How to Setup Graylog



  • First off, this assumes you are using CentOS 7 (CentOS 8 may work, I just didn't have the time to get that ISO downloaded and troubleshoot all of these steps).

    To start, update the OS so we're current and install some dependencies.

    yum update -y
    yum install java-1.8.0-openjdk-headless.x86_64
    yum install epel-release
    yum install pwgen
    
    vi /etc/yum.repos.d/mongodb-org-4.0.repo
    

    When you are modifying this repo, add the below

    [mongodb-org-4.0]
    name=MongoDB Repository
    baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
    gpgcheck=1
    enabled=1
    gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
    
    :wq
    
    yum install mongodb-org
    

    Enter 'Y' to confirm installation

    systemctl daemon-reload
    systemctl enable mongod.service
    systemctl start mongod.service
    
    ps aux | grep mongo
    
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
    vi /etc/yum.repos.d/elasticsearch.repo
    

    Insert the below into this repo file so we can install Elasticsearch-OSS (because the licensing is better for us in this case).

    [elasticsearch-6.x]
    name=Elasticsearch repository for 6.x packages
    baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch    
    enabled=1
    autorefresh=1
    type=rpm-md
    

    Save and quit this file :wq

    yum install elasticsearch-oss
    
    vi /etc/elasticsearch/elasticsearch.yml
    

    Change: #cluster.name: my-application to
    cluster.name: graylog

    At the EoF add

    action.auto_create_index: false
    

    Save and quit this file :wq

    chkconfig --add elasticsearch
    systemctl daemon-reload
    systemctl enable elasticsearch.service
    systemctl start elasticsearch.service
    
    ps aux | grep elastic
    
    rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
    
    yum install graylog-server
    

    Now to setup the configuration file

    vi /etc/graylog/server/server.conf    
    >> :shell
    >> pwgen -N 1 -s 96
    

    Copy whatever is generated and insert it in "password_secret = "

    >> exit
    

    Need to enter the root_password_sha2 to log in to the graylog web console (make it user friendly)

    >> :shell 
    
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
    

    Copy the Hash

    >> exit
    

    Lastly edit the timezone

    root_timezone = America/New_York
    

    Save and quit this file :wq

    Ensuring everything starts at boot

    chkconfig --add graylog-server
    systemctl daemon-reload
    systemctl enable graylog-server.service
    systemctl start graylog-server.service
    

    Configuring rsyslog

    vi /etc/rsyslog.conf
    >> EoF
    Insert *.* @ip-addr-of-server:1514;RSYSLOG_SyslogProtocol23Format
    systemctl restart rsyslog
    iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
    iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
    

    Saving these rules so they load at next boot
    iptables-save > /etc/sysconfig/iptables

    Checking to make sure we're listening on port 9000

    ss -nl | grep 9000
        tcp    LISTEN     0      128      [::ffff:127.0.0.1]:9000               [::]:*
    
    vi /etc/graylog/server/server.conf
    

    Edit the HTTP settings so you can actually access the web interface from anything on your LAN (or cloud)

    http_bind_address = ip-addr-of-server:9000
    

    Save and quit this file :wq

    systemctl restart graylog-server
    

    Wait a minute for everything to start up.

    Then check the port for your public IP to make sure port 9000 is listening, it should show like in the example below

    ss -nl | grep 9000
    tcp    LISTEN     0      128     [::ffff:ip-addr-of-server]:9000               [::]:*
    

    Adding some Firewall exceptions

    firewall-cmd --zone=public --add-port=9000/tcp
    

    At this point open a web browser and go to http://ip-addr-of-server:9000 and log in with 'admin' and whatever pass you created above

    Time to update so we're current - I know @JaredBusch 🖕

    sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
    yum clean all
    yum install graylog-server
    systemctl restart graylog-server
    

    Re-login to your updated graylog server and you can clear the alarm about being out of date.

    From here all you need to do is setup your inputs.
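
    As an added example (this is not part of the post above, and not Graylog's own tooling), here is a small POSIX shell script that does the three hand-edits to server.conf from the guide in one go and sanity-checks the result before you restart graylog-server. It assumes the stock server.conf layout (a `password_secret =` line and a `root_password_sha2 =` line already present, `root_timezone` and `http_bind_address` present but commented out); anything missing is appended. The secret is drawn from /dev/urandom instead of pwgen so it needs no extra package, and the hash is computed the same way as the `echo -n ... | sha256sum` pipeline in the guide, i.e. without a trailing newline. The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Fills in the server.conf
# settings the guide asks you to edit by hand, then checks them.

# SHA-256 of a string with no trailing newline (what the guide's
# "echo -n ... | sha256sum" pipeline computes). printf avoids echo -n portability issues.
graylog_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1   # fallback where sha256sum is absent
  fi
}

# 96-character alphanumeric secret, same shape as "pwgen -N 1 -s 96" in the guide.
graylog_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# set_conf_key <file> <key> <value>: replace an existing "key = value" line
# (commented-out lines count too) or append when the key is absent.
# Writes through a temp file so it works with any sed.
set_conf_key() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_conf_key <file> <key>: print the active (uncommented) value of a key.
get_conf_key() {
  sed -n -E "s|^$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# configure_graylog_conf <server.conf> <admin password> <bind ip> [timezone]
# Applies the four edits from the guide: password_secret, root_password_sha2,
# root_timezone and http_bind_address (port 9000, as in the guide).
configure_graylog_conf() {
  conf="$1"; admin_pw="$2"; bind_ip="$3"; tz="${4:-America/New_York}"
  set_conf_key "$conf" password_secret    "$(graylog_secret)"
  set_conf_key "$conf" root_password_sha2 "$(graylog_sha256 "$admin_pw")"
  set_conf_key "$conf" root_timezone      "$tz"
  set_conf_key "$conf" http_bind_address  "${bind_ip}:9000"
}

# check_graylog_conf <server.conf>: 0 when the secret is at least 64 chars
# (the stock config's own comment asks for that), the hash is a 64-hex-char
# digest, and the bind address is no longer loopback; prints what is wrong otherwise.
check_graylog_conf() {
  conf="$1"; bad=0
  secret=$(get_conf_key "$conf" password_secret)
  hash=$(get_conf_key "$conf" root_password_sha2)
  bind=$(get_conf_key "$conf" http_bind_address)
  [ "${#secret}" -ge 64 ] || { echo "password_secret is shorter than 64 characters"; bad=1; }
  printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' \
    || { echo "root_password_sha2 is not a sha256 hex digest"; bad=1; }
  case "$bind" in
    ""|127.0.0.1:*) echo "http_bind_address is unset or still on loopback"; bad=1 ;;
  esac
  return "$bad"
}

# Usage on the server:
#   sh graylog-conf.sh /etc/graylog/server/server.conf 'YourAdminPassword' ip-addr-of-server
if [ $# -ge 3 ]; then
  configure_graylog_conf "$@" && check_graylog_conf "$1"
fi
```

    Run it against a copy of server.conf first if you want to eyeball the result; the check function is the part worth keeping around, since a loopback bind address or an empty password_secret is the usual reason the web interface "doesn't come up" after a fresh install.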



  • The last time I set up Graylog I had to configure SELinux.

    • Allow the web server to access the network:
      sudo setsebool -P httpd_can_network_connect 1

    • Graylog REST API and web interface:
      sudo semanage port -a -t http_port_t -p tcp 9000

    • Elasticsearch (only if the HTTP API is being used):
      sudo semanage port -a -t http_port_t -p tcp 9200

    • Allow using MongoDB default port (27017/tcp):
      sudo semanage port -a -t mongod_port_t -p tcp 27017
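
    As an added example (not from the post above), a shell script that verifies the SELinux settings listed there are actually in place, by parsing the output of `semanage port -l` and `getsebool -a` rather than grepping by eye. It handles the port ranges semanage prints (e.g. `27017-27019`) and prints the exact command for anything missing. The sample listings embedded below are constructed for offline use; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the SELinux port labels
# and boolean the post sets, from parsed "semanage port -l" / "getsebool -a" output.

# Constructed sample output for offline testing (9200 deliberately not labelled).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mongod_port_t                  tcp      27017-27019, 28017-28019
ssh_port_t                     tcp      22'
SAMPLE_BOOLS='httpd_can_network_connect --> on
httpd_can_network_relay --> off'

# port_in_list <list> <port>: 0 if <port> is covered by a semanage-style list
# such as "80, 443, 27017-27019" (single ports and inclusive ranges).
port_in_list() {
  list="$1"; port="$2"
  for item in $(printf '%s' "$list" | tr ',' ' '); do
    case "$item" in
      *-*) lo="${item%-*}"; hi="${item#*-}"
           [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
      *)   [ "$item" -eq "$port" ] && return 0 ;;
    esac
  done
  return 1
}

# semanage_has_port <listing> <type> <proto> <port>: 0 if the port carries that label.
semanage_has_port() {
  matched=$(printf '%s\n' "$1" | awk -v t="$2" -v p="$3" \
    '$1 == t && $2 == p { $1 = ""; $2 = ""; sub(/^ +/, ""); print }')
  [ -n "$matched" ] && port_in_list "$matched" "$4"
}

# sebool_is_on <getsebool output> <boolean>: 0 if the boolean reads "--> on".
sebool_is_on() {
  printf '%s\n' "$1" | grep -q "^$2 --> on$"
}

# graylog_selinux_missing <port listing> <bool listing>
# Prints the fix-up command for each setting from the post that is absent.
# Returns the number of missing settings, so 0 means everything is in place.
graylog_selinux_missing() {
  port_listing="$1"; bool_listing="$2"; missing=0
  for rule in "http_port_t tcp 9000" "http_port_t tcp 9200" "mongod_port_t tcp 27017"; do
    set -- $rule
    if ! semanage_has_port "$port_listing" "$1" "$2" "$3"; then
      echo "missing: semanage port -a -t $1 -p $2 $3"
      missing=$((missing + 1))
    fi
  done
  if ! sebool_is_on "$bool_listing" httpd_can_network_connect; then
    echo "missing: setsebool -P httpd_can_network_connect 1"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# Live use on the Graylog host (run as root):
#   sh graylog-selinux-check.sh --live
if [ "${1:-}" = "--live" ]; then
  graylog_selinux_missing "$(semanage port -l)" "$(getsebool -a)"
fi
```

    Note the post labels 9200 only "if the HTTP API is being used"; if you kept Elasticsearch bound to localhost and Graylog talks to it over that, you can drop that rule from the list and the check will stop nagging about it.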