Are you trying to install Graylog on CentOS 7?

This guide is for you.

Rsyslog is installed in CentOS by default. However, it requires more work to get the configuration right and it is a difficult task. While figuring out the log management technique we found out that Graylog is easy to use as it has a web interface.

Here at Ibmi Media, as part of our Server management Services, we regularly help our Customers to perform Software Installation tasks.

In this context, we shall look into the steps to install Graylog 3.0 on CentOS 7.

More about Graylog on CentOS 7 ?

Rsyslog is the most popular Syslog implementation used for log management. Since it requires more work to get the configuration right, some of our customers suggest us to install Graylog, which is a complete logging solution.

is an open-source powerful log management tool that has many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is based on Elasticsearch, Java, and MongoDB.

Components of Graylog

Graylog has four main components:

i. Graylog Server

A worker that receives and processes messages, and communicates with all other non-server components is a Graylog server. Its performance is CPU dependent.

ii. Elasticsearch

Since it stores the log messages from the Graylog server, we have a facility to search them according to our needs. We need to allocate more memory and use SAS or SAN disks as it does indexing of data. Its performance is RAM and disk I/O dependent.

iii. MongoDB

MongoDB stores metadata and does not experience much load.

iv. Web Interface

This is the user interface.

Below, you will learn an effective method to install Graylog 3.0 on CentOS 7.

How to Install Graylog on CentOS 7

In order to begin, our Support Engineers suggest having the following requisites.

i. CentOS 7 server with at least 2GB of RAM.

ii. A user with root or superuser access.

EPEL repository.

# yum install epel-release

Java on the machine.

# yum install -y java-1.8.0-openjdk-headless

Verify the Java version.

# java -version

Our output will be similar to:

openjdk version “1.8.0_191”
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
An updated system.
# yum update -y

How to Install MongoDB ?

As we mentioned earlier, MongoDB acts as a database that stores the configurations and meta information. Its installation is easy and quick.

Here, we will use MongoDB’s official repository to get the latest version of MongoDB.

# vi /etc/yum.repos.d/mongodb-org-4.0.repo

Add repository information to the above file.

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

We install the community edition of MongoDB using the following command.

# yum install -y mongodb-org

Then we start the MongoDB service and enable it to the system start-up.

# systemctl start mongod
# systemctl enable mongod

Eventually, the service will be up and running.

How to Install Elasticsearch ?

An important component in the Graylog setup, it stores the data from Graylog input and displays the messages whenever a user request over the Graylog built-in web interface.

Its primary use is to index the data/logs and provide the search functionality when the Graylog web interface request any information.

Before the installation we need to import the GPG signing key:

# rpm –import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Then we create a repository file to get the latest version of the Elasticsearch package from the official repository.

# vi /etc/yum.repos.d/elasticsearch.repo

Subsequently, we need to add the below content to the above file.

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Now, we can install the Elasticsearch package with the yum command.

# yum install -y elasticsearch

Reload the systemctl daemon and enable Elasticsearch to start automatically on the system startup.

# systemctl daemon-reload
# systemctl enable elasticsearch

We need to edit the elasticsearch.yml file and set the cluster name to Graylog for Elasticsearch to work with Graylog setup.

# vi /etc/elasticsearch/elasticsearch.yml

The update should be like this:

cluster.name: graylog

Later, restart the Elasticsearch service.

# systemctl restart elasticsearch

It will take about one minute for the Elasticsearch to restart. Elasticsearch will now listen to 9200 for processing HTTP requests.

In case we want to check the response, we can use the CURL command:

# curl -X GET http://localhost:9200

The cluster name should be Graylog.

Then, we need to perform a health check of the Elasticsearch cluster.

# curl -XGET ‘http://localhost:9200/_cluster/health?pretty=true’

Make sure the cluster status comes as green.

How to Install Graylog Server ?

Graylog server accepts and processes the log messages coming from the various inputs. It will also display data to requests that come from the Graylog web interface.

In order to download and install Graylog 3.x repository we run:

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm

We install the Graylog server using the following command.

# yum -y install graylog-server

Then edit the server.conf file to begin the Graylog configuration.

# vi /etc/graylog/server/server.conf

We use the following command to create a secret:

pwgen -N 1 -s 96

Our output will be similar to:

OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Place the secret below in server.conf

password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Set the hash password for the root user, i.e., admin of Graylog. We need this password to login into the Graylog web.

We can edit/update the server.conf with a hashed password if we want to change/reset the forgotten password of the admin.

To generate a hash password use the below command. Replace yourpassword with our choice.

# echo -n yourpassword | sha256sum

Our output will be similar to:

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Here, place the hash password.

