In this guide, I’ll take you through the steps to install Graylog 4 on CentOS 7|RHEL 7 Linux system. Graylog is an open source log management platform which enables you to aggregate up to terabytes of log data, from multiple log sources, DCs, and geographies with the capability to scale horizontally in your data center, cloud, or both.
The Graylog search function is really fast and powerful, so you can group your servers into streams for easy log searching. Graylog UI is simple and intuitive with a complete user management and support for LDAP. It also has support for alerting and reporting.
Graylog 4.x fully supports Elasticsearch 7.x and MongoDB 4.x. If you are an Ubuntu or CentOS 8 user, check:
- Install GrayLog on Ubuntu 20.04 / Ubuntu 18.04
- Install GrayLog on CentOS 8
Graylog depends on Java, Elasticsearch, and MongoDB to function. Elasticsearch is responsible for log storage, and MongoDB stores Graylog's own configuration data.
Step 1: Configure SELinux
If you're using SELinux on your system, apply the following settings so Graylog, Elasticsearch and MongoDB are allowed to use their ports:
sudo yum -y install curl vim policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017
Step 2: Add required repositories
Enable EPEL repository.
CentOS 7:
sudo yum -y install epel-release
RHEL 7:
sudo subscription-manager repos --enable rhel-*-optional-rpms \
--enable rhel-*-extras-rpms \
--enable rhel-ha-for-rhel-*-server-rpms
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Add MongoDB Repository:
sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo <<EOF
[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF
Add Elasticsearch Repository:
sudo tee /etc/yum.repos.d/elasticsearch.repo <<EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Update YUM package index cache:
sudo yum clean all
sudo yum -y makecache
Confirm all repositories added are functional:
$ yum repolist
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10072
droplet-agent/x86_64 DigitalOcean Droplet Agent 8
elasticsearch-7.x Elasticsearch repository for 7.x packages 1058
extras/7/x86_64 CentOS-7 - Extras 509
mongodb-org-4.4 MongoDB Repository 172
updates/7/x86_64 CentOS-7 - Updates 3573
repolist: 15392
Step 3: Install Java, Elasticsearch, and MongoDB
Run these commands to install all required packages.
sudo yum -y install vim pwgen java-11-openjdk java-11-openjdk-devel
sudo yum -y install pwgen elasticsearch-oss mongodb-org
Check if Java and other packages are now installed:
$ java -version
openjdk version "11.0.20" 2023-07-18 LTS
OpenJDK Runtime Environment (Red_Hat-11.0.20.0.8-1.el7_9) (build 11.0.20+8-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-11.0.20.0.8-1.el7_9) (build 11.0.20+8-LTS, mixed mode, sharing)
Start the mongod service and set it to start on boot.
sudo systemctl enable --now mongod
sudo systemctl status mongod
MongoDB paths:
| Item | File system path |
|---|---|
| Configuration | /etc/mongod.conf |
| Data files | /var/lib/mongodb/ |
| Log files | /var/log/mongodb/ |
Step 4: Configure Elasticsearch for Graylog
You need to modify the Elasticsearch configuration file and set the cluster name to graylog: uncomment the cluster.name line (remove the # that is its first character) and set its value, then add action.auto_create_index: false to the configuration file.
The file to edit is /etc/elasticsearch/elasticsearch.yml.
$ sudo vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
Start and enable elasticsearch service:
sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch
Confirm service status:
$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-08-21 14:26:45 UTC; 3s ago
Docs: https://www.elastic.co
Main PID: 8722 (java)
CGroup: /system.slice/elasticsearch.service
└─8722 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tr...
Aug 21 14:26:26 centos-01 systemd[1]: Starting Elasticsearch...
Aug 21 14:26:26 centos-01 systemd[1]: Started Elasticsearch.
The default Elasticsearch file locations are:
| Item | File system path |
|---|---|
| Configuration | /etc/elasticsearch |
| JVM settings | /etc/sysconfig/elasticsearch |
| Data files | /var/lib/elasticsearch/data |
| Log files | /var/log/elasticsearch/ |
Step 5: Install Graylog Server on CentOS 7|RHEL 7
Now install the Graylog repository and Graylog itself with the following commands:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm
sudo yum -y install graylog-server
You also need to set the password_secret and root_password_sha2 variables in /etc/graylog/server/server.conf.
### Generate root_password_sha2
$ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: password <INPUT-PASSWORD>
The SHA-256 hash of the password is printed to the screen; we'll put it in the configuration file.
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Generate password_secret using the pwgen tool installed earlier.
$ pwgen -N 1 -s 96
pYJuHjPD0166gUEzhL3XUpTkacYAu26FFxVIRjvczINydWF7WwBbUEUaD5KukCUBIKpklbYn85ebWTOQg4UMMS0twWqB7Rep
These settings are mandatory and without them, Graylog will not start!
$ sudo vi /etc/graylog/server/server.conf
password_secret = Replace-me-with-generated-password-secret
root_password_sha2 = Replace-me-with-generated-hashed-root-secret
Example:
password_secret = pYJuHjPD0166gUEzhL3XUpTkacYAu26FFxVIRjvczINydWF7WwBbUEUaD5KukCUBIKpklbYn85ebWTOQg4UMMS0twWqB7Rep
root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
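As an added example (not part of the original guide or of Graylog itself), the following bash helpers do the same two steps without pwgen, write the values into a server.conf-style file, and verify the result before graylog-server is started. It assumes GNU coreutils and sed as shipped on CentOS 7|RHEL 7; the path to the config file is passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: generate the two mandatory
# Graylog settings, write them into server.conf, then verify the result.
# Assumes GNU coreutils/sed (CentOS 7 / RHEL 7).
set -eu

# SHA-256 hex digest of the root password read from stdin. The trailing
# newline is dropped, exactly as the guide's "head -1 | tr -d '\n'" pipeline
# does, so the digest matches what Graylog computes at login.
hash_root_password() {
  local pw
  IFS= read -r pw || [ -n "$pw" ]
  printf '%s' "$pw" | sha256sum | cut -d' ' -f1
}

# Random alphanumeric password_secret; 96 characters by default, matching
# "pwgen -N 1 -s 96" in the guide. Works without pwgen installed.
gen_password_secret() {
  local len="${1:-96}"
  head -c "$((len * 2))" /dev/urandom | base64 -w0 | tr -dc 'A-Za-z0-9' | head -c "$len"
}

# Replace (or append) a "key = value" line in a server.conf-style file.
set_conf_value() {
  local conf="$1" key="$2" value="$3"
  if grep -Eq "^#? *${key} *=" "$conf"; then
    sed -i -E "s|^#? *${key} *=.*|${key} = ${value}|" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >>"$conf"
  fi
}

# Sanity checks before starting graylog-server: password_secret at least 64
# characters (the comment in the shipped server.conf asks for this) and
# root_password_sha2 a real 64-hex-char digest rather than placeholder text.
check_server_conf() {
  local conf="$1" secret sha
  secret=$(sed -nE 's/^password_secret *= *//p' "$conf")
  sha=$(sed -nE 's/^root_password_sha2 *= *//p' "$conf")
  [ "${#secret}" -ge 64 ] || { echo "password_secret must be >= 64 chars" >&2; return 1; }
  printf '%s' "$sha" | grep -Eq '^[0-9a-f]{64}$' \
    || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
}

# Usage (as root): generate values, write them, verify.
# conf=/etc/graylog/server/server.conf
# set_conf_value "$conf" password_secret "$(gen_password_secret)"
# set_conf_value "$conf" root_password_sha2 "$(hash_root_password)"  # type the password, then Enter
# check_server_conf "$conf"
```

Reading the password from stdin rather than passing it as an argument keeps it out of the process list and shell history.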
Also set the address and port the Graylog HTTP interface listens on. The value 0.0.0.0 binds to every interface on the system, so if the host has a public address, restrict access to port 9000 with the firewall or put it behind a reverse proxy.
$ sudo vi /etc/graylog/server/server.conf
#line 105
http_bind_address = 0.0.0.0:9000
Restart the graylog-server service for it to bind to all addresses on the system.
sudo systemctl restart graylog-server
Graylog directory structure:
| Item | File system path |
|---|---|
| Configuration | /etc/graylog/server/server.conf |
| Logging configuration | /etc/graylog/server/log4j2.xml |
| Plugins | /usr/share/graylog-server/plugin |
| JVM settings | /etc/sysconfig/graylog-server |
| Message journal files | /var/lib/graylog-server/journal |
| Log files | /var/log/graylog-server/ |
Step 6: Start Graylog service on CentOS 7|RHEL 7
Now start the graylog-server service and enable it to start on system boot.
sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service
Confirm service status:
$ systemctl status graylog-server.service
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-03-19 08:25:09 UTC; 13s ago
Docs: http://docs.graylog.org/
Main PID: 19249 (graylog-server)
CGroup: /system.slice/graylog-server.service
├─19249 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─19250 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+C...
Sep 16 09:08:11 cent701.novalocal systemd[1]: Stopped Graylog server.
Sep 16 09:08:11 cent701.novalocal systemd[1]: Started Graylog server.
Configure Graylog Firewalld
For a single node installation, you only need to open port 9000 for UI and API access. On CentOS 7|RHEL 7, do this with firewalld.
sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
You can now access the Graylog web interface at http://public_ip:9000 and log in with the admin user and the root password you hashed earlier.
This concludes the guide on installing Graylog 4.x with Elasticsearch 7.x on CentOS 7|RHEL 7. Read the next article on configuring a Graylog Nginx reverse proxy with Let's Encrypt SSL.
Then move on to learn how to ingest messages into Graylog and work with them using extractors or pipelines.