How To Install and Configure Graylog Server on CentOS 7

Graylog is an open source log management platform that collects, indexes and analyzes logs from remote systems in one central place.

Graylog is built from three components:
Elasticsearch: stores the log messages handed to it by the Graylog server and provides the search facility.
MongoDB: database for configuration and metadata (users, streams, inputs), not for the log data itself.
Graylog Server: receives and parses the logs arriving on its inputs and serves the web interface used to manage and search them.

In this tutorial, we will learn how to install and configure the Graylog server on CentOS 7/RHEL 7.

0./ Prerequisites

– To install Graylog, we first need these additional packages (Graylog 2.2 requires Java 8; pwgen is used later to generate the password secret):

[root@server ~]# sudo yum install java-1.8.0-openjdk-headless.x86_64 -y
[root@server ~]# sudo yum install epel-release -y
[root@server ~]# sudo yum install pwgen -y

1./ Install MongoDB

– MongoDB is not available in the default CentOS repository, so add the MongoDB repo first by creating the file mongodb-org-3.2.repo under the /etc/yum.repos.d/ directory:

[root@server ~]# vi /etc/yum.repos.d/mongodb-org-3.2.repo

– Add the following contents:

[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

– Install MongoDB by running the following command:

[root@server ~]# sudo yum install mongodb-org -y

– Start the MongoDB service and enable it to start on boot with the following command:

[root@server ~]# sudo chkconfig --add mongod
[root@server ~]# sudo systemctl daemon-reload
[root@server ~]# sudo systemctl enable mongod.service
[root@server ~]# sudo systemctl start mongod.service

2./ Install and Configure Elasticsearch

– To install Elasticsearch, first import the Elastic GPG key so that yum can verify the package signatures (gpgcheck=1 in the repo file below depends on it):

[root@server ~]# sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

– Elasticsearch is not available in the default CentOS repositories either. Create a repo file for it:

[root@server ~]# vi /etc/yum.repos.d/elasticsearch.repo

– Add the following contents:

[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

– Now, install Elasticsearch using the following command:

[root@server ~]# sudo yum install elasticsearch -y 

– Open the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml) and set the cluster name to graylog. Leave network.host at its Elasticsearch 2.x default, which binds to loopback only: Elasticsearch has no authentication in this setup, so it must be reachable only by the Graylog process on this host (and Graylog must therefore be pointed at 127.0.0.1:9300 in its own configuration). Only set network.host to a routable address if Graylog runs on another machine, and then firewall 9200/9300 to that machine alone.

[root@server ~]# vi /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog

– After you have modified the configuration, you can start Elasticsearch:

[root@server ~]# sudo chkconfig --add elasticsearch
[root@server ~]# sudo systemctl daemon-reload
[root@server ~]# sudo systemctl enable elasticsearch.service
[root@server ~]# sudo systemctl restart elasticsearch.service

– Check the cluster health with the following command; cluster_name must be graylog and status should be green:

[root@server ~]# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

3./ Install and Configure Graylog

– We need to download and install the Graylog repository using the following command:

[root@server ~]# sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm

– Install the Graylog server with the following command:

[root@server ~]# sudo yum install graylog-server -y

– After you have installed the Graylog server, generate the password_secret. Graylog uses it for password encryption and salting, so it must be unique to this installation and kept private. Generate it with the following command (the value shown is only an example; use the one your command produces):

[root@server ~]# pwgen -N 1 -s 96
MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2

– Now create the SHA-256 hash of the password for the root (admin) user of the Graylog web interface. Replace Password with a strong password of your own, and keep in mind that a password typed on the command line this way is recorded in the shell history; clear it afterwards (or read the password from a silent prompt instead).

[root@server ~]# echo -n Password | sha256sum
e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a

– Edit the server.conf file:

[root@server ~]# sudo vi /etc/graylog/server/server.conf

– Make the changes shown below. Graylog runs on the same host as Elasticsearch, so it connects to the loopback transport port; the Elasticsearch cluster name defaults to graylog, matching elasticsearch.yml:

password_secret = MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
root_password_sha2 = e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
root_email = admin@linuxmasterswiki.com
root_timezone = UTC
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
elasticsearch_shards = 1

– The following three lines are Elasticsearch options, not Graylog ones, and are ignored in server.conf. They belong in /etc/elasticsearch/elasticsearch.yml, where they disable dynamic scripting in Elasticsearch 2.x (restart Elasticsearch after adding them):

script.inline: false
script.indexed: false
script.file: false

– To serve the REST API and the web interface on the server's address rather than only on localhost, set the listen URIs as shown below (in Graylog 2.2 the browser calls the REST API directly, so both ports must be reachable from the clients):

rest_listen_uri = http://192.168.1.200:12900/
web_listen_uri = http://192.168.1.200:9000/

Both are plain HTTP, so the admin password and session tokens cross the network unencrypted. For anything beyond a lab, either enable TLS in server.conf (rest_enable_tls and web_enable_tls together with the rest_tls_cert_file/rest_tls_key_file and web_tls_cert_file/web_tls_key_file settings) or terminate TLS in a reverse proxy in front of Graylog.

– After you have modified the configuration file, you can start the Graylog service using the following commands:

[root@server ~]# sudo chkconfig --add graylog-server
[root@server ~]# sudo systemctl daemon-reload
[root@server ~]# sudo systemctl enable graylog-server.service
[root@server ~]# sudo systemctl start graylog-server.service
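The secret-and-password step above, done without the password ever appearing on a command line, as an added example that is not part of the original page or of Graylog itself. It generates a 96-character password_secret from /dev/urandom (same shape as the pwgen output), hashes the admin password read from a silent prompt, and writes both keys into server.conf in place. It assumes a POSIX sh with coreutils (tr, head, cut, sha256sum or shasum) and a server.conf in the "key = value" format shown above; the default path is the one this page edits.

```shell
#!/bin/sh
# Added example, not from the original page: generate password_secret, hash the
# admin password without putting it on the command line, and write both into
# server.conf in place. Assumes POSIX sh with coreutils (tr, head, cut,
# sha256sum or shasum) and a server.conf in "key = value" format.

# 96-character alphanumeric secret, the same shape as `pwgen -N 1 -s 96`,
# drawn from /dev/urandom. Loops so the result is always exactly 96 characters.
gen_password_secret() {
    s=''
    while [ "${#s}" -lt 96 ]; do
        s="$s$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s' "$s" | cut -c 1-96
}

# Hex SHA-256 of the password, exactly what root_password_sha2 expects: no
# trailing newline hashed, no "  -" suffix from sha256sum.
hash_root_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d ' ' -f 1
    fi
}

# Read the password from the terminal with echo off, so it never shows up in
# `ps`, in ~/.bash_history or in an audit log of executed commands.
prompt_and_hash_root_password() {
    printf 'Graylog admin password: ' >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    hash_root_password "$pw"
}

# Set "key = value" in server.conf: rewrite every existing line for the key
# (commented out or not) or append the key if it is absent. Writes through a
# temp file and cat so the file keeps its owner and mode (root:graylog 0640 as
# installed by the package). Values are hex/alphanumeric here, so they contain
# no sed metacharacters such as | or &.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[# ]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[# ]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read back a key's current (uncommented) value, for verification.
get_conf_key() {
    sed -n -E "s|^${2}[[:space:]]*=[[:space:]]*||p" "$1"
}

# Put it together against a server.conf path (default: the file this page edits).
configure_graylog_auth() {
    conf=${1:-/etc/graylog/server/server.conf}
    set_conf_key "$conf" password_secret "$(gen_password_secret)"
    set_conf_key "$conf" root_password_sha2 "$(prompt_and_hash_root_password)"
    chmod o-rwx "$conf"   # password_secret protects stored credentials; keep it unreadable to others
}
```

Run `configure_graylog_auth` as root after installing the package and before the first start; the stty calls need a terminal, so the hashing function is separated out for scripted use.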

4./ Adjusting Firewall and Selinux

You will need to open the firewall for Graylog to work properly: 9000 for the web interface, 12900 for the REST API (in Graylog 2.2 the browser talks to the REST API directly, so clients need both), and 1514 for the syslog input you will create later (Graylog runs unprivileged and cannot bind the standard syslog port 514). Elasticsearch (9200/9300) and MongoDB (27017) stay closed; neither has authentication in this setup.

You can do this by running the following commands (if the server is reachable from untrusted networks, use a firewalld rich rule that restricts 9000 and 12900 to your admin subnet instead of --add-port, which opens them to everyone):

[root@server ~]# sudo firewall-cmd --permanent --zone=public --add-port=9000/tcp
[root@server ~]# sudo firewall-cmd --permanent --zone=public --add-port=12900/tcp
[root@server ~]# sudo firewall-cmd --permanent --zone=public --add-port=1514/tcp

– Next, reload firewalld with the following command:

[root@server ~]# sudo firewall-cmd --reload

– To manage SELinux port labels, install the policycoreutils-python package (it provides semanage):

[root@server ~]# sudo yum install policycoreutils-python -y

– The settings below are the ones the Graylog documentation recommends. Graylog itself runs as an unconfined Java service, so the httpd boolean and the http_port_t labels matter mainly if you later put a confined reverse proxy (Apache or nginx) in front of it; the mongod_port_t label is what lets a confined mongod bind to its port. Keep SELinux enforcing: if something is denied, find the cause with ausearch -m avc rather than switching to permissive.

– Allow the web server to access the network:

[root@server ~]# sudo setsebool -P httpd_can_network_connect 1

– Label the Graylog web interface port:

[root@server ~]# sudo semanage port -a -t http_port_t -p tcp 9000

– Label the Elasticsearch HTTP API port:

[root@server ~]# sudo semanage port -a -t http_port_t -p tcp 9200

– Label the MongoDB default port (on CentOS 7 the stock policy already defines tcp/27017 as mongod_port_t; if semanage answers that the port is already defined, nothing needs to change):

[root@server ~]# sudo semanage port -a -t mongod_port_t -p tcp 27017

– Verify the result with semanage port -l.
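After the firewall and SELinux steps, check what actually listens on the network. Elasticsearch 2.x and MongoDB have no authentication in this setup, so anything other than Graylog's 9000/12900 and its inputs must stay on loopback. The script below is an added example, not part of the original page or of Graylog: it filters `ss -ltn` output for non-loopback listeners that are outside an allowlist of intentionally exposed ports. It is run here against a constructed sample rather than a live host, and the sample deliberately contains two mistakes (the Elasticsearch transport port on the LAN address and the HTTP API on the IPv6 wildcard, which an IPv4-only check would miss).

```shell
#!/bin/sh
# Added example, not from the original page: list listening TCP sockets that are
# reachable from the network (bound to something other than loopback) and are
# not on an allowlist of ports that are meant to be exposed. Assumes the
# column layout of `ss -ltn` (State Recv-Q Send-Q Local:Port Peer:Port).

# Reads `ss -ltn` body lines on stdin. $1 is the space-separated list of ports
# allowed on non-loopback addresses. Prints "address port" for every other
# non-loopback listener and exits 1 if any were found, 0 otherwise.
audit_listeners() {
    awk -v allow=" $1 " '
    {
        la = $4                                  # Local Address:Port column
        n = split(la, parts, ":")
        port = parts[n]                          # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        gsub(/\[|\]/, "", addr)                  # strip IPv6 brackets: [::] -> ::
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only: fine
        if (index(allow, " " port " ") > 0) next     # deliberately exposed
        print addr " " port
        found = 1
    }
    END { exit found }'
}

# Constructed sample of what `ss -ltn | tail -n +2` could show on the Graylog
# host after the steps above (not real output). Two of the lines are wrong on
# purpose: 9300 bound to the LAN address and 9200 bound to the IPv6 wildcard.
sample_ss_output() {
    cat <<'EOF'
LISTEN     0      128    127.0.0.1:27017        *:*
LISTEN     0      50     127.0.0.1:9200         *:*
LISTEN     0      50     192.168.1.200:9300     *:*
LISTEN     0      128    192.168.1.200:9000     *:*
LISTEN     0      128    192.168.1.200:12900    *:*
LISTEN     0      128    *:1514                 *:*
LISTEN     0      128    *:22                   *:*
LISTEN     0      50     :::9200                :::*
EOF
}

# Ports this tutorial intends to expose, plus SSH for administration.
GRAYLOG_EXPOSED_PORTS="22 9000 12900 1514"

# Runs the audit over the constructed sample; prints the two offending sockets.
run_sample_audit() {
    sample_ss_output | audit_listeners "$GRAYLOG_EXPOSED_PORTS"
}

# On the real host: ss -ltn | tail -n +2 | audit_listeners "$GRAYLOG_EXPOSED_PORTS"
```

Any line the audit prints is a service that is reachable from the network without being on the list; for Elasticsearch or MongoDB that means fixing network.host or bindIp rather than adding a firewall rule, since the firewall is the second line of defence, not the first.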

5./ Access the Graylog web interface

Open your web browser and go to http://your_ip_address:9000. Log in as admin (the default root_username) with the password you hashed into root_password_sha2. The first thing to do afterwards is to create an input under System > Inputs, for example a Syslog TCP input on port 1514 to match the firewall rule above, and then point your remote systems' syslog at it.
