    How to Setup Graylog

    IT Discussion
    DustinB3403

      First off, this assumes you are using CentOS 7 (CentOS 8 may work, I just didn't have the time to get that ISO downloaded and troubleshoot all of these steps).

      To start, update the OS so we're current and install some dependencies.

      yum update -y
      yum install java-1.8.0-openjdk-headless.x86_64
      yum install epel-release
      yum install pwgen
      
      vi /etc/yum.repos.d/mongodb-org-4.0.repo
      

      When you are modifying this repo, add the below:

      [mongodb-org-4.0]
      name=MongoDB Repository
      baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
      gpgcheck=1
      enabled=1
      gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
      
      :wq
      
      yum install mongodb-org
      

      Enter 'Y' to confirm installation

      systemctl daemon-reload
      systemctl enable mongod.service
      systemctl start mongod.service
      
      ps aux | grep mongo
      
      rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
      
      vi /etc/yum.repos.d/elasticsearch.repo
      

      Insert the below into this repo file so we can install Elasticsearch-OSS (because the licensing is better for us in this case).

      [elasticsearch-6.x]
      name=Elasticsearch repository for 6.x packages
      baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
      gpgcheck=1
      gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
      enabled=1
      autorefresh=1
      type=rpm-md
      

      Save and quit this file :wq

      yum install elasticsearch-oss
      
      vi /etc/elasticsearch/elasticsearch.yml
      

      Change: #cluster.name: my-application to
      cluster.name: graylog

      At the EoF add

      action.auto_create_index: false
      

      Save and quit this file :wq

      chkconfig --add elasticsearch
      systemctl daemon-reload
      systemctl enable elasticsearch.service
      systemctl start elasticsearch.service
      
      ps aux | grep elastic
      
      rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
      
      yum install graylog-server
      

      Now to set up the configuration file

      vi /etc/graylog/server/server.conf
      >> :shell
      >> pwgen -N 1 -s 96
      

      Copy whatever is generated and insert it in "password_secret = "

      >> exit
      

      You need to enter the root_password_sha2 to log in to the Graylog web console (make it user friendly)

      >> :shell
      
      echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
      

      Copy the Hash

      >> exit
      

      Lastly edit the timezone

      root_timezone = America/New_York
      

      Save and quit this file :wq

      Ensuring everything starts at boot

      chkconfig --add graylog-server
      systemctl daemon-reload
      systemctl enable graylog-server.service
      systemctl start graylog-server.service
      

      Configuring rsyslog

      vi /etc/rsyslog.conf
      >> EoF
      Insert *.* @ip-addr-of-server:1514;RSYSLOG_SyslogProtocol23Format
      systemctl restart rsyslog
      iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
      iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
      

      Saving these rules so they load at next boot
      iptables-save > /etc/sysconfig/iptables

      Checking to make sure we're listening on port 9000

      ss -nl | grep 9000
          tcp    LISTEN     0      128      [::ffff:127.0.0.1]:9000               [::]:*
      
      vi /etc/graylog/server/server.conf
      

      Edit the HTTP settings so you can actually access the web interface from anything on your LAN (or cloud)

      http_bind_address = ip-addr-of-server:9000
      

      Save and quit this file :wq

      systemctl restart graylog-server
      

      Wait a minute for everything to start up.

      Then check the port for your public IP to make sure port 9000 is listening; it should show like in the example below

      ss -nl | grep 9000
      tcp    LISTEN     0      128     [::ffff:ip-addr-of-server]:9000               [::]:*
      

      Adding some Firewall exceptions

      firewall-cmd --zone=public --add-port=9000/tcp
      

      At this point open a web browser and go to http://ip-addr-of-server:9000 and log in with 'admin' and whatever password you created above

      Time to update so we're current - I know @JaredBusch 🖕

      sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
      yum clean all
      yum install graylog-server
      systemctl restart graylog-server
      

      Re-login to your updated graylog server and you can clear the alarm about being out of date.

      From here all you need to do is setup your inputs.

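The post has you generate `password_secret` with pwgen, hash the admin password with a sha256sum pipeline and then paste both into server.conf by hand, which is where a bad paste (a stray newline in the hash, a truncated secret, a bind address left on loopback) usually creeps in. The script below is an added example, not code from the post or from the Graylog project: it produces both secrets the same way and sanity-checks a server.conf before you restart graylog-server. The 64-character minimum for the secret and the sample file it checks are assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): generates the two secrets the post
# has you paste into /etc/graylog/server/server.conf and sanity-checks the file
# before restarting graylog-server. The thresholds below are assumptions.

# Same digest the post's echo/head/tr/sha256sum pipeline produces: the password
# must be hashed without a trailing newline, which printf '%s' guarantees.
graylog_password_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character secret equivalent to the post's "pwgen -N 1 -s 96", without pwgen.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Print the value of "key = value" from a server.conf, skipping commented lines.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 when the config looks usable, 1 otherwise, naming each problem found.
check_server_conf() {
    rc=0
    secret=$(conf_get "$1" password_secret)
    hash=$(conf_get "$1" root_password_sha2)
    bind=$(conf_get "$1" http_bind_address)
    # Assumed local policy: at least 64 chars (the post generates 96).
    [ "${#secret}" -ge 64 ] || { echo "password_secret missing or shorter than 64 chars"; rc=1; }
    # A SHA-256 digest is exactly 64 hex chars; anything else is a bad paste.
    echo "$hash" | grep -Eq '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a sha256 hex digest"; rc=1; }
    # The default loopback bind leaves the web UI unreachable from the LAN, as the post notes.
    case "$bind" in
        ""|127.0.0.1:*|localhost:*) echo "http_bind_address is unset or loopback"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone demo on a constructed config (not a real server.conf).
demo_conf=$(mktemp)
cat >"$demo_conf" <<EOF
password_secret = $(gen_password_secret)
root_password_sha2 = $(graylog_password_hash 'password')
http_bind_address = 192.0.2.10:9000
EOF
check_server_conf "$demo_conf" && echo "server.conf looks OK"
rm -f "$demo_conf"
```

Run `check_server_conf /etc/graylog/server/server.conf` after editing the real file; a non-zero exit with the printed reason tells you what to fix before the restart.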
      black3dynamite (last edited by black3dynamite)

        The last time I set up Graylog I had to configure SELinux.

        • Allow the web server to access the network:
          sudo setsebool -P httpd_can_network_connect 1

        • Graylog REST API and web interface:
          sudo semanage port -a -t http_port_t -p tcp 9000

        • Elasticsearch (only if the HTTP API is being used):
          sudo semanage port -a -t http_port_t -p tcp 9200

        • Allow using MongoDB default port (27017/tcp):
          sudo semanage port -a -t mongod_port_t -p tcp 27017
