Install Graylog on CentOS 7

Step-by-Step: How to Install and Configure Graylog on CentOS 7

Managing logs from various servers, applications, and network devices can quickly become overwhelming. A centralized log management solution is essential for effective troubleshooting, security monitoring, and performance analysis. Graylog is a powerful, open-source platform designed to aggregate, index, and analyze log data from any source, providing you with actionable insights from a user-friendly interface.

This comprehensive guide will walk you through the entire process of installing and configuring a fully functional Graylog server on CentOS 7. We will cover all the necessary dependencies, including Elasticsearch and MongoDB, to get your log management system up and running securely.

Prerequisites: Preparing Your CentOS 7 System

Before we begin installing the core components, we need to prepare the server environment. A clean, updated system is the best foundation for a stable installation.

First, let’s ensure all system packages are up to date. Open your terminal and run the following command:

sudo yum update -y

Next, we’ll install the EPEL repository, which provides helpful utility packages, and wget for downloading files.

sudo yum install epel-release wget -y

Graylog and its primary dependency, Elasticsearch, are built on Java. Therefore, installing the Java Development Kit (JDK) is our first critical step. We will install OpenJDK 8.

sudo yum install java-1.8.0-openjdk-headless -y

You can verify the installation by checking the Java version:

java -version

Step 1: Install and Configure Elasticsearch

Elasticsearch is the engine that powers Graylog’s search capabilities. It is responsible for storing, indexing, and enabling fast retrieval of all your log data.

First, import the Elasticsearch GPG key to ensure the authenticity of the package:

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Next, create a repository file for Elasticsearch so yum knows where to find the package:

sudo nano /etc/yum.repos.d/elasticsearch.repo

Add the following content to the file and save it:

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Now, install Elasticsearch using yum:

sudo yum install elasticsearch -y

Once installed, we must perform a crucial configuration tweak. Graylog requires a specific cluster name to connect to Elasticsearch. Edit the main configuration file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Find the line #cluster.name: my-application, uncomment it (remove the #), and change the value to graylog. It should look like this:

cluster.name: graylog

Additionally, it is recommended to set the action.auto_create_index option in the same file so that the index patterns Graylog relies on can be created automatically. Add the following line at the end of the file:

action.auto_create_index: .watches,.triggered_watches,.watcher-history-*

Save the file and exit the editor. Finally, enable Elasticsearch to start on boot and start the service now:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
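Graylog refuses to connect if the Elasticsearch cluster name does not match, so it is worth confirming the running node actually reports cluster.name: graylog before moving on. The following is an added example script, not part of the original guide, that waits for the node to answer on its HTTP port and compares the cluster_name it returns with the expected value. The ES_URL variable and the function names are assumptions of this example; the default address assumes Elasticsearch is listening locally on 9200.

```shell
#!/usr/bin/env bash
# Added example: confirm the Elasticsearch node reports the cluster name Graylog expects.
# ES_URL is an assumed override; the default matches a local single-node install.
set -eu

es_url="${ES_URL:-http://127.0.0.1:9200}"

# Pull cluster_name out of the JSON that GET / returns, without needing jq.
# Works on single- or multi-line JSON; prints the first match.
parse_cluster_name() {
  printf '%s\n' "$1" | sed -n -E 's/.*"cluster_name"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' | head -n 1
}

# Poll the node until it answers (startup can take a while) or give up after ~60s.
wait_for_es() {
  local i
  for i in $(seq 1 30); do
    if curl -fs "$es_url" >/dev/null 2>&1; then
      return 0
    fi
    sleep 2
  done
  return 1
}

# Compare the live cluster_name with the value the guide configures ("graylog").
# Returns 0 on match, 1 on mismatch, 2 if the node is unreachable.
check_cluster() {
  local expected="${1:-graylog}" body actual
  if ! body="$(curl -fs "$es_url")"; then
    echo "Elasticsearch not reachable at $es_url" >&2
    return 2
  fi
  actual="$(parse_cluster_name "$body")"
  if [ "$actual" = "$expected" ]; then
    echo "ok: cluster_name=$actual"
    return 0
  fi
  echo "mismatch: expected cluster_name=$expected, node reports '$actual'" >&2
  return 1
}

# Only talk to the network when explicitly asked, so the functions above can be
# sourced or tested offline (RUN_ES_CHECK is an assumed switch for this example).
if [ "${RUN_ES_CHECK:-0}" = "1" ]; then
  wait_for_es || { echo "timed out waiting for $es_url" >&2; exit 2; }
  check_cluster "graylog"
fi
```

Run it with RUN_ES_CHECK=1 on the Graylog host after starting Elasticsearch; a non-zero exit with the mismatch message means the cluster.name edit above did not take effect (typically because the service was started before the file was saved, or the line is still commented out).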

Step 2: Install and Configure MongoDB

While Elasticsearch handles the log data, MongoDB is used to store Graylog’s configuration, metadata, and user information.

We’ll start by creating a repository file for MongoDB:

sudo nano /etc/yum.repos.d/mongodb-org-4.0.repo

Paste the following configuration into the file:

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

Now, install the MongoDB package:

sudo yum install -y mongodb-org

Once the installation is complete, enable MongoDB to start on boot and start the service:

sudo systemctl enable mongod.service
sudo systemctl start mongod.service

Step 3: Install and Configure Graylog Server

With both dependencies running, we can now install the Graylog server itself.

First, add the official Graylog repository to your system:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm

Next, install the graylog-server package:

sudo yum install graylog-server -y

The most critical part of the setup is configuring the Graylog server. All settings are located in the server.conf file. Let’s edit it now:

sudo nano /etc/graylog/server/server.conf

You must configure two essential security settings:

  1. password_secret: This is used for encrypting and securing sensitive data. You must generate a new, unique secret. A simple way to do this is using the pwgen utility. If you don’t have it, install it with sudo yum install pwgen -y. Then, run this command to generate a 96-character secret and copy the output:

     pwgen -N 1 -s 96

     Paste this value into the password_secret = line in your configuration file.

  2. root_password_sha2: This sets the password for the default admin user. You cannot enter a plaintext password here; it must be a SHA256 hash. To generate one, run the following command, replacing "YourStrongPassword" with your desired password:

     echo -n "YourStrongPassword" | sha256sum | awk '{print $1}'

     Copy the resulting hash and paste it as the value for the root_password_sha2 = setting.

Finally, you need to tell Graylog which network interface to listen on for its web interface. Find the web_listen_uri setting and change it to your server’s public or private IP address, followed by port 9000.

web_listen_uri = http://your_server_ip:9000/
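The three edits above (password_secret, root_password_sha2 and web_listen_uri) are easy to get subtly wrong by hand: a secret pasted with a trailing space, a hash computed with a trailing newline (echo without -n), or a setting left commented out. The script below is an added example, not code from the original guide or from the Graylog project, that performs the same edits non-interactively. It generates the secret from /dev/urandom instead of pwgen so it needs no extra package, hashes the password exactly as the echo -n | sha256sum pipeline does, and replaces an existing (even commented) line rather than appending a duplicate. The function names, the sample config it writes to a temp file, the IP 192.0.2.10 and the password value are all constructed for the demo; on a real host you would point configure_graylog at /etc/graylog/server/server.conf. Note that passing the password on the command line puts it in shell history; in practice supply it from a prompt (read -rs) or a file with restrictive permissions.

```shell
#!/usr/bin/env bash
# Added example: fill in the Graylog server.conf settings the guide edits by hand.
# Assumes GNU sed (CentOS 7 default) for the in-place edit.
set -eu

# Generate a random alphanumeric secret of the requested length (default 96),
# equivalent in purpose to `pwgen -N 1 -s 96` but using only coreutils.
gen_secret() {
  local len="${1:-96}" out=""
  while [ "${#out}" -lt "$len" ]; do
    out="${out}$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "${out:0:len}"
}

# SHA-256 hex digest of a password with no trailing newline, i.e. the same value
# as `echo -n "$pw" | sha256sum | awk '{print $1}'`.
sha256_of() {
  printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Set `key = value` in a Graylog-style config file: replace an existing line
# (commented or not) if present, otherwise append the setting.
set_conf() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Read back the effective (uncommented) value of a key.
get_conf() {
  local file="$1" key="$2"
  sed -n -E "s/^${key}[[:space:]]*=[[:space:]]*//p" "$file"
}

# Apply the three settings from the guide to the given server.conf.
configure_graylog() {
  local file="$1" admin_password="$2" bind_ip="$3"
  set_conf "$file" password_secret "$(gen_secret 96)"
  set_conf "$file" root_password_sha2 "$(sha256_of "$admin_password")"
  set_conf "$file" web_listen_uri "http://${bind_ip}:9000/"
}

# Demo against a constructed sample config in a temp file, not the real
# /etc/graylog/server/server.conf, so it is safe to run anywhere.
demo() {
  local tmp
  tmp="$(mktemp)"
  cat >"$tmp" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
#web_listen_uri = http://127.0.0.1:9000/
EOF
  configure_graylog "$tmp" "YourStrongPassword" "192.0.2.10"
  cat "$tmp"
  rm -f "$tmp"
}

demo
```

Because set_conf matches the commented-out form of each key as well, the web_listen_uri line shipped in the default file is uncommented and replaced in place, and running the script twice does not leave two competing definitions behind.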

Save the configuration file. Now, enable and start the Graylog service:

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

Step 4: Configure Firewall and Access the Web Interface

To access the Graylog web interface from your browser, you need to open the necessary port in the CentOS 7 firewall.

Use the following commands to permanently allow traffic on port 9000:

sudo firewall-cmd --permanent --zone=public --add-port=9000/tcp
sudo firewall-cmd --reload

You can now access your Graylog instance by navigating to http://your_server_ip:9000 in your web browser. Log in with the username admin and the password you set in the root_password_sha2 step.

Congratulations! You now have a fully operational Graylog server. The next step is to configure inputs to start collecting logs from your devices and applications, build dashboards, and set up alerting rules to create a robust, centralized logging environment.

Source: https://kifarunix.com/install-graylog-3-0-on-centos-7/