ContactSupportBlogPartner Portal

Graylog 3.0 Installation on CentOS 7

February 21, 2019

In this video we will learn how to install Graylog 3.0 on CentOS 7. The first thing we’re going to do is check the version to make sure we’re on a current version, and then install the OpenJDK package using yum. After that, we’re going to install two other packages, one of which is the EPL release package that will give us access to install the pwgen command we will use later on during installation.

Installing MongoDB

Now we should go ahead and edit the yum repositories to create one for MongoDB 4.0 by pasting in the code and all the commands you can find in our Documentation section. Once finished, we’re going to check the config to make sure that MongoDB is built in as a system service. Do a daemon reload first, and then enable the MongoDB service so make sure that it starts up upon next boot.

Installing Elasticsearch

Now we should install the Elasticsearch. Let’s start importing the repository by creating the file inside our .d directory (once again, just copy-paste it from our Documentation section). After saving that file, we should move on to yum install Elasticsearch. We’re using the OSS version for the licensing. After the installation is over we should edit the etc/elasticsearch/elasticsearch.yml file to change two parameters.

The first one is the cluster name which must be changed from “my-application” to “Graylog”. Then go to the very bottom and add in “action.auto_create_index: false”. Just like you did with MongoDB, you should now check config to add the Elasticsearch service so it starts upon the first boot.

Installing Graylog

Now it’s the turn to install Graylog, our third component. First, let’s download the rpm to get the latest repositories and packages. Then, go ahead and do the yum install of Graylog server. After the installation is over, you should edit the Graylog server config file you can find under /etc/graylog/server/server.conf. Inside here there are a couple of parameters you need to change.

The first one is the “password_secret”, so let’s generate a password by hopping out to shell command. Once here, run a pwgen command to generate a random string of characters, then copy-paste the newly created password in the “password_secret” string of the Graylog config file.

Then, we need to modify the “root_password_sha2” field to add the password that we’re going to use to log on the web interface (default is admin). Once again, you can create a random hash value or type in whatever password you want. If you want, you can change your time zone – for example in our video we switched from UTC to Mountain Time Zone by adding “root_timezone = America/Denver”. This is important for the web interface so you have a better understanding of your logs if they’re time zone-based.

After that, we’re going to add the Graylog service by checking config and making sure that it is there. Go through the normal system control process as we already did before to enable the Graylog service.

Configuring Graylog

Now it’s time to tail the log file for Graylog to check when the server is fully up and running (check the string highlighted in the video). Once that Graylog has been started up successfully, you want to start putting in some logs into the system. Let’s go into the etc/rsyslog.conf file to point the local syslogs of the box into Graylog itself. Add in the configuration file saying *.* so any log message can come in, and then add the host (in this case the local IP of the box itself). After you’re finished, go ahead and restart the rsyslog process. In the video, we also added a few nat statement redirection rules inside the IP tables so that the Graylog process doesn’t need to run as root. Then, we saved those IP table rules into a file so it is loaded automatically upon next boot.

Now let’s check listening ports with netstat to make sure that port 9000 is running. However, it is running only on 127.0.0.1, so it’s time to modify the server config file once again. You should change the listening port since, right now, it can only be accessed from the local box itself. Go down to the HTPP settings category and change the bind_address to the public IP address (192.168.211.166). Save, and restart Graylog.

Now, you should add a command inside the firewall process to allow port 9000 inbound. CentOS firewall is blocking inbound 900 by default, so you need to add a rule if you want to keep the firewall running.

Setting up the web interface

Then, to check your connection, go to your web browser and type in the external address:9000. You will see the Graylog front page where you can log on by typing in your credentials.

Once inside the web interface, you will notice there is a red dot that notifies you that there are no running inputs (the ways through which Graylog receives its logs). So let’s go to System, select Inputs, and create one so everything works as expected. We’re going to create a syslog listener by selecting Syslog UDP from the drop-down menu and then launching it. Let’s make this global so it works across every instance that we have, and then switch the port to 1514 so it can start running as Graylog.

Now the system is actually listening on port 1514 and it’s ready to accept any log coming through it. You can check what comes in by clicking on the Search button. That’s all you need to know to install Graylog on CentOS 7. Happy logging!

Stay In The Know

Get Graylog email updates and be the first to know about new content, product updates, and tips and tricks!