Graylog (formerly known as Graylog2) is an open source log management platform that helps you collect, index and analyze syslog messages in a central location.
Packages and their versions used in this tutorial
- CentOS 7.1 minimal with 1GB of RAM
- Java 1.8.0 openjdk
- ElasticSearch 1.7.5
- MongoDB 3.0
- Graylog server 1.2.0
- Graylog web 1.2.2
1. Install EPEL Repository
The CentOS Extras repository includes a package that installs EPEL.
Add the EPEL repository by downloading its rpm file with wget and then installing it. If wget is not installed yet, install it with # yum install wget
# cd ~
# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
# rpm -ivh epel-release-7-7.noarch.rpm
2. Install Java
Install OpenJDK Java using the following command.
# yum install java-1.8.0-openjdk
Now check the Java version using the following command.
3. Install Elasticsearch
Elasticsearch is an open source search server capable of real-time distributed search and analytics, with a RESTful web interface. Elasticsearch stores all the syslog messages received by the Graylog server and returns them to the Graylog web interface when users run searches.
To install Elasticsearch, first import its GPG key.
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Add Elasticsearch repository.
# nano /etc/yum.repos.d/elasticsearch.repo
name=Elasticsearch repository for 1.7.x packages
Now install Elasticsearch using the following command.
# yum -y install elasticsearch
Configure Elasticsearch to start during system startup.
# systemctl daemon-reload
# systemctl enable elasticsearch.service
4. Configure/Test Elasticsearch
It is important that the cluster name in the Elasticsearch configuration is exactly the one Graylog will use (cluster.name: graylog2).
# nano /etc/elasticsearch/elasticsearch.yml
Disable dynamic scripting to prevent remote code execution; this is done by adding the following line at the end of the above file.
Configure the firewall to allow traffic to port 9200.
# firewall-cmd --zone=public --add-port=9200/tcp --permanent
# firewall-cmd --reload
If firewalld is not installed on your CentOS 7 system, install it using the following commands.
# yum install firewalld
# systemctl start firewalld
# systemctl enable firewalld
Now restart the Elasticsearch services to load the modified configuration.
# systemctl restart elasticsearch.service
Test the Elasticsearch service.
# curl -X GET http://localhost:9200
Execute the following command to check the Elasticsearch cluster health; the cluster status must be "green" for Graylog to work.
# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
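As an added example (not part of the original tutorial), the following POSIX shell helpers check the two Elasticsearch settings this step relies on (cluster.name: graylog2 and, for Elasticsearch 1.x, script.disable_dynamic: true) and pull the status field out of the cluster health JSON so a script can stop when the cluster is not green. The check for network.host: 127.0.0.1 is an extra assumption added here: Elasticsearch 1.x has no authentication of its own, and Graylog on the same host reaches it locally, so binding it to loopback avoids exposing port 9200 at all. The sample config and health JSON below are constructed, not captured from a running node.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity checks for the
# Elasticsearch settings Graylog depends on. Works on a config file and on
# the JSON that /_cluster/health returns, so it runs offline.

# Return 0 if elasticsearch.yml carries the settings Graylog needs, 1 otherwise.
# Required by the tutorial: cluster.name: graylog2 and script.disable_dynamic: true.
# Assumption added here: network.host: 127.0.0.1, because Elasticsearch 1.x has
# no built-in authentication and Graylog on the same host talks to it locally.
check_es_config() {
  conf="$1"
  rc=0
  # drop comments and blank lines so a commented-out key is not taken as set
  filtered=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
  printf '%s\n' "$filtered" | grep -Eq '^cluster\.name:[[:space:]]*graylog2[[:space:]]*$' \
    || { echo "cluster.name is not graylog2"; rc=1; }
  printf '%s\n' "$filtered" | grep -Eq '^script\.disable_dynamic:[[:space:]]*true[[:space:]]*$' \
    || { echo "dynamic scripting is not disabled"; rc=1; }
  printf '%s\n' "$filtered" | grep -Eq '^network\.host:[[:space:]]*127\.0\.0\.1[[:space:]]*$' \
    || { echo "network.host is not bound to 127.0.0.1"; rc=1; }
  return $rc
}

# Read /_cluster/health JSON (pretty-printed or not) on stdin and print the
# value of its "status" field: green, yellow or red.
es_health_status() {
  tr -d '\n ' | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Return 0 only when the health JSON on stdin reports green.
es_is_green() {
  [ "$(es_health_status)" = "green" ]
}

# --- demo on constructed inputs (not output captured from a real node) ---
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed elasticsearch.yml fragment
cluster.name: graylog2
network.host: 127.0.0.1
script.disable_dynamic: true
EOF
check_es_config "$sample_conf" && echo "elasticsearch.yml: OK"
rm -f "$sample_conf"

sample_health='{ "cluster_name" : "graylog2", "status" : "green", "number_of_nodes" : 1 }'
printf '%s\n' "$sample_health" | es_is_green && echo "cluster status: green"
```

On a real node you would run `check_es_config /etc/elasticsearch/elasticsearch.yml` after editing the file, and pipe the output of the curl command above into `es_is_green` before starting Graylog.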
5. Install MongoDB
Create a mongodb-stable repository file.
# nano /etc/yum.repos.d/mongodb-org-3.0.repo
Install MongoDB using the following command.
# yum -y install mongodb-org
Once installed, you will see a confirmation message like the one below.
If you use SELinux, you must install the following package in order to configure certain elements of the SELinux policy.
# yum -y install policycoreutils-python
Run the following command to configure SELinux to allow MongoDB to start.
# semanage port -a -t mongod_port_t -p tcp 27017
Alternatively, if you do not want to use SELinux on the system, disable it.
Start the MongoDB service and enable it to start automatically at boot.
# service mongod start
# systemctl enable mongod
6. Install/Configure Graylog syslog server
Use the following command to install the Graylog repository.
Now install the Graylog server.
# yum -y install graylog-server
Edit the server.conf file.
# nano /etc/graylog/server/server.conf
Configure the following variables in that file.
Set a secret that is used to secure the user passwords. Generate it with the following command; it must be at least 64 characters long.
# pwgen -N 1 -s 96
Note: if pwgen is not installed, install it using the following command.
# yum install pwgen
Now put the password_secret value in server.conf
password_secret = "The value of the above pwgen command"
Set the SHA-256 hash of the root (admin) user's password. You will use this password to log in to the web interface; the admin password cannot be changed from the web interface, it can only be set by editing this variable.
# echo -n somepass.123 | sha256sum
Place the resulting hash value in server.conf.
root_password_sha2 = "The value of the above echo command"
Set the email address of the root (admin) user.
root_email = "firstname.lastname@example.org"
Set timezone of root (admin) user.
root_timezone = UTC
Next, configure Zen unicast discovery in Graylog.
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
Make sure is_master is set to true:
is_master = true
The other parameters that we are going to edit are as follows:
elasticsearch_max_docs_per_index = 20000000 (the number of log messages to keep per index)
elasticsearch_max_number_of_indices = 20 (defines total number of indices)
elasticsearch_shards = 1 (number of nodes in the Elasticsearch cluster)
elasticsearch_replicas = 0 (the number of replicas for your indices; for a single-node Elasticsearch cluster, set it to 0)
mongodb_useauth = false (MongoDB authentication information)
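The helpers below are an added example, not code from the original tutorial or from the Graylog project. They produce the root_password_sha2 value the same way the echo -n ... | sha256sum command above does, enforce the 64-character minimum on password_secret (the same length check applies to application.secret in web.conf later on), write the settings listed in this section, and audit an existing server.conf for two common paste mistakes: leaving the placeholder quotes in place, or copying the trailing "  -" that sha256sum prints after the digest. Graylog reads the values unquoted. The secret and email used in the demo are constructed; in practice generate the secret with pwgen as shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: produce and validate the
# secrets that go into /etc/graylog/server/server.conf.

# Print the SHA-256 hex digest of a password, i.e. what
# "echo -n <password> | sha256sum" prints before its trailing "  -".
# Falls back to shasum on systems without coreutils sha256sum.
graylog_root_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Return 0 if the value is usable as password_secret: at least 64 characters
# and no whitespace.
check_password_secret() {
  case "$1" in *[[:space:]]*) return 1 ;; esac
  [ "${#1}" -ge 64 ]
}

# Return 0 if the value is a bare 64-character lowercase hex digest.
# Rejects the tutorial's placeholder quotes and the "  -" suffix of sha256sum.
check_root_password_sha2() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Emit the server.conf settings this tutorial sets, unquoted as Graylog expects.
#   $1 = password_secret, $2 = admin password (hashed here), $3 = root_email
render_graylog_server_conf() {
  secret="$1"; password="$2"; email="$3"
  check_password_secret "$secret" || { echo "password_secret must be >= 64 characters" >&2; return 1; }
  printf 'password_secret = %s\n' "$secret"
  printf 'root_password_sha2 = %s\n' "$(graylog_root_hash "$password")"
  printf 'root_email = %s\n' "$email"
  printf 'root_timezone = UTC\n'
  printf 'elasticsearch_discovery_zen_ping_multicast_enabled = false\n'
  printf 'elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300\n'
  printf 'is_master = true\n'
  printf 'elasticsearch_max_docs_per_index = 20000000\n'
  printf 'elasticsearch_max_number_of_indices = 20\n'
  printf 'elasticsearch_shards = 1\n'
  printf 'elasticsearch_replicas = 0\n'
  printf 'mongodb_useauth = false\n'
}

# Audit an existing server.conf; prints each problem and returns 1 if any.
audit_graylog_server_conf() {
  conf="$1"; rc=0
  secret=$(sed -n 's/^password_secret[[:space:]]*=[[:space:]]*//p' "$conf")
  hash=$(sed -n 's/^root_password_sha2[[:space:]]*=[[:space:]]*//p' "$conf")
  check_password_secret "$secret" \
    || { echo "password_secret: shorter than 64 characters or contains whitespace"; rc=1; }
  check_root_password_sha2 "$hash" \
    || { echo "root_password_sha2: not a bare 64-character hex digest (quotes or '  -' left in?)"; rc=1; }
  return $rc
}

# --- demo with constructed values (use pwgen for a real secret) ---
demo_secret='constructed-secret-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
render_graylog_server_conf "$demo_secret" 'somepass.123' 'admin@example.org'
```

After editing the real file, `audit_graylog_server_conf /etc/graylog/server/server.conf` reports the two paste mistakes before you start graylog-server, which otherwise surface only as a failed admin login.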
Start the graylog server using the following command.
# systemctl restart graylog-server
Check the server startup logs; they are useful for troubleshooting Graylog if anything goes wrong.
7. Install/Configure Graylog web interface
To configure the graylog-web-interface, you must have at least one graylog-server node. Install the web interface using the following command.
# yum -y install graylog-web
Edit the configuration file and set the following parameters.
# nano /etc/graylog/web/web.conf
Set the list of graylog-server nodes; you can add multiple nodes, separated by commas.
application.secret="Generate it using the command # pwgen -N 1 -s 96"
Restart the graylog-web-interface using the following command.
# systemctl restart graylog-web
8. Configure firewall
Open port 9000 to allow traffic to the Graylog web interface on the server.
9. Configure Rsyslog/client
Now configure every client that should send syslog to the Graylog server. On the client system, create an rsyslog configuration file named 90-graylog.conf inside /etc/rsyslog.d and add the following:
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @graylog_private_IP:8514;GRAYLOGRFC5424
The only thing you need to change is to replace graylog_private_IP with the Graylog server's private IP address. In our case, the Graylog server's private IP is 172.31.45.21.
Save the file and quit. Restart rsyslog in the client system to reload the new configuration.
# sudo service rsyslog restart
In this way, configure rsyslog on every client system whose logs you want to send to the Graylog server, and monitor the logs through the Graylog web interface.
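As an added example (not from the original tutorial), the helper below writes the two rsyslog directives above from a validated server address instead of relying on a hand edit of the placeholder. In rsyslog's action syntax a single @ before the address sends over UDP, which is what the tutorial uses, and @@ sends over TCP; the function accepts either so the choice is explicit, and it rejects anything that is not a dotted-quad IPv4 address (such as the untouched graylog_private_IP placeholder). The address 172.31.45.21 is the one the tutorial uses; the port defaults to 8514 as above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the client's
# /etc/rsyslog.d/90-graylog.conf from a validated Graylog server address.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  ip="$1"
  case "$ip" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  n=0
  for o in $(printf '%s' "$ip" | tr '.' ' '); do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Print the two directives for 90-graylog.conf.
#   $1 = Graylog server IP (required)
#   $2 = udp | tcp (default udp; rsyslog writes "@" for UDP and "@@" for TCP)
#   $3 = port (default 8514, as in the tutorial)
render_graylog_rsyslog_conf() {
  ip="$1"; proto="${2:-udp}"; port="${3:-8514}"
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  case "$proto" in
    udp) prefix='@' ;;
    tcp) prefix='@@' ;;
    *) echo "protocol must be udp or tcp" >&2; return 1 ;;
  esac
  # %% is a literal % and \\n a literal \n for printf, so the template line
  # comes out exactly as rsyslog expects it
  printf '$template GRAYLOGRFC5424,"<%%pri%%>%%protocol-version%% %%timestamp:::date-rfc3339%% %%HOSTNAME%% %%app-name%% %%procid%% %%msg%%\\n"\n'
  printf '*.* %s%s:%s;GRAYLOGRFC5424\n' "$prefix" "$ip" "$port"
}

# --- demo: the tutorial's server address, UDP, default port ---
render_graylog_rsyslog_conf 172.31.45.21
```

On a client you would run `render_graylog_rsyslog_conf 172.31.45.21 > /etc/rsyslog.d/90-graylog.conf` and then restart rsyslog as shown above; passing `tcp` as the second argument produces the `@@` form if the Graylog input is configured for TCP instead.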
10. Access Graylog web interface
Point your browser to http://demohost.com:9000.
Log in with the user 'admin' and the password whose hash you set in root_password_sha2. In our case it is somepass.123.
Launch a new GELF http input
Graylog system information.
That's all; you can now manage and monitor the server's syslog through the Graylog web interface.