Install Graylog
Introduction

Graylog2 is a powerful log management and analysis tool that has many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is based on Elasticsearch, Java, MongoDB, and Scala.

System Requirements

The Graylog server application has the following prerequisites:
·         Some modern Linux distribution (Debian Linux, Ubuntu Linux, or CentOS recommended)
·         Elasticsearch 2.3.5 or later
·         MongoDB 2.4 or later (latest stable version is recommended)
·         Oracle Java SE 8 (OpenJDK 8 also works; latest stable update is recommended)
Note: Graylog prior to 2.3 does not work with Elasticsearch 5.x!
Graylog 2.4 does not work with Elasticsearch 6.x yet!

Installation

In this setup guide I chose CentOS as the host.
1.       sudo yum install java-1.8.0-openjdk-headless.x86_64
2.       Install MongoDB
a.       Create the repository file /etc/yum.repos.d/mongodb-org-3.6.repo (for example with vim) with the following content:
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
b.       sudo yum install -y mongodb-org
c.       sudo chkconfig --add mongod
d.       sudo systemctl daemon-reload
e.       sudo systemctl enable mongod.service
f.        sudo systemctl start mongod.service
3.       Install Elasticsearch
a.       First import the Elastic GPG key with rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
b.       Add the repository file /etc/yum.repos.d/elasticsearch.repo with the following content:
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
c.       sudo yum install elasticsearch
d.       Configure /etc/elasticsearch/elasticsearch.yml (sample settings: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/settings.html#settings) and set cluster.name: graylog
e.       sudo chkconfig --add elasticsearch
f.        sudo systemctl daemon-reload
g.       sudo systemctl enable elasticsearch.service
h.       sudo systemctl restart elasticsearch.service
4.       Install Graylog2
b.       sudo yum install graylog-server
c.       Follow the instructions in your /etc/graylog/server/server.conf and add password_secret and root_password_sha2. These settings are mandatory and without them, Graylog will not start!
To get the SHA-256 hash of the password: echo -n yourpassword | sha256sum
d.       To be able to connect to Graylog, set rest_listen_uri and web_listen_uri to the public host name or a public IP address of the machine you can connect to.
e.       sudo chkconfig --add graylog-server
f.        sudo systemctl daemon-reload
g.       sudo systemctl enable graylog-server.service
h.       sudo systemctl start graylog-server.service
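Steps 4c and 4d are the ones most often done by hand and got wrong (an empty password_secret, a hash of the password plus a newline, listen URIs left on 127.0.0.1). The following shell functions, added here as an example and not taken from this guide or the Graylog project, fill those settings in and verify them before the service is started. They assume sha256sum, od and sed are in PATH and that /dev/urandom exists; the function names and the sample server.conf lines are constructed for the example.

```sh
# Added example (not from the original guide): fill in the mandatory
# server.conf settings from step 4c/4d and verify them before starting
# graylog-server. Assumes sha256sum, od and sed are in PATH and /dev/urandom exists.

# Hash a password for root_password_sha2. printf replaces `echo -n`: some
# /bin/sh print a literal "-n", and a stray newline gives a different hash.
sha256_of_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96 hex chars (48 random bytes) for password_secret; the docs suggest
# pwgen, which is not always installed, so /dev/urandom is used instead.
generate_password_secret() {
    od -An -tx1 -N 48 /dev/urandom | tr -d ' \n'
}

# Set "key = value" whether the key is empty, set, or commented out.
# Writes via a temp file because `sed -i` is not portable.
set_conf_key() {
    sed "s|^#*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# 0 only if every listed key has a non-empty value: Graylog will not start
# without password_secret and root_password_sha2, and is unreachable from
# other hosts if the listen URIs still point at 127.0.0.1.
check_conf() {
    rc=0
    for key in password_secret root_password_sha2 rest_listen_uri web_listen_uri; do
        grep -q "^$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$1" \
            || { echo "missing or empty: $key" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample mirroring the relevant lines of a fresh server.conf.
make_sample_conf() {
    printf '%s\n' 'password_secret =' 'root_password_sha2 =' \
        '#rest_listen_uri = http://127.0.0.1:9000/api/' \
        '#web_listen_uri = http://127.0.0.1:9000/' > "$1"
}

# usage: configure_graylog /etc/graylog/server/server.conf 'admin password' host-or-ip
configure_graylog() {
    set_conf_key "$1" password_secret "$(generate_password_secret)"
    set_conf_key "$1" root_password_sha2 "$(sha256_of_password "$2")"
    set_conf_key "$1" rest_listen_uri "http://$3:9000/api/"
    set_conf_key "$1" web_listen_uri "http://$3:9000/"
    check_conf "$1"
}
```

Run check_conf on the real file before each restart; a non-zero exit names the key that is still empty.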

Note:

If you’re using SELinux on your system, you need to take care of the following settings:
Allow the web server to access the network: sudo setsebool -P httpd_can_network_connect 1
If the policy above does not comply with your security policy, you can also allow access to each port individually:
Graylog REST API and web interface: sudo semanage port -a -t http_port_t -p tcp 9000
Elasticsearch (only if the HTTP API is being used): sudo semanage port -a -t http_port_t -p tcp 9200
Allow using MongoDB’s default port (27017/tcp): sudo semanage port -a -t mongod_port_t -p tcp 27017

If you run a single server environment with an NGINX or Apache proxy, enabling the Graylog REST API is enough. All other rules are only required in a multi-node setup. Having SELinux disabled during installation and enabling it later requires you to manually check the policies for MongoDB, Elasticsearch and Graylog.