Bobcares

How to Install Graylog on CentOS 7 with Elasticsearch and MongoDB

Jan 21, 2021

Wondering how to install Graylog on CentOS 7? We can help you.

Rsyslog is installed on CentOS by default, but getting its configuration right takes considerable work. While evaluating log management options, we found Graylog easy to use because it has a web interface.

Here, at Bobcares, we assist our customers with several installations as part of our Server Management Services.

Today, let us see how to install Graylog 3.0 on CentOS 7.

 

Graylog on CentOS 7

Rsyslog is the most popular Syslog implementation used for log management. Because it takes more work to get its configuration right, some of our customers ask us to install Graylog, which is a complete logging solution.

Graylog is a powerful open-source log management tool with many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is built on Elasticsearch, Java, and MongoDB.

Components of Graylog

Graylog has four main components:

  • Graylog Server

The Graylog server is the worker that receives and processes messages and communicates with all the other components. Its performance depends on CPU.

  • Elasticsearch

Elasticsearch stores the log messages received from the Graylog server and lets us search them as needed. Because it indexes the data, it needs more memory and fast (SAS or SAN) disks; its performance depends on RAM and disk I/O.

  • MongoDB

MongoDB stores metadata and does not experience much load.

  • Web Interface

It is the user interface.

Next, let us see the method our Support Techs use to install Graylog 3.0 on CentOS 7.

 

How to Install Graylog on CentOS 7

To begin, our Support Engineers suggest having the following prerequisites.

  1. CentOS 7 server with at least 2GB of RAM.
  2. A user with root or superuser access.
  3. EPEL repository.
    # yum install epel-release
  4. Java on the machine.
    # yum install -y java-1.8.0-openjdk-headless

    Verify the Java version.

    # java -version

    Our output will be similar to:

    openjdk version "1.8.0_191"
    OpenJDK Runtime Environment (build 1.8.0_191-b12)
    OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
  5. An updated system.
    # yum update -y

 

  • Install MongoDB

As we mentioned earlier, MongoDB acts as the database that stores configuration and meta information. Its installation is quick and easy.

Here, we will use MongoDB’s official repository to get the latest version of MongoDB.

# vi /etc/yum.repos.d/mongodb-org-4.0.repo

Add repository information to the above file.

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

We install the community edition of MongoDB using the following command.

# yum install -y mongodb-org

Then we start the MongoDB service and enable it at system start-up.

# systemctl start mongod
# systemctl enable mongod

Eventually, the service will be up and running.

 

  • Install Elasticsearch

Elasticsearch is an important component of the Graylog setup: it stores the data arriving on Graylog inputs and returns the messages whenever a user requests them through Graylog's built-in web interface.

Its primary job is to index the logs and serve the searches issued from the Graylog web interface.

Before the installation we need to import the GPG signing key:

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Then we create a repository file to get the latest version of the Elasticsearch package from the official repository.

# vi /etc/yum.repos.d/elasticsearch.repo

Subsequently, we need to add the below content to the above file.

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Now, we can install the Elasticsearch package with the yum command.

# yum install -y elasticsearch

Reload the systemd manager configuration and enable Elasticsearch to start automatically on system startup.

# systemctl daemon-reload
# systemctl enable elasticsearch

We need to edit the elasticsearch.yml file and set the cluster name to graylog so that Elasticsearch works with the Graylog setup.

# vi /etc/elasticsearch/elasticsearch.yml

The update should be like this:

cluster.name: graylog

Later, restart the Elasticsearch service.

# systemctl restart elasticsearch

It takes about a minute for Elasticsearch to restart. Elasticsearch will now listen on port 9200 for HTTP requests.

To check the response, we can use the curl command:

# curl -X GET http://localhost:9200

The response should report the cluster name graylog.

Then, we need to perform a health check of the Elasticsearch cluster.

# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Make sure the cluster status comes as green.
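A readiness check for the two curl calls above, added here as an example and not taken from the Bobcares post. It pulls the cluster name and the health status out of the JSON responses with sed, so it works on a minimal CentOS host without jq, and it spells out what a non-green status means on a single node. The sample responses are constructed; es_ready performs the live checks against http://localhost:9200.

```shell
#!/bin/sh
# Added example (not from the Bobcares post): check that the local
# Elasticsearch node reports the cluster name Graylog expects and that the
# cluster health is green, using only sed so it works without jq.

# Extract the string value of a top-level JSON key (e.g. "cluster_name",
# "status") from a compact or pretty-printed Elasticsearch response.
json_string_field() {
    # $1 = JSON text, $2 = key name
    printf '%s\n' "$1" | tr -d '\n' |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Returns 0 when the GET / response names the expected cluster (default:
# graylog, matching cluster.name in /etc/elasticsearch/elasticsearch.yml).
check_cluster_name() {
    # $1 = JSON from GET /, $2 = expected cluster name
    [ "$(json_string_field "$1" cluster_name)" = "${2:-graylog}" ]
}

# Returns 0 only for status green. Yellow means the primaries are up but
# replica shards could not be placed, which is what a single node reports
# whenever an index asks for one or more replicas (hence
# elasticsearch_replicas = 0 in server.conf); red means some primary
# shards are unavailable and searches will miss data.
check_cluster_health() {
    # $1 = JSON from GET /_cluster/health
    [ "$(json_string_field "$1" status)" = "green" ]
}

# Live check against the node used in the post.
es_ready() {
    es_url="${1:-http://localhost:9200}"
    root_json="$(curl -s -XGET "$es_url")" || return 1
    health_json="$(curl -s -XGET "$es_url/_cluster/health?pretty=true")" || return 1
    check_cluster_name "$root_json" graylog && check_cluster_health "$health_json"
}

# Constructed sample responses (the shape follows the two endpoints; the
# values are illustrative) so the checks can be exercised offline.
SAMPLE_ROOT='{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "version" : { "number" : "6.8.0" },
  "tagline" : "You Know, for Search"
}'
SAMPLE_HEALTH_GREEN='{ "cluster_name" : "graylog", "status" : "green", "number_of_nodes" : 1 }'
SAMPLE_HEALTH_YELLOW='{ "cluster_name" : "graylog", "status" : "yellow", "number_of_nodes" : 1, "unassigned_shards" : 4 }'

# Offline demonstration; on the server, call es_ready instead.
if check_cluster_name "$SAMPLE_ROOT" graylog && check_cluster_health "$SAMPLE_HEALTH_GREEN"; then
    echo "sample responses: cluster name graylog, health green"
fi
```

If es_ready fails on the name check, Elasticsearch was started before cluster.name was edited, or the edit did not survive the restart; if it fails on health, look at unassigned_shards in the health output before pointing Graylog at the cluster.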

 

  • Install Graylog Server

The Graylog server accepts and processes the log messages arriving on its various inputs. It also serves the requests that come from the Graylog web interface.

To download and install the Graylog 3.x repository package, we run:

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm

We install the Graylog server using the following command.

# yum -y install graylog-server

Then edit the server.conf file to begin the Graylog configuration.

# vi /etc/graylog/server/server.conf

We use the following command to create a secret:

# pwgen -N 1 -s 96

Our output will be similar to:

OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Place the secret in server.conf as follows:

password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Set the hashed password for the root user, i.e., the Graylog admin. We need this password to log in to the Graylog web interface.

We can also update server.conf with a new hash whenever we need to change or reset a forgotten admin password.

To generate the password hash, use the command below, replacing yourpassword with the password of our choice.

# echo -n yourpassword | sha256sum

Our output will be similar to:

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Then place the hash in server.conf:

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Subsequently, we can set up an email address for the admin user.

root_email = "bob@bobcares.com"

Set timezone of root (admin) user.

root_timezone = UTC

Only one node may be the master, and the variable below controls it; the default is true.

If this server is a second Graylog node in our environment, set it to false to make this node a slave.

is_master = true

Set the number of log messages to keep per index. Several smaller indices are recommended over a few large ones.

elasticsearch_max_docs_per_index = 20000000

The following parameter sets the maximum number of indices to keep. Once this number is reached, the oldest index is deleted.

elasticsearch_max_number_of_indices = 20

The shard count depends on the number of nodes in the Elasticsearch cluster. With a single node, set it to 1.

elasticsearch_shards = 1

This defines the number of replicas for our indices. With a single node in the Elasticsearch cluster, set it to 0.

elasticsearch_replicas = 0
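The script below, added here and not part of the Bobcares post, automates the server.conf edits from the secret generation through the index settings. It creates password_secret with pwgen as the post does (falling back to /dev/urandom via od when pwgen is not installed), hashes the admin password with printf rather than echo so that no trailing newline gets hashed into root_password_sha2, and writes every setting idempotently: the commented default that ships in server.conf (for example #root_email = "") is replaced in place instead of a duplicate being appended. The file path, password and email passed to configure_graylog_admin are placeholders; the demonstration at the end works on a scratch file, not on /etc/graylog/server/server.conf.

```shell
#!/bin/sh
# Added example (not from the Bobcares post): generate the two credentials
# server.conf needs and apply the settings from the post without leaving
# duplicate or commented-out definitions behind.

# Print a random password_secret of the given length (default 96, like the
# post's pwgen -N 1 -s 96). Without pwgen, read bytes from /dev/urandom and
# hex-encode them with od; 96 hex characters still carry 384 bits of entropy.
gen_password_secret() {
    len="${1:-96}"
    if command -v pwgen >/dev/null 2>&1; then
        secret="$(pwgen -N 1 -s "$len")"
    else
        secret="$(od -An -tx1 -N"$(( (len + 1) / 2 ))" /dev/urandom | tr -d ' \n' | cut -c1-"$len")"
    fi
    printf '%s\n' "$secret"
}

# SHA-256 of the admin password for root_password_sha2. printf '%s' feeds
# exactly the password: `echo yourpassword | sha256sum` (without -n) would
# hash a trailing newline too and the web login would simply fail.
hash_root_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/.* //'
    fi
}

# Set "key = value" in a Graylog server.conf. The first matching line,
# whether active or commented out with '#', is rewritten; later duplicates
# are dropped; an absent key is appended. Values are passed through awk -v,
# so a value containing backslash escapes would need extra quoting.
set_conf() {
    # $1 = file, $2 = key, $3 = value
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$value" '
        $0 ~ "^[ \t]*#?[ \t]*" key "[ \t]*=" {
            if (!done) { print key " = " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the settings the post walks through, for a single-node setup.
configure_graylog_admin() {
    # $1 = path to server.conf, $2 = admin password, $3 = admin email
    conf="$1"
    set_conf "$conf" password_secret "$(gen_password_secret 96)"
    set_conf "$conf" root_password_sha2 "$(hash_root_password "$2")"
    set_conf "$conf" root_email "\"$3\""
    set_conf "$conf" root_timezone UTC
    set_conf "$conf" is_master true
    set_conf "$conf" elasticsearch_shards 1
    set_conf "$conf" elasticsearch_replicas 0
}

# Demonstration on a scratch copy containing constructed defaults of the
# kind found in the shipped server.conf; point it at
# /etc/graylog/server/server.conf on the real node.
demo="${TMPDIR:-/tmp}/server.conf.demo.$$"
printf '#root_email = ""\n#is_master = true\nroot_timezone = Europe/Berlin\n' > "$demo"
configure_graylog_admin "$demo" 'yourpassword' 'bob@bobcares.com'
cat "$demo"
rm -f "$demo"
```

Keep the generated password_secret out of shell history and backups you do not control: it is what Graylog uses to encrypt stored credentials, so it is at least as sensitive as the admin password hash next to it.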

 

  • Install Graylog Web Interface

We need to edit the server.conf file to enable the Graylog web interface.

# vi /etc/graylog/server/server.conf

To let the Graylog web interface reach the Graylog server, we modify the entry below, replacing xxx.xxx.xxx.xxx with the server's IP address.

http_bind_address = xxx.xxx.xxx.xxx:9000

Then we restart the Graylog service.

# systemctl daemon-reload
# systemctl restart graylog-server

Make Graylog server start automatically on system startup.

# systemctl enable graylog-server

We can follow the server startup log, which is useful when troubleshooting Graylog.

# tailf /var/log/graylog-server/server.log

If everything goes well, we will see the following message in server.log.

2021-01-20T21:00:23.157+05:30 INFO [ServerBootstrap] Graylog server up and running.

 

  • Firewall & SELinux

On CentOS 7/RHEL 7, the default firewall rules block most traffic coming from external machines. We need to add allow rules for Graylog to work correctly.

$ firewall-cmd --permanent --add-port=9000/tcp

Reload firewalld so the new rule takes effect.

$ firewall-cmd --reload

If we have SELinux enabled on the system, then we will need to add a few exceptions in SELinux policies.

$ setsebool -P httpd_can_network_connect 1
$ semanage port -a -t http_port_t -p tcp 9000
$ semanage port -a -t http_port_t -p tcp 9200
$ semanage port -a -t mongod_port_t -p tcp 27017

 

  • Configure Graylog to Receive Syslog messages

Log into Graylog Web Interface

In the web browser, go to port 9000 of the server’s public IP address:

http://graylog_public_IP:9000/

We should see a login screen. Enter admin as username and the admin password set earlier.

The red notification counter at the top will show a message saying that we have a node without any running inputs.

 

  • Create Syslog UDP Input

To add an input to receive Syslog messages, click on the System drop-down in the top menu.

Now, from the drop-down menu, select Inputs.

Then select Syslog UDP from the drop-down menu and click the Launch new input button.

A “Launch a new input: Syslog UDP” modal window will pop up. Enter the following information:

  1. Title: syslog
  2. Port: 8514
  3. Bind address: graylog_private_IP

Then click Launch.

We should now see an input named “syslog” in the Local inputs section (with a green box that says “running” next to it).

Now the Graylog server is ready to receive syslog messages on port 8514 from the servers.

 

  • Configure Rsyslog to Send Syslogs to Graylog Server

Once the input exists, configure Rsyslog to forward system logs to our Graylog server.

Perform the following steps on every client server whose syslog messages we want to send to Graylog.

First, edit the Rsyslog configuration file.

# vi /etc/rsyslog.conf

A typical Rsyslog rule to send logs to UDP port 8514 looks like this:

*.info;mail.none;authpriv.none;cron.none @graylog_private_IP:8514

Then we restart the Rsyslog service to send logs.

# systemctl restart rsyslog

After configuring rsyslog on all the servers we want to monitor, go back to the Graylog web interface.

 

  • View Graylog Sources

In the web browser, go to port 9000 of the server's public IP address:

http://graylog_public_IP:9000/

Then click on Sources in the top bar. This lists all the servers on which we configured rsyslog.

The hostname of the sources is on the left, with the number of messages received by Graylog on the right.

 

  • Search Graylog Data

After letting Graylog collect messages for some time, we will be able to search through the messages.

For example, if we search for "sshd" to see what kind of SSH activity is happening on our servers, we will get results showing sshd logs from the various servers, including failed root login attempts.

The results will vary, but they help to identify many issues, including how unauthorized users are attempting to access the servers.

Searching through data in Graylog is useful, for example, if we want to review the logs of a server or several servers after an incident.

Centralized logging makes it easier to correlate related incidents because we do not need to log into multiple servers to see all the occurrences.
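The sshd review described above, carried out over syslog lines of the kind rsyslog forwards to the Graylog input; this is an added example, not part of the Bobcares post, and the messages, hostnames and client addresses (documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) are constructed. It shows the correlation the post promises from centralized logs: the same client failing against root on several hosts becomes visible only once the messages sit side by side.

```shell
#!/bin/sh
# Added example (not from the Bobcares post): summarise failed root logins
# from syslog lines such as those rsyslog ships to Graylog, per reporting
# host and per client address, so the noisy sources stand out.

# Constructed sample messages in the standard rsyslog format; the
# "Accepted publickey" line is legitimate activity and must not be counted.
SAMPLE_SYSLOG='Jan 20 21:00:23 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 20 21:00:25 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 20 21:00:31 db01 sshd[1180]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 20 21:00:40 db01 sshd[1182]: Failed password for root from 198.51.100.7 port 40031 ssh2
Jan 20 21:01:02 web01 sshd[2231]: Accepted publickey for deploy from 192.0.2.10 port 55010 ssh2
Jan 20 21:01:09 web02 sshd[3301]: Failed password for root from 203.0.113.5 port 51301 ssh2'

# Read syslog lines on stdin; print "host client_ip count" for failed root
# password attempts, most active pair first. Field layout of a line:
#   $1-$3 timestamp, $4 host, $5 sshd[pid]:, $6.. message words.
failed_root_logins() {
    awk '
        $5 ~ /^sshd\[/ && $6 == "Failed" && $7 == "password" && $8 == "for" && $9 == "root" {
            count[$4 " " $11]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# Same data rolled up per client address across all hosts, which is the
# view that reveals one client sweeping several servers.
failed_root_by_client() {
    failed_root_logins |
        awk '{ total[$2] += $3 } END { for (ip in total) print ip, total[ip] }' |
        sort -k2,2nr
}

# Demonstration on the constructed sample; on a client host the input would
# typically be /var/log/secure, or a Graylog search export.
echo "failed root logins per host and client:"
printf '%s\n' "$SAMPLE_SYSLOG" | failed_root_logins
echo "failed root logins per client:"
printf '%s\n' "$SAMPLE_SYSLOG" | failed_root_by_client
```

In Graylog itself the equivalent is a search for sshd messages with a quick-values breakdown on the source field; the awk version is handy when checking a single client host before its logs are forwarded.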


 

Conclusion

To conclude, we saw how to install Graylog on CentOS 7. Our Support Engineers suggest this as an effective and easy method to make the logs more structured and searchable.
