How to Install Graylog on CentOS

Last modified: July 30, 2020
You are here:
Estimated reading time: 2 min

Graylog is a most powerful log management tool. It is used to monitor unusual activity on the server like monitoring SSH logins. You can easily collect and analyze remote system logs centrally using Graylog. It is based on Elastic search, Java, MongoDB, and Scala.

First, you need to login to server via SSH as root user and do the below steps.

 

1) Update the server.

# yum update

 

2) To install Graylog, we will need to install the below additional packages.

# yum install java-1.8.0-openjdk-headless.x86_64 -y

# yum install epel-release -y

# yum install pwgen -y

 

3) Install MongoDB.

By default, MongoDB is not available in CentOS repository. So you need to create a MongoDB repository First. Open a file and add the below code to it.

# vi /etc/yum.repos.d/mongodb-org-3.2.repo

[mongodb-org-3.2]

name=MongoDB Repository

baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/

gpgcheck=1

enabled=1

gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

Then you need to install MongoDB using the below command.

# yum install mongodb-org -y

Last you need to start and enable the MongoDB service.

# chkconfig –add mongod

# systemctl daemon-reload

# systemctl enable mongod.service

# systemctl start mongod.service

 

4) Then you need to install and configure Elasticsearch.

First, you need to import GPG key using the below command.

rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch

Then you need to add the repository. Open a file and add the below code.

vi /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-2.x]

name=Elasticsearch repository for 2.x packages

baseurl=https://packages.elastic.co/elasticsearch/2.x/centos

gpgcheck=1

gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch

enabled=1

Then install Elasticsearch using the command.

# yum install elasticsearch -y

Change the cluster name in Elasticsearch configuration file

# vi /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog

Then you need to start and enable it using the below commands.

# chkconfig –add elasticsearch

# systemctl daemon-reload

# systemctl enable elasticsearch.service

# systemctl restart elasticsearch.service

 

5) Install and configure Graylog.

Download and install Graylog repository using the following command:

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm

Install the Graylog server using the below command

# yum install graylog-server -y

When you install the Graylog server then you need to generate a secret key using the below command.

# pwgen -N 1 -s 96

MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2

Finally create a hash password for the root user.

echo -n Password | sha256sum

e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a

Edit the Graylog configuration file and make the changes as follow.

#  vi /etc/graylog/server/server.conf

password_secret = Enter the output of secret key

root_password_sha2 = Enter the output of root password

root_timezone = UTC

elasticsearch_http_enabled = false

elasticsearch_discovery_zen_ping_unicast_hosts = graylog2-server-ip:9300

elasticsearch_shards = 1

elasticsearch_replicas = 0

mongodb_useauth = false

Finally, restart the Graylog server to enable all changes.

# systemctl restart graylog-server

 

6) Finally, you need to install Graylog web interface to access it via web.

# yum -y install graylog-web

Edit the configuration file and add the following to enable web interface.

graylog2-server.uris=”http://127.0.0.1:12900/

application.secret=”Enter the output of secret key “

Last restart and enable graylog-web on boot.

# systemctl enable graylog-web

# systemctl restart graylog-web

 

7) Adding ports to firewall using the below command.

# firewall-cmd –permanent –zone=public –add-port=9000/tcp

# firewall-cmd –permanent –zone=public –add-port=12900/tcp

# firewall-cmd –permanent –zone=public –add-port=1514/tcp

# firewall-cmd –reload

 

8) Install policycoreutils-python package to manage SELinux using the below command.

# yum install policycoreutils-python -y

Use the below command to allow the web server to access the network.

# sudo setsebool -P httpd_can_network_connect 1

Use the command to allow the Graylog REST API and web interface.

# semanage port -a -t http_port_t -p tcp 9000

To allow the Elasticsearch HTTP API:

# semanage port -a -t http_port_t -p tcp 9200

To allow MongoDB default port.

# semanage port -a -t mongod_port_t -p tcp 27017

Now you have successfully install Graylog and you can access it in web interface using the link  http://your_ip_address:9000

 

If you need any further help please do reach our support department.

Was this article helpful?
Dislike 0
Views: 23