In this article we discuss how to install Graylog Open Source version 3.3.81 on CentOS 8.
Graylog is an open-source log management tool that centrally captures, stores, and enables real-time search and analysis of logs from any component of the IT infrastructure and its applications. Graylog was founded in 2009 by Lennart Koopmann and began as an open-source project in Hamburg, Germany. The headquarters are in Houston, Texas. Graylog released its first commercial offering in 2016, making its enterprise product available. By 2018 Graylog had grown to over 35,000 installations worldwide. The software uses a three-tier architecture and scalable storage based on Elasticsearch and MongoDB.
Graylog Installation On CentOS 8
In this article we deploy a minimum setup. A minimum Graylog setup can be used for smaller, non-critical, or test environments. None of the components are redundant, and they are easy and quick to set up, as described in Graylog's Architectural considerations.
Installing Graylog on CentOS 8 requires several applications to be deployed first, namely Java, Elasticsearch and MongoDB.
- Elasticsearch – Stores the log messages received from the Graylog server and provides a facility to search them whenever required. Elasticsearch is resource hungry because it indexes the data, so allocate more memory and use SAS or SAN disks.
- MongoDB – Stores the configurations and meta information.
- Graylog server – Receives and parses the logs, then provides a built-in web interface to work with them.
The Graylog installation will be divided into several steps:
- Graylog Installation
To install Graylog on CentOS 8, several prerequisites have to be fulfilled first. Here are the prerequisites to be met:
- CentOS 8 Operating system with sufficient space
- root account or user with sudo privilege
- Java installed on the system, at least version 8 or newer (OpenJDK or Oracle Java)
- Elasticsearch (5.x or 6.x); Graylog 3 does not work with Elasticsearch 7.x!
- MongoDB (3.6, 4.0 or 4.2)
In the sections below we discuss how to fulfill requirements 3, 4 and 5.
To verify that Java is installed on the system, issue the command java --version, as shown below:
[mpik@diginetapp02 ~]$ java --version
openjdk 11.0.8 2020-07-14 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.8+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10-LTS, mixed mode, sharing)
OpenJDK version 11.0.8 is installed on our system. Java installation instructions can be found in the installing OpenJDK on CentOS 8, installing OpenJDK on Ubuntu 20.04 LTS or installing Oracle Java on Ubuntu articles.
As mentioned in the Graylog documentation, Graylog is only supported with Elasticsearch version 5.x and 6.x. Our system has no Elasticsearch 5.x or 6.x installed, so we have to install it first. In this section we install Elasticsearch version 6.x.
- Install Elastic GPG key
The first step is to install the Elastic GPG key, by submitting the command below:
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
- Add Elasticsearch Repository File
We have to make the system aware of the Elasticsearch 6.x packages by adding a new repository file. We create it by submitting the command line:
sudo vi /etc/yum.repos.d/elasticsearch.repo
- Install Elasticsearch version 6.x
Then we install Elasticsearch by submitting the command line:
sudo dnf install elasticsearch-oss
The output will be:
- Configuring Elasticsearch
After the Elasticsearch installation is complete, we configure it to fit the needs of the Graylog application. We edit the /etc/elasticsearch/elasticsearch.yml file and set the cluster.name parameter to graylog (the file is YAML, so the key and value are separated by a colon):
cluster.name: graylog
- Enabling and Starting Elasticsearch Services
The next step is to enable and start the Elasticsearch service and verify that it meets the Graylog application's requirements.
We use the systemctl command line for this purpose. The command line is as below:
sudo systemctl [enable | restart | status] elasticsearch
Then we verify that Elasticsearch is running by submitting the command line
curl -X GET "localhost:9200/" or by opening its URL and port in a web browser. It shows “graylog” as the cluster name parameter, as shown below:
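The check above is done by eye. As an added example (not part of the original article), the following shell functions read the same GET / response and fail unless the cluster is named graylog and the node is a 5.x or 6.x release, which is what Graylog 3 requires; the sample JSON responses are constructed, not captured from a real node, and the function names are this example's own:

```shell
#!/bin/sh
# Added example, not from the original article: check the answer Elasticsearch
# gives on port 9200 the way the tutorial does by eye. Graylog 3 expects
# cluster.name = graylog and an Elasticsearch 5.x or 6.x node, so the check
# fails on a 7.x node or on the default cluster name.

# Pull a top-level string value out of the JSON that GET / returns.
# A sed match is enough for this fixed, one-key-per-line response format.
json_string_field() {
  # $1 = JSON text, $2 = key
  printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" | head -n 1
}

# Return 0 when the response belongs to a cluster named "graylog" running a
# Graylog-3-compatible major version (5 or 6); print the reason otherwise.
es_response_ok() {
  cluster=$(json_string_field "$1" cluster_name)
  version=$(json_string_field "$1" number)
  major=${version%%.*}
  if [ "$cluster" != "graylog" ]; then
    echo "cluster_name is '$cluster', expected 'graylog'" >&2
    return 1
  fi
  case "$major" in
    5|6) return 0 ;;
    *) echo "Elasticsearch $version is not supported by Graylog 3" >&2; return 1 ;;
  esac
}

# Live check against a node, e.g.: es_check http://localhost:9200
es_check() {
  es_response_ok "$(curl -s -X GET "$1/")"
}

# Constructed sample responses (not captured from a real node).
SAMPLE_ES6='{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "version" : {
    "number" : "6.8.13",
    "lucene_version" : "7.7.3"
  },
  "tagline" : "You Know, for Search"
}'
SAMPLE_ES7='{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "version" : { "number" : "7.9.3" },
  "tagline" : "You Know, for Search"
}'
SAMPLE_DEFAULT_NAME='{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "version" : { "number" : "6.8.13" },
  "tagline" : "You Know, for Search"
}'
```

Run es_check http://localhost:9200 on the node itself. The OSS build used here has no authentication, so the port should stay bound to the loopback address (the 6.x default) and never be opened on the firewall the way port 9000 is later in this article; Graylog talks to Elasticsearch locally.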
The Elasticsearch 6.x installation has completed successfully. In the next step we install MongoDB version 4.2.
As mentioned in the Graylog installation documentation, Graylog requires MongoDB version 3.6, 4.0 or 4.2. In this section we use MongoDB 4.2 as the component for the Graylog installation.
- Add MongoDB 4.2 Repository File
We have to make our CentOS 8 system aware of the MongoDB 4.2 packages by adding a new repository file. We create a
/etc/yum.repos.d/mongodb-org.repo file as shown below.
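As an added example that is not part of the original article, the following shell script writes both repository files used in this tutorial (the Elasticsearch 6.x file from the earlier step and the MongoDB 4.2 file from this one) and checks that gpgcheck=1 and a gpgkey are set in every section. The repository definitions are taken from the Elastic and MongoDB documentation for the OSS 6.x and 4.2 yum repositories, so confirm them against the vendor pages before use; the function names are this example's own:

```shell
#!/bin/sh
# Added example, not from the original article: write the two yum repository
# files the tutorial refers to and verify that package signature checking is
# on before running dnf. Without gpgcheck=1 the GPG keys imported earlier are
# never consulted and an unsigned or tampered package would install silently.

# Write the Elasticsearch OSS 6.x repository definition to the given path
# (definition as published in the Elastic documentation; verify before use).
write_elasticsearch_repo() {
  cat > "$1" <<'EOF'
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
}

# Write the MongoDB 4.2 repository definition to the given path
# (definition as published in the MongoDB documentation; verify before use).
write_mongodb_repo() {
  cat > "$1" <<'EOF'
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
EOF
}

# Return 0 only if the file has at least one [section] and every section has
# gpgcheck=1 together with a gpgkey, so dnf rejects unsigned packages.
repo_signing_enforced() {
  awk '
    /^\[/ { if (n && !(g && k)) bad = 1; n++; g = 0; k = 0; next }
    /^gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { g = 1 }
    /^gpgkey[[:space:]]*=/ { k = 1 }
    END { if (n && !(g && k)) bad = 1; exit (n && !bad) ? 0 : 1 }
  ' "$1"
}

# Typical use on the target host (run as root):
#   write_elasticsearch_repo /etc/yum.repos.d/elasticsearch.repo
#   write_mongodb_repo       /etc/yum.repos.d/mongodb-org.repo
#   for f in /etc/yum.repos.d/elasticsearch.repo /etc/yum.repos.d/mongodb-org.repo; do
#     repo_signing_enforced "$f" || echo "signature checking is off in $f"
#   done
```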
- Install MongoDB
Then we install MongoDB 4.2 by submitting the command line:
sudo dnf install mongodb-org
The output will be:
- Enabling and Starting MongoDB Services
The next step is to enable and start the MongoDB service. We use the systemctl command line for this purpose. The command line is as below:
sudo systemctl [enable | restart | status] mongod
It seems that MongoDB 4.2 is now running properly on our CentOS 8 system.
After all prerequisites are met, the next step is to install and configure Graylog on CentOS 8. We use Graylog version 3.3.18 in this tutorial, so we install the Graylog 3.3 repository rpm on our system.
We add the Graylog repository to our system; the latest Graylog repository can be found on the official Graylog website.
[mpik@diginetapp02 ~]$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.rpm
[sudo] password for mpik:
Retrieving https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:graylog-3.3-repository-1-1       ################################# [100%]
Before installing Graylog, we have to update our CentOS 8 system first. Submit the following command lines:
sudo dnf update
sudo dnf install graylog-server
[mpik@diginetapp02 ~]$ sudo dnf update
graylog                                         1.4 kB/s |  10 kB     00:07
Last metadata expiration check: 0:00:01 ago on Wed 28 Oct 2020 12:21:23 AM PDT.
Dependencies resolved.
 Package          Arch     Version                  Repo     Size
Installing:
 kernel           x86_64   4.18.0-193.19.1.el8_2    BaseOS   2.8 M
 kernel-core      x86_64   4.18.0-193.19.1.el8_2    BaseOS   28 M
 kernel-devel     x86_64   4.18.0-193.19.1.el8_2    BaseOS   15 M
 kernel-modules   x86_64   4.18.0-193.19.1.el8_2    BaseOS   23 M
After the system is updated, we install the Graylog server package by submitting the command line below:
[mpik@diginetapp02 ~]$ sudo dnf install graylog-server
[sudo] password for mpik:
Last metadata expiration check: 7:41:23 ago on Wed 28 Oct 2020 12:21:23 AM PDT.
Dependencies resolved.
 Package           Architecture   Version    Repository   Size
Installing:
 graylog-server    noarch         3.3.8-1    graylog      121 M

Transaction Summary
Install  1 Package

Total download size: 121 M
Installed size: 121 M
Is this ok [y/N]: y
Downloading Packages:
graylog-server-3.3.8-1.noarch.rpm        301 kB/s | 121 MB     06:51
In this section we configure the Graylog installation. The main focus is the Graylog configuration file, which is located at
/etc/graylog/server/server.conf. I will use the vi editor to edit this file.
In this file we set the following parameters:
The password_secret parameter is filled with a secret produced by the pwgen generator:
[mpik@diginetapp02 ~]$ sudo pwgen -N 1 -s 98
[sudo] password for mpik:
4nWed8DrvxOEmCl6AdYXLYGBSpzHdKe8jFhjqrxYdIPgawuwfOT5vDO01RaGhqPe9JoxcmHFNB5tCnzIVt2v10PGHCvGxXAHMp
The root_password_sha2 parameter is the SHA-256 hash of the admin password, generated by the command line below:
[mpik@diginetapp02 ~]$ sudo echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
[sudo] password for mpik:
Enter Password: Welcome202!
82ff1a0027bcf92a7a4ef8aa9e7541724b50539d35ecc99eb28cf0e204c0b66e
The relevant part of server.conf then looks like this:
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
# ATTENTION: This value must be the same on all Graylog nodes in the cluster.
# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret = 4nWed8DrvxOEmCl6AdYXLYGBSpzHdKe8jFhjqrxYdIPgawuwfOT5vDO01RaGhqPe9JoxcmHFNB5tCnzIVt2v10PGHCvGxXAHMp

# The default root user is named 'admin'
root_username = admin

# You MUST specify a hash password for the root user (which you only need to initially set up the system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it, modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = 82ff1a0027bcf92a7a4ef8aa9e7541724b50539d35ecc99eb28cf0e204c0b66e

# The email address of the root user.
# Default is empty
root_email = "firstname.lastname@example.org"

# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
root_timezone = UTC
Configuring Graylog Web Interface
After all parameters are set, we configure the Graylog web interface. The default port for Graylog is 9000. We update the
/etc/graylog/server/server.conf file to enable the web interface: set the http_bind_address parameter to your server's IP address (our server uses IP address 192.168.19.132).
http_bind_address = 192.168.19.132:9000
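The server.conf values above (password_secret, root_password_sha2 and http_bind_address) are edited by hand in the tutorial. As an added example that is not part of the original article, the shell functions below compute and validate those values and write them into a server.conf-style file in place; the function names, the throw-away password and the scratch file are this example's own assumptions, and the secret generator is a /dev/urandom alternative to the pwgen command used above:

```shell
#!/bin/sh
# Added example, not from the original article: helpers for the three
# server.conf values set by hand in the tutorial (password_secret,
# root_password_sha2, http_bind_address). Function names are this example's
# own, not Graylog's.

# SHA-256 of a string with NO trailing newline. "echo password | sha256sum"
# without -n hashes "password\n" and yields a hash Graylog will never match.
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Alternative to "pwgen -N 1 -s 96" when pwgen is not installed: 96 random
# alphanumeric characters taken from /dev/urandom.
generate_password_secret() {
  head -c 192 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 96
}

# server.conf demands at least 64 characters for password_secret; also reject
# whitespace, which the properties-style parser would mangle.
check_password_secret() {
  s="$1"
  [ "${#s}" -ge 64 ] || return 1
  case "$s" in *[[:space:]]*) return 1 ;; esac
  return 0
}

# Set "key = value" in a server.conf-style file: replace the first active
# (uncommented) line for the key, or append the key if it is absent.
set_conf_value() {
  file="$1" key="$2" value="$3"
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    !done && $0 ~ ("^" k "[[:space:]]*=") { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the active value of a key (empty output if the key is not set).
get_conf_value() {
  awk -v k="$2" '
    $0 ~ ("^" k "[[:space:]]*=") { sub("^" k "[[:space:]]*=[[:space:]]*", ""); print; exit }
  ' "$1"
}

# Apply the tutorial's settings to the given file. The admin password here is
# a constructed placeholder; replace it before pointing this at the real
# /etc/graylog/server/server.conf.
write_tutorial_values() {
  conf="$1"
  secret=$(generate_password_secret)
  check_password_secret "$secret" || return 1
  set_conf_value "$conf" password_secret "$secret"
  set_conf_value "$conf" root_username admin
  set_conf_value "$conf" root_password_sha2 "$(sha256_hex 'change-me-before-use')"
  set_conf_value "$conf" http_bind_address 192.168.19.132:9000
}

# Typical use on the target host (run as root):
#   write_tutorial_values /etc/graylog/server/server.conf
#   get_conf_value /etc/graylog/server/server.conf http_bind_address
```

Two points worth noting once the file is written: root_password_sha2 is an unsalted SHA-256 of the admin password, and password_secret peppers every other stored password, so server.conf must stay readable only by root and the graylog service user; and binding http_bind_address to the server's LAN address as the tutorial does exposes the interface to the whole network, so it is then reached over plain HTTP unless http_enable_tls is also configured.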
With this step we have almost reached the end. All parameters are set, so we enable and start the Graylog service.
As mentioned earlier in this article, Graylog requires MongoDB and Elasticsearch. These two services must be up and running well before we start the Graylog service.
[mpik@diginetapp02 ~]$ sudo systemctl daemon-reload
[sudo] password for mpik:
[mpik@diginetapp02 ~]$ sudo systemctl restart graylog-server
[mpik@diginetapp02 ~]$ sudo systemctl status graylog-server
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-10-28 08:58:32 PDT; 8s ago
     Docs: http://docs.graylog.org/
 Main PID: 6762 (graylog-server)
    Tasks: 16 (limit: 49605)
   Memory: 291.7M
   CGroup: /system.slice/graylog-server.service
           ├─6762 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─6787 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+C>

Oct 28 08:58:32 diginetapp02 systemd: Started Graylog server.
Oct 28 08:58:32 diginetapp02 graylog-server: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was >
Oct 28 08:58:33 diginetapp02 graylog-server: WARNING: sun.reflect.Reflection.getCallerClass is not supported.>
Oct 28 08:58:38 diginetapp02 graylog-server: WARNING: An illegal reflective access operation has occurred
Oct 28 08:58:38 diginetapp02 graylog-server: WARNING: Illegal reflective access by com.google.inject.assisted>
Oct 28 08:58:38 diginetapp02 graylog-server: WARNING: Please consider reporting this to the maintainers of co>
Oct 28 08:58:38 diginetapp02 graylog-server: WARNING: Use --illegal-access=warn to enable warnings of further>
Oct 28 08:58:38 diginetapp02 graylog-server: WARNING: All illegal access operations will be denied in a futur>
To make the Graylog server start automatically at system boot, submit the command below.
[mpik@diginetapp02 ~]$ sudo systemctl enable graylog-server
The server log is written to /var/log/graylog-server/server.log and can be followed with:
tail -f /var/log/graylog-server/server.log
By default, the firewall rules block most traffic coming from external machines, so we have to add a rule to allow access to the Graylog web interface. For this purpose, submit the commands below:
[mpik@diginetapp02 ~]$ sudo firewall-cmd --permanent --add-port=9000/tcp
success
[mpik@diginetapp02 ~]$ sudo firewall-cmd --reload
success
The Graylog web interface is located at
http://ip-address:9000 and can be accessed through a web browser. In our tutorial we open the URL:
We log in with the username
admin and the password whose hash we placed in root_password_sha2 above.
The first appearance of the Graylog web interface, showing Graylog version 3.3.8.
Graylog system overview :
So far, the installation has completed successfully. The next thing is to learn in more depth how to install, configure and operate Graylog so that it brings benefits to the environment in which we work.
At this point we have installed Graylog version 3.3.81 on CentOS 8 successfully. This guide does not cover security settings. As we know, security is a main issue in this information age. Make sure that the Graylog you have deployed is not breached and does not expose information it should not.
Have a nice weekend, stay safe.