Install Graylog on CentOS 7
Graylog is an open-source log management tool that lets you collect, index and analyze machine logs centrally. A Graylog deployment is built from Elasticsearch, MongoDB and the Graylog server. Graylog collects logs from various sources and provides a web-based dashboard to manage and search through them.
Elasticsearch: receives and stores the logs from the Graylog server and provides the search facility.
MongoDB: a document database, meaning it stores data in JSON-like documents. Graylog uses it to store configuration and metadata.
Graylog Server: receives and parses the logs coming from the configured inputs and provides a web interface to manage those logs.
Prerequisites:
1) A CentOS 7 server with the root user or a non-root user with sudo privileges
2) A static IP address and adequate RAM for the server.
Step 1: Install Java
Before installing Elasticsearch we need to install either Oracle JDK or OpenJDK. Here we install OpenJDK.
[root@lampblogs ~]# yum install java-1.8.0-openjdk-headless
Once Java is installed, verify the Java version:
[root@lampblogs ~]# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
Step 2: Install Elasticsearch
To install Elasticsearch, first import the GPG signing key.
[root@lampblogs ~]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Create a repo file for the official Elasticsearch repository:
[root@lampblogs ~]# vi /etc/yum.repos.d/elasticsearch.repo
Paste the following content into the file and save it.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Now install Elasticsearch with the following command.
[root@lampblogs ~]# yum install elasticsearch
Once it is installed, open the config file:
[root@lampblogs ~]# vi /etc/elasticsearch/elasticsearch.yml
Set the cluster name to graylog and save the config file.
cluster.name: graylog
Now start Elasticsearch and enable it to start automatically at boot with the following commands.
[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl enable elasticsearch
[root@lampblogs ~]# systemctl restart elasticsearch
[root@lampblogs ~]# systemctl status elasticsearch
Elasticsearch listens on port 9200 by default. Verify that it is working with curl:
[root@lampblogs ~]# curl -X GET http://localhost:9200
Sample output:
{
"name" : "lampblogs.com",
"cluster_name" : "graylog",
"cluster_uuid" : "4V7vruxsS6qDGALez0pAqw",
"version" : {
"number" : "6.8.6",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "3d9f765",
"build_date" : "2019-12-13T17:11:52.013738Z",
"build_snapshot" : false,
"lucene_version" : "7.7.2",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
Elasticsearch is now installed and running.
Step 3: Install MongoDB
Graylog uses MongoDB to store its configuration and metadata.
We will install it from the official MongoDB repository. Create the repo file:
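Checking the curl output by eye works once; a small script is better when you have to repeat the check after a restart or on several nodes. The following is an added example (not part of the original guide) that pulls the cluster name and version out of the Elasticsearch banner and confirms they match what this guide expects: cluster name graylog from elasticsearch.yml and a 6.x release from the elasticsearch-6.x repository. The sample banner embedded in the script is constructed to mirror the output above.

```shell
#!/bin/sh
# Added example: sanity-check the JSON banner that Elasticsearch serves on port 9200.
# Expects cluster_name "graylog" (set in elasticsearch.yml) and a 6.x release
# (matching the elasticsearch-6.x yum repository used in this guide).

# Extract the string value of a "key" : "value" field from the banner ($1 = banner, $2 = key).
# The banner is printed one field per line, so a line-oriented sed is enough here.
es_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Return 0 when the banner shows cluster "graylog" on a 6.x version, 1 otherwise,
# with the reason on stderr so the operator sees what to fix.
verify_es_banner() {
  cluster=$(es_field "$1" cluster_name)
  number=$(es_field "$1" number)
  if [ "$cluster" != "graylog" ]; then
    echo "cluster_name is '$cluster', expected 'graylog' (check /etc/elasticsearch/elasticsearch.yml)" >&2
    return 1
  fi
  case "$number" in
    6.*) ;;
    *) echo "Elasticsearch version '$number' is not a 6.x release" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample banner with the same shape as the curl output shown in the guide.
SAMPLE_BANNER='{
  "name" : "lampblogs.com",
  "cluster_name" : "graylog",
  "version" : {
    "number" : "6.8.6"
  }
}'

# On the server itself (hypothetical call; needs Elasticsearch running locally):
#   verify_es_banner "$(curl -s -X GET http://localhost:9200)" && echo "Elasticsearch OK"
```

Run the last line on the server after `systemctl restart elasticsearch`; a non-zero exit tells you which of the two expectations was not met.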
[root@lampblogs ~]# vi /etc/yum.repos.d/mongodb-org-4.0.repo
Copy and paste the following content into the file and save it.
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Now install MongoDB with the following command.
[root@lampblogs ~]# yum install mongodb-org
Once it is installed, start MongoDB and enable it to start automatically at boot.
[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl start mongod
[root@lampblogs ~]# systemctl enable mongod
Step 4: Install and configure Graylog
Install the Graylog 3.x repository package from the Graylog package server.
[root@lampblogs ~]# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
Install Graylog with the following command.
[root@lampblogs ~]# yum install graylog-server
Graylog server is now installed on your server. Before you can start it, you will need to configure a few things.
First, install the pwgen utility to generate strong passwords.
[root@lampblogs ~]# yum install pwgen
Once it is installed, generate a secret key for Graylog:
[root@lampblogs ~]# pwgen -N 1 -s 96
f5jtpt6lBRVNbIsmf0VCIgskufdcLdsZ8SnrWkplmV7ZDR9QaMcHAMrmdH5Bs3f6vTz2wCHT1WKoARjDbk64ZRhAZnoP3XxR
Now create a SHA-256 hash of the password for the root user, which is used to log in to the Graylog web interface.
[root@lampblogs ~]# echo -n Password | sha256sum
a893334edd6f4bee328d44ac7144daa7c40c35c38ef7d1fbe34b76afe59df0a2
Replace Password with a strong password of your own.
Now edit the server.conf file:
[root@lampblogs ~]# vi /etc/graylog/server/server.conf
Change the following settings in the file and save it:
password_secret = f5jtpt6lBRVNbIsmf0VCIgskufdcLdsZ8SnrWkplmV7ZDR9QaMcHAMrmdH5Bs3f6vTz2wCHT1WKoARjDbk64ZRhAZnoP3XxR
root_password_sha2 = a893334edd6f4bee328d44ac7144daa7c40c35c38ef7d1fbe34b76afe59df0a2
elasticsearch_shards = 1
root_email = mail@lampblogs.com
root_timezone = Asia/Kolkata
Also modify the following entry in server.conf so that the Graylog web interface can connect to the Graylog server.
http_bind_address = 192.168.0.10:9000
Replace the address with your system's IP address and save the file.
Now start the Graylog server and enable it to start at boot by running the following commands.
[root@lampblogs ~]# systemctl daemon-reload
[root@lampblogs ~]# systemctl enable graylog-server
[root@lampblogs ~]# systemctl restart graylog-server
[root@lampblogs ~]# systemctl status graylog-server
Step 5: Configure the firewall and SELinux
[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=9200/tcp
[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=27017/tcp
[root@lampblogs ~]# firewall-cmd --permanent --zone=public --add-port=9000/tcp
[root@lampblogs ~]# firewall-cmd --reload
If SELinux is enabled on your system, you can disable it.
Step 6: Access Graylog
You can now access the Graylog web interface by opening http://ip_address:9000 in your browser. The Graylog server listens on port 9000 by default.
Log in with the username admin and the plain-text version of the password whose hash you entered as root_password_sha2 in server.conf.
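On a single-host install like this one, only the web interface on 9000 needs to be reachable from outside: Elasticsearch (9200) and MongoDB (27017) are used solely by the Graylog server on the same machine, and neither has authentication enabled out of the box, so they should stay bound to loopback (Elasticsearch's network.host in elasticsearch.yml and MongoDB's bindIp in /etc/mongod.conf both default to 127.0.0.1). Before adding firewall rules for 9200 and 27017 it is worth confirming what each service actually listens on. The following added example (not part of the original guide) parses `ss -ltn` output and flags any backend listener that is not on a loopback address; the listener tables in it are constructed samples, and non_loopback_listeners and backend_ports_private are this example's own names.

```shell
#!/bin/sh
# Added example: find Elasticsearch/MongoDB listeners that are reachable from
# other hosts, so firewall rules for 9200 and 27017 are only added when intended.

# Print "port address" for every LISTEN line in ss -ltn output ($1) whose local
# address is not loopback. The port is the text after the last colon, which also
# handles IPv6 wildcards such as ":::9200".
non_loopback_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
        print port, addr
    }'
}

# Return 0 when 9200 and 27017 are loopback-only in the given ss -ltn output ($1),
# 1 otherwise, listing the exposed listeners on stderr.
backend_ports_private() {
  bad=$(non_loopback_listeners "$1" | awk '$1 == 9200 || $1 == 27017')
  if [ -n "$bad" ]; then
    printf 'backend listener reachable from other hosts (port address):\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample: Elasticsearch bound to all interfaces (IPv4 and IPv6),
# MongoDB on loopback, Graylog on the host address as configured above.
EXPOSED_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:27017    *:*
LISTEN 0      128    *:9200             *:*
LISTEN 0      128    192.168.0.10:9000  *:*
LISTEN 0      128    :::9200            :::*'

# Constructed sample of the intended layout: only 9000 is reachable from outside.
PRIVATE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:27017    *:*
LISTEN 0      128    127.0.0.1:9200     *:*
LISTEN 0      128    192.168.0.10:9000  *:*'

# On the server (hypothetical call, live data):
#   backend_ports_private "$(ss -ltn)" && echo "only 9000 needs a firewall rule"
```

With the layout in PRIVATE_SS the `firewall-cmd` lines for 9200 and 27017 above can simply be left out; if the check reports an exposed listener instead, set the bind address back to 127.0.0.1 in the service's config rather than opening the port.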