Are you trying to install Graylog on CentOS 7?
This guide is for you.
Rsyslog is installed on CentOS by default, but getting its configuration right for central log management takes real work. While evaluating log management options we found Graylog easier to operate, largely because it comes with a web interface.
Here at Ibmi Media, as part of our Server management Services, we regularly help our Customers to perform Software Installation tasks.
In this context, we shall look into the steps to install Graylog 3.0 on CentOS 7.
Rsyslog is the most widely used Syslog implementation for log management. Because its configuration takes more effort, some of our customers ask us to install Graylog instead, which is a complete logging solution.
Graylog is a powerful open-source log management tool with many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is built on Elasticsearch, Java, and MongoDB.
Graylog has four main components:
i. Graylog Server
The Graylog server is the worker that receives and processes messages and communicates with all the other components. Its performance is CPU-bound.
ii. Elasticsearch
Elasticsearch stores the log messages received from the Graylog server and indexes them so they can be searched. Because it indexes all of the data, give it plenty of memory and fast (SAS or SAN) disks; its performance is bound by RAM and disk I/O.
iii. MongoDB
MongoDB stores configuration and metadata only and does not see much load.
iv. Web Interface
This is the user interface.
Below, you will learn an effective method to install Graylog 3.0 on CentOS 7.
In order to begin, our Support Engineers suggest having the following requisites.
i. CentOS 7 server with at least 2GB of RAM.
ii. A user with root or superuser access.
iii. The EPEL repository (it also provides pwgen, which we use later to generate the Graylog secret).
# yum install -y epel-release
iv. Java 8 on the machine (Graylog 3.0 requires Java 8).
# yum install -y java-1.8.0-openjdk-headless
Verify the Java version.
# java -version
Our output will be similar to:
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
v. An updated system.
# yum update -y
As mentioned earlier, MongoDB is the database that stores Graylog's configuration and metadata. Its installation is quick.
Here, we use MongoDB's official repository to get the 4.0 series, which Graylog 3.0 supports.
# vi /etc/yum.repos.d/mongodb-org-4.0.repo
Add repository information to the above file.
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
We install the community edition of MongoDB using the following command.
# yum install -y mongodb-org
Then we start the MongoDB service and enable it at system start-up.
# systemctl start mongod
# systemctl enable mongod
The service will now be up and running. The packaged mongod.conf binds MongoDB to 127.0.0.1 only; leave it that way, since the Graylog server on the same host is its only client and no MongoDB authentication is configured in this guide.
Elasticsearch is an important component of the Graylog setup: it stores the data received by Graylog inputs and returns the messages whenever a user requests them through the Graylog web interface.
Its primary job is to index the logs and serve the searches that the Graylog web interface runs.
Before the installation we need to import the GPG signing key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Then we create a repository file to get the latest version of the Elasticsearch package from the official repository.
# vi /etc/yum.repos.d/elasticsearch.repo
Subsequently, we need to add the below content to the above file.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Now, we can install the Elasticsearch package with the yum command.
# yum install -y elasticsearch
Reload the systemctl daemon and enable Elasticsearch to start automatically on the system startup.
# systemctl daemon-reload
# systemctl enable elasticsearch
We need to edit the elasticsearch.yml file and set the cluster name to graylog so that the Graylog server can attach to the cluster. Graylog manages its own indices, so the Graylog documentation also recommends disabling automatic index creation.
# vi /etc/elasticsearch/elasticsearch.yml
The updated settings should look like this:
cluster.name: graylog
action.auto_create_index: false
Later, restart the Elasticsearch service.
# systemctl restart elasticsearch
Elasticsearch takes about a minute to restart and will then listen on port 9200 for HTTP requests. By default it binds to localhost only; keep it that way, because Elasticsearch has no authentication in this setup.
To check the response, we can use curl:
# curl -X GET http://localhost:9200
The cluster_name in the response should be graylog.
Then we perform a health check of the Elasticsearch cluster.
# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
Make sure the cluster status is green. A fresh single-node cluster reports green; if it later turns yellow, index replicas cannot be allocated, which is why the replica count is set to 0 further below for a single node.
The Graylog server accepts and processes the log messages coming from the various inputs. It also serves the data requested by the Graylog web interface.
In order to download and install Graylog 3.x repository we run:
# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
We install the Graylog server using the following command.
# yum -y install graylog-server
Then edit the server.conf file to begin the Graylog configuration.
# vi /etc/graylog/server/server.conf
We use pwgen (installed from EPEL) to create the secret:
# pwgen -N 1 -s 96
Our output will be similar to:
OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
Place the secret in server.conf as shown below. Do not reuse the value printed here: every installation needs its own secret, since it is used to secure stored user passwords, and all nodes of one Graylog cluster must share the same password_secret.
password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
Next, set the SHA-256 hash of the password for the root user, i.e. the admin of Graylog. We need this password to log in to the Graylog web interface.
The same entry in server.conf can be updated with a new hash later if the admin password has to be reset.
To generate the hash, use the command below, replacing yourpassword with a password of your choice. The -n matters: a trailing newline would be hashed as part of the password. Be aware that the password ends up in the shell history this way; prefix the command with a space (with HISTCONTROL=ignorespace) or read it from the terminal instead.
# echo -n yourpassword | sha256sum
Our output will be similar to:
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Here, place the hash password.
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Subsequently, we can set up an email address for the admin user.
root_email = "ibmimedia@ibmimedia.com"
Set timezone of root (admin) user.
root_timezone = UTC
Exactly one node in a Graylog cluster may be the master; the default setting below is true.
If this server is a second Graylog node in the environment, set it to false so that the node runs as a non-master.
is_master = true
Set the number of log messages to keep per index. Several smaller indices are recommended over a few large ones. Note that the four index settings below are only read on the first start, when Graylog creates its default index set; afterwards they are managed in the web interface under System > Indices.
elasticsearch_max_docs_per_index = 20000000
The following parameter defines to have a total number of indices. When it reaches this number the old index will be deleted.
elasticsearch_max_number_of_indices = 20
Shards setting relies on the number of nodes in the particular Elasticsearch cluster. If we have only one node, set it as 1.
elasticsearch_shards = 1
This defines the number of replicas for our indices. If we have only one node in the Elasticsearch cluster, set it as 0.
elasticsearch_replicas = 0
We need to edit the server.conf file to make the Graylog web interface reachable.
# vi /etc/graylog/server/server.conf
Graylog 3.0 binds its web interface and REST API to 127.0.0.1:9000 by default. To reach it from a browser, set the bind address to the server's IP, replacing xxx.xxx.xxx.xxx with the proper address. Prefer a private address: binding to a public IP exposes the login form over plain HTTP, so in that case enable TLS (http_enable_tls with http_tls_cert_file and http_tls_key_file) or put a TLS-terminating reverse proxy in front.
http_bind_address = xxx.xxx.xxx.xxx:9000
Then we restart Graylog service.
# systemctl daemon-reload
# systemctl restart graylog-server
Make Graylog server start automatically on system startup.
# systemctl enable graylog-server
We can follow the server startup log, which is the first place to look when troubleshooting Graylog.
# tail -f /var/log/graylog-server/server.log
If everything goes well, we will see the below message in the server.log file.
2021-01-20T21:00:23.157+05:30 INFO [ServerBootstrap] Graylog server up and running.
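The server.conf edits above can be scripted so they are applied the same way on every node. The script below is an added example written for this guide; it is not part of the article's original commands or of the Graylog project. It assumes GNU coreutils, awk and sed as found on CentOS 7, uses pwgen from EPEL when present (falling back to /dev/urandom), defaults the config path to /etc/graylog/server/server.conf, and reads the admin password from the terminal so it never lands in the shell history or in `ps` output.

```shell
#!/bin/bash
# Added example: apply the Graylog 3.0 server.conf keys from this guide idempotently.
# Assumptions: GNU coreutils (sha256sum, od), awk, sed; pwgen optional;
# config path /etc/graylog/server/server.conf unless overridden.
set -eu

# set_conf FILE KEY VALUE: turn the first "KEY = ..." line (commented or not) into
# the live setting, drop later uncommented duplicates, append if the key is absent.
# The file is rewritten in place so its owner and mode are preserved.
set_conf() {
    local file="$1" key="$2" value="$3"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; live = "^" k "[ \t]*="; any = "^[# \t]*" k "[ \t]*=" }
        !done && $0 ~ any { print k " = " v; done = 1; next }
        done && $0 ~ live { next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_conf FILE KEY: print the live (uncommented) value of KEY, empty if unset.
get_conf() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# gen_secret: 96 random characters for password_secret (pwgen -s is alphanumeric only).
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        # Fallback without pwgen: 48 random bytes rendered as 96 hex characters.
        od -An -v -tx1 -N 48 /dev/urandom | tr -d ' \n'
    fi
}

# sha256_hex: hex SHA-256 of stdin; feed the password with printf '%s' so no newline is hashed.
sha256_hex() {
    sha256sum | cut -d' ' -f1
}

# configure_graylog FILE PASSWORD [BIND]: write the keys this guide sets by hand.
configure_graylog() {
    local file="$1" password="$2" bind="${3:-127.0.0.1:9000}"
    set_conf "$file" password_secret "$(gen_secret)"
    set_conf "$file" root_password_sha2 "$(printf '%s' "$password" | sha256_hex)"
    set_conf "$file" root_timezone UTC
    set_conf "$file" is_master true
    set_conf "$file" http_bind_address "$bind"
}

# Usage: ./graylog-conf.sh --apply [BIND_ADDRESS]   (run as root on the Graylog node)
if [ "${1:-}" = "--apply" ]; then
    read -r -s -p "Graylog admin password: " pw
    echo
    configure_graylog /etc/graylog/server/server.conf "$pw" "${2:-127.0.0.1:9000}"
    echo "server.conf updated; restart with: systemctl restart graylog-server"
fi
```

Only the first matching line becomes the live setting, so the commented IPv6 example for http_bind_address that ships in server.conf stays a comment and no duplicate key is introduced. Run it without `--apply` to load the functions into a shell for inspection, and restart graylog-server afterwards as described above.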
In CentOS 7/RHEL 7, firewalld blocks most inbound traffic from external machines by default. We need allow rules for the web interface (9000/tcp) and for the Syslog UDP input on 8514 that we create below. Do not open 9200 or 27017: Elasticsearch and MongoDB have no authentication in this setup and only need to be reachable by the Graylog server on the same host.
# firewall-cmd --permanent --add-port=9000/tcp
# firewall-cmd --permanent --add-port=8514/udp
Reload firewalld for the new rules to take effect.
# firewall-cmd --reload
If SELinux is enabled on the system, we need to add a few exceptions to the SELinux policy. The semanage tool comes from the policycoreutils-python package; if a port is already defined for the target type, semanage reports it and you should use -m instead of -a. The first boolean is only needed when a web server such as Apache or nginx proxies requests to Graylog.
# setsebool -P httpd_can_network_connect 1
# semanage port -a -t http_port_t -p tcp 9000
# semanage port -a -t http_port_t -p tcp 9200
# semanage port -a -t mongod_port_t -p tcp 27017
Log into Graylog Web Interface
In the web browser, go to port 9000 of the server’s public IP address:
http://graylog_public_IP:9000/
We should see a login screen. Enter admin as username and the admin password set earlier.
The red number at the top will show a message that says we have a node without any running inputs.
To add an input to receive Syslog messages:
1. Click on the System drop-down in the top menu.
2. Now, from the drop-down menu, select Inputs.
3. Then select Syslog UDP from the drop-down menu and click the Launch new input button.
A "Launch a new input: Syslog UDP" modal window will pop up. Enter the following information:
Title: syslog
Port: 8514
Bind address: graylog_private_IP
We use 8514 rather than the standard syslog port 514 because the Graylog server runs as the unprivileged graylog user and cannot bind ports below 1024 without extra setup.
4. Then click Launch.
We should now see an input named "syslog" in the Local inputs section (with a green box that says "running" next to it).
The Graylog server is now ready to receive syslog messages on UDP port 8514 from the other servers.
Once the input exists, configure Rsyslog on the client systems to forward their logs to the Graylog server.
Perform the following steps on all the client servers that we want to send syslog messages to Graylog.
Initially, edit the Rsyslog configuration file.
# vi /etc/rsyslog.conf
A typical selector line to forward logs to the input on UDP 8514 looks like this (a single @ means UDP; @@ would select TCP):
*.info;mail.none;cron.none @graylog_private_IP:8514
Do not add authpriv.none here as the default /var/log/messages rule does: on CentOS sshd logs to the authpriv facility, so excluding it would drop exactly the SSH login messages searched for later in this guide. Syslog over UDP is neither authenticated nor encrypted, so keep this traffic on a private network.
Then we restart the Rsyslog service to send logs.
# systemctl restart rsyslog
After configuring rsyslog on all the servers to monitor, go back to the Graylog web interface on port 9000 of the server's public IP address:
http://graylog_public_IP:9000/
Then click on Sources in the top bar. It will have a list of all of the servers that we configured rsyslog on.
The hostname of the sources is on the left, with the number of messages received by Graylog on the right.
After letting Graylog collect messages for some time, we will be able to search through the messages.
For example, if we search for “sshd” to see what kind of SSH activity is happening on our servers, we will get results that reveal sshd logs for various servers, and failed root login attempts.
The results may vary. However, it can help to identify many issues, including how unauthorized users are attempting to access the servers.
Searching through data in Graylog is useful, for example, if we want to review the logs of a server or several servers after an incident.
Centralized logging makes it easier to correlate related incidents because we do not need to log into multiple servers to see all the occurrences.
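To make the two points above concrete, the rsyslog selector caveat and the "sshd" search, here is an added example that works on constructed syslog lines offline. It is not code from the article or from the Graylog or rsyslog projects. It parses lines in the RFC 3164 shape rsyslog forwards by default, evaluates a legacy rsyslog selector to show which lines would actually reach the Graylog input, and runs the failed-SSH-login search over the same lines. The hostnames, IPs and timestamps in the sample are placeholders; the selector evaluator covers the facility.priority, none and * forms used in this guide and not the = and ! modifiers.

```python
"""Added example: parse rsyslog-forwarded syslog lines, evaluate a legacy
rsyslog selector, and count failed SSH logins the way the Graylog search does.
All sample lines are constructed; hosts and IPs are placeholders."""

import re
from collections import Counter

# Syslog facility and severity codes (RFC 3164 values; PRI = facility * 8 + severity).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# <PRI>MMM DD HH:MM:SS host app[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample traffic: sshd on authpriv (PRI 86), systemd on daemon (30), cron (78).
SAMPLE_LINES = [
    "<86>Jan 20 21:01:02 web01 sshd[2121]: Failed password for root from 203.0.113.5 port 41022 ssh2",
    "<86>Jan 20 21:01:05 web01 sshd[2121]: Failed password for root from 203.0.113.5 port 41030 ssh2",
    "<86>Jan 20 21:01:09 web01 sshd[2130]: Failed password for invalid user admin from 203.0.113.5 port 41044 ssh2",
    "<86>Jan 20 21:02:11 db01 sshd[918]: Accepted publickey for deploy from 10.0.0.7 port 51200 ssh2",
    "<30>Jan 20 21:02:30 web01 systemd[1]: Started Session 42 of user deploy.",
    "<78>Jan 20 21:03:01 db01 CROND[1001]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_syslog(line):
    """Split one line into facility/severity/host/app/pid/msg; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": FACILITY_NAMES.get(pri // 8, "unknown"),
        "severity": pri % 8,
        "host": m.group("host"),
        "app": m.group("app"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def selector_matches(selector, facility, severity):
    """Evaluate a legacy rsyslog selector such as '*.info;mail.none;authpriv.none'.
    Entries are applied left to right and later ones override earlier ones for the
    facilities they name: 'none' drops a facility, '*' matches every facility or
    priority, and a priority name matches that level and anything more urgent."""
    result = False
    for entry in selector.split(";"):
        fac_part, _, pri_part = entry.strip().partition(".")
        facs = set(FACILITIES) if fac_part == "*" else set(fac_part.split(","))
        if facility not in facs:
            continue
        if pri_part == "none":
            result = False
        elif pri_part == "*":
            result = True
        else:
            result = severity <= SEVERITIES[pri_part]
    return result


def forwarded(lines, selector):
    """Return the parsed lines rsyslog would send to the Graylog input under this selector."""
    out = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and selector_matches(selector, rec["facility"], rec["severity"]):
            out.append(rec)
    return out


def failed_ssh_logins(lines):
    """Count failed SSH password attempts per (host, user, source IP), as the 'sshd' search shows."""
    hits = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if not rec or rec["app"] != "sshd":
            continue
        m = FAILED_RE.match(rec["msg"])
        if m:
            hits[(rec["host"], m.group("user"), m.group("src"))] += 1
    return hits


if __name__ == "__main__":
    for sel in ("*.info;mail.none;authpriv.none;cron.none", "*.info;mail.none;cron.none"):
        print(f"{sel!r}: {len(forwarded(SAMPLE_LINES, sel))} of {len(SAMPLE_LINES)} lines forwarded")
    for (host, user, src), n in failed_ssh_logins(SAMPLE_LINES).most_common():
        print(f"{host}: {n} failed logins for {user!r} from {src}")
```

Run against the sample, the default /var/log/messages selector with authpriv.none forwards only the systemd line, while the selector recommended in this guide forwards all the sshd lines as well, and the search then attributes three failed attempts on web01 to one source address.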
This article covered the steps to install #Graylog on #CentOS 7 and an effective method to make the logs more structured and searchable.
Graylog is a leading centralized log management solution built to open standards for capturing, storing, and enabling real-time analysis of terabytes of #machine data.
Graylog is an open source log management platform which enables you to aggregate up to terabytes of log data, from multiple log sources, DCs, and geographies with the capability to scale horizontally in your data center, #cloud, or both.
To #Install Graylog 3 with Elasticsearch on CentOS 7:
1. Configure #SELinux.
2. Add required #repositories
3. Install #Java, #Elasticsearch, and #MongoDB.
4. Configure Elasticsearch for Graylog.
5. Install Graylog 3 on CentOS 7.
6. Start Graylog service on CentOS 7.