How To Install Graylog on CentOS 8 / RHEL 8

Graylog is an open-source log management tool that helps you to collect, store and analyze machine logs in a central location.

Graylog Setup

To set up a Graylog on your environment, you need the below softwares.

1. MongoDB – Stores the configurations and meta information.
2. Elasticsearch – Stores the log messages received from the Graylog server and provides a facility to search them whenever required. Elasticsearch is a resource monger as it does indexing of data, so allocate more memory and use SAS or SAN disks.
3. Graylog server – Parsing the logs that are coming from various inputs and provides built-in Web Interface to handle those logs.

This guide will help you to install Graylog on CentOS 8 / RHEL 8.

Prerequisites

EPEL Repository

We need to enable the EPEL repository to download and install the required utilities.

Install Packages

You would need to install the below packages for Graylog installation.

dnf install -y wget pwgen perl-Digest-SHA

Install Java

Elasticsearch requires Java to be installed on the machine. So, install either OpenJDK or Oracle JDK.

dnf install -y java-1.8.0-openjdk-headless

Verify the Java version.

java -version

Output:

openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

Install Elasticsearch

Elasticsearch is one of the important software in the Graylog setup. The purpose of Elasticsearh is to store the data coming from Graylog input and displays them over the Graylog built-in web interface on request.

Graylog supports Eleasticsearch v6.x.

Import the GPG signing key before the installation.

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Configure a repository to get Elasticsearch v6.x package from the official repository.

cat << EOF > /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Now, install the Elasticsearch package using
dnf command.

dnf install -y elasticsearch-oss

To make Elasticsearch work with Graylog setup, we need to set the cluster name to graylog.

Edit the elasticsearch.yml file.

vi /etc/elasticsearch/elasticsearch.yml

Update it, as shown below.

cluster.name: graylog action.auto_create_index: false

Reload the systemctl daemon and enable Elasticsearch to start automatically on the system startup.

systemctl daemon-reload systemctl enable elasticsearch

Restart the Elasticsearch.

systemctl restart elasticsearch

Give a minute or two to let the Elasticsearch get fully started.

Elastisearch should now be listening to 9200 for processing HTTP requests. Use the CURL command to check the response.

curl -X GET http://localhost:9200

Cluster name should be graylog.

{ "name" : "eaTfFg6", "cluster_name" : "graylog", "cluster_uuid" : "u-ageNH-RHGIzpfxDtNsgQ", "version" : { "number" : "6.8.6", "build_flavor" : "oss", "build_type" : "rpm", "build_hash" : "3d9f765", "build_date" : "2019-12-13T17:11:52.013738Z", "build_snapshot" : false, "lucene_version" : "7.7.2", "minimum_wire_compatibility_version" : "5.6.0", "minimum_index_compatibility_version" : "5.0.0" }, "tagline" : "You Know, for Search"
}

Install MongoDB

MongoDB acts as a database to store the configurations and meta information.

Graylog supports MongoDB v4.0 only.

We will use MongoDB’s official repository to get the required version.

cat << EOF > /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8Server/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

Install the community edition of MongoDB using the following command.

dnf install -y mongodb-org

Start the MongoDB service and enable it to the system start-up.

systemctl start mongod systemctl enable mongod

Install Graylog

Graylog server accepts and processes the log messages coming from various inputs and displays data to requests that come from the graylog web interface with the help of Elasticsearch.

Install the Graylog repository rpm to auto-setup the repository configuration.

dnf install -y https://packages.graylog2.org/repo/packages/graylog-3.2-repository_latest.rpm

Install the Graylog server using the following command.

dnf install -y graylog-server

Edit the server.conf file to begin the graylog configuration.

vi /etc/graylog/server/server.conf

Use the following command to create a secret

pwgen -N 1 -s 96

Output:

1dcw10Snsvk1bKgkARGNaalO3QeZqkPG8pUcbJO3oF5ktYvDUeqRTaErFixOR95Nrv40FCFRClXIdnxwknGtl4HDrTspWmom

Place the secret on the server.conf file.

password_secret = 1dcw10Snsvk1bKgkARGNaalO3QeZqkPG8pUcbJO3oF5ktYvDUeqRTaErFixOR95Nrv40FCFRClXIdnxwknGtl4HDrTspWmom

Set the hash password for the root user, i.e., admin of graylog. You would need this password to login to the Graylog web interface.

If you ever want to change/reset the forgotten password of Gralog admin, you can edit/update the server.conf with a hashed password.

Generate a hashed password using the below command. Replace yourpassword with the choice of yours.

echo -n yourpassword | shasum -a 256

Output:

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Place the hash password.

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

You can set up an email address for the admin user.

root_email = "itzgeek.web@gmail.com"

Set timezone of root (admin) user.

root_timezone = UTC

Configure Graylog web interface

From the Graylog version 2.x, the web interface is served directly by the Graylog server. Enable the Graylog web interface by editing the server.conf file.

vi /etc/graylog/server/server.conf

Modify the entries to let Graylog Web Interface to connect to the Graylog server. Replace 192.168.0.10 with your system IP address.

http_bind_address = 192.168.0.10:9000

If you happen to access the Graylog using public IP address due to NATing, update the below values. Otherwise, skip it.

http_external_uri = http://public_ip:9000/

Restart Graylog service.

systemctl daemon-reload systemctl restart graylog-server

Make Graylog server to start automatically on system startup.

systemctl enable graylog-server

You can check out the server startup logs to troubleshoot Graylog for any issues.

tail -f /var/log/graylog-server/server.log

If everything goes well, you should see the server up and running message in the server.log file.

2020-02-08T10:26:54.484-05:00 INFO [ServerBootstrap] Graylog server up and running.

Firewall

In CentOS 8 / RHEL 8, firewall rules are set to block most of the traffic coming from the external machines by default.

Add a allow rule for the Graylog web interface so that we can access it from external machines.

firewall-cmd --permanent --add-port=9000/tcp firewall-cmd --reload

Access Graylog web interface

Access the web interface by going to the below URL.

http://ip.add.re.ss:9000

Log in with username admin and the password you configured at root_password_sha2 on server.conf.

Once you logged in, you would see the getting started page.

Click on System » Overview to know the status of the Graylog server.

Conclusion

That’s All. You have successfully installed Graylog on CentOS 8 / RHEL 8. In the next article, we will configure Graylog to receive Rsyslog logs from external sources. As a further read, you can try configuring Nginx or Apache as a reverse proxy and set up HTTPS for the Graylog web interface.