How to Install Graylog 3 on RHEL 7 or CentOS 7

The system log is a crucial part of debugging a system: it records details of activity at the OS level and in each application. That is why log management is needed and important. Graylog is an open source log management and analysis tool that suits anything from SSH login monitoring to IT operations monitoring. This tutorial covers Graylog server installation, the Graylog dashboard and the Graylog alerting system. The latest release of Graylog at the time of writing is Graylog 3; please check the official site for the current release.

Graylog has some requirements to run smoothly, listed below.

System Requirements

According to the official Graylog installation docs, Graylog needs the following components to run smoothly.

  1. A modern Linux distribution (Debian, Ubuntu or CentOS is recommended).
  2. Oracle Java SE 8 (OpenJDK 8 also works; the latest stable update is recommended).
  3. MongoDB 3.6 or later – the database that stores the configuration and meta information.
  4. Elasticsearch 5 or later – stores the log messages received by the Graylog server and provides the features to search them whenever required. Elasticsearch is resource hungry because it indexes the data, so allocate more memory and use SAS or SAN disks.
  5. Graylog server, latest release Graylog 3 – an open source log management server that parses the logs coming from various inputs and provides a built-in web interface to handle them.

Pre-Installation

You need to install the following packages beforehand.

Install pwgen

sudo yum install -y pwgen

Install Java

Elasticsearch needs Java to run, so install either OpenJDK or Oracle JDK.

sudo yum install -y java-1.8.0-openjdk-headless

Check Java version.

# java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

Install shasum

You need to install the package that provides shasum; it is used for password hashing later in the tutorial.


sudo yum install -y perl-Digest-SHA

Now all the package dependencies are installed, and we move on to the main part of the tutorial.

Install Elasticsearch

Elasticsearch is one of the most important components of the Graylog installation. It stores the data coming from Graylog inputs and returns messages whenever the Graylog built-in web interface requests them on behalf of a user.

Elasticsearch is used heavily here to index the data/logs and to provide search functionality whenever the Graylog web interface requests any data.

The following covers the basic configuration required for Graylog.

Import the GPG signing key beforehand.

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Create a new repository file to get the latest version of Elasticsearch package from the official repository.

sudo nano /etc/yum.repos.d/elasticsearch.repo

Append the following content to the above file.

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Refresh the new repository.

sudo yum repolist

Install the Elasticsearch package using yum command.

sudo yum install -y elasticsearch

Reload the systemd daemon and enable Elasticsearch so that it starts automatically at system startup.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch

To make Elasticsearch work with the Graylog setup, we need to set the cluster name to graylog. Edit the elasticsearch.yml file, find cluster.name and change it as follows.

cluster.name: graylog

Restart Elasticsearch.

sudo systemctl restart elasticsearch

Give it a minute to let Elasticsearch fully restart. Elasticsearch should now be listening on port 9200 for HTTP requests. Use curl to check the response.

curl -XGET http://localhost:9200

The cluster_name should be graylog.

{
  "name" : "DF8QK3-",
  "cluster_name" : "graylog",
  "cluster_uuid" : "_wAgUfN9RJeQ0npCKBswVA",
  "version" : {
    "number" : "6.7.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "b9262f8",
    "build_date" : "2019-02-24T09:45:09.486440Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}


Perform a health check with the following command.

curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Make sure the status value is green.

{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Install MongoDB

MongoDB serves as the database that stores the Graylog configuration and meta information. We will install the latest MongoDB release from the official repository. Create the repository file first.

sudo nano /etc/yum.repos.d/mongodb-org-4.0.repo

Append the snippet below to the above file.

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

Refresh the repo list.

sudo yum repolist

Install the community edition of MongoDB with the command below.

sudo yum install -y mongodb-org

Start MongoDB and enable it at system startup.

sudo systemctl start mongod
sudo systemctl enable mongod

Check that MongoDB is active.

sudo systemctl status mongod

Install Graylog Server

The Graylog server accepts and processes the log messages coming from the various inputs and serves the data requested by the Graylog dashboard.

Download and install the Graylog 3.x repository package from the official repository.

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm

Install the Graylog server using the below command.

sudo yum -y install graylog-server

Edit the server.conf file to modify the Graylog configuration. You need to set password_secret and root_password_sha2.

sudo nano /etc/graylog/server/server.conf

Alternatively, use the following command to create a secret with pwgen and write it to the password_secret entry in server.conf.

sudo sed -i -e "s/password_secret =.*/password_secret = $(pwgen -s 128 1)/" /etc/graylog/server/server.conf

Next, set the hashed password for the root user, i.e., the Graylog admin. You need this password to log in to the Graylog web dashboard.


If you ever need to change or reset a forgotten password, update root_password_sha2 in server.conf with a new hash.

Generate the hash with the command below, which uses shasum to hash your password and writes the value to root_password_sha2 in server.conf. Replace rootpasswordchangethis with a password of your choice.

sudo sed -i -e "s/root_password_sha2 =.*/root_password_sha2 = $(echo -n 'rootpasswordchangethis' | shasum -a 256 | cut -d' ' -f1)/" /etc/graylog/server/server.conf
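As an added example (not from the original post), the following POSIX shell script performs the same password_secret and root_password_sha2 step, but reads the root password from stdin so it never appears on the command line (shell history, process list), and edits the file with awk, whose replacement does not break on '/' or '&' in a value the way the sed command above does. It assumes sha256sum or shasum is installed; pwgen is optional and /dev/urandom is used when it is missing.

```shell
# Added example, not from the original post: set password_secret and
# root_password_sha2 in server.conf. The root password is read from stdin
# so it never appears on the command line (shell history, process list),
# and the file is edited with awk, which does not misread '/' or '&' in a
# value the way the sed replacement in the command above does.
# Assumptions: sha256sum (coreutils) or shasum (perl-Digest-SHA) is present;
# pwgen is optional and /dev/urandom is used when it is missing.

# Print a 128-character alphanumeric secret, equivalent to `pwgen -s 128 1`.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s 128 1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 128
        echo
    fi
}

# SHA-256 hex digest of stdin, the form Graylog expects in root_password_sha2.
sha256_of_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# Replace the line "key = ..." with "key = value"; commented lines are left alone.
# (awk -v interprets backslashes, which hex digests and alphanumeric secrets never contain.)
set_conf_value() {
    conf="$1" key="$2" value="$3"
    awk -v k="$key" -v v="$value" '
        index($0, k " =") == 1 { print k " = " v; next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the current value of a key, for verification.
get_conf_value() {
    awk -v k="$2" 'index($0, k " =") == 1 { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# Usage: printf '%s' "$ROOT_PASSWORD" | set_graylog_secrets /etc/graylog/server/server.conf
# Returns non-zero if either key was missing (e.g. commented out) and nothing was set.
set_graylog_secrets() {
    conf="$1"
    hash=$(sha256_of_stdin)
    set_conf_value "$conf" password_secret "$(gen_secret)"
    set_conf_value "$conf" root_password_sha2 "$hash"
    [ "$(get_conf_value "$conf" root_password_sha2)" = "$hash" ] &&
        [ -n "$(get_conf_value "$conf" password_secret)" ]
}
```

Run it as root (or via sudo) against /etc/graylog/server/server.conf; the hash written is the same SHA-256 hex digest the shasum command above produces.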

Below are some recommended server.conf settings.

Set only one master node by defining the variable below; the default is true.

If this server is the second Graylog node in your environment, set it to false to make it a slave node. The master node performs some periodic tasks that slave nodes do not.

is_master = true

Set the number of log messages to keep per index. Several smaller indices are recommended over a few large ones.

elasticsearch_max_docs_per_index = 20000000

The following parameter defines the total number of indices to keep. When this number is reached, the oldest index is deleted.

elasticsearch_max_number_of_indices = 20

The shards setting depends on the number of nodes in your Elasticsearch cluster. If you have only one node, set it to 1.

elasticsearch_shards = 1

This defines the number of replicas for your indices. If you have only one node in the Elasticsearch cluster, set it to 0.

elasticsearch_replicas = 0

Accessing Graylog Dashboard

The Graylog dashboard is served on port 9000. Point your browser to: http://localhost:9000

Log in with the username admin and the password whose SHA-256 hash you set as root_password_sha2 in server.conf.

Conclusion

You have successfully installed Graylog 3 on your CentOS or Red Hat Enterprise Linux system. Now you can create and configure inputs from external sources to start receiving logs.

Originally posted 2019-05-06 00:39:16.