
Graylog (formerly known as Graylog2) is an open source syslog management platform that helps you collect, index and analyze syslog messages in a centralized location.

Packages and their versions used in this tutorial

  1. CentOS 7.1 minimal with 1GB of RAM
  2. Java 1.8.0 openjdk
  3. ElasticSearch 1.7.5
  4. MongoDB 3.0
  5. Graylog server 1.2.0
  6. Graylog web 1.2.2

1. Install EPEL Repository

The CentOS Extras repository includes a package to install EPEL.

Add the EPEL repository by downloading its RPM with wget and then installing it. If wget is not installed, install it first with # yum install wget

# cd ~
# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
# rpm -ivh epel-release-7-7.noarch.rpm

Install EPEL Repository

2. Install Java

Install OpenJDK Java using the following command.

# yum install java-1.8.0-openjdk

Now check the Java version using the following command.

# java -version

Java version

3. Install Elasticsearch

Elasticsearch is an open source search server capable of real-time distributed search and analytics through a RESTful web interface. It stores all the syslog messages received by the Graylog server and returns them to the Graylog web interface when a user runs a search.

To install Elasticsearch, first import its GPG key.

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Add Elasticsearch repository.

# nano /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-1.7]
name=Elasticsearch repository for 1.7.x packages
baseurl=http://packages.elastic.co/elasticsearch/1.7/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Add elasticsearch repository

Now install Elasticsearch using the following command.

# yum -y install elasticsearch

Install elastic search

Configure Elasticsearch to start during system startup.

# systemctl daemon-reload
# systemctl enable  elasticsearch.service

Daemon reload

4. Configure/Test Elasticsearch

In the Elasticsearch configuration, set exactly the same cluster name (cluster.name: graylog2) that Graylog is going to use; Graylog will only join a cluster whose name matches.

# nano /etc/elasticsearch/elasticsearch.yml

……………..
cluster.name: graylog2
………………

Disable dynamic scripting to prevent remote code execution through Elasticsearch's scripting API; add the following line at the end of the same file.

……………..
script.disable_dynamic: true
………………

Configure the firewall to allow traffic to port 9200. Note that Elasticsearch 1.x has no built-in authentication, so anyone who can reach this port can read and delete indices; the Graylog server on the same host does not need it, so only open it for hosts that really must query Elasticsearch directly.

# firewall-cmd --zone=public --add-port=9200/tcp --permanent
# firewall-cmd --reload

If firewalld is not installed on your CentOS 7 system, install it using the following commands.

# yum install firewalld
# systemctl start firewalld
# systemctl enable firewalld

Now restart the Elasticsearch service to load the modified configuration.

# systemctl restart elasticsearch.service

Test the Elasticsearch service:

# curl -X GET http://localhost:9200

Curl output

Execute the following command to check the Elasticsearch cluster health; the cluster status must be “green” for Graylog to work.

# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Curl output
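As an added example that is not part of the original tutorial, the following shell script checks the two elasticsearch.yml settings above and waits for the cluster health endpoint to report green before you go on to install Graylog. The file path, the URL and the script name (es_check.sh) are assumptions; everything except es_wait_green works offline, and the checks only print a reason and fail when a setting is wrong.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the
# Elasticsearch settings that Graylog depends on. Path and URL are the ones
# used in the tutorial and can be overridden through the environment.

ES_YML="${ES_YML:-/etc/elasticsearch/elasticsearch.yml}"
ES_URL="${ES_URL:-http://localhost:9200}"

# Print the value of a top-level "key: value" setting from an Elasticsearch
# YAML file, ignoring commented-out lines. Prints nothing if it is unset.
es_setting() {
    # $1 = file, $2 = key (regex-escaped, e.g. 'cluster\.name')
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 only when the file carries both settings the tutorial requires:
# the cluster name Graylog joins and dynamic scripting switched off.
check_es_yml() {
    f="$1"
    name=$(es_setting "$f" 'cluster\.name')
    dyn=$(es_setting "$f" 'script\.disable_dynamic')
    [ "$name" = "graylog2" ] || { echo "cluster.name is '$name', expected graylog2" >&2; return 1; }
    [ "$dyn" = "true" ] || { echo "script.disable_dynamic is '$dyn', expected true" >&2; return 1; }
    return 0
}

# Extract the "status" field from the JSON that _cluster/health returns.
# Uses only sed so it works on a minimal CentOS install without jq.
es_status_from_json() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Poll the cluster until it reports green, or give up after N seconds.
es_wait_green() {
    timeout="${1:-60}"
    while [ "$timeout" -gt 0 ]; do
        status=$(curl -s "$ES_URL/_cluster/health" | es_status_from_json)
        [ "$status" = "green" ] && return 0
        echo "cluster status: ${status:-unreachable}, waiting..." >&2
        sleep 2
        timeout=$((timeout - 2))
    done
    return 1
}

main() {
    check_es_yml "$ES_YML" && es_wait_green 60 && echo "Elasticsearch is ready for Graylog"
}

# Only run the checks when executed directly as es_check.sh, not when sourced.
if [ "${0##*/}" = "es_check.sh" ]; then
    main
fi
```

Run it as sh es_check.sh after restarting Elasticsearch; a yellow status on a single node usually means an index still has replicas configured, which the Graylog setting elasticsearch_replicas = 0 later in this tutorial avoids.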

5. Install MongoDB

Create a MongoDB 3.0 repository file. Note that gpgcheck=0 in this definition disables package signature verification for the repository; on a production host, enable it with MongoDB's published repository signing key.

# nano /etc/yum.repos.d/mongodb-org-3.0.repo

[mongodb-org-3.0]
name=MongoDB Repository
baseurl=http://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.0/x86_64/
gpgcheck=0
enabled=1

Configure mongodb repo

Install MongoDB using the following command.

# yum -y install mongodb-org

Once installed, you will get a confirmation message like the one below.

Confirmation mongoDB installation

If you use SELinux, install the following package so that you can adjust the SELinux policy.

# yum -y install policycoreutils-python

Run the following command to configure SELinux to allow MongoDB to bind its port and start.

# semanage port -a -t mongod_port_t -p tcp 27017

Alternatively, if you do not want to use SELinux on the system, disable it.

Start the MongoDB service and enable it to start automatically at boot.

# service mongod start
# systemctl enable mongod

Enable mongoDB

6. Install/Configure Graylog syslog server

Use the following command to install the Graylog repository.

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-1.2-repository-el7_latest.rpm

Install graylog repository

Now install the Graylog server.

# yum -y install graylog-server

Install graylog server

Edit the server.conf file.

# nano /etc/graylog/server/server.conf

Configure the following variables in that file.

Set password_secret, which Graylog uses to secure stored user passwords. Generate it with the following command; it must be at least 64 characters long.

# pwgen -N 1 -s 96

Generate pwgen secret

Note: If pwgen is not installed, install it using the following command.

# yum install pwgen

Install pwgen

Now put the generated value in server.conf:

password_secret = <the output of the pwgen command above>

Password secret

Set a SHA-256 hash of the root (admin) password. You will use this password to log in to the web interface; the admin password cannot be changed from the web interface, it can only be set by editing this variable.

# echo -n somepass.123 | sha256sum

Generate sha

Place the hash in server.conf. Copy only the 64-character hex digest, not the trailing “ -” that sha256sum prints after it.

root_password_sha2 = <the hex digest from the sha256sum command above>
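The following shell script is an added example, not part of the original tutorial. It produces the two secrets above (password_secret and root_password_sha2) without leaving the admin password in shell history, and it checks a server.conf file for the mistakes that most often break the first login: a secret that is too short, or a hash that still carries quotes or the " -" suffix from sha256sum. The script name graylog_secrets.sh and the /dev/urandom fallback for hosts without pwgen are assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate the two secrets for
# /etc/graylog/server/server.conf and validate the resulting file.

# Hash stdin with SHA-256 and print only the hex digest. `sha256sum` appends
# " -" for stdin input; that suffix must not end up in root_password_sha2.
sha256_hex() {
    sha256sum | cut -d ' ' -f 1
}

# Prompt for the admin password without echoing it, so it is neither shown
# on screen nor recorded in shell history (unlike `echo -n pass | sha256sum`).
read_password_hash() {
    stty -echo 2>/dev/null
    printf 'Admin password: ' >&2
    read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw" | sha256_hex
}

# Generate password_secret: pwgen as in the tutorial when available,
# otherwise 96 alphanumeric characters from /dev/urandom (assumed fallback).
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
        echo
    fi
}

# Read a "key = value" setting from server.conf (first uncommented match).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when both secrets are present and well formed: password_secret is
# at least 64 characters and root_password_sha2 is a bare 64-digit lowercase
# hex value with no surrounding quotes and no trailing " -".
check_server_conf() {
    f="$1"
    secret=$(conf_get "$f" password_secret)
    hash=$(conf_get "$f" root_password_sha2)
    [ "${#secret}" -ge 64 ] || { echo "password_secret is shorter than 64 characters" >&2; return 1; }
    case "$hash" in
        *[!0-9a-f]*|"") echo "root_password_sha2 is not a bare hex SHA-256 digest" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 64 ] || { echo "root_password_sha2 must be exactly 64 hex digits" >&2; return 1; }
    return 0
}

# When executed directly as graylog_secrets.sh, print both lines ready to
# paste into server.conf; when sourced, only define the functions.
if [ "${0##*/}" = "graylog_secrets.sh" ]; then
    echo "password_secret = $(gen_password_secret)"
    echo "root_password_sha2 = $(read_password_hash)"
fi
```

After editing server.conf, source the script and run check_server_conf /etc/graylog/server/server.conf; it exits non-zero with a reason on stderr if either value would be rejected.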

Set the email address of the root (admin) user.

root_email = "root@demohost.com"

Set timezone of root (admin) user.

root_timezone = UTC

Configure Server 

Next, configure Elasticsearch Zen unicast discovery in Graylog so that it connects to the local Elasticsearch node on port 9300:

elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

Configure Server

Make sure is_master is set to true:

is_master = true

The other parameters to edit are as follows:

elasticsearch_max_docs_per_index = 20000000 (the number of log messages to keep per index)

elasticsearch_max_number_of_indices = 20 (the total number of indices to keep)

elasticsearch_shards = 1 (the number of shards per index, set to one per node in the Elasticsearch cluster)

elasticsearch_replicas = 0 (the number of replicas per index; for a single-node Elasticsearch cluster, set it to 0)

mongodb_useauth = false (whether Graylog authenticates to MongoDB; false matches the MongoDB installation above, which has no authentication configured)

Start the Graylog server using the following command.

# systemctl restart graylog-server

Watch the server startup log; it is the first place to look if Graylog fails to start or cannot reach Elasticsearch or MongoDB.

7. Install/Configure Graylog web interface

The graylog-web-interface requires at least one graylog-server node. Install the web interface using the command below.

# yum -y install graylog-web

Install graylog web

Edit the configuration file and set the following parameters.

# nano /etc/graylog/web/web.conf

graylog2-server.uris is the list of graylog-server nodes; you can add multiple nodes separated by commas. application.secret is a second random secret, generated the same way as password_secret.

graylog2-server.uris="http://127.0.0.1:12900/"

application.secret="<generate it with # pwgen -N 1 -s 96>"

Restart the graylog-web-interface using the following command.

# systemctl restart graylog-web

8. Configure firewall

Open port 9000 so that browsers can reach the Graylog web interface, using the same firewall-cmd steps as for port 9200. The port on which Graylog's syslog input listens (8514/udp in the rsyslog configuration below) must also be reachable from the clients.

Configure firewall

9. Configure Rsyslog/client

Now configure every client that should send syslog to the Graylog server. On the client, create an rsyslog configuration file named 90-graylog.conf in /etc/rsyslog.d.

# nano /etc/rsyslog.d/90-graylog.conf

and add the following:

$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @graylog_private_IP:8514;GRAYLOGRFC5424

The only value you need to change is graylog_private_IP, which must be replaced with the Graylog server's private IP address. In our case, the Graylog server's private IP is 172.31.45.21.

Configure rsyslog

Save the file and quit. Restart rsyslog on the client to load the new configuration.

# sudo service rsyslog restart

In this way, you can configure rsyslog on every client system whose logs you want to send to the Graylog server and monitor those logs through the Graylog web interface.
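The script below is an added example, not part of the original tutorial. It reproduces the shape of the line that the GRAYLOGRFC5424 template above emits (PRI, version 1, RFC 3339 timestamp, hostname, app name, process id, message), so that you can send one known test message to the Graylog input from a client and confirm it arrives and is parsed, and it decodes the PRI field back into facility and severity when you read the raw message in the web interface. The template omits the MSGID and STRUCTURED-DATA fields that a full RFC 5424 header carries, so the line built here omits them too. The host 172.31.45.21, port 8514 and the script name graylog_udp_test.sh are taken from or assumed for this tutorial; sending uses bash's /dev/udp, which is why the script needs bash.

```shell
#!/bin/bash
# Added example (not part of the tutorial): build and send a test message in
# the format the GRAYLOGRFC5424 rsyslog template produces.

GRAYLOG_HOST="${GRAYLOG_HOST:-172.31.45.21}"   # tutorial's private IP
GRAYLOG_PORT="${GRAYLOG_PORT:-8514}"           # port in the rsyslog rule

# PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
# Facility 1 is "user", severity 6 is "informational".
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Assemble "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSG", which is what
# %pri%, %protocol-version%, %timestamp:::date-rfc3339%, %HOSTNAME%,
# %app-name%, %procid% and %msg% expand to in the template.
rfc5424_line() {
    # $1 facility, $2 severity, $3 RFC 3339 timestamp, $4 hostname,
    # $5 app name, $6 process id ("-" if unknown), $7 message text
    printf '<%s>1 %s %s %s %s %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6" "$7"
}

# Send one line over UDP, matching the single "@" in "*.* @host:port"
# (a double "@@" in rsyslog would mean TCP). Uses bash's /dev/udp so no
# netcat is needed on the client.
send_udp() {
    # $1 host, $2 port, $3 line
    printf '%s\n' "$3" > "/dev/udp/$1/$2"
}

# Decode the PRI of a received line back into facility and severity, which
# is handy when comparing the raw message Graylog stores with what was sent.
decode_pri() {
    pri=${1#<}
    pri=${pri%%>*}
    echo "facility=$((pri / 8)) severity=$((pri % 8))"
}

# When executed directly as graylog_udp_test.sh, send one user.info message
# tagged graylog-test with this shell's PID; when sourced, only define functions.
if [ "${0##*/}" = "graylog_udp_test.sh" ]; then
    line=$(rfc5424_line 1 6 "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" graylog-test "$$" "test message from $(hostname)")
    echo "sending: $line"
    send_udp "$GRAYLOG_HOST" "$GRAYLOG_PORT" "$line"
fi
```

After running it on a client, search the Graylog web interface for source:<client hostname>; if the message shows up with the right facility and level the firewall path and the input are working, and if it is missing the first things to check are the 8514/udp firewall rule and whether a syslog UDP input is actually running on the server.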

10. Access Graylog web interface

Point your browser to http://demohost.com:9000.

Graylog login

Log in with user ‘admin’ and the password whose hash you stored in root_password_sha2. In our case it is somepass.123.

Graylog dashboard

Launch a new GELF http input

Prepare GELF HTTP INPUT

Graylog system information.

Graylog system info

That's all; you can now manage and monitor the servers' syslog through the Graylog web interface.
