Follow this guide to learn how to install the latest Graylog on CentOS 7. Graylog is a leading open-source log management tool that provides real-time collection, storage, analysis and enrichment of machine data. It makes it easy to search, explore and visualize the analysed data.
Install latest Graylog on CentOS 7
As of this writing, the Graylog 3.2.4 is the latest stable release.
To install Graylog 3.2.4 on CentOS 7, a number of other components need to be installed along with it in order to get it up and running. These include:
- MongoDB – Graylog uses MongoDB to store configuration metadata such as user information or stream configurations.
- Elasticsearch – a search and analytics engine that provides Graylog with central log data storage. You can search any kind of document from Elasticsearch.
These components should be installed before installing Graylog on CentOS 7.
Run system update
yum update -y
Disabling SELinux
While I do not recommend disabling SELinux, it is disabled here since this guide is for demonstration purposes. Note that a reboot is required for the change to take effect.
sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
systemctl reboot
According to Graylog, if you are using SELinux, consider doing the following:
- Allow the web server to access the network:
sudo setsebool -P httpd_can_network_connect 1
- To allow access to each port individually:
- Graylog REST API and web interface:
sudo semanage port -a -t http_port_t -p tcp 9000
- Elasticsearch (only if the HTTP API is being used):
sudo semanage port -a -t http_port_t -p tcp 9200
- Allow using MongoDB’s default port (27017/tcp):
sudo semanage port -a -t mongod_port_t -p tcp 27017
The semanage command used above is provided by the policycoreutils-python package on CentOS 7; install it to manage SELinux ports.
yum install policycoreutils-python
Install MongoDB on CentOS 7
Create MongoDB YUM repository.
cat > /etc/yum.repos.d/mongodb-org.repo << 'EOL'
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOL
Once the repos are in place, install MongoDB.
yum install mongodb-org
You can also check our other guide on installing MongoDB on CentOS 8;
Install MongoDB Community Edition on CentOS 8
Start MongoDB and enable it to run on boot.
systemctl daemon-reload
systemctl enable --now mongod.service
Check the status:
systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-04-01 22:08:56 EAT; 13min ago
Docs: https://docs.mongodb.org/manual
Main PID: 1449 (mongod)
CGroup: /system.slice/mongod.service
└─1449 /usr/bin/mongod -f /etc/mongod.conf
Apr 01 22:08:55 cent7.kifarunix-demo.com systemd[1]: Starting MongoDB Database Server...
Apr 01 22:08:55 cent7.kifarunix-demo.com mongod[1446]: about to fork child process, waiting until server is ready for connections.
Apr 01 22:08:55 cent7.kifarunix-demo.com mongod[1446]: forked process: 1449
Apr 01 22:08:56 cent7.kifarunix-demo.com mongod[1446]: child process started successfully, parent exiting
Apr 01 22:08:56 cent7.kifarunix-demo.com systemd[1]: Started MongoDB Database Server.
Install Elasticsearch 6.x on CentOS 7
Graylog doesn’t work with Elasticsearch 7.x yet. Hence install Elasticsearch 6.x.
Install Java 8 on CentOS 7
Elasticsearch is built using Java, and requires at least Java 8 in order to run. Hence, before you can install Elasticsearch, you need to install Java 8.
yum install java-1.8.0-openjdk-headless
You can verify the Java version using the java -version command.
java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
You can also check our other guides on installing Java.
Install Oracle Java 12 on CentOS 7/Fedora 29
Install Oracle Java 11 on Fedora 29/CentOS 7
Install Elasticsearch 6.x
Create Elasticsearch 6.x YUM repository.
cat > /etc/yum.repos.d/elasticsearch-6.repo << EOL
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOL
Import Elasticsearch PGP repo signing key.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Install Elasticsearch 6.x
yum install elasticsearch
Configure Elasticsearch
For a basic configuration, edit the Elasticsearch configuration file, /etc/elasticsearch/elasticsearch.yml, and set the cluster name to graylog.
vim /etc/elasticsearch/elasticsearch.yml
...
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: graylog
#
...
Save and quit the configuration file.
Also, set the Elasticsearch heap size by editing the file /etc/elasticsearch/jvm.options and setting the values for Xms (minimum heap size) and Xmx (maximum heap size) based on the amount of RAM available on your server. In this demo, we set both to 512MB.
vim /etc/elasticsearch/jvm.options
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms512m
-Xmx512m
Save and exit the file.
Restart Elasticsearch and enable it to run on system boot.
sudo systemctl daemon-reload
systemctl enable --now elasticsearch
To verify that all is well with Elasticsearch, run the command below after it has fully started.
curl -X GET http://localhost:9200
{
"name" : "UgS10LT",
"cluster_name" : "graylog",
"cluster_uuid" : "L4zXgLruSJOx7QaDHbcDPQ",
"version" : {
"number" : "6.8.8",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "2f4c224",
"build_date" : "2020-03-18T23:22:18.622755Z",
"build_snapshot" : false,
"lucene_version" : "7.7.2",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
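The version note above (Graylog 3.2 does not work with Elasticsearch 7.x), the heap-size step and the curl check are easy to fold into one pre-flight script. The following is an added example and not part of the original guide: ES_INFO_SAMPLE is the guide's own curl output, trimmed and embedded so the script runs offline; the function names are this example's own; the heap rule (half of RAM, capped at 31 GB so the JVM keeps compressed object pointers) follows Elastic's general sizing guidance and is an assumption, not something the guide states.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks for the
# Elasticsearch node that Graylog 3.2 will use.

# Constructed sample: the guide's `curl http://localhost:9200` output, trimmed.
ES_INFO_SAMPLE='{
  "name" : "UgS10LT",
  "cluster_name" : "graylog",
  "version" : { "number" : "6.8.8", "lucene_version" : "7.7.2" },
  "tagline" : "You Know, for Search"
}'

# json_field JSON KEY -> prints the string value of the first "KEY" : "value"
# pair (enough for the flat fields we need; no full JSON parser required).
json_field() {
  printf '%s\n' "$1" \
    | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# es_supported_for_graylog JSON -> 0 if the node reports Elasticsearch 6.x
# (the guide says 7.x is not supported by Graylog 3.2) and cluster_name is
# "graylog" as set in elasticsearch.yml; 1 with a reason on stderr otherwise.
es_supported_for_graylog() {
  version=$(json_field "$1" number)
  cluster=$(json_field "$1" cluster_name)
  major=${version%%.*}
  if [ "$major" != "6" ]; then
    echo "unsupported Elasticsearch version: ${version:-unknown} (need 6.x)" >&2
    return 1
  fi
  if [ "$cluster" != "graylog" ]; then
    echo "cluster_name is '${cluster:-unset}', expected 'graylog'" >&2
    return 1
  fi
  return 0
}

# es_check_live [URL] -> same check against a running node (default port 9200).
es_check_live() {
  es_supported_for_graylog "$(curl -sS "${1:-http://localhost:9200}")"
}

# es_heap_mb TOTAL_RAM_MB -> heap size in MB to use for both -Xms and -Xmx:
# half of physical RAM, capped at 31744 MB (31g). Assumed sizing rule.
es_heap_mb() {
  half=$(( $1 / 2 ))
  [ "$half" -gt 31744 ] && half=31744
  echo "$half"
}

# write_jvm_heap FILE MB -> rewrite the -Xms/-Xmx lines of jvm.options in place.
write_jvm_heap() {
  sed "s|^-Xms.*|-Xms$2m|; s|^-Xmx.*|-Xmx$2m|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

On a real node you would run es_check_live after `systemctl enable --now elasticsearch`, and `write_jvm_heap /etc/elasticsearch/jvm.options "$(es_heap_mb 1024)"` reproduces the 512m setting used in this demo for a 1 GB host.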
Installing latest Graylog (3.2.4) on CentOS 7
Once both MongoDB and Elasticsearch are installed, proceed to install Graylog 3.2.4 on CentOS 7.
Add Graylog 3.2.x RPM repository
Run the command below to install the Graylog 3.2.x RPM repository.
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.2-repository_latest.rpm
Install Graylog 3.2.4
You can verify the available version.
yum info graylog-server
Available Packages
Name : graylog-server
Arch : noarch
Version : 3.2.4
Release : 1
Size : 117 M
Repo : graylog/x86_64
Summary : Graylog server
URL : https://www.graylog.org/
License : GPLv3
Description : Graylog server
Next, install Graylog 3.2.4 server.
yum install graylog-server
Dependencies Resolved
=======================================================================================================================================================
Package Arch Version Repository Size
=======================================================================================================================================================
Installing:
graylog-server noarch 3.2.4-1 graylog 117 M
Transaction Summary
=======================================================================================================================================================
Install 1 Package
Total download size: 117 M
Installed size: 117 M
Is this ok [y/d/N]: y
Configuring Graylog on CentOS 7
There are a few basic configurations that need to be done. These include setting the password secret and the root user (admin) password hash.
To generate the password secret, you can use the pwgen random password generator. To install pwgen, run the commands below:
yum install epel-release
yum install pwgen
Next, generate the password secret by running pwgen as shown below.
pwgen -N 1 -s 96
nfkjDdTJCjfQOoRIJMHz0VCeKshJV2dncP9dJVW8m593BCsOjw58fHosjbmfX6KIvr1kNuecA53YgJ8u8HHDpTTvLnTOj36F
To generate the admin user password hash, run the command below, replacing the string YouStrongPAsswordhere with your own password.
echo -n "YouStrongPAsswordhere" | sha256sum | cut -d" " -f1
e7d3685715939842749cc27b38d0ccb9706d4d14a5304ef9eee093780eab5df9
Next, open the Graylog server configuration file for editing.
vim /etc/graylog/server/server.conf
...
password_secret = nfkjDdTJCjfQOoRIJMHz0VCeKshJV2dncP9dJVW8m593BCsOjw58fHosjbmfX6KIvr1kNuecA53YgJ8u8HHDpTTvLnTOj36F
...
root_password_sha2 = f7d3685715939842749dd27b38d0ddb9706d4e4445304ef9eee093780eab5df8
...
If you need to access Graylog from other hosts rather than only on localhost, set the Graylog server's IP address in the http_bind_address parameter.
# Default: 127.0.0.1:9000
#http_bind_address = 127.0.0.1:9000
#http_bind_address = [2001:db8::1]:9000
http_bind_address = 192.168.56.201:9000
If you are running a single node Elasticsearch, be sure to set the value for elasticsearch_shards to 1.
#elasticsearch_shards = 4
elasticsearch_shards = 1
If firewalld is running, be sure to open TCP port 9000 to allow external access.
firewall-cmd --add-port=9000/tcp --permanent
firewall-cmd --reload
That is all the basic configuration Graylog needs.
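The configuration steps above (generate password_secret, hash the admin password into root_password_sha2, set http_bind_address and elasticsearch_shards) are the kind of thing that gets mistyped when done by hand, so here is an added example script that performs them and sanity-checks server.conf before graylog-server is started. It is not code from the original guide or from the Graylog project: the function names, the /dev/urandom fallback for hosts without pwgen, and the GRAYLOG_CONF, ROOT_PASSWORD and BIND_ADDR variables are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the guide): write password_secret, root_password_sha2,
# http_bind_address and elasticsearch_shards into Graylog's server.conf and
# validate the result.

# 96-character alphanumeric secret, as the guide generates with pwgen;
# falls back to /dev/urandom when pwgen is not installed (assumed fallback).
gen_password_secret() {
  if command -v pwgen >/dev/null 2>&1; then
    pwgen -N 1 -s 96
  else
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
  fi
}

# SHA-256 hex digest of the admin password, which is what root_password_sha2
# expects. printf '%s' avoids the trailing newline that a plain echo would hash.
hash_root_password() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# set_conf_key FILE KEY VALUE: rewrite the active "KEY = ..." line, or append
# one when only commented examples (e.g. "#http_bind_address = ...") exist.
set_conf_key() {
  if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
    sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s = %s\n' "$2" "$3" >> "$1"
  fi
}

# get_conf_key FILE KEY: value of the last active "KEY = value" line.
get_conf_key() {
  sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configure_graylog_conf FILE ROOT_PASSWORD BIND_ADDRESS [SHARDS]
# SHARDS defaults to 1, the right value for a single-node Elasticsearch.
configure_graylog_conf() {
  set_conf_key "$1" password_secret "$(gen_password_secret)"
  set_conf_key "$1" root_password_sha2 "$(hash_root_password "$2")"
  set_conf_key "$1" http_bind_address "$3"
  set_conf_key "$1" elasticsearch_shards "${4:-1}"
}

# validate_graylog_conf FILE: 0 if the secret is 96 characters and the root
# hash is a 64-hex-digit SHA-256; 1 with a reason on stderr otherwise.
validate_graylog_conf() {
  secret=$(get_conf_key "$1" password_secret)
  hash=$(get_conf_key "$1" root_password_sha2)
  if [ "${#secret}" -lt 96 ]; then
    echo "password_secret is ${#secret} characters, expected 96" >&2; return 1
  fi
  if ! printf '%s\n' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1
  fi
  return 0
}

# Apply to a real file only when GRAYLOG_CONF is set, e.g.
#   GRAYLOG_CONF=/etc/graylog/server/server.conf ROOT_PASSWORD='...' \
#   BIND_ADDR=192.168.56.201:9000 sh graylog-conf.sh
if [ -n "${GRAYLOG_CONF:-}" ]; then
  configure_graylog_conf "$GRAYLOG_CONF" "${ROOT_PASSWORD:?set ROOT_PASSWORD}" "${BIND_ADDR:-127.0.0.1:9000}"
  validate_graylog_conf "$GRAYLOG_CONF" && echo "configured $GRAYLOG_CONF"
fi
```

Keeping the commented defaults in place and only appending an active line means the file still documents the alternatives (such as the IPv6 bind example) after the script has run.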
Running Graylog
Run the command below to start Graylog server and enable it to run on system boot.
systemctl enable --now graylog-server
Access Graylog Web Interface
Now that the Graylog server is running, you can access it in a browser at http://<server-IP-or-hostname>:9000.
The default username is admin and the password is the one you hashed into root_password_sha2 above.
Upon successful login, you land on the Graylog Server dashboard, which outlines the steps for ingesting data into Graylog. Click Dismiss guide to close the guide.
Fantastic!! The latest Graylog is up and running on your CentOS 7 server. That brings us to the end of our guide on how to install the latest Graylog on CentOS 7.