In this guide, I’ll take you through the steps to install Graylog on a CentOS 7|RHEL 7 Linux system. Graylog is an open source log management platform which enables you to aggregate up to terabytes of log data from multiple log sources, DCs, and geographies, with the capability to scale horizontally in your data center, cloud, or both.
The Graylog search function is really fast and powerful, and you can group your servers into streams for easy log searching. The Graylog UI is simple and intuitive, with complete user management and support for LDAP. It also has support for alerting and reporting.
Graylog 4.x has full support for OpenSearch 7.x and any latest version of MongoDB – 4.x. If you are an Ubuntu or CentOS 8 user, check:
- Install GrayLog on Ubuntu 22.04|18.04 / Ubuntu 18.04
- Install GrayLog on CentOS 8
Graylog depends on Java, OpenSearch, and MongoDB for its functions. OpenSearch is responsible for log storage, and MongoDB stores Graylog-related configuration.
Configure SELinux if enabled
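If you’re using SELinux on your system, apply the following settings (on CentOS 7|RHEL 7 the semanage command is provided by the policycoreutils-python package):
sudo yum -y install curl vim policycoreutils policycoreutils-python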
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017
Add required repositories
Enable EPEL repository on your CentOS 7 system.
CentOS 7:
sudo yum -y install epel-release
RHEL 7:
sudo subscription-manager repos --enable rhel-*-optional-rpms \
--enable rhel-*-extras-rpms \
--enable rhel-ha-for-rhel-*-server-rpms
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Add MongoDB Repository:
sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF
Install OpenSearch RPM repository key.
sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp
Add OpenSearch Repository:
sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
Update YUM package index cache:
sudo yum clean all
sudo yum -y makecache
Install OpenSearch and MongoDB
Run this command to install all required packages.
sudo yum -y install vim pwgen opensearch mongodb-org
Start mongod service and set it to start on boot.
sudo systemctl enable --now mongod
sudo systemctl status mongod
MongoDB paths:
Item | File system path |
---|---|
Configuration | /etc/mongod.conf |
Data files | /var/lib/mongo/ |
Log files | /var/log/mongodb/ |
Configure OpenSearch for Graylog
You need to modify the OpenSearch configuration file and set the cluster name to graylog. Additionally, you need to uncomment the cluster.name line (remove the # as first character) and add action.auto_create_index: false to the configuration file.
The file to edit is /etc/opensearch/opensearch.yml. Modify the settings accordingly.
$ sudo vi /etc/opensearch/opensearch.yml
cluster.name: graylog
action.auto_create_index: false
node.name: ${HOSTNAME}
discovery.type: single-node
network.host: 0.0.0.0
plugins.security.disabled: true
Edit JVM options and update the Xms & Xmx settings with half of the installed system memory.
$ sudo vim /etc/opensearch/jvm.options
-Xms1g
-Xmx1g
If your system doesn’t have adequate memory, you can adjust the max and min RAM values to 512MB.
-Xms512m
-Xmx512m
Update kernel parameters at runtime.
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
Start and enable opensearch service:
sudo systemctl daemon-reload
sudo systemctl enable --now opensearch
Confirm service status:
$ systemctl status opensearch
● opensearch.service - OpenSearch
Loaded: loaded (/usr/lib/systemd/system/opensearch.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2023-11-26 19:31:28 UTC; 5s ago
Docs: https://opensearch.org/
Main PID: 13555 (java)
CGroup: /system.slice/opensearch.service
└─13555 /usr/share/opensearch/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt...
Nov 26 19:31:11 cent7.mylab.io systemd[1]: Starting OpenSearch...
Nov 26 19:31:28 cent7.mylab.io systemd[1]: Started OpenSearch.
Hint: Some lines were ellipsized, use -l to show in full.
The default OpenSearch file locations are:
Item | File system path |
---|---|
Configuration | /etc/opensearch |
JVM settings | /etc/sysconfig/opensearch |
Data files | /var/lib/opensearch/ |
Log files | /var/log/opensearch/ |
The curl command can be used to check that OpenSearch is functioning.
$ curl -X GET http://localhost:9200
{
"name" : "cent7.mylab.io",
"cluster_name" : "graylog",
"cluster_uuid" : "wH3SIboPTKeK8Oi_GgKFgg",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.0",
"build_type" : "rpm",
"build_hash" : "4dcad6dd1fd45b6bd91f041a041829c8687278fa",
"build_date" : "2023-10-13T02:56:26.505314582Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Install Graylog Server
Now install the Graylog repository and Graylog itself with the following commands:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm
sudo yum -y install graylog-server
You also need to set the password_secret and root_password_sha2 variables in /etc/graylog/server/server.conf.
### Generate root_password_sha2
$ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: password <INPUT-PASSWORD>
The SHA-256 hash of the password is printed to the screen. We’ll put it in the configuration file.
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Generate password_secret using pwgen tool installed earlier.
$ pwgen -N 1 -s 96
pYJuHjPD0166gUEzhL3XUpTkacYAu26FFxVIRjvczINydWF7WwBbUEUaD5KukCUBIKpklbYn85ebWTOQg4UMMS0twWqB7Rep
These settings are mandatory and without them, Graylog will not start!
$ sudo vi /etc/graylog/server/server.conf
password_secret = Replace-me-with-generated-password-secret
root_password_sha2 = Replace-me-with-generated-hashed-root-secret
Example:
password_secret = pYJuHjPD0166gUEzhL3XUpTkacYAu26FFxVIRjvczINydWF7WwBbUEUaD5KukCUBIKpklbYn85ebWTOQg4UMMS0twWqB7Rep
root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Let’s also set the address and port that the Graylog HTTP interface binds to:
$ sudo vi /etc/graylog/server/server.conf
#line 105
http_bind_address = 0.0.0.0:9000
Next set the IP address of your OpenSearch server.
elasticsearch_hosts = http://127.0.0.1:9200
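The two files edited so far carry the settings most worth checking before the restart: opensearch.yml binds 0.0.0.0 with the security plugin disabled, and the sample root_password_sha2 shown above is the SHA-256 of the word password. The script below is an added example, not part of the original guide, that audits both files; the function names, the four-entry password list and the 64-character floor for password_secret are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide; function names are hypothetical.

# conf_value FILE SEP KEY: last uncommented "KEY SEP value", trimmed, unquoted.
conf_value() {
  awk -v s="$2" -v k="$3" '
    /^[ \t]*#/ { next }
    { n = index($0, s); if (n == 0) next
      name = substr($0, 1, n - 1); val = substr($0, n + 1)
      sub(/[ \t]+#.*$/, "", val)
      gsub(/^[ \t"]+|[ \t"]+$/, "", name); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
      if (name == k) found = val }
    END { print found }' "$1"
}

# OpenSearch: flag a non-loopback bind while the security plugin is disabled.
audit_opensearch() {
  local host sec
  host=$(conf_value "$1" ":" network.host)
  sec=$(conf_value "$1" ":" plugins.security.disabled)
  case "$host" in
    ""|_local_|localhost|127.0.0.1|::1) echo "OK: loopback only"; return 0 ;;
  esac
  [ "$sec" = "true" ] || { echo "OK: security plugin enabled"; return 0; }
  echo "EXPOSED: network.host=$host, security plugin disabled"; return 1
}

# Graylog: reject a root hash matching a guessable password (the guide's sample
# hash is sha256 of "password") or a secret under 64 chars (assumed floor).
audit_graylog() {
  local hash secret pw
  hash=$(conf_value "$1" "=" root_password_sha2)
  secret=$(conf_value "$1" "=" password_secret)
  for pw in password admin graylog changeme; do   # constructed short list
    if [ "$(printf '%s' "$pw" | sha256sum | cut -d' ' -f1)" = "$hash" ]; then
      echo "WEAK: root_password_sha2 is sha256 of '$pw'"; return 1
    fi
  done
  [ "${#secret}" -ge 64 ] || { echo "WEAK: password_secret too short"; return 1; }
  echo "OK: root hash not in list, secret length ${#secret}"
}

# Constructed sample files that mirror the guide's example values.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' 'network.host: 0.0.0.0' 'plugins.security.disabled: true' > "$d/os.yml"
  printf 'root_password_sha2 = %s\n' "$(printf password | sha256sum | cut -d' ' -f1)" > "$d/g.conf"
  audit_opensearch "$d/os.yml"; audit_graylog "$d/g.conf"; rm -rf "$d"
}
demo || true
```

On a real host, call audit_opensearch on /etc/opensearch/opensearch.yml and audit_graylog on /etc/graylog/server/server.conf as root. Because elasticsearch_hosts points at 127.0.0.1, setting network.host to 127.0.0.1 clears the first finding on this single-node layout without affecting Graylog.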
Restart graylog service for it to bind to all addresses on the system
sudo systemctl restart graylog-server
Graylog directory structure:
Item | File system path |
---|---|
Configuration | /etc/graylog/server/server.conf |
Logging configuration | /etc/graylog/server/log4j2.xml |
Plugins | /usr/share/graylog-server/plugin |
JVM settings | /etc/sysconfig/graylog-server |
Message journal files | /var/lib/graylog-server/journal |
Log Files | /var/log/graylog-server/ |
Start and Use Graylog Server
Now start graylog service and enable it to start on system boot up
sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service
Confirm service status:
$ systemctl status graylog-server.service
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2023-11-26 19:45:41 UTC; 12s ago
Docs: http://docs.graylog.org/
Main PID: 14729 (graylog-server)
CGroup: /system.slice/graylog-server.service
├─14729 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─14730 /usr/share/graylog-server/jvm/bin/java -Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true ...
Nov 26 19:45:41 cent7.mylab.io systemd[1]: Started Graylog server.
For a single node installation, you only need to open port 9000 for UI access and API. To do this on CentOS 7|RHEL 7, use firewalld.
sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
You can now access the Graylog web interface at http://public_ip:9000. You should get an interface like below.

We have come to the end of Install Graylog with OpenSearch 7.x on CentOS 7|RHEL 7. Read the next article on configuring a Graylog Nginx reverse proxy with Let’s Encrypt SSL.
From there, learn how to ingest messages into your Graylog and extract the messages with extractors, or use Pipelines to work with the messages.
Please consider adding a comment that graylog (and/or elasticsearch) requires /tmp to be executable (i.e. you can’t have noexec set in /etc/fstab) or set your temp/tmp variables to a location that you have rwx permissions.
Thanks for the comment, this will help a number of people.