Hamsa K
Editor
9 min read | 4 years ago

How to Install and Configure Graylog 3 Server on Centos 7

Install Graylog on centos 7

graylog is an open-source log management tool which helps you to collect, index and analyze any machine logs centrally. graylog bulit with elasticsearch,mongodb and graylog server.Graylog collects logs from various sources and provides a web-based dashboard to manage and search through the logs.

Elasticsearch : Receives and stores the logs from the Graylog server and offers a search facility.

MongoDB : MongoDB is a document database, which means it stores data in JSON-like documents. Its used to store configuration and meta information.

Graylog Server : graylog Receives and parses the logs coming from various inputs and provides a web interface to manage those logs.

Prerequisites:

1) centos 7 server with root user or nonroot user with sudo privileges

2) Assign static ip address and good Ram for server would be better.

1) Install Java

Before installing elasticsearch we need to install oracle jdk or open jdk.Here i am installing openjdk.

[root@lampblogs ~]# yum install java-1.8.0-openjdk-headless

once java is installed verify java version

[root@lampblogs ~]# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

2) Install Elasticsearch

To install elastcicsearch first we nned to import GPG signing key.

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

create repo file from official repository to install elasticsearch

[root@lampblogs ~]# vi /etc/yum.repos.d/elasticsearch.repo

paste below content to above file and save it.

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Now install elasticsearch with the following command.

[root@lampblogs ~]# yum install elasticsearch

once it is installed open below config file 

[root@lampblogs ~]# vi /etc/elasticsearch/elasticsearch.yml

set cluster name as graylog and save config file.

cluster.name: graylog

Now we need to start Elasticsearch and enable it to automatically start at boot time with the following commands.

[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl enable elasticsearch
[root@lampblogs ~]# systemctl restart elasticsearch
[root@lampblogs ~]# systemctl status elasticsearch

Elasticsearch is running on default port 9200. verify it its working properly or not with curl command. 

[root@lampblogs ~]# curl -X GET http://localhost:9200

sample output:

{
  "name" : "lampblogs.com",
  "cluster_name" : "graylog",
  "cluster_uuid" : "4V7vruxsS6qDGALez0pAqw",
  "version" : {
    "number" : "6.8.6",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "3d9f765",
    "build_date" : "2019-12-13T17:11:52.013738Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Now elasticsearch is installed and running perfectly.

Step 3: Install Mongodb

Graylog uses MongoDB to store its configuration and meta information.

we will install through mongodb official repository like below.

[root@lampblogs ~]# vi /etc/yum.repos.d/mongodb-org-4.0.repo

copy and paste below content to above file and save it.

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

Now install mongodb with following command

[root@lampblogs ~]# yum install mongodb-org

once it is installed start Mongodb and enable it to start automatically.

[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl start mongod
[root@lampblogs ~]# systemctl enable mongod

Step 4: Install and configure Graylog

download graylog 3.x repository from graylog server.

[root@lampblogs ~]# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm

install graylog with below command

[root@lampblogs ~]# yum install graylog-server

Graylog server is now installed on your server. Before you can start it, you will need to configure a few things.

First we will Install pwgen utility to generate strong passwords.

[root@lampblogs ~]# yum install pwgen

once it is installed generate secret key for Graylog

[root@lampblogs ~]# pwgen -N 1 -s 96
f5jtpt6lBRVNbIsmf0VCIgskufdcLdsZ8SnrWkplmV7ZDR9QaMcHAMrmdH5Bs3f6vTz2wCHT1WKoARjDbk64ZRhAZnoP3XxR

Now create a hash password for the root user that can be used to log in to the Graylog web server.

[root@lampblogs ~]# echo -n Password | sha256sum
a893334edd6f4bee328d44ac7144daa7c40c35c38ef7d1fbe34b76afe59df0a2

you can replace password field with strong password.

Now edit server.conf file 

[root@lampblogs ~]# vi /etc/graylog/server/server.conf

change below settings in above file and save it

password_secret = f5jtpt6lBRVNbIsmf0VCIgskufdcLdsZ8SnrWkplmV7ZDR9QaMcHAMrmdH5Bs3f6vTz2wCHT1WKoARjDbk64ZRhAZnoP3XxR
root_password_sha2 = a893334edd6f4bee328d44ac7144daa7c40c35c38ef7d1fbe34b76afe59df0a2
elasticsearch_shards = 1
root_email = mail@lampblogs.com
root_timezone = Asia/Kolkata

and also modify below entry in server.conf to let Graylog Web Interface to connect to the Graylog server.

http_bind_address = 192.168.0.10:9000

Replace your system ip address in above entry and save it

Now we start and enable graylog server by runnig following commands.

[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl restart graylog-server
[root@lampblogs ~]# systemctl status graylog-server

Step 5: configure firewall and disable selinux

[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=9200/tcp
[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=27017/tcp
[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=9000/tcp
[root@lampblogs ~]# firewall-cmd --reload

If selinux is enabled in your system then you can disable it.

Step 6: Access graylog 

Now you can Access graylog server web interface by opening your browser and type http://ip_address:9000. Graylog server defaults listens on 9000 port.

Login with username as admin and the and plain text version of the password you entered at root_password_sha2 in server.conf file.

 

 

 

 

 



Warning! This site uses cookies
By continuing to browse the site, you are agreeing to our use of cookies. Read our terms and privacy policy