Install Graylog Monitoring Server on CentOS 8

Graylog is a powerful platform for simplified log management of structured or unstructured data. Additionally, it is useful for debugging applications.

Graylog is broadly based upon Scala, MongoDB, and Elasticsearch. It has a main server to receive data from the clients that may be installed over different servers. Similarly, Graylog features a web interface for the visualization of data. It facilitates work over the logs that the main server aggregates.

Graylog is primarily used as a stash for logs for any web application in use. Alternately, Graylog is also effective when working with raw strings, such as Syslog.

In this tutorial, we will show you how to install the Graylog Monitoring server on CentOS 8.

Step 1 – Install Required Dependencies

Before starting, you will need to install Java and other required dependencies on your server.

First, install the EPEL repository with the following command:

dnf install epel-release -y

Next, install the Java using the following command:

dnf install -y java-1.8.0-openjdk-headless -y

Once Java is installed, you can verify it with the following command:

java -version

You should get the following output:

openjdk version "1.8.0_265"
OpenJDK Runtime Environment (build 1.8.0_265-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)

Next, install other required packages with the following command:

dnf install wget pwgen perl-Digest-SHA -y

Step 2 – Install Elasticsearch

Graylog uses Elasticsearch to store log messages and its search function. By default, the latest version of Elasticsearch is not available in the CentOS 8 default repository, so you will need to add the Elasticsearch repo to your system.

First, import the GPG key with the following command:

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Next, create Elasticsearch repo with the following command:

nano /etc/yum.repos.d/elasticsearch.repo

Add the following lines:

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Save and close the file then install the Elasticsearch with the following command:

dnf install elasticsearch-oss -y

Once the Elasticsearch is installed, edit the Elasticsearch main configuration file:

nano /etc/elasticsearch/elasticsearch.yml

Define your cluster name and add another line as shown below:

cluster.name: my-graylog
action.auto_create_index: false

Save the file, then reload the systemd daemon and enable Elasticsearch to start at system reboot with the following command:

systemctl daemon-reload
systemctl enable elasticsearch

Next, restart the Elasticsearch service with the following command:

systemctl restart elasticsearch

You can now check the Elasticsearch response using the following command:

curl -X GET http://localhost:9200

If everything is correct, you should get the following output:

{
"name" : "7FL0524",
"cluster_name" : "my-graylog",
"cluster_uuid" : "C4OvK0Y_TjCiVzBiHbz0pA",
"version" : {
"number" : "6.8.12",
"build_flavor" : "oss",
"build_type" : "rpm",
"build_hash" : "7a15d2a",
"build_date" : "2020-08-12T07:27:20.804867Z",
"build_snapshot" : false,
"lucene_version" : "7.7.3",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}

Step 3 – Install MongoDB Server

Graylog uses MongoDB to store configurations and meta information. By default, MongoDB is not available in the CentOS 8 standard repository, so you will need to create a repository for MongoDB.

You can create it with the following command:

nano /etc/yum.repos.d/mongodb-org-4.0.repo

Add the following lines:

[mongodb-org-4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc

Save and close the file, then update the repository with the following command:

dnf update -y

Next, install the MongoDB server with the following command:

dnf install mongodb-org -y

Once MongoDB is installed, start the MongoDB service and enable it to start at system reboot:

systemctl start mongod
systemctl enable mongod

Step 4 – Install and Configure Graylog Server

By default, the Graylog server package is not available in the CentOS 8 standard repository, so you will need to create a repo for Graylog.

You can install the Graylog repo using the following command:

dnf install https://packages.graylog2.org/repo/packages/graylog-3.2-repository_latest.rpm -y

Once the repository is created, you can install the Graylog server with the following command:

dnf install graylog-server -y

After installing Graylog server, you will need to generate a secret key for Graylog. You can generate it with the following command:

pwgen -N 1 -s 96

Output:

un5R8H7vmoq1japNYvHD2pEkawKyBzZpWeFsfVEk4Ustl5sWPtcdMbgTV18mHyqBnBK0sk83fcEmceTtyNzxntWqWhNPYe9N

You will also need to generate a secure password for Graylog. You can generate it with the following command:

echo -n your-password | shasum -a 256

You should get the following output:

616384da8ed2fb86db3462ec827bc433256324e323a2438f48ae32930e707065 -

Note: You can use this password “your-password” to log in to the Graylog web interface.

Next, edit the Graylog main configuration file and define your secret key, password, and other settings:

nano /etc/graylog/server/server.conf

Change the following lines:

password_secret = un5R8H7vmoq1japNYvHD2pEkawKyBzZpWeFsfVEk4Ustl5sWPtcdMbgTV18mHyqBnBK0sk83
fcEmceTtyNzxntWqWhNPYe9N
root_username = admin
root_password_sha2 = 616384da8ed2fb86db3462ec827bc433256324e323a2438f48ae32930e707065
root_timezone = UTC
http_bind_address = your-server-ip:9000

Save and close the file, then reload the systemd daemon with the following command:

systemctl daemon-reload

Next, start the Graylog service and enable it to start at system reboot with the following command:

systemctl start graylog-server
systemctl enable graylog-server

You can check the Graylog server log to verify whether the Graylog server is started or not:

tail -f /var/log/graylog-server/server.log

If the Graylog server is started successfully, you should get the following output:

2020-10-02T11:46:15.649-04:00 INFO [InputSetupService] Triggering launching persisted inputs, 
node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2020-10-02T11:46:15.654-04:00 INFO [ServerBootstrap] Graylog server up and running.

At this point, the Graylog server is started and listening on port 9000.

Step 5 – Access Graylog Interface

Now, you can access the Graylog web interface using the URL http://your-server-ip:9000. You should see the Graylog login page:

Provide your admin username and password and click on the Sign–in button. You should see the Graylog dashboard on the following page:

Conclusion

Congratulations! You have successfully installed and configured the Graylog server on CentOS 8. You can now configure your Graylog server to receive Rsyslog logs from external servers. For more information, you can visit the Graylog documentation. Get started with Graylog today on VPS Hosting from Atlantic.Net.