Install and Configure Graylog Server on CentOS 7

Introduction

Graylog is a powerful log management tool that can be used to monitor for unusual activity on your systems and to debug applications. With Graylog you can collect, index, and analyze logs from remote systems in one central place. Graylog is built from three components:

  • Elasticsearch: receives and stores the logs from the Graylog server and provides the search facility.
  • MongoDB: database that stores configuration and meta information.
  • Graylog Server: receives and parses the logs coming from the various inputs and provides a web interface to manage them.

In this tutorial, we will learn how to install and configure the Graylog server on CentOS 7.

Requirements

  • A server running CentOS 7.
  • A non-root user with sudo privileges set up on your server.
  • A static IP address (tutorial example: 192.168.15.110) configured on your server. You may use a dynamic IP address for a test, but the IP appears in a number of configuration files, so when a dynamic IP address changes Graylog will no longer work properly.

Getting Started

Before beginning the Graylog installation, update your system with the latest packages by running the following command:

sudo yum update -y

Once your system completes the update, you can proceed to the next step.

Install MongoDB

MongoDB is not available in the default CentOS repository, so you will need to add the MongoDB repo first. To do so, create the file mongodb.repo inside the /etc/yum.repos.d/ directory:

sudo nano /etc/yum.repos.d/mongodb.repo

Add the following contents:

[mongodb]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

Save and close the file when you are finished. Then install MongoDB by running the following command:

sudo yum install mongodb-org -y

Once installation is complete, start the MongoDB service (the mongodb-org package installs it under the name mongod) and enable it to start on boot with the following commands:

sudo systemctl start mongod
sudo systemctl enable mongod

Install Elasticsearch

You will need to install Java as a prerequisite of Elasticsearch. You can download the latest version of Java from the Oracle Java download page. You will want to get the "Linux x64 RPM". There are additional instructions on installation available there as well.

Note: Elasticsearch should also work with other Java distributions such as OpenJDK.

Once the Java RPM download is complete, run sudo rpm -Uvh with the appropriate downloaded RPM filename to install it. The full command will be similar to this:

sudo rpm -Uvh jdk-8u25-linux-x64.rpm

Verify the installed Java version with the following command:

sudo java -version

You should see output similar to the following:

java version "1.8.0_25"
Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

Elasticsearch is not available in the default CentOS repositories. You will need to create a repo for it.

Import the GPG signing key:

sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Create an Elasticsearch repo with the following command:

sudo nano /etc/yum.repos.d/elasticsearch.repo

Add the following lines:

[elasticsearch]
name=Elasticsearch repository
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Once you are done, install Elasticsearch with the following command:

sudo yum install elasticsearch

Reload the systemd manager configuration and enable the elasticsearch service to start at boot:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch

You will also need to set the cluster name in the elasticsearch.yml file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Set the cluster name as shown below:

cluster.name: graylog

Save the file and restart the elasticsearch service:

sudo systemctl restart elasticsearch

Check the health of Elasticsearch with the following command:

sudo curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

If everything is working, you should see output similar to the following:

{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Install and Configure Graylog

You will need to download and install the Graylog repository on your system:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm

Install the Graylog server with the following command:

sudo yum install graylog-server -y

You will need pwgen to create a secret key for Graylog. Since pwgen is not available in the default CentOS repository, install the EPEL repo first:

sudo yum install epel-release -y

Run the following command to install pwgen:

sudo yum install pwgen -y

Create a secret for Graylog using the following command:

sudo pwgen -N 1 -s 96

You should see the following output:

jVbA2EZ515vlWeinnTndNPnc6bYJ7reyr3sxRRbbsiftMNvqsyz474oxMe3qPxtTRKe5vNH2cvspmMyuguySTo5ctAFAVPKN

Generate the SHA-256 hash of the password you want for the Graylog root (admin) user; Graylog stores this hash in server.conf rather than the password itself:

echo -n Your_Desired_Password | sha256sum

You should see the following output:

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Edit the server.conf file:

sudo nano /etc/graylog/server/server.conf

Set the following options, substituting the secret and the hash you generated on your own server for the example values shown:

password_secret=jVbA2EZ515vlWeinnTndNPnc6bYJ7reyr3sxRRbbsiftMNvqsyz474oxMe3qPxtTRKe5vNH2cvspmMyuguySTo5ctAFAVPKN
root_password_sha2=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
root_email=jdoe@example.com
root_timezone=UTC
elasticsearch_discovery_zen_ping_unicast_hosts = 192.168.15.110:9300
elasticsearch_shards=1

The following three settings disable dynamic scripting in Elasticsearch. They are Elasticsearch options, not Graylog ones, so they belong in /etc/elasticsearch/elasticsearch.yml rather than in server.conf; restart the elasticsearch service after adding them:

script.inline: false
script.indexed: false
script.file: false

Enable Graylog Web Interface

To enable the Graylog web interface, edit the server.conf file:

sudo nano /etc/graylog/server/server.conf

Change the following lines:

rest_listen_uri = http://192.168.15.110:12900/
web_listen_uri = http://192.168.15.110:9000/

Note: Remember to substitute your server's IP address!

Save the file when you are done. Then restart the graylog-server service and enable it to start on boot:

sudo systemctl daemon-reload
sudo systemctl restart graylog-server
sudo systemctl enable graylog-server
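The secret generation, password hashing and server.conf edits described above can be done in one step. The following Python script is an added example, not part of this tutorial or of the Graylog project: it reproduces pwgen -N 1 -s 96 with the secrets module, echo -n ... | sha256sum with hashlib, and rewrites the same keys in a copy of server.conf, replacing a line that is commented out with # as well as an active one. SAMPLE_CONF is a constructed excerpt that imitates the packaged file's key = value layout; on a real server you would read /etc/graylog/server/server.conf, pass its text to configure_graylog() and write the result back.

```python
"""Write the server.conf settings from this tutorial in one step.

Added example, not part of the tutorial or of the Graylog project. It assumes
server.conf is a plain "key = value" properties file in which unset options are
present but commented out with '#', which is how the packaged file is laid out.
"""
import hashlib
import re
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits


def make_password_secret(length: int = 96) -> str:
    """Same idea as `pwgen -N 1 -s 96`: a random alphanumeric string from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_root_password(password: str) -> str:
    """Same as `echo -n PASSWORD | sha256sum`: hex SHA-256 of the raw password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_option(conf_text: str, key: str, value: str) -> str:
    """Set `key = value`, replacing the first existing line for that key (commented
    out or not) or appending the line if the key is absent."""
    pattern = re.compile(r"^#?[ \t]*" + re.escape(key) + r"[ \t]*=.*$", re.MULTILINE)
    new_line = f"{key} = {value}"
    if pattern.search(conf_text):
        return pattern.sub(lambda _m: new_line, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + new_line + "\n"


def configure_graylog(conf_text: str, root_password: str, root_email: str,
                      server_ip: str, secret: Optional[str] = None) -> str:
    """Apply every server.conf change made in the tutorial and return the new text."""
    settings: Dict[str, str] = {
        "password_secret": secret or make_password_secret(),
        "root_password_sha2": hash_root_password(root_password),
        "root_email": root_email,
        "root_timezone": "UTC",
        "elasticsearch_discovery_zen_ping_unicast_hosts": f"{server_ip}:9300",
        "elasticsearch_shards": "1",
        "rest_listen_uri": f"http://{server_ip}:12900/",
        "web_listen_uri": f"http://{server_ip}:9000/",
    }
    for key, value in settings.items():
        conf_text = set_option(conf_text, key, value)
    return conf_text


def parse_conf(conf_text: str) -> Dict[str, str]:
    """Read back the active (uncommented) options, to check the result."""
    options: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


# Constructed excerpt imitating the packaged server.conf layout (not the real file).
SAMPLE_CONF = """\
is_master = true
password_secret =
root_password_sha2 =
#root_email = ""
#root_timezone = UTC
elasticsearch_shards = 4
rest_listen_uri = http://127.0.0.1:12900/
#web_listen_uri = http://127.0.0.1:9000/
"""

if __name__ == "__main__":
    # In real use: read /etc/graylog/server/server.conf, pass it in, write the result back.
    print(configure_graylog(SAMPLE_CONF, "password", "jdoe@example.com", "192.168.15.110"))
```

Graylog reads the file as Java properties, so key=value and key = value are both accepted; the script emits the spaced form. Run it as root only when writing the real file, and regenerate the secret with make_password_secret() on every server rather than copying one from a document.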

Graylog needs the following ports opened in firewalld: 9000 (web interface), 12900 (REST API) and 1514 (commonly used for a syslog input). Open them by running the following commands:

sudo firewall-cmd --permanent --zone=public --add-port=9000/tcp
sudo firewall-cmd --permanent --zone=public --add-port=12900/tcp
sudo firewall-cmd --permanent --zone=public --add-port=1514/tcp

Next, reload firewalld with the following command:

sudo firewall-cmd --reload

Access the Graylog web interface

By default, the Graylog web interface listens on port 9000.

Open your web browser and go to http://192.168.15.110:9000. You should see the following page:

Graylog Login Page

Log in with username admin and the password you defined in server.conf. You should see the following page:

Graylog Dashboard

Conclusion

We have successfully installed Graylog on a CentOS 7 server. Your feedback and questions are welcome below!

  • I have successfully installed Graylog and I am receiving the syslogs of my firewall, but the logs are gibberish and hard to understand. Could I please ask for your help?

    My firewall's full_message looks like this:

    <189>Jun 16 11:06:46 10.10.10.1 date=2017-06-16 time=11:06:45 devname=FGT3HD3916803220 devid=FGT3HD3916803220 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.20.46 srcname="CNMEHTA" srcport=137 srcintf="port1" dstip=192.168.20.255 dstport=137 dstintf="port3" sessionid=134273516 proto=17 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="137_NameService" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high devtype="Windows PC" osname="Windows" mastersrcmac=08:ed:b9:68:b4:c1 srcmac=08:ed:b9:68:b4:c1

  • Hello, I have successfully installed it, but it is showing "Graylog could not successfully connect to the Elasticsearch cluster". How do I fix this? Thank you for your help.
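The FortiGate line quoted in the first comment is not garbage: it is a standard syslog header (the <PRI> value, a timestamp and the sending host) followed by a body made of key=value pairs, some of them quoted. Graylog's syslog input already turns the header into the facility, level and source fields; the body stays a single string until an extractor or pipeline rule splits it. The Python script below is an added example, not part of the tutorial or of Graylog itself, that shows what such a split produces: it parses the header, decodes PRI into facility and severity, and turns every key=value pair into a field, keeping spaces inside quoted values. SAMPLE_LINE is a shortened copy of the line in the comment with the device serial replaced by the placeholder FGT-EXAMPLE.

```python
"""Parse a FortiGate syslog line into fields.

Added example (not from the tutorial or from Graylog). It mirrors what a
key=value extractor or pipeline rule does inside Graylog, so the output can be
compared with the fields Graylog shows once such a rule is in place.
"""
import re
from typing import Dict

# Constructed sample: a shortened copy of the line quoted in the comment above,
# with the device serial replaced by the placeholder FGT-EXAMPLE.
SAMPLE_LINE = (
    '<189>Jun 16 11:06:46 10.10.10.1 date=2017-06-16 time=11:06:45 '
    'devname=FGT-EXAMPLE devid=FGT-EXAMPLE logid=0000000013 type=traffic '
    'subtype=forward level=notice vd=root srcip=192.168.20.46 srcname="CNMEHTA" '
    'srcport=137 srcintf="port1" dstip=192.168.20.255 dstport=137 dstintf="port3" '
    'proto=17 action=deny policyid=0 service="137_NameService" '
    'devtype="Windows PC" osname="Windows" srcmac=08:ed:b9:68:b4:c1'
)

# RFC 3164 style header: <PRI>, "Mmm dd HH:MM:SS", hostname or IP, then the body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Za-z]{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
# key=value where the value is either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_kv(body: str) -> Dict[str, str]:
    """Split the FortiGate body into a dict; quoted values keep their spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(body)}


def parse_line(line: str) -> Dict[str, object]:
    """Parse header and body; raises ValueError on a line without a syslog header."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    fields: Dict[str, object] = {
        "facility": facility,
        "facility_name": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "syslog_timestamp": m.group("timestamp"),
        "source": m.group("host"),
    }
    fields.update(parse_kv(m.group("body")))
    return fields


def summarize(fields: Dict[str, object]) -> str:
    """One readable line per traffic event, built from the extracted fields."""
    wanted = ("action", "srcip", "srcport", "dstip", "dstport", "proto", "policyid")
    values = {k: fields.get(k, "?") for k in wanted}
    return "{action} {srcip}:{srcport} -> {dstip}:{dstport} (proto {proto}, policy {policyid})".format(**values)


if __name__ == "__main__":
    parsed = parse_line(SAMPLE_LINE)
    for key, value in parsed.items():
        print(f"{key} = {value}")
    print(summarize(parsed))
```

For the sample line PRI 189 decodes to facility local7 and severity notice, which agrees with the level=notice field the firewall itself writes. Once the pairs are separate fields in Graylog, searches such as action:deny or srcip:192.168.20.46 work directly instead of matching against the raw string.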
