How to Install Graylog Centralized Log Management System on Rocky Linux

Graylog is a free and open-source log-management platform for capturing, storing, and enabling real-time analysis of your data and logs. It's written in Java and built on top of other open-source software like MongoDB and Elasticsearch. Graylog provides one of the most efficient, fast, and flexible centralized log management platforms. With Graylog, you can send and analyze both structured and unstructured data from almost any data source.

In this tutorial, you will set up centralized log management with Graylog on a Rocky Linux server. This includes the basic installation of Graylog's dependencies, Elasticsearch and MongoDB. You will also set up a Graylog input and send logs from a Linux machine to the Graylog Server via syslog ingest.

Prerequisites

To follow this tutorial, you will need the following requirements:

  • A server running Rocky Linux 8.
  • A non-root user with sudo/administrator privileges.
  • firewalld running and enabled.

Installing Java OpenJDK

Graylog Server is written mainly in Java, so you must install Java OpenJDK on your Rocky Linux system before installing Graylog. At the time of this writing, Graylog Server requires Java v8 or higher.

The Rocky Linux repository provides multiple Java OpenJDK versions. You can list the available OpenJDK packages with the command below.

sudo dnf search openjdk

In this demo, you will install and use Java OpenJDK v11 for the Graylog Server. Run the dnf command below to install Java OpenJDK on your Rocky Linux system.

When prompted to confirm the installation, input 'y' and press ENTER.

sudo dnf install java-11-openjdk-devel

When the Java OpenJDK installation is finished, run the following 'java' command to check the installed Java version. You should see OpenJDK v11 installed on your Rocky Linux system.

java -version

Installing MongoDB NoSQL Database

You will now install the MongoDB NoSQL database as a dependency of the Graylog Server. MongoDB stores the Graylog Server's configuration and metadata (the log messages themselves are stored in Elasticsearch).

To install MongoDB, you first need to add the MongoDB repository. Then you can install the MongoDB packages.

Run the following command to add the MongoDB repository for the Rocky Linux system.

cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-6.repo
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

Now run the dnf command below to list the repositories enabled on your system. You should see the "mongodb" repository in the list.

sudo dnf repolist


Next, install the MongoDB package using the following dnf command. When asked to confirm the installation, input 'y' and press ENTER to continue.

sudo dnf install mongodb-org


Additionally, you will also be prompted to confirm the MongoDB repository GPG key. Input 'y' to confirm and add the MongoDB GPG key.


Once the MongoDB installation is finished, run the following command to reload the systemd manager so that it picks up the new MongoDB service file.

sudo systemctl daemon-reload

Now enable the MongoDB service, named 'mongod', so that it starts automatically at boot, and then start it, using the following systemctl commands.

sudo systemctl enable mongod
sudo systemctl start mongod

Lastly, run the following systemctl command to check the 'mongod' service. You should see that the MongoDB service 'mongod' is running and enabled at system boot.

sudo systemctl status mongod


Installing Elasticsearch

Elasticsearch provides the search engine and message storage for the Graylog log management stack. At the time of this writing, you will need to install Elasticsearch v7.x.

The current version of Graylog Server only works with Elasticsearch v7.x. If you install a newer Elasticsearch release such as v8.x or v9.x, you will get an error.

Now run the following command to set up the Elasticsearch v7.x repository for the Rocky Linux system.

cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Run the command below to list the repositories on your system. You should see the Elasticsearch v7.x repository added.

sudo dnf repolist


Next, install the Elasticsearch package using the dnf command below. When prompted to confirm the installation, input 'y' to confirm and press ENTER.

sudo dnf install elasticsearch


You will also be prompted to import the GPG key of the Elasticsearch repository. Input 'y' to add the GPG key, and the installation will finish.

Next, you will configure the Elasticsearch server with the basic settings that the Graylog Server requires.

Edit the default Elasticsearch configuration file '/etc/elasticsearch/elasticsearch.yml' using the below command.

sudo nano /etc/elasticsearch/elasticsearch.yml

Add and uncomment the following basic Elasticsearch configuration.

cluster.name: graylog-rocky8
action.auto_create_index: false

Save and close the file when you are finished.

Additionally, you can set the maximum memory allocation for the Elasticsearch JVM by editing the file '/etc/elasticsearch/jvm.options' using the below command.

sudo nano /etc/elasticsearch/jvm.options

Uncomment and change the default configuration as below. Adjust the heap size to the memory available on your server; keep -Xms and -Xmx at the same value so the heap does not resize at runtime.

-Xms1g
-Xmx1g

Save and close the file when you are finished.

Now run the following systemctl command to reload the systemd manager so that it picks up the Elasticsearch service file.

sudo systemctl daemon-reload

Next, start and enable the Elasticsearch service using the commands below. Elasticsearch will now be running and will start automatically at boot.

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch


Lastly, run the following command to check the Elasticsearch service and make sure it is running. You should see output showing that the Elasticsearch service is running and enabled.

sudo systemctl status elasticsearch

Additionally, you can query your Elasticsearch server with the curl command below. You should get basic information about your Elasticsearch server, including the cluster name, cluster UUID, the Elasticsearch version, and the Lucene version (the core of Elasticsearch).

curl localhost:9200


Installing Graylog Server

After installing Java OpenJDK, MongoDB, and Elasticsearch, you will now install the Graylog Server. First, you need to add the Graylog repository to the Rocky Linux server. Then you can configure the Graylog Server, which includes setting the password secret and the admin password hash, and setting the http_bind_address that the Graylog Server listens on.

At the time of this writing, the latest version of Graylog Server is v4.3. Run the following command to add the Graylog repository to your server.

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm

List the repositories on your system using the command below. You should see the Graylog Server repository added.

sudo dnf repolist


Next, run the following dnf command to install the Graylog Server package. When prompted to confirm the installation, input 'y' to confirm and press ENTER.

sudo dnf install graylog-server graylog-integrations-plugins


You will also be prompted to import the GPG key of the Graylog Server repository. Input 'y' and press ENTER to add the GPG key, and the Graylog Server installation will finish.

Now you will set up the basic Graylog Server configuration. Before that, run the dnf command below to install the 'pwgen' package. Input 'y' when prompted to confirm the installation and press ENTER.

The pwgen package provides a command-line tool for generating the random secret used in the Graylog Server configuration.

sudo dnf install pwgen


Next, run the following pwgen command to generate the 'password_secret' for the Graylog Server. Copy the generated secret; you will need it in the configuration file. Graylog uses this secret to encrypt and salt stored credentials, so keep it private.

sudo pwgen -N 1 -s 96

Now run the following command to generate the SHA-256 hash that goes into 'root_password_sha2'. The password you enter here is used to log in to the Graylog Server dashboard as the admin user. Use a strong password and copy the resulting hash.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1


Next, edit the Graylog Server config file '/etc/graylog/server/server.conf' using the below command.

sudo nano /etc/graylog/server/server.conf

Change the values of the options 'password_secret' and 'root_password_sha2' to the secret and hash you generated (the values below are the tutorial's examples; use your own). Additionally, you can change the default admin username for logging in to the Graylog Server with the 'root_username' option.

password_secret = R8zwuO2NDewUcwRFQ0QDm07tn6AppmwThty0aagxOoqMDWNqPJLwrffpz7DdQyQVY1uHq54QwgYMNkZnBLuXQf3B1giq5RKX
root_password_sha2 = a7fdfe53e2a13cb602def10146388c65051c67e60ee55c051668a1c709449111

Now change the 'http_bind_address' option to the internal IP address of your server. The default port of the Graylog Server is TCP '9000'. The example below binds to '0.0.0.0', which listens on all interfaces, so make sure firewalld restricts who can reach port 9000.

http_bind_address = 0.0.0.0:9000

Save and close the file when you are finished.
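The secret generation and server.conf edits above, as an added shell example that is not part of the original tutorial. It assumes GNU sed and coreutils (sha256sum, tr, head) and uses /dev/urandom in place of pwgen; the function names and the idempotent key-replacement logic are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: generate the two Graylog
# secrets and write them into server.conf together with the bind address.
# Assumes a POSIX shell with GNU sed, sha256sum, tr, head and /dev/urandom.
# /dev/urandom replaces pwgen so the script runs without extra packages.

# 96-character alphanumeric secret, the same length the tutorial's
# "pwgen -N 1 -s 96" produces. Keep it private: Graylog uses it to
# encrypt and salt stored credentials.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# SHA-256 hex digest of the admin password, identical to what the
# tutorial's "head -1 | tr -d '\n' | sha256sum | cut -d' ' -f1" yields.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a Graylog server.conf: replace an existing or
# commented-out line if there is one, otherwise append. Running it twice
# leaves a single line, so re-running the script is safe.
set_conf() { # $1 file, $2 key, $3 value
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^#?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >>"$1"
    fi
}

# Read a key's value back, e.g. to verify the result.
get_conf() { # $1 file, $2 key
    sed -nE "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Apply the three settings the tutorial edits by hand.
configure_graylog() { # $1 file, $2 admin password, $3 bind address
    set_conf "$1" password_secret "$(gen_password_secret)"
    set_conf "$1" root_password_sha2 "$(root_password_sha2 "$2")"
    set_conf "$1" http_bind_address "$3"
}

# On a real server (admin password taken from a variable, not typed on the
# command line where it would land in shell history):
#   configure_graylog /etc/graylog/server/server.conf "$ADMIN_PASSWORD" 0.0.0.0:9000
```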


Now run the following systemctl command to reload the systemd manager so that it picks up the Graylog Server service file.

sudo systemctl daemon-reload

Enable and start the 'graylog-server' service using the systemctl commands below. The Graylog Server will then be running and enabled, so it starts automatically at system boot.

sudo systemctl enable graylog-server
sudo systemctl start graylog-server


Check the 'graylog-server' service using the following command. You should see that the Graylog Server is running and enabled, so it will start automatically at boot.

sudo systemctl status graylog-server

Lastly, you need to open port '9000', used by the Graylog web interface, in firewalld.

Run the following firewall-cmd command to add the port '9000' to the firewalld. Then, reload the firewalld rules to apply new changes.

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload

Setting Up SELinux

If you are running the Graylog Server with SELinux in 'enforcing' mode, you need to set up SELinux rules for the Graylog Server.

Before managing SELinux, run the dnf command below to install the command-line tools for managing SELinux. When prompted to confirm the installation, input 'y' and press ENTER.

sudo dnf install policycoreutils policycoreutils-python-utils


Next, run the following commands to add the SELinux rules for the Graylog Server, Elasticsearch, and MongoDB: allow network connections to web ports, label the Graylog and Elasticsearch ports as HTTP ports, and label the MongoDB port.

sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Now you can access your Graylog Server.

Create New Graylog Input

To receive logs from your applications or client machines, you need to set up an input on your Graylog Server. There are multiple types of Graylog inputs; check the Graylog documentation for details. Graylog inputs listen on TCP or UDP and can receive logs in multiple formats such as Syslog, GELF, CEF, or raw. You can also receive logs securely via the TCP/HTTPS protocol.

In this demo, you will create a Graylog input that receives logs from Linux client machines. This input will be of type "Syslog UDP" and will receive log messages from the client machines over UDP.

Open your web browser and visit the server IP address followed by the Graylog Server port '9000' (e.g. http://192.168.5.100:9000/). You will see the login page of your Graylog Server installation.

To log in to the Graylog Server dashboard, input your username and password. Then, click 'Sign In'.


You should now see the Graylog Server administration dashboard.

To create a new Graylog Input, click on the menu "System" and select "Inputs".


Select the type of the input and click "Launch new input". In this example, you will create a new input type "Syslog UDP". All Linux client machines will be sending logs via the Syslog UDP protocol to this input.


Now input the details of your new input as below:

  • Title: we will use the title 'syslog-udp-input'.
  • Bind address: input the internal IP address of your Graylog Server, or use '0.0.0.0' to listen on all interfaces if you are on an internal network.
  • Port: in this example, we will use UDP port '5142' for this input.

Now click "Save" to add the input.


You should now see your Graylog input with the status "running". At the bottom, you should see detailed information about your Graylog input.

Lastly, go back to the terminal of your Graylog Server and run the firewall-cmd command below to open UDP port '5142', which is used by the 'syslog-udp-input'.

sudo firewall-cmd --add-port=5142/udp --permanent
sudo firewall-cmd --reload

Sending Logs via Syslog Ingest to the Graylog Server

You have created the Syslog UDP input on the Graylog Server. Now you will set up a Linux machine to send logs to the Graylog Server with rsyslog. In this example, the client is a Rocky Linux machine with the hostname "linux-host1", and the Graylog Server IP address is '192.168.5.100'.

Connect to your Linux client machine and run the following command to check the 'rsyslog' service. You should see that the 'rsyslog' service is running.

sudo systemctl status rsyslog


Next, create an additional rsyslog config file that will be used to send logs to the Graylog Server. Run the following command to create the new file '/etc/rsyslog.d/graylog.conf'.

sudo nano /etc/rsyslog.d/graylog.conf

Add the following configuration to the file. With this configuration, the rsyslog service on 'linux-host1' forwards all logs (every facility and severity) to the Graylog input listening on the server IP address '192.168.5.100', UDP port '5142', using the RFC 5424 syslog format that 'RSYSLOG_SyslogProtocol23Format' produces. Note the space between the selector and the '@' forwarding action; rsyslog does not parse the rule without it.

*.* @192.168.5.100:5142;RSYSLOG_SyslogProtocol23Format

Save and close the file when you are finished.
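The same forwarding rule in rsyslog's RainerScript syntax, as an added example that is not part of the original tutorial. It assumes the same server address and port as above but uses TCP with a disk-assisted queue, so messages are buffered on the client while the Graylog Server is unreachable instead of being silently dropped as they are with UDP; this variant requires a matching "Syslog TCP" input on the Graylog side (and the '5142/tcp' port opened in firewalld).

```rsyslog
# /etc/rsyslog.d/graylog.conf (added example; RainerScript form of the rule above)
# Forward every facility and severity to the Graylog syslog input.
# RSYSLOG_SyslogProtocol23Format emits RFC 5424, which Graylog parses natively.
# queue.* and action.resumeRetryCount keep messages spooled under
# /var/lib/rsyslog (rsyslog's default work directory) and retry forever
# while the target is down; they only have an effect with protocol="tcp",
# because UDP delivery is unacknowledged.
action(type="omfwd"
       target="192.168.5.100"
       port="5142"
       protocol="tcp"
       template="RSYSLOG_SyslogProtocol23Format"
       queue.type="LinkedList"
       queue.filename="graylog_fwd"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```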

Now restart the 'rsyslog' service with the systemctl command below to apply the new configuration. The rsyslog service will then forward system logs to the Graylog Server; it may take a few minutes for messages to appear.

sudo systemctl restart rsyslog

Next, go back to the Graylog Server administration dashboard and click the "Search" menu. You should now see logs from the 'linux-host1' machine available on the Graylog Server.

Conclusion

Throughout this tutorial, you have learned how to install the Graylog Server on Rocky Linux, including its dependencies Java OpenJDK, Elasticsearch, and MongoDB. You have also configured the Graylog Server on Rocky Linux with SELinux in enforcing mode and firewalld enabled.

Finally, you have learned how to set up a Graylog input of type "Syslog UDP", which can serve as the centralized log management system for Linux machines, and how to send logs from Linux machines to the Graylog Server via the rsyslog service. You can now set up more inputs for your applications or add more Linux machines to the Graylog Server.
