How to Setup Graylog

  • First off, this assumes you are using CentOS 7 (CentOS 8 may work, I just didn't have the time to get that ISO downloaded and troubleshoot all of these steps).

    To start, update the OS so we're current and install some dependencies.

    yum update -y
    yum install java-1.8.0-openjdk-headless.x86_64
    yum install epel-release
    yum install pwgen
    vi /etc/yum.repos.d/mongodb-org-4.0.repo

    When you are modifying this repo add the below

    name=MongoDB Repository
    yum install mongodb-org

    Enter 'Y' to confirm installation

    systemctl daemon-reload
    systemctl enable mongod.service
    systemctl start mongod.service
    ps aux | grep mongo
    rpm --import
    vi /etc/yum.repos.d/elasticsearch.repo

    Insert the below into this repo file so we can install Elasticsearch-OSS (because the licensing is better for us in this case).

    name=Elasticsearch repository for 6.x packages

    Save and quit this file :wq

    yum install elasticsearch-oss
    vi /etc/elasticsearch/elasticsearch.yml

    Change: my-application to graylog

    At the EoF add

    action.auto_create_index: false

    Save and quit this file :wq

    chkconfig --add elasticsearch
    systemctl daemon-reload
    systemctl enable elasticsearch.service
    systemctl start elasticsearch.service
    ps aux | grep elastic
    rpm -Uvh
    yum install graylog-server

    Now to set up the configuration file

    vi /etc/graylog/server/server.conf    
    >> :shell
    >> pwgen -N 1 -s 96

    Copy whatever is generated and insert it in "password_secret = "

    >> exit

    Need to enter the root_password_sha2 to log in to the Graylog web console (make it user friendly)

    >> :shell 
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

    Copy the Hash

    >> exit

    Lastly edit the timezone

    root_timezone = America/New_York

    Save and quit this file :wq

    Ensuring everything starts at boot

    chkconfig --add graylog-server
    systemctl daemon-reload
    systemctl enable graylog-server.service
    systemctl start graylog-server.service

    Configuring rsyslog

    vi /etc/rsyslog.conf
    >> EoF
    Insert *.* @ip-addr-of-server:1514;RSYSLOG_SyslogProtocol23Format
    systemctl restart rsyslog
    iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
    iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

    Saving these rules so they load at next boot
    iptables-save > /etc/sysconfig/iptables

    Checking to make sure we're listening on port 9000

    ss -nl | grep 9000
        tcp    LISTEN     0      128      [::ffff:]:9000               [::]:*
    vi /etc/graylog/server/server.conf

    Edit the HTTP settings so you can actually access the web interface from anything on your LAN (or cloud)

    http_bind_address = ip-addr-of-server:9000

    Save and quit this file :wq

    systemctl restart graylog-server

    Wait a minute for everything to start up.

    Then check the port for your public IP to make sure port 9000 is listening; it should show like in the example below

    ss -nl | grep 9000
    tcp    LISTEN     0      128     [::ffff:ip-addr-of-server]:9000               [::]:*

    Adding some Firewall exceptions

    firewall-cmd --zone=public --add-port=9000/tcp

    At this point open a web browser, go to http://ip-addr-of-server:9000 and log in with 'admin' and whatever pass you created above

    Time to update so we're current - I know @JaredBusch 🖕

    sudo rpm -Uvh
    yum clean all
    yum install graylog-server
    systemctl restart graylog-server

    Log back in to your updated Graylog server and you can clear the alarm about being out of date.

    From here all you need to do is setup your inputs.
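    As an added example (not from the post above), a small POSIX shell helper for the server.conf edits in this walkthrough: it hashes the root password without a trailing newline (the reason for the tr -d '\n' in the pipeline above), writes password_secret / root_password_sha2 / http_bind_address idempotently, and checks the result before you restart graylog-server. The function names are my own; it assumes GNU coreutils (sha256sum, mktemp) and the stock "key = value" layout of the config file.

```shell
#!/bin/sh
# Added helper, not from the original post. Assumes GNU coreutils
# (sha256sum, mktemp) and the stock "key = value" layout of server.conf.

# Hex SHA-256 of "$1" with no trailing newline, which is what
# root_password_sha2 expects (hashing "pass\n" silently locks you out).
graylog_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# set_conf_key FILE KEY VALUE: rewrite an existing (even commented-out)
# "KEY = ..." line in place, or append one. VALUE must not contain '|' or '&'.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^#\{0,1\}[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file's owner and mode
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: value of the first active (uncommented) KEY line.
get_conf_key() {
    sed -n "s|^${2}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# check_graylog_conf FILE: 0 if the three settings edited in this guide look
# sane (password_secret >= 64 chars as the config template asks for, a real
# SHA-256 hex digest, and a bind address that is not loopback), else 1.
check_graylog_conf() {
    secret=$(get_conf_key "$1" password_secret)
    hash=$(get_conf_key "$1" root_password_sha2)
    bind=$(get_conf_key "$1" http_bind_address)
    [ "${#secret}" -ge 64 ] || { echo "password_secret is shorter than 64 chars" >&2; return 1; }
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
    case $bind in
        ""|127.0.0.1:*|localhost:*)
            echo "http_bind_address would not be reachable from the LAN" >&2; return 1 ;;
    esac
    return 0
}
```

    Typical use is set_conf_key /etc/graylog/server/server.conf root_password_sha2 "$(graylog_sha256 "$PASS")" followed by check_graylog_conf on the same file.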

  • The last time I set up Graylog I had to configure SELinux.

    • Allow the web server to access the network:
      sudo setsebool -P httpd_can_network_connect 1

    • Graylog REST API and web interface:
      sudo semanage port -a -t http_port_t -p tcp 9000

    • Elasticsearch (only if the HTTP API is being used):
      sudo semanage port -a -t http_port_t -p tcp 9200

    • Allow using MongoDB default port (27017/tcp):
      sudo semanage port -a -t mongod_port_t -p tcp 27017