Graylog is a powerful log management tool. It is used to monitor unusual activity on a server, for example by watching SSH logins. You can easily collect and analyze remote system logs centrally with Graylog. It is built on Elasticsearch, Java, MongoDB, and Scala.
First, log in to the server via SSH as the root user and follow the steps below.
1) Update the server.
# yum update
2) To install Graylog, we first need to install the additional packages below.
# yum install java-1.8.0-openjdk-headless.x86_64 -y
# yum install epel-release -y
# yum install pwgen -y
3) Install MongoDB.
By default, MongoDB is not available in the CentOS repositories, so you need to create a MongoDB repository first. Open the file below and add the following content to it.
# vi /etc/yum.repos.d/mongodb-org-3.2.repo
[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
Then you need to install MongoDB using the below command.
# yum install mongodb-org -y
Finally, start and enable the MongoDB service.
# chkconfig --add mongod
# systemctl daemon-reload
# systemctl enable mongod.service
# systemctl start mongod.service
4) Then you need to install and configure Elasticsearch.
First, import the Elasticsearch GPG key using the command below.
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Then add the repository. Open the file below and add the following content.
# vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
Then install Elasticsearch using the command below.
# yum install elasticsearch -y
Change the cluster name in the Elasticsearch configuration file.
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
Then you need to start and enable it using the below commands.
# chkconfig --add elasticsearch
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl restart elasticsearch.service
5) Install and configure Graylog.
Download and install Graylog repository using the following command:
# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm
Install the Graylog server using the command below.
# yum install graylog-server -y
After installing the Graylog server, generate a secret key using the command below.
# pwgen -N 1 -s 96
MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
Then create the SHA-256 hash of the root user's password.
# echo -n Password | sha256sum
e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
Edit the Graylog configuration file and make the changes as follows.
# vi /etc/graylog/server/server.conf
password_secret = <the secret key generated by pwgen above>
root_password_sha2 = <the SHA-256 hash of the root password generated above>
root_timezone = UTC
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = graylog2-server-ip:9300
elasticsearch_shards = 1
elasticsearch_replicas = 0
mongodb_useauth = false
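As an added example (not part of the original post), the following POSIX shell functions carry out the secret-generation and configuration steps above and check the result before the restart: they hash the root password read from stdin (so it does not land in argv or shell history the way "echo -n Password" does), produce a 96-character password_secret without pwgen, write both values into server.conf, and verify the file. The graylog_* function names, the temp-file path and the availability of sha256sum (or shasum) and /dev/urandom are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Graylog project.
# Assumes sha256sum (or shasum) and /dev/urandom exist; the server.conf
# path is supplied by the caller.

# SHA-256 hex digest of the root password, read from stdin so the
# password is not exposed in argv or shell history.
graylog_root_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

# 96-character alphanumeric secret from /dev/urandom (same shape as
# "pwgen -N 1 -s 96"); alphanumerics only, so it is safe inside sed below.
graylog_gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# Replace password_secret and root_password_sha2 in the given server.conf.
# Writes to a temp file first so a failed sed never truncates the config.
graylog_set_secrets() {
    conf="$1"; secret="$2"; hash="$3"
    sed -e "s|^password_secret *=.*|password_secret = $secret|" \
        -e "s|^root_password_sha2 *=.*|root_password_sha2 = $hash|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Sanity check to run before "systemctl restart graylog-server": the
# secret must be at least 64 characters (the minimum server.conf's own
# comment asks for) and the hash exactly 64 hex digits. Returns 0 on pass.
graylog_check_secrets() {
    conf="$1"
    secret=$(sed -n 's/^password_secret *= *//p' "$conf")
    hash=$(sed -n 's/^root_password_sha2 *= *//p' "$conf")
    [ "${#secret}" -ge 64 ] || return 1
    printf '%s\n' "$hash" | grep -Eq '^[0-9a-f]{64}$'
}

# Typical use (interactive, as root):
#   hash=$(printf '%s' "$root_pw" | graylog_root_hash)
#   graylog_set_secrets /etc/graylog/server/server.conf \
#       "$(graylog_gen_secret)" "$hash"
#   graylog_check_secrets /etc/graylog/server/server.conf && echo OK
```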
Finally, restart the Graylog server to enable all changes.
# systemctl restart graylog-server
6) Next, install the Graylog web interface so that Graylog can be accessed from a browser.
# yum -y install graylog-web
Edit the web interface configuration file and add the following to enable it.
graylog2-server.uris="http://127.0.0.1:12900/"
application.secret="<the secret key generated by pwgen above>"
Finally, enable graylog-web at boot and restart it.
# systemctl enable graylog-web
# systemctl restart graylog-web
7) Open the required ports in the firewall using the commands below.
# firewall-cmd --permanent --zone=public --add-port=9000/tcp
# firewall-cmd --permanent --zone=public --add-port=12900/tcp
# firewall-cmd --permanent --zone=public --add-port=1514/tcp
# firewall-cmd --reload
8) Install the policycoreutils-python package to manage SELinux using the command below.
# yum install policycoreutils-python -y
Use the command below to allow the web server to access the network.
# sudo setsebool -P httpd_can_network_connect 1
Use the command below to allow the Graylog REST API and web interface port.
# semanage port -a -t http_port_t -p tcp 9000
To allow the Elasticsearch HTTP API:
# semanage port -a -t http_port_t -p tcp 9200
To allow the default MongoDB port:
# semanage port -a -t mongod_port_t -p tcp 27017
Graylog is now installed and you can access the web interface at http://your_ip_address:9000
If you need any further help, please reach out to our support department.