How to Install Graylog with Elasticsearch on CentOS 8

Graylog is an open-source log management system that collects logs from multiple sources, stores and indexes them in Elasticsearch as its main index database, and provides search, alerting, log history, and reporting for real-time application data through an intuitive UI with a fast and powerful search feature.

Requirements

  • Java
  • Elasticsearch
  • MongoDB

Update System

sudo dnf update


Install EPEL Repository

sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm


Install Java

Java 8 is a prerequisite for Elasticsearch.

sudo dnf install java-11-openjdk java-11-openjdk-devel

Check the Java version:

$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+9-LTS, mixed mode, sharing)


SELinux Configuration

sudo dnf -y install curl vim policycoreutils policycoreutils-python-utils python3-policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017


Install Elasticsearch

To install Elasticsearch, first add the Elasticsearch repository with the commands below.

sudo vim /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Elasticsearch and its dependencies.

sudo dnf -y install elasticsearch-oss


Configure Elasticsearch for Graylog

Edit the Elasticsearch configuration file and set the cluster name to graylog: uncomment the line cluster.name: my-application (remove the # as the first character) and change it to cluster.name: graylog. Also add action.auto_create_index: false to the configuration file.

Elastic configuration file: /etc/elasticsearch/elasticsearch.yml

$ sudo vim /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
action.auto_create_index: false
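As an added example (not part of the original article), the functions below read those two settings back out of elasticsearch.yml and report whether they match what Graylog expects. They also flag a network.host set to anything other than loopback: the OSS build of Elasticsearch installed here has no authentication of its own, so Graylog on the same host should be the only client able to reach port 9200. The function names, and the temporary file used in the usage, are my own choices.

```shell
# Added example (not from the original article): audit elasticsearch.yml for
# the settings Graylog needs, and flag an Elasticsearch bound beyond loopback.

# Print the value of a "key: value" line, skipping commented-out lines and
# stripping an inline "# comment". Dots in the key are escaped for sed.
yaml_value() {
  file="$1"
  key="$(printf '%s' "$2" | sed 's/\./\\./g')"
  sed -nE "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$file" \
    | sed -E 's/[[:space:]]*(#.*)?$//' \
    | tail -n 1
}

# Returns 0 when cluster.name is graylog and action.auto_create_index is false,
# which is exactly what the article's edit of elasticsearch.yml produces.
check_es_config() {
  [ "$(yaml_value "$1" cluster.name)" = "graylog" ] || return 1
  [ "$(yaml_value "$1" action.auto_create_index)" = "false" ] || return 1
}

# Returns 0 (true) when network.host is set to something other than loopback.
# The OSS build has no authentication, so that would expose every index.
es_exposed() {
  case "$(yaml_value "$1" network.host)" in
    ""|127.0.0.1|localhost|_local_|::1) return 1 ;;
    *) return 0 ;;
  esac
}

# Typical use after editing the file from the article:
#   check_es_config /etc/elasticsearch/elasticsearch.yml || echo "fix cluster.name / action.auto_create_index"
#   es_exposed /etc/elasticsearch/elasticsearch.yml && echo "WARNING: Elasticsearch is reachable from the network"
```

Run the two checks after editing the file and before starting the service; an unset network.host is treated as safe because Elasticsearch then binds to loopback by default.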

Reload systemd, then start the Elasticsearch service and enable it at boot time.

sudo systemctl daemon-reload

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch


Install MongoDB

MongoDB is used to store Graylog-related configuration. To install MongoDB, first add its repository with the commands below.

sudo vim /etc/yum.repos.d/mongodb-org-4.repo

[mongodb-org-4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc

Install MongoDB and its dependencies.

sudo dnf -y install mongodb-org

Start the MongoDB service and enable it at boot time.

sudo systemctl start mongod
sudo systemctl enable mongod


Install Graylog

Install the Graylog repository.

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm

Install Graylog and its dependencies.

sudo dnf -y install graylog-server


Generate the root_password_sha2 and password_secret values and add them to the /etc/graylog/server/server.conf configuration file.

The command below prompts for a password and prints its SHA-256 hash, which is the root_password_sha2 value.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
14c8c4ea3ef197b1ea44b3c2a27976e03491745b718td9d547da255dbd2d76gc

Uncomment the line root_username = admin (remove the # as the first character) and set root_password_sha2 to the generated value.
Below, <SHA2Password> stands for that generated value; use the hash produced on your own system with the command above.

$ sudo vim /etc/graylog/server/server.conf

root_username = admin
root_password_sha2 = 14c8c4ea3ef197b1ea44b3c2a27976e03491745b718td9d547da255dbd2d76gc


The command below generates the password_secret value.

$ sudo dnf -y install pwgen

$ pwgen -N 1 -s 96
x97hMk5iMTN470Q2eYwGOjiqgW2vNUZ3MX7Zb7h7aMLP1E4zGlNLcTY46jULierObsZYYwnGIzBrGUL7S7e1lJzlZvFgYPph

Set password_secret.

$ sudo vim /etc/graylog/server/server.conf

password_secret = x97hMk5iMTN470Q2eYwGOjiqgW2vNUZ3MX7Zb7h7aMLP1E4zGlNKcFV46jULierObsZYYwnGIzBrGUL7S7e1lJzlZvFgYPph
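As an added example (not part of the original article), the helpers below cover both of the steps above: they derive root_password_sha2 the same way the one-liner does (hex SHA-256 of the plaintext, without a trailing newline), check that a hash has the shape Graylog accepts before it is pasted into the file, generate a password_secret from /dev/urandom for hosts where pwgen is not installed, and write either value into a server.conf-style file. The function names are my own, the file path in the usage comment is the article's default, and the test file is constructed.

```shell
# Added helper (not from the original article): compute and install the
# root_password_sha2 and password_secret values in server.conf.

# Hex SHA-256 of the plaintext, which is what Graylog compares at login.
# printf '%s' avoids the trailing newline that a plain `echo` would hash in,
# a common reason the admin login fails right after setup.
graylog_sha2() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# A usable root_password_sha2 is exactly 64 lowercase hex characters; anything
# else (for example a typo in a pasted hash) can never match any password.
is_valid_sha2() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# 96 alphanumeric characters from the kernel CSPRNG, a stand-in for
# `pwgen -N 1 -s 96`. Every node of a Graylog cluster must use the same value.
gen_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Set "key = value" in a server.conf-style file: uncomment and replace an
# existing (possibly commented) line, or append the key if it is absent.
# Uses GNU sed -i; the values handled here are alphanumeric, so no escaping
# of the replacement text is needed.
set_conf_value() {
  file="$1"; key="$2"; value="$3"
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Typical use, run as root because server.conf is root-owned:
#   hash=$(graylog_sha2 "$ADMIN_PASSWORD")
#   is_valid_sha2 "$hash" || exit 1
#   set_conf_value /etc/graylog/server/server.conf root_password_sha2 "$hash"
#   set_conf_value /etc/graylog/server/server.conf password_secret "$(gen_password_secret)"
```

Keep the plaintext out of shell history (read it into a variable with `read -rs` rather than passing it on the command line), and check the file afterwards with `grep -E '^(root_password_sha2|password_secret) =' /etc/graylog/server/server.conf` to confirm each key appears exactly once.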


To reach the Graylog web interface, set http_bind_address in /etc/graylog/server/server.conf to the public host name or public IP address of the machine (0.0.0.0 binds to all interfaces).

$ sudo vim /etc/graylog/server/server.conf

http_bind_address = 0.0.0.0:9000


Allow HTTP and the other required ports through the firewall.

sudo firewall-cmd --add-port={9000/tcp,80/tcp,514/udp} --permanent
sudo firewall-cmd --reload


Open a browser and navigate to http://<server-ip>:9000

Example: http://10.0.0.10:9000

Log in with the username admin and the password whose hash you set as root_password_sha2 in the Graylog server.conf file.