
Install Graylog 4 with Elasticsearch 7.x on CentOS 8 / RHEL 8

 2 years ago
source link: https://computingforgeeks.com/how-to-install-graylog-on-centos-rhel/

In this guide, we take you through the steps to install Graylog on CentOS 8 / RHEL 8 with Elasticsearch 7.x and MongoDB 4.x. Graylog is an open-source log management system that lets system administrators and developers aggregate up to terabytes of log data from multiple log sources. It is highly scalable and fits any infrastructure.

Graylog comes with an intuitive UI, a fast and powerful search feature, alerting and reporting. It lets you group systems into streams for easier log searching and proper management. The Graylog UI is simple and intuitive, with complete user management and LDAP support.

Similar articles: How To Forward Logs to Grafana Loki using Promtail

Install Graylog 4.x on CentOS 8 / RHEL 8 Linux

Graylog requires Java, Elasticsearch, and MongoDB. Elasticsearch is responsible for log storage. We will begin with the installation of the dependencies and then install Graylog.

Note: This is a single-server installation of Graylog on CentOS 8 / RHEL 8. For a multi-node cluster setup, consult the official Graylog documentation.

Step 1: Configure SELinux

If you’re using SELinux on your system, apply the following settings so that Graylog may connect to Elasticsearch and MongoDB over the network and the services may listen on their ports:

sudo yum -y install curl vim policycoreutils python3-policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Step 2: Install Java on RHEL / CentOS 8

Elasticsearch depends on Java, so install it before installing Elasticsearch on RHEL 8 / CentOS 8. This guide installs OpenJDK 11:

sudo yum install java-11-openjdk java-11-openjdk-devel

Confirm Java installation:

$ java -version
java version "11.0.12" 2021-07-20 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.12+8-LTS-237)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.12+8-LTS-237, mixed mode)

Step 3: Install Elasticsearch 7 on RHEL 8 / CentOS 8

Add Elasticsearch repository:

cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Then install Elasticsearch:

sudo yum -y install elasticsearch-oss

Configure Elasticsearch for Graylog

You need to modify the Elasticsearch configuration file and set the cluster name to graylog: uncomment the cluster.name line (remove the # that is its first character) and set its value. Additionally, add action.auto_create_index: false to the configuration file so that Graylog alone manages the creation of its indices:

The file to edit is /etc/elasticsearch/elasticsearch.yml.

$ sudo vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
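A quick check of the two settings above, added here as an example and not part of the original article: es_config_check reads an elasticsearch.yml (the default path /etc/elasticsearch/elasticsearch.yml is taken from this guide) and reports whether cluster.name is graylog and action.auto_create_index is false, before the service is started. The two sample files it builds are constructed for the demonstration; nothing under /etc is touched.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: check that elasticsearch.yml
# carries the two settings Graylog needs before the service is started.
# Assumption: the file uses the plain "key: value" form shown in the article.

# Print the value of a top-level YAML key (commented-out lines and trailing
# comments are ignored), or nothing when the key is not set.
es_yml_get() {
    local file="$1" key="$2"   # key is passed with dots escaped, e.g. 'cluster\.name'
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*([^#]*[^#[:space:]]).*/\1/p" "$file" | tail -n 1
}

# Return 0 when both settings are present and correct; otherwise print one
# line per problem (readable in a log) and return 1.
es_config_check() {
    local file="${1:-/etc/elasticsearch/elasticsearch.yml}" rc=0 name idx
    name=$(es_yml_get "$file" 'cluster\.name')
    idx=$(es_yml_get "$file" 'action\.auto_create_index')
    if [ "$name" != "graylog" ]; then
        echo "cluster.name is '${name:-unset}', expected 'graylog'"
        rc=1
    fi
    if [ "$idx" != "false" ]; then
        echo "action.auto_create_index is '${idx:-unset}', expected 'false'"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files for an offline demonstration: "good" is the
# configuration from this step, "bad" leaves cluster.name commented out and
# automatic index creation enabled (the Elasticsearch default).
make_sample_es_yml() {   # $1 = path, $2 = good|bad
    if [ "$2" = good ]; then
        printf '%s\n' '# ---- Cluster ----' 'cluster.name: graylog   # required by Graylog' \
            'action.auto_create_index: false' > "$1"
    else
        printf '%s\n' '#cluster.name: my-application' 'action.auto_create_index: true' > "$1"
    fi
}

# Demonstration on temporary files; safe to run anywhere.
demo_dir=$(mktemp -d)
make_sample_es_yml "$demo_dir/good.yml" good
make_sample_es_yml "$demo_dir/bad.yml" bad
es_config_check "$demo_dir/good.yml" && echo "good.yml: OK"
es_config_check "$demo_dir/bad.yml" || echo "bad.yml: needs fixing"
rm -rf "$demo_dir"
```

On the real server, run `es_config_check` with no argument (or with the path of your elasticsearch.yml) right before `systemctl enable --now elasticsearch`; a non-zero exit and the printed lines tell you which of the two settings is still wrong.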

Start and enable the elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch

Confirm service status:

$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-09-13 03:53:34 EDT; 9s ago
     Docs: http://www.elastic.co
 Main PID: 16862 (java)
    Tasks: 40 (limit: 24024)
   Memory: 1.1G
   CGroup: /system.slice/elasticsearch.service
           └─16862 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Des.n>

Sep 13 03:53:34 rhel8.novalocal systemd[1]: Stopped Elasticsearch.
Sep 13 03:53:34 rhel8.novalocal systemd[1]: Started Elasticsearch.

The default Elasticsearch file locations are:

Configuration: /etc/elasticsearch
JVM settings:  /etc/default/elasticsearch
Data files:    /var/lib/elasticsearch/data
Log files:     /var/log/elasticsearch/

Step 4: Install MongoDB on RHEL 8 / CentOS 8

MongoDB is used for storing Graylog-related configuration. Install it on CentOS 8 / RHEL 8 using the steps in the article below.

How to Install MongoDB 4 on RHEL 8 / CentOS 8

Enable and start the mongod service after the installation.

sudo systemctl enable --now mongod

MongoDB paths:

Configuration: /etc/mongod.conf
Data files:    /var/lib/mongodb/
Log files:     /var/log/mongodb/

The service status should be running.

$ systemctl status mongod
● mongod.service - MongoDB Database Server
   Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-09-13 03:57:04 EDT; 6s ago
     Docs: https://docs.mongodb.org/manual
  Process: 17397 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 17395 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 17393 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
  Process: 17391 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
 Main PID: 17399 (mongod)
   Memory: 44.7M
   CGroup: /system.slice/mongod.service
           └─17399 /usr/bin/mongod -f /etc/mongod.conf

Sep 13 03:57:03 rhel8.novalocal systemd[1]: Starting MongoDB Database Server...
Sep 13 03:57:03 rhel8.novalocal mongod[17397]: 2019-09-13T03:57:03.538-0400 I STORAGE  [main] Max cache overflow file size custom option: 0
Sep 13 03:57:03 rhel8.novalocal mongod[17397]: about to fork child process, waiting until server is ready for connections.
Sep 13 03:57:03 rhel8.novalocal mongod[17397]: forked process: 17399
Sep 13 03:57:04 rhel8.novalocal mongod[17397]: child process started successfully, parent exiting
Sep 13 03:57:04 rhel8.novalocal systemd[1]: Started MongoDB Database Server.

Step 5: Install Graylog 4 on RHEL 8 / CentOS 8

Now install the Graylog repository configuration:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm

Graylog RPM packages are now available from the added repository.

sudo yum install graylog-server

I got version 3.1.2 from the installation.

$ rpm -qi graylog-server
Name        : graylog-server
Version     : 4.1.3
Release     : 1
Architecture: noarch
Install Date: Fri 20 Aug 2021 06:49:41 PM UTC
Group       : optional
Size        : 217679607
License     : SSPL
Signature   : RSA/SHA1, Wed 04 Aug 2021 04:02:37 PM UTC, Key ID d44c1d8db1606f22
Source RPM  : graylog-server-4.1.3-1.src.rpm
Build Date  : Wed 04 Aug 2021 04:02:26 PM UTC
Build Host  : b8f36c02852a
Relocations : /
Packager    : Graylog, Inc. <[email protected]>
Vendor      : graylog
URL         : https://www.graylog.org/
Summary     : Graylog server
Description :
Graylog server

You need to set the password_secret and root_password_sha2 variables in /etc/graylog/server/server.conf. These settings are mandatory; without them, Graylog will not start!

Use the following command to create your root_password_sha2 (it reads the password from standard input, so the password itself does not end up in the shell history):

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Set the generated value as root_password_sha2:

$ sudo vi /etc/graylog/server/server.conf
root_username = admin
root_password_sha2 = <Sha2Password>

Generate password_secret. Graylog uses it to pepper the stored user passwords, so keep it private and do not change it after installation:

$ sudo yum -y install pwgen
$ pwgen -N 1 -s 96
ny5eSSuHe03DWW7hGOGMPaVOlbBeZX48OqvTIO7J56rBwh0r99wB1bQwecjyID9S5XrCkzVcPBG0jLPcWiit1Vz1nPse6yBq

$ sudo vi /etc/graylog/server/server.conf
password_secret = ny5eSSuHe03DWW7hGOGMPaVOlbBeZX48OqvTIO7J56rBwh0r99wB1bQwecjyID9S5XrCkzVcPBG0jLPcWiit1Vz1nPse6yBq

To be able to connect to Graylog, set http_bind_address to the public host name or a public IP address of the machine you can connect to. The value below listens on all interfaces; on a server reachable from untrusted networks, restrict port 9000 with the firewall or place the interface behind the reverse proxy configured in the next step.

http_bind_address = 0.0.0.0:9000
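The three edits to server.conf above (root_password_sha2, password_secret, http_bind_address) carried out in one idempotent script, added here as an example and not code from the original article or from the Graylog project. The conf path /etc/graylog/server/server.conf is the one this guide uses; the function and helper names, the urandom-based secret generator standing in for pwgen, and the excerpt of server.conf used for the demonstration are all assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: fill in the mandatory
# server.conf settings in one idempotent step. The sample conf below is
# constructed; the demo never touches /etc/graylog.

# SHA-256 hex digest of a password, the form Graylog expects in root_password_sha2.
sha2_of_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character secret from /dev/urandom (same length as the article's pwgen
# call), limited to [A-Za-z0-9] so it needs no quoting in the conf file.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Current value of a key ("key = value" syntax), or nothing.
conf_get() {   # $1 = file, $2 = key
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Set "key = value": rewrite an existing (possibly commented-out) line for the
# key, or append it. Values here are hex, alphanumeric or host:port, so they
# need no escaping in the sed replacement.
conf_set() {   # $1 = file, $2 = key, $3 = value
    if grep -qE "^[#[:space:]]*${2}[[:space:]]*=" "$1"; then
        sed -i -E "s|^[#[:space:]]*${2}[[:space:]]*=.*|${2} = ${3}|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Apply root user, password hash, password_secret and bind address. The
# password is a function argument, not a command-line argument of a process,
# so it does not show up in `ps` output or in the shell history.
graylog_configure() {   # $1 = conf file, $2 = admin password, $3 = bind address
    local conf="$1" password="$2" bind="${3:-0.0.0.0:9000}"
    conf_set "$conf" root_username admin
    conf_set "$conf" root_password_sha2 "$(sha2_of_password "$password")"
    # Never regenerate an existing secret: Graylog peppers stored passwords
    # with it, so changing it invalidates existing users and sessions.
    if [ -z "$(conf_get "$conf" password_secret)" ]; then
        conf_set "$conf" password_secret "$(gen_password_secret)"
    fi
    conf_set "$conf" http_bind_address "$bind"
}

# Constructed excerpt of a fresh server.conf for an offline demonstration.
make_sample_conf() {
    cat > "$1" <<'EOF'
is_master = true
root_username = admin
root_password_sha2 =
password_secret =
#http_bind_address = 127.0.0.1:9000
EOF
}

# Demonstration on a temporary file with a constructed demo password.
demo=$(mktemp)
make_sample_conf "$demo"
graylog_configure "$demo" 'demo-password' 0.0.0.0:9000
cat "$demo"
rm -f "$demo"
```

For a real run, source the script and read the password without echo before calling the function: `read -r -s -p 'Admin password: ' pw; graylog_configure /etc/graylog/server/server.conf "$pw"`. Running it a second time only refreshes the hash and the bind address; the existing password_secret is kept.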

The last step is to start Graylog and enable it so that it comes up at operating system startup:

sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service

Access the Graylog dashboard at http://serverip_or_hostname:9000/

Log in with the username admin and the root password you set in server.conf.

Step 6: Configure Nginx Proxy

We have installed Graylog 4.x with Elasticsearch 7.x on CentOS 8 / RHEL 8. Read the next article on:

Then learn how to ingest messages into Graylog and extract fields from them with extractors, or use pipelines to process the messages.