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Subsequently, we can set up an email address for the admin user.

root_email = "ibmimedia@ibmimedia.com"
Set timezone of root (admin) user.
root_timezone = UTC

Set only one master node by defining the below variable, the default setting is true.

If this server is our second Graylog node in our environment, set it to false to make this node a slave.

is_master = true

Set the number of log messages to keep per index. It is recommended to have several smaller indices instead of larger ones.

elasticsearch_max_docs_per_index = 20000000

The following parameter defines to have a total number of indices. When it reaches this number the old index will be deleted.

elasticsearch_max_number_of_indices = 20

Shards setting relies on the number of nodes in the particular Elasticsearch cluster. If we have only one node, set it as 1.

elasticsearch_shards = 1

This defines the number of replicas for our indices. If we have only one node in the Elasticsearch cluster, set it as 0.

elasticsearch_replicas = 0 

How to Install Graylog Web Interface ?

We need to edit the server.conf file to enable the Graylog web interface.

# vi /etc/graylog/server/server.conf

To let Graylog Web Interface connect to the Graylog server, we modify the entries. Replace xxx.xxx.xxx.xxx with proper IP address.

http_bind_address = xxx.xxx.xxx.xxx:9000

Then we restart Graylog service.

# systemctl daemon-reload
# systemctl restart graylog-server

Make Graylog server start automatically on system startup.

# systemctl enable graylog-server

We can check out the server startup logs, which will be useful to troubleshoot Graylog for any issues.

# tailf /var/log/graylog-server/server.log

If everything goes well, we will see the below message in the server.log file.

2021-01-20T21:00:23.157+05:30 INFO [ServerBootstrap] Graylog server up and running.

Configuring Firewall & SELinux

In CentOS 7/RHEL 7, firewall rules are set to block most of the traffic coming from the external machines by default. We need to add allow rules for Graylog to work correctly.

$ firewall-cmd –permanent –add-port=9000/tcp

Reload firewalld to take effect of the new rules.

$ firewall-cmd –reload

If we have SELinux enabled on the system, then we will need to add a few exceptions in SELinux policies.

$ setsebool -P httpd_can_network_connect 1
$ semanage port -a -t http_port_t -p tcp 9000
$ semanage port -a -t http_port_t -p tcp 9200
$ semanage port -a -t mongod_port_t -p tcp 27017

How to Configure Graylog to Receive Syslog messages ?

Log into Graylog Web Interface

In the web browser, go to port 9000 of the server’s public IP address:

http://graylog_public_IP:9000/

We should see a login screen. Enter admin as username and the admin password set earlier.

The red number at the top will show a message that says we have a node without any running inputs.

How to Create Syslog UDP Input ?

To add an input to receive Syslog messages:

1. Click on the System drop-down in the top menu.

2. Now, from the drop-down menu, select Inputs.

3. Then select Syslog UDP from the drop-down menu and click the Launch new input button.

A "Launch a new input: Syslog UDP' modal window will pop up. Enter the following information:

Title: syslog
Port: 8514
Bind address: graylog_private_IP

4. Then click Launch.

We should now see an input named “syslog” in the Local inputs section (with a green box that says “running” next to it).

Now the Graylog server is ready to receive syslog messages on port 8514 from the servers.

How to Configure Rsyslog to Send Syslogs to Graylog Server ?

Once we have created the inputs, configure Rsyslog or forward any system logs to our Graylog server.

Perform the following steps on all the client servers that we want to send syslog messages to Graylog.

Initially, edit the Rsyslog configuration file.

# vi /etc/rsyslog.conf

Typical Rsyslog configuration will look like below to send logs on UDP 8514.

*.info;mail.none;authpriv.none;cron.none @graylog_private_IP:8514

Then we restart the Rsyslog service to send logs.

# systemctl restart rsyslog

After configuring rsyslog on all the servers to monitor, go back to the Graylog web interface.

How to View Graylog Sources ?

In the web browser, go to port 9000 of the server’s public IP address:

In a web browser: http://graylog_public_IP:9000/

Then click on Sources in the top bar. It will have a list of all of the servers that we configured rsyslog on.

The hostname of the sources is on the left, with the number of messages received by Graylog on the right.

How to Search Graylog Data ?

After letting Graylog collect messages for some time, we will be able to search through the messages.

For example, if we search for “sshd” to see what kind of SSH activity is happening on our servers, we will get results that reveal sshd logs for various servers, and failed root login attempts.

The results may vary. However, it can help to identify many issues, including how unauthorized users are attempting to access the servers.

Searching through data in Graylog is useful, for example, if we want to review the logs of a server or several servers after an incident.

Centralized logging makes it easier to correlate related incidents because we do not need to log into multiple servers to see all the occurrences.

[Are you having troubles with processing Graylog? We are here for you. ]