Hi,
Could you please explain what doesn’t work exactly.