Graylog is an open-source log management tool that helps you to collect, store and analyze machine logs in a central location.
Graylog Setup
To set up Graylog in your environment, you need the following software.
- MongoDB – Stores Graylog's configuration and metadata.
- Elasticsearch – Stores the log messages received from the Graylog server and makes them searchable. Elasticsearch is a resource hog because it indexes every message, so give it plenty of memory and fast storage (SAS/SSD or SAN disks).
- Graylog server – Parses the logs arriving on its inputs and serves the built-in web interface used to work with them.
This guide will help you to install Graylog on CentOS 8 / RHEL 8.
Prerequisites
EPEL Repository
We need to enable the EPEL repository, because pwgen (used below to generate the Graylog secret) is not in the base repositories. On CentOS 8 it is provided by the epel-release package.
Install Packages
Install the following packages; pwgen generates the Graylog secret and perl-Digest-SHA provides the shasum utility we use to hash the admin password.
dnf install -y wget pwgen perl-Digest-SHA
Install Java
Both Elasticsearch 6.x and the Graylog server run on the JVM, and Graylog 3.2 requires Java 8. Install OpenJDK 8 (the headless package is enough for a server).
dnf install -y java-1.8.0-openjdk-headless
Verify the Java version.
java -version
Output:
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
Install Elasticsearch
Elasticsearch is the most important component of the Graylog setup: it stores the data coming in through Graylog inputs and answers the searches issued from the Graylog web interface.
Graylog 3.2 supports Elasticsearch 5.x and 6.x; we install 6.x.
Import the GPG signing key before the installation.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Configure a repository to get Elasticsearch v6.x package from the official repository.
cat << EOF > /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Now, install the Elasticsearch package using the dnf command.
dnf install -y elasticsearch-oss
To make Elasticsearch work with Graylog, set the cluster name to graylog and disable automatic index creation, so that only Graylog (which manages its own index sets) creates indices.
Edit the elasticsearch.yml file.
vi /etc/elasticsearch/elasticsearch.yml
Update it, as shown below.
cluster.name: graylog
action.auto_create_index: false
Reload the systemd units and enable Elasticsearch to start automatically at boot.
systemctl daemon-reload
systemctl enable elasticsearch
Restart the Elasticsearch.
systemctl restart elasticsearch
Give a minute or two to let the Elasticsearch get fully started.
Elasticsearch should now be listening on port 9200 for HTTP requests. By default it binds only to localhost, which is what you want: the OSS distribution has no authentication, and Graylog talks to it locally. Use curl to check the response.
curl -X GET http://localhost:9200
Cluster name should be graylog.
{
  "name" : "eaTfFg6",
  "cluster_name" : "graylog",
  "cluster_uuid" : "u-ageNH-RHGIzpfxDtNsgQ",
  "version" : {
    "number" : "6.8.6",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "3d9f765",
    "build_date" : "2019-12-13T17:11:52.013738Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
Install MongoDB
MongoDB acts as a database to store the configurations and meta information.
Graylog 3.2 supports MongoDB 3.6 and 4.0; we will use 4.0.
We will use MongoDB’s official repository to get the required version.
cat << EOF > /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8Server/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
Install the community edition of MongoDB using the following command.
dnf install -y mongodb-org
Start the MongoDB service and enable it to start at boot. MongoDB 4.0 binds to 127.0.0.1 by default; leave it that way, since no authentication is configured here and only Graylog on this host needs to reach it.
systemctl start mongod
systemctl enable mongod
Install Graylog
The Graylog server accepts and processes log messages from its inputs, stores them in Elasticsearch, and serves the web interface and REST API that query them.
Install the Graylog repository rpm to auto-setup the repository configuration.
dnf install -y https://packages.graylog2.org/repo/packages/graylog-3.2-repository_latest.rpm
Install the Graylog server using the following command.
dnf install -y graylog-server
Edit the server.conf file to begin the graylog configuration.
vi /etc/graylog/server/server.conf
Generate the password_secret with the following command. Graylog uses this value to pepper the stored user passwords, so it must be at least 64 characters long, must be identical on every node of a cluster, and must be kept as confidential as a key.
pwgen -N 1 -s 96
Output:
1dcw10Snsvk1bKgkARGNaalO3QeZqkPG8pUcbJO3oF5ktYvDUeqRTaErFixOR95Nrv40FCFRClXIdnxwknGtl4HDrTspWmom
Place the secret in server.conf. Use your own freshly generated value, never the one printed here.
password_secret = 1dcw10Snsvk1bKgkARGNaalO3QeZqkPG8pUcbJO3oF5ktYvDUeqRTaErFixOR95Nrv40FCFRClXIdnxwknGtl4HDrTspWmom
Set the hashed password for the root user, i.e. the Graylog admin. You will need this password to log in to the Graylog web interface.
If you ever need to reset a forgotten admin password, update root_password_sha2 in server.conf with a new hash and restart Graylog.
Generate the hash with the command below, replacing yourpassword with a password of your choice. The hash is an unsalted SHA-256, so anyone who can read server.conf can run an offline dictionary attack against it; pick a long, random password. The command line (including the password) is also written to your shell history, so clear it afterwards (history -c in bash).
echo -n yourpassword | shasum -a 256 | cut -d' ' -f1
Output:
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Place the hash password.
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
You can set up an email address for the admin user.
root_email = "itzgeek.web@gmail.com"
Set timezone of root (admin) user.
root_timezone = UTC
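The secret-and-hash steps above, as an added example that is not part of the original article or of Graylog itself: a POSIX shell script that generates a 96-character password_secret, hashes an admin password read with terminal echo turned off (so it never lands in shell history, unlike the echo | shasum one-liner), and rewrites both keys in server.conf in place. The key names and value formats are the ones Graylog's server.conf uses; the config path, the --apply flag, the 12-character minimum and the fallback to shasum are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the Graylog project: write password_secret and
# root_password_sha2 into server.conf without the admin password ever
# appearing on a command line or in shell history.
# Assumptions: the stock server.conf layout ("key = value", defaults shipped
# commented out), coreutils (sha256sum or shasum, tr, head, awk), and the
# default config path below unless GRAYLOG_CONF overrides it.
set -e

CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# Hex SHA-256 of $1 with no trailing newline, the value root_password_sha2
# expects (same as `echo -n pw | shasum -a 256`, minus the "  -" suffix).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum
  else
    printf '%s' "$1" | shasum -a 256
  fi | awk '{ print $1 }'
}

# 96 random alphanumeric characters from the kernel CSPRNG, equivalent to
# `pwgen -N 1 -s 96` but without needing pwgen installed.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Set "key = value" in a config file: the first active or commented-out
# ("#key = ...") occurrence is replaced, otherwise the line is appended.
# Values here are alphanumeric/hex, so awk's -v escape handling is harmless.
set_conf_key() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0; re = "^[# \t]*" k "[ \t]*=" }
    !done && $0 ~ re { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$file" >"$tmp"
  cat "$tmp" >"$file"   # rewrite in place so owner and mode are preserved
  rm -f "$tmp"
}

# Interactive driver: read the admin password with terminal echo off, refuse
# short passwords (root_password_sha2 is an unsalted hash, cheap to crack
# offline for anyone who can read server.conf), then write both secrets.
configure_graylog_auth() {
  conf=$1
  printf 'Graylog admin password: ' >&2
  stty -echo
  read -r pw
  stty echo
  printf '\n' >&2
  if [ "${#pw}" -lt 12 ]; then
    echo "refusing: use at least 12 characters" >&2
    return 1
  fi
  set_conf_key "$conf" password_secret "$(gen_secret)"
  set_conf_key "$conf" root_password_sha2 "$(sha256_hex "$pw")"
  chmod 640 "$conf"   # the secret peppers every stored user password
}

# Run as: sh graylog-auth.sh --apply   (script name and flag are assumptions)
if [ "${1:-}" = "--apply" ]; then
  configure_graylog_auth "$CONF"
fi
```

Run it once per node with --apply and then copy the same password_secret to every other node of the cluster; the hash can differ per node only if you intend different admin passwords, which you normally do not.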
Configure Graylog web interface
Since Graylog 2.x the web interface is served by the Graylog server itself. Enable it by editing server.conf.
vi /etc/graylog/server/server.conf
Set the address and port on which Graylog serves the web interface and REST API. Replace 192.168.0.10 with your system's IP address. Note that this serves plain HTTP, so the admin credentials cross the network in clear text; for anything beyond a lab, terminate TLS in front of Graylog (a reverse proxy, or Graylog's own http_enable_tls settings in the same file).
http_bind_address = 192.168.0.10:9000
If you access Graylog through a public IP address behind NAT, also set the external URI so that the web interface generates correct links. Otherwise, skip it.
http_external_uri = http://public_ip:9000/
Restart the Graylog service.
systemctl daemon-reload
systemctl restart graylog-server
Make the Graylog server start automatically at boot.
systemctl enable graylog-server
You can check out the server startup logs to troubleshoot Graylog for any issues.
tail -f /var/log/graylog-server/server.log
If everything goes well, you should see the server up and running message in the server.log file.
2020-02-08T10:26:54.484-05:00 INFO [ServerBootstrap] Graylog server up and running.
Firewall
On CentOS 8 / RHEL 8 the firewall blocks most incoming traffic from other machines by default.
Add an allow rule for the Graylog web interface only, so that we can reach it from other machines. Leave Elasticsearch (9200/9300) and MongoDB (27017) closed: neither has authentication in this setup, and only Graylog on the same host needs to reach them.
firewall-cmd --permanent --add-port=9000/tcp
firewall-cmd --reload
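A check to run after the firewall step, as an added example that is not part of the original article or of Graylog: it reads the listening sockets reported by ss and flags any Elasticsearch or MongoDB port that is bound to something other than loopback, so you are not relying on the firewall alone to keep the unauthenticated backends off the network. The port list and the --live flag are my choices; the sample ss lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the Graylog project: check which of the three
# daemons are reachable from other hosts by reading `ss -ltn` output.
# Only the Graylog web/API port (9000) should be bound to a routable
# address; Elasticsearch (9200 HTTP, 9300 transport) and MongoDB (27017)
# have no authentication in this setup and must stay on loopback.
# Assumes the iproute2 `ss` column layout: State Recv-Q Send-Q Local:Port Peer:Port.
set -e

BACKEND_PORTS="9200 9300 27017"

# Reads `ss -ltn` lines on stdin and prints one line per backend socket:
#   LOOPBACK <port> <addr>   or   EXPOSED <port> <addr>
# Exit status is 1 when any backend port listens on a non-loopback address.
audit_listeners() {
  awk -v ports="$BACKEND_PORTS" '
    BEGIN {
      n = split(ports, p, " ")
      for (i = 1; i <= n; i++) want[p[i]] = 1
      bad = 0
    }
    $1 != "LISTEN" { next }            # skips the header row and anything odd
    {
      la = $4                          # e.g. 127.0.0.1:27017  [::1]:9200  *:9300  0.0.0.0:9000
      i = length(la)
      while (i > 0 && substr(la, i, 1) != ":") i--   # last colon separates the port
      addr = substr(la, 1, i - 1)
      port = substr(la, i + 1)
      if (!(port in want)) next
      if (addr == "127.0.0.1" || addr == "[::1]") {
        print "LOOPBACK", port, addr
      } else {
        print "EXPOSED", port, addr
        bad = 1
      }
    }
    END { exit bad }
  '
}

# Live check on this host. With the firewall rule from this guide only 9000
# is opened anyway, but a backend bound to 0.0.0.0 is one dropped rule away
# from the network: fix network.host / bindIp rather than rely on the firewall.
if [ "${1:-}" = "--live" ]; then
  ss -ltn | audit_listeners
fi
```

Any EXPOSED line for 9200, 9300 or 27017 means network.host in elasticsearch.yml or bindIp in mongod.conf was changed from its loopback default and should be put back before the host goes anywhere near production.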
Access Graylog web interface
Access the web interface by going to the below URL.
http://ip.add.re.ss:9000
Log in with the username admin and the plaintext password whose SHA-256 hash you placed in root_password_sha2 in server.conf.
Once you logged in, you would see the getting started page.
Click on System » Overview to know the status of the Graylog server.
Conclusion
That's all. You have successfully installed Graylog on CentOS 8 / RHEL 8. In the next article, we will configure Graylog to receive rsyslog logs from external sources. As a further step, put Nginx or Apache in front of Graylog as a reverse proxy and set up HTTPS for the web interface, so that logins and REST API calls are no longer sent in clear text.