How to Install Graylog2 onto CentOS 6.x (x64) minimal

Graylog2 is an open-source log management tool that consolidates all of your logging onto one system where it can be searched easily. It is a free alternative to paid log software such as Splunk, has a very user-friendly interface for viewing log data visually, and can be extended with plugins.

https://www.graylog2.org

Prerequisites

  • CentOS 6.x Server (x64) minimal
  • Elasticsearch Latest Release
  • MongoDB Latest Release
  • Java 1.7
  • yum EPEL 6
  • IPtables turned off (turn on for added security)
  • SELinux Disabled
  • Graylog2 + Graylog2 Web Interface


1. Install Java 1.7

  • Download the latest version of the Java JDK 1.7 from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html and install it

[[email protected] ~]# rpm -ivh jdk-7u71-linux-x64.rpm
Preparing… ########################################### [100%]
1:jdk ########################################### [100%]
Unpacking JAR files…
rt.jar…
jsse.jar…
charsets.jar…
tools.jar…
localedata.jar…
jfxrt.jar…


2. Install Latest Version of MongoDB

  • Create a /etc/yum.repos.d/mongodb.repo file and add the following
[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/
gpgcheck=0
enabled=1
  • Install MongoDB via yum
sudo yum install -y mongodb-org
  • Start Mongo

service mongod start

  • Add an admin user and the Graylog user to Mongo and check that each can authenticate

> use admin
switched to db admin
> db.addUser('admin', 'adminpassword')
Successfully added user: { "user" : "admin", "roles" : [ "root" ] }
> db.auth('admin', 'adminpassword')
1
> use graylog2
switched to db graylog2
> db.addUser('grayloguser', 'grayloguserpassword')
Successfully added user: { "user" : "grayloguser", "roles" : [ "dbOwner" ] }
> db.auth('grayloguser', 'grayloguserpassword')
1
> exit



3. Install Latest Elasticsearch and Configure

  • Download latest version of Elasticsearch from http://www.elasticsearch.org/downloads and install

[[email protected] ~]# tar xvf elasticsearch-1.4.2.tar.gz -C /opt

  • Make a symbolic link to make Elasticsearch easier to manage

[[email protected] opt]# ln -s /opt/elasticsearch-1.4.2 /opt/elasticsearch

  •  Install Elasticsearch service wrapper

[[email protected] opt]# curl -k -L http://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master | tar -xz
[[email protected] opt]# mv *servicewrapper*/service elasticsearch/bin/
[[email protected] opt]# rm -Rf *servicewrapper*
[[email protected] opt]# /opt/elasticsearch/bin/service/elasticsearch install
Detected RHEL or Fedora:
Installing the Elasticsearch daemon..


  • Modify /opt/elasticsearch/config/elasticsearch.yml and uncomment/modify these lines

cluster.name: graylog2
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["YOUR-IP-ADDRESS"]

  •  Start up Elasticsearch

[[email protected] config]# service elasticsearch start
Starting Elasticsearch…
Waiting for Elasticsearch……
running: PID:3666


4. Install Graylog2 server

  •  Download latest graylog2 server from https://www.graylog2.org/download and install

[[email protected] ~]# tar xvf graylog2-server-0.92.4.tgz -C /opt

  •  Create a symbolic link to make Graylog2 server easier to manage

[[email protected] opt]# ln -s /opt/graylog2-server-0.92.4 /opt/graylog2

  •  Copy graylog2 example configuration file

[[email protected] /]# cp /opt/graylog2/graylog2.conf.example /etc/graylog2.conf

  • Create a SHA-256 hash of the admin password with the following

[[email protected] etc]# echo -n password | sha256sum
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

  • Create a secret password with pwgen

[[email protected] ~]# pwgen -N 1 -s 96
ol4LZaPosNJdPE5i3Z7941IwrunSzZ3PwnNVnmTaDCw9A7kucshiCKJmB7ubn59zWRIlwf5RLB69U5i4sH03JaEgyUzBo4nb

  • Modify /etc/graylog2.conf and set the following lines

root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
password_secret = ol4LZaPosNJdPE5i3Z7941IwrunSzZ3PwnNVnmTaDCw9A7kucshiCKJmB7ubn59zWRIlwf5RLB69U5i4sH03JaEgyUzBo4nb
elasticsearch_shards = 1
elasticsearch_cluster_name = graylog2
mongodb_useauth = true
mongodb_user = grayloguser
mongodb_password = grayloguserpassword
mongodb_host = 127.0.0.1
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = YOUR-IP-ADDRESS:9300
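As an added example, not part of the original article, the following script performs the three steps above (hash the admin password, generate the password_secret, edit /etc/graylog2.conf) in one place and lets you read the values back to confirm the edit. The functions `sha256_password`, `generate_secret`, `set_conf_value`, `get_conf_value` and `configure_graylog2` are my own constructions, as is the fallback to /dev/urandom when pwgen is not installed; the configuration keys are the ones listed in the guide.

```shell
#!/bin/sh
# Added example (not from the original article): derive the two secrets the
# guide writes into /etc/graylog2.conf and apply them to the file.
set -eu

# SHA-256 hex digest of the admin password, the value the guide gets from
# `echo -n password | sha256sum` (digest only, without the trailing " -").
sha256_password() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# 96-character alphanumeric secret, the same shape as `pwgen -N 1 -s 96`
# produces; falls back to /dev/urandom when pwgen is not installed.
generate_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
    fi
}

# Set `key = value` in a Graylog2-style config: replace the active line if
# one exists, otherwise append. Values are assumed to be plain alphanumeric
# strings like the ones above (no sed metacharacters such as | or &).
set_conf_value() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^${key}[[:space:]]*=" "$file"; then
        newfile="${file}.tmp.$$"
        sed -E "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$newfile"
        mv "$newfile" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key back, to check that an edit took effect.
get_conf_value() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Apply the settings from the guide. Usage: configure_graylog2 /etc/graylog2.conf 'password'
configure_graylog2() {
    conf="$1"
    set_conf_value "$conf" root_password_sha2 "$(sha256_password "$2")"
    set_conf_value "$conf" password_secret "$(generate_secret)"
    set_conf_value "$conf" elasticsearch_cluster_name graylog2
    set_conf_value "$conf" mongodb_useauth true
    set_conf_value "$conf" mongodb_user grayloguser
}
```

Run it against a copy of graylog2.conf.example first; the mongodb_password line and the unicast host still have to be set by hand because they are specific to your installation.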


  • Test Graylog to see whether it comes up cleanly. If you see "Graylog2 Server up and running." then all of the configuration should be working correctly

[[email protected] graylog2]# java -jar graylog2-server.jar --debug
2015-01-19 15:18:15,170 DEBUG: org.graylog2.security.ShiroSecurityBinding - Resource method org.graylog2.rest.resources.count.CountResource#total requires an authenticated user.
2015-01-19 15:18:15,170 DEBUG: org.graylog2.security.ShiroSecurityBinding - Resource method org.graylog2.rest.resources.count.CountResource#total requires an authorization checks.
2015-01-19 15:18:15,171 DEBUG: org.graylog2.shared.metrics.jersey2.MetricsDynamicBinding - Setting up filter for Timed resource method: org.graylog2.rest.resources.count.CountResource#total
2015-01-19 15:18:15,196 INFO : org.graylog2.shared.initializers.RestApiService - Adding security context factory: <[email protected]>
2015-01-19 15:18:15,218 INFO : org.graylog2.shared.initializers.RestApiService - Started REST API at <http://127.0.0.1:12900/>
2015-01-19 15:18:15,219 INFO : org.graylog2.shared.initializers.ServiceManagerListener - Services are healthy
2015-01-19 15:18:15,222 INFO : org.graylog2.Main - Services started, startup times in ms: {MetricsReporterService [RUNNING]=30, GroovyShellSetupService [RUNNING]=51, InputSetupService [RUNNING]=64, OutputSetupService [RUNNING]=70, BufferSynchronizerService [RUNNING]=76, DashboardRegistryService [RUNNING]=282, PeriodicalsService [RUNNING]=326, ProcessBufferService [RUNNING]=3048, IndexerSetupService [RUNNING]=3923, RestApiService [RUNNING]=20524}
2015-01-19 15:18:15,222 DEBUG: org.graylog2.shared.initializers.InputSetupService - Lifecycle is now Running [LB:ALIVE]
2015-01-19 15:18:15,226 INFO : org.graylog2.shared.initializers.InputSetupService - Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2015-01-19 15:18:15,226 DEBUG: org.graylog2.shared.initializers.InputSetupService - Launching persisted inputs now.
2015-01-19 15:18:15,234 INFO : org.graylog2.Main - Graylog2 Server up and running.
2015-01-19 15:18:15,371 DEBUG: org.graylog2.caches.DiskJournalCache - Committing input-cache (entries 0)
2015-01-19 15:18:15,720 DEBUG: org.graylog2.periodical.BatchedElasticSearchOutputFlushThread - Checking for outputs to flush ...

  • Make Graylog2 a service by linking its control script into /etc/init.d

[[email protected] graylog2]# ln -s /opt/graylog2/bin/graylog2ctl /etc/init.d/graylog2-server

  • Modify /etc/init.d/graylog2-server and put the following on top of the startup script

#!/bin/bash
#————————-
#chkconfig: 2345 90 60
#
#————————-

  • Add graylog2 to the chkconfig services and enable

[[email protected] init.d]# chkconfig --add graylog2-server
[[email protected] init.d]# chkconfig graylog2-server on
[[email protected] init.d]# service graylog2-server start
Starting graylog2-server …


5. Install Graylog2 Web Interface

  • Download and Extract Graylog Web interface

[[email protected] ~]# tar xvf graylog2-web-interface-0.92.4.tgz -C /opt

  • Create a symbolic link to make Graylog2-web interface easier to manage

[[email protected] opt]# ln -s /opt/graylog2-web-interface-0.92.4 /opt/graylog2-web-interface

  • Modify /opt/graylog2-web-interface/conf/graylog2-web-interface.conf and change the following
  • application.secret is the password_secret generated with pwgen in the previous step

application.secret="ol4LZaPosNJdPE5i3Z7941IwrunSzZ3PwnNVnmTaDCw9A7kucshiCKJmB7ubn59zWRIlwf5RLB69U5i4sH03JaEgyUzBo4nb"
graylog2-server.uris="http://127.0.0.1:12900"

  • Create a file /etc/graylog2-web-interface-log.xml containing the following logback configuration
<configuration>
    <!--
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%date %-5level [%thread] - [%logger]- %msg%n</pattern>
        </encoder>
    </appender>
    -->
    <!-- class attributes name the logback implementation of each appender and policy -->
    <appender name="ROLLING_FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>/var/log/graylog2/web/graylog2-web-interface.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <FileNamePattern>/var/log/graylog2/web/graylog2-web-interface.log.%d{yyyy-MM-dd}.%i.log.gz</FileNamePattern>
            <MaxHistory>30</MaxHistory>
            <timeBasedFileNamingAndTriggeringPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
                <maxFileSize>100MB</maxFileSize>
            </timeBasedFileNamingAndTriggeringPolicy>
        </rollingPolicy>
        <encoder>
            <pattern>%date [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>
    <root level="INFO">
        <!--<appender-ref ref="STDOUT" />-->
        <appender-ref ref="ROLLING_FILE" />
    </root>
</configuration>
  • Create a file /etc/init.d/graylog2-web and put the following in it
#!/bin/bash
#
#-------------------------
#chkconfig: 2345 90 60
#
#-------------------------
CMD=$1
NOHUP=$(which nohup)
GRAYLOG2WEB_DIR=/opt/graylog2-web-interface
PID_FILE=RUNNING_PID
LOGGER_CONFIG_FILE=/etc/graylog2-web-interface-log.xml
start() {
    echo "Starting graylog2-web-interface ..."
    cd "$GRAYLOG2WEB_DIR"
    # Play writes its PID to RUNNING_PID in the install directory
    $NOHUP bin/graylog2-web-interface -Dlogger.file=$LOGGER_CONFIG_FILE &
}
stop() {
    PID=$(get_pid)
    if [ -z "$PID" ]; then
        echo "graylog2-web-interface not running"
        return
    fi
    echo "Stopping graylog2-web-interface ($PID) ..."
    if kill "$PID"; then
        echo "graylog2-web-interface has been stopped"
        rm -f "${GRAYLOG2WEB_DIR}/${PID_FILE}"
    fi
}
restart() {
    echo "Restarting graylog2-web-interface ..."
    stop
    start
}
status() {
    pid=$(get_pid)
    if [ -n "$pid" ]; then
        if pid_running "$pid"; then
            echo "graylog2-web-interface running as pid $pid"
            return 0
        else
            echo "Stale pid file with $pid - removing..."
            rm -f "${GRAYLOG2WEB_DIR}/${PID_FILE}"
        fi
    fi
    echo "graylog2-web-interface not running"
}
get_pid() {
    PID=""
    if [ -f "${GRAYLOG2WEB_DIR}/${PID_FILE}" ]; then
        PID=$(cat "${GRAYLOG2WEB_DIR}/${PID_FILE}")
    fi
    if [ -z "$PID" ]; then
        # Fall back to the process list when the PID file is missing or empty
        PID=$(ps aux | grep java | grep graylog2-web-interface | awk '{print $2}')
    fi
    echo "${PID}"
}
pid_running() {
    kill -0 "$1" 2> /dev/null
}
case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        status
        ;;
    *)
        echo "Usage $0 {start|stop|restart|status}"
        RETVAL=1
        ;;
esac
exit ${RETVAL:-0}
  • Add the following to chkconfig to make it run on start

[[email protected] init.d]# chkconfig --add graylog2-web
[[email protected] init.d]# chkconfig graylog2-web on
[[email protected] init.d]# service graylog2-web start


6. Log into Graylog

  • Go to a web browser, enter http://YOUR-IP-ADDRESS:9000 and you should get the Graylog2 web GUI
