How to install Graylog Server easily and quickly

Graylog is an open-source log management tool that enables the collection, analysis, and visualization of log data from various sources. As organizations generate vast amounts of logs, Graylog helps to centralize this information, allowing for real-time searching and analysis. It is essential for troubleshooting issues, optimizing performance, and enhancing security in scenarios such as system monitoring and compliance auditing. In this article, we will provide a step-by-step guide on installing and configuring a Graylog server, empowering you to maximize your log data's potential. Today we will install Graylog on CentOS.
The system consists of three parts: OpenSearch (or Elasticsearch), MongoDB, and Graylog Server.
Configuring SELinux
sudo yum -y install curl vim policycoreutils python3-policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017
You can skip this step if Graylog is running inside a closed network. In that case, the easiest option is to switch SELinux to permissive mode by editing this file:
sudo nano /etc/selinux/config
Set the value SELINUX=permissive.
WARNING!!! Do not change the value of the SELINUXTYPE parameter; doing so can cause problems.
Installing OpenSearch
Be sure to add the appropriate repository.
sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
sudo yum -y install vim opensearch
Configuring OpenSearch
In the configuration file, set the cluster name (uncomment the cluster.name line) and add action.auto_create_index: false. By default, the file is /etc/opensearch/opensearch.yml
The following values are set:
$ sudo vi /etc/opensearch/opensearch.yml
cluster.name: graylog
action.auto_create_index: false
node.name: ${HOSTNAME}
discovery.type: single-node
network.host: 0.0.0.0
plugins.security.disabled: true
Also check the JVM heap settings; the heap should be at least 1g, and is set like this:
$ sudo vim /etc/opensearch/jvm.options
-Xms1g
-Xmx1g
Launching and enabling the service:
sudo systemctl daemon-reload
sudo systemctl enable --now opensearch
Default file locations:
- configuration - /etc/opensearch/
- jvm settings - /etc/opensearch/jvm.options
- data files - /var/lib/opensearch
- log files - /var/log/opensearch/
Installing MongoDB
There is an important caveat here: above version 4.4.0, MongoDB requires AVX support in the processor, which many virtual CPUs on virtual machines do not provide. Either you need a VM with a processor that supports AVX, or you can use a special container image for this purpose (and note that using version 4.4.0 itself won't work either: Graylog complains about it).
Therefore, it is best to use the mongodb_no_avx Docker image for Graylog Server. The image is available on Docker Hub, but it is easiest to just pull and run it with these commands:
sudo docker pull nertworkweb/mongodb-no-avx
sudo docker run -itd --name mongo -p 27017:27017 nertworkweb/mongodb-no-avx --bind_ip_all
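As an added example (not part of the original article), the script below checks whether the host CPU exposes AVX before choosing between a stock MongoDB image and the no-AVX image used above, and prints the matching docker run command. Two things are assumptions of this example rather than the article's: the official image tag mongo:6.0 (verify it against the Graylog version's MongoDB compatibility before using it), and publishing the port on 127.0.0.1 only, which keeps MongoDB reachable for Graylog on the same host without exposing an unauthenticated database to the network.

```shell
#!/bin/sh
# Added example (not from the original article): pick a MongoDB image that the
# host CPU can actually run (MongoDB above 4.4 needs AVX) and print the
# docker run command for it. The port is published on loopback only because
# Graylog on the same host is the only intended client.

# has_avx FILE: return 0 if a "flags" line in a cpuinfo-style FILE lists "avx".
# FILE defaults to /proc/cpuinfo; it is a parameter so the check can be run
# against constructed input.
has_avx() {
    grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw 'avx'
}

# mongo_image FILE: print the image to use for the CPU described in FILE.
# "mongo:6.0" is an assumed tag for the official image when AVX is available;
# otherwise fall back to the no-AVX community image from the article.
mongo_image() {
    if has_avx "$1"; then
        echo "mongo:6.0"
    else
        echo "nertworkweb/mongodb-no-avx"
    fi
}

# mongo_run_cmd FILE: print the docker run command for the chosen image.
# --bind_ip_all is still needed inside the container; the host-side
# 127.0.0.1 binding is what limits exposure.
mongo_run_cmd() {
    printf 'docker run -d --name mongo -p 127.0.0.1:27017:27017 %s --bind_ip_all\n' \
        "$(mongo_image "$1")"
}

# Constructed sample cpuinfo excerpts: one CPU with AVX, one virtual CPU without.
sample_avx=$(mktemp); sample_noavx=$(mktemp)
printf 'model name\t: demo cpu\nflags\t\t: fpu sse2 avx avx2\n' >"$sample_avx"
printf 'model name\t: demo vcpu\nflags\t\t: fpu sse2\n' >"$sample_noavx"

mongo_run_cmd "$sample_avx"
mongo_run_cmd "$sample_noavx"
rm -f "$sample_avx" "$sample_noavx"
```

On a real host, call the functions with no argument (or with /proc/cpuinfo) to decide for the machine you are installing on.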
Installing Graylog Server
Add the repository and install:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm
sudo yum install graylog-server
The installed version can be checked with the rpm -qi graylog-server command. Next, configure the server; the file is located at /etc/graylog/server/server.conf
The most important settings are password_secret and root_password_sha2. To create root_password_sha2, you can use the following command:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter the password, take the resulting hash, and save it in the config:
$ sudo vi /etc/graylog/server/server.conf
root_username = admin
root_password_sha2 = <Sha2Password>
To generate a password_secret, do the following:
$ sudo yum -y install epel-release
$ sudo yum -y install pwgen
$ pwgen -N 1 -s 96
ny5eSSuHe03DWW7hGOGMPaVOlbBeZX48OqvTIO7J56rBwh0r99wB1bQwecjyID9S5XrCkzVcPBG0jLPcWiit1Vz1nPse6yBq
$ sudo vi /etc/graylog/server/server.conf
password_secret = ny5eSSuHe03DWW7hGOGMPaVOlbBeZX48OqvTIO7J56rBwh0r99wB1bQwecjyID9S5XrCkzVcPBG0jLPcWiit1Vz1nPse6yBq
To make the Graylog server reachable, set the bind IP and port:
http_bind_address = 0.0.0.0:9000
Also set the address of the previously installed OpenSearch server:
elasticsearch_hosts = http://127.0.0.1:9200
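The following script is an added example, not code from the article or the Graylog project, that turns the manual edits above into a repeatable step: it covers both the opensearch.yml settings from the OpenSearch section and the server.conf settings from this section. It generates root_password_sha2 the same way as the article's sha256sum pipeline (hashing the password without a trailing newline) and a 96-character password_secret from /dev/urandom in place of pwgen, then writes every key with a set-or-append helper that also replaces a commented-out default, so running it twice leaves exactly one definition per key. The function names, the temporary copies of the config files and the chmod 640 on server.conf are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example (not from the original article): generate Graylog's secrets and
# write the settings from the article into opensearch.yml ("key: value") and
# server.conf ("key = value") idempotently. Temporary copies are used below so
# the script can be run anywhere without root; on a real host pass the real paths.

# set_kv FILE KEY VALUE SEP: replace the line that defines KEY (active or
# commented out) with "KEY<SEP>VALUE", or append that line if none exists.
set_kv() {
    file=$1; key=$2; value=$3; sep=$4
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')        # dots in keys are literal
    esc_val=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')  # protect sed replacement metachars
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc_key}[[:space:]]*[:=]" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${esc_key}[[:space:]]*[:=].*|${key}${sep}${esc_val}|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >>"$file"
    fi
}

# get_kv FILE KEY: print the value currently set for KEY (first active match).
get_kv() {
    grep -E "^${2}[[:space:]]*[:=]" "$1" | head -1 | sed -E 's/^[^:=]*[:=][[:space:]]*//'
}

# hash_password PASSWORD: SHA-256 hex digest of the password with no trailing
# newline, matching what the article's echo -n ... | sha256sum pipeline produces.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# gen_secret: 96 random alphanumeric characters, the same length and alphabet
# as the article's "pwgen -N 1 -s 96", sourced from /dev/urandom instead.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# write_opensearch_conf FILE: apply the opensearch.yml values from the article.
write_opensearch_conf() {
    set_kv "$1" cluster.name graylog ': '
    set_kv "$1" action.auto_create_index false ': '
    set_kv "$1" node.name '${HOSTNAME}' ': '
    set_kv "$1" discovery.type single-node ': '
    set_kv "$1" network.host 0.0.0.0 ': '
    set_kv "$1" plugins.security.disabled true ': '
}

# write_graylog_conf FILE PASSWORD SECRET: apply the server.conf values from the
# article. The file now holds secrets, so it is made unreadable to other users.
write_graylog_conf() {
    set_kv "$1" root_username admin ' = '
    set_kv "$1" root_password_sha2 "$(hash_password "$2")" ' = '
    set_kv "$1" password_secret "$3" ' = '
    set_kv "$1" http_bind_address 0.0.0.0:9000 ' = '
    set_kv "$1" elasticsearch_hosts http://127.0.0.1:9200 ' = '
    chmod 640 "$1"
}

# Demo on constructed copies of the stock files (sample content, not real configs).
os_yml=$(mktemp); gl_conf=$(mktemp)
printf '#cluster.name: my-application\nnetwork.host: 127.0.0.1\n' >"$os_yml"
printf 'root_password_sha2 =\npassword_secret = \n' >"$gl_conf"
write_opensearch_conf "$os_yml"
write_graylog_conf "$gl_conf" 'change-me' "$(gen_secret)"
cat "$os_yml" "$gl_conf"
rm -f "$os_yml" "$gl_conf"
```

The helper matches a commented-out line such as "#cluster.name: my-application" and rewrites it in place rather than appending a second definition, which is the usual way a hand-edited opensearch.yml ends up with two conflicting values.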
Enable and start Graylog Server:
sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service
Next, open the address specified above in a browser to reach the Graylog web interface.
