In this guide, I’ll take you through the steps to install Graylog 3 on CentOS 7. Graylog is an open source log management platform that lets you aggregate up to terabytes of log data from multiple log sources, data centers, and geographies, with the capability to scale horizontally in your data center, in the cloud, or both.

The Graylog search function is fast and powerful, and you can group your servers into streams for easy log searching. The Graylog UI is simple and intuitive, with complete user management and LDAP support. It also supports alerting and reporting.

Graylog 3.x fully supports Elasticsearch 6.x and the current MongoDB 4.x releases. If you are an Ubuntu user, check Manage Logs with Graylog server on Ubuntu 18.04.

Install Graylog 3.0 on CentOS 7

Graylog depends on Java, Elasticsearch, and MongoDB to run. Elasticsearch stores the log messages, and MongoDB stores Graylog's own configuration and metadata.

Step 1: Configure SELinux

If you’re using SELinux on your system, apply the following settings:

sudo yum -y install curl vim policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Step 2: Add required repositories

Enable EPEL repository.

sudo yum -y install epel-release

Add MongoDB Repository:

sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo <<EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

Add Elasticsearch Repository:

sudo tee /etc/yum.repos.d/elasticsearch.repo <<EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Step 3: Install Java, Elasticsearch, and MongoDB

Run this command to install all required packages.

sudo yum -y install java-1.8.0-openjdk-headless.x86_64
sudo yum -y install pwgen elasticsearch-oss mongodb-org

Start the mongod service and enable it to start on boot.

sudo systemctl enable --now mongod
sudo systemctl status mongod

MongoDB file system paths:

  • Configuration: /etc/mongod.conf
  • Data files: /var/lib/mongodb/
  • Log files: /var/log/mongodb/

Step 4: Configure Elasticsearch for Graylog

You need to modify the Elasticsearch configuration file and set the cluster name to graylog. To do so, uncomment the cluster.name line (remove the # that is its first character) and set its value to graylog, then add action.auto_create_index: false to the configuration file:

The file to edit is /etc/elasticsearch/elasticsearch.yml.

$ sudo vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false

Start and enable elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch

Confirm service status:

$ systemctl status elasticsearch
 ● elasticsearch.service - Elasticsearch
    Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
    Active: active (running) since Mon 2019-09-16 08:37:55 UTC; 1min 49s ago
      Docs: http://www.elastic.co
  Main PID: 18442 (java)
    CGroup: /system.slice/elasticsearch.service
            └─18442 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Des…
 Sep 16 08:37:55 cent701.novalocal systemd[1]: Started Elasticsearch.

The default Elasticsearch file system paths are:

  • Configuration: /etc/elasticsearch
  • JVM settings: /etc/sysconfig/elasticsearch
  • Data files: /var/lib/elasticsearch/data
  • Log files: /var/log/elasticsearch/

Step 5: Install Graylog 3 on CentOS 7

Now install the Graylog repository and Graylog itself with the following commands:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
sudo yum -y install graylog-server

You also need to set the password_secret and root_password_sha2 variables in /etc/graylog/server/server.conf. These settings are mandatory; without them, Graylog will not start!

$ cat /etc/graylog/server/server.conf | grep password | grep -v '^ *#'
password_secret =
root_password_sha2 =

Generate password_secret with the pwgen tool installed earlier.

pwgen -N 1 -s 96

You need to use the following command to create your root_password_sha2:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
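As an added example that is not part of the original guide, the following POSIX shell functions automate the two mandatory settings above: they hash a password exactly as the sha256sum command above does, generate a password_secret of the guide's length (from /dev/urandom, since pwgen is assumed absent), and write both values into an existing server.conf. The function names and the use of a temporary file are my own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): populate the two mandatory
# secrets in a Graylog server.conf without leaving them in shell history.

# Hash a password the way Graylog expects root_password_sha2:
# SHA-256 of the raw password with no trailing newline.
sha256_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Generate an alphanumeric password_secret of the requested length
# (96 characters by default, matching the guide's pwgen invocation).
# pwgen is assumed not to be installed here, so /dev/urandom is used.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# The default server.conf asks for a password_secret of at least 64
# characters, because Graylog derives encryption keys from it; refuse
# anything shorter so a weak secret is never written.
check_secret_length() {
    [ "${#1}" -ge 64 ]
}

# Replace the "password_secret =" and "root_password_sha2 =" lines of an
# existing server.conf. Writes through a temp file and copies back so the
# original file's owner and mode are preserved, and no .bak copy holding
# the secrets is left behind.
set_graylog_secrets() {
    conf=$1; secret=$2; hash=$3
    check_secret_length "$secret" || { echo "password_secret too short" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed -e "s|^password_secret *=.*|password_secret = $secret|" \
        -e "s|^root_password_sha2 *=.*|root_password_sha2 = $hash|" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as root against /etc/graylog/server/server.conf, for example: set_graylog_secrets /etc/graylog/server/server.conf "$(gen_password_secret)" "$(sha256_password 'YourAdminPassword')".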

To be able to connect to Graylog you should set:

  • rest_listen_uri
  • web_listen_uri

to the public host name or a public IP address of the machine running the Graylog service.

Graylog file system paths:

  • Configuration: /etc/graylog/server/server.conf
  • Logging configuration: /etc/graylog/server/log4j2.xml
  • Plugins: /usr/share/graylog-server/plugin
  • JVM settings: /etc/sysconfig/graylog-server
  • Message journal files: /var/lib/graylog-server/journal
  • Log files: /var/log/graylog-server/

Step 6: Start Graylog service on CentOS 7

Now start the Graylog service and enable it to start on system boot.

sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service

Confirm service status:

$ systemctl status  graylog-server.service
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-09-16 09:08:11 UTC; 18s ago
     Docs: http://docs.graylog.org/
 Main PID: 19249 (graylog-server)
   CGroup: /system.slice/graylog-server.service
           ├─19249 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─19250 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+C...

Sep 16 09:08:11 cent701.novalocal systemd[1]: Stopped Graylog server.
Sep 16 09:08:11 cent701.novalocal systemd[1]: Started Graylog server.

Configure firewalld for Graylog

For a single-node installation, you only need to open port 9000 for UI and API access. To do this on CentOS 7, use firewalld.

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload

You can now access the Graylog web interface at http://public_ip:9000, where the Graylog login interface should appear.


This concludes the guide on installing Graylog 3.x with Elasticsearch 6.x on CentOS 7. Read the next article on configuring a Graylog Nginx reverse proxy with Letsencrypt SSL.

Next, learn how to ingest messages into Graylog and process them with extractors or with pipelines.
