Install Graylog4

Page content

Graylog is defined in terms of log management platform for collecting, indexing, and analyzing both structured and unstructured data from almost any source.

Install requirement

yum install epel-release -y
yum install java-1.8.0-openjdk-headless.x86_64 pwgen nano wget curl git -y
java -version

Set Timezone

timedatectl set-timezone CET

yum install -y ntp
ntpd

Elasticsearch

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

echo '[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
' | tee /etc/yum.repos.d/elasticsearch.repo

sudo yum -y install elasticsearch

sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: .watches,.triggered_watches,.watcher-history-*
EOT

systemctl restart elasticsearch
systemctl enable elasticsearch

curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Mongodb

echo '[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc' | tee /etc/yum.repos.d/mongodb-org.repo

yum -y install mongodb-org

systemctl restart mongod
systemctl enable  mongod

Graylog4

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm
yum -y install graylog-server graylog-integrations-plugins

SECRET=$(pwgen -s 96 1)
sudo -E sed -i -e 's/password_secret =.*/password_secret = '$SECRET'/' /etc/graylog/server/server.conf
PASSWORD=$(echo -n Password1 | sha256sum | awk '{print $1}')
sudo -E sed -i -e 's/root_password_sha2 =.*/root_password_sha2 = '$PASSWORD'/' /etc/graylog/server/server.conf

# Set to your timezone
sudo -E sed -i -e 's/#root_timezone = UTC/root_timezone = CET/' /etc/graylog/server/server.conf

# Set to your email
sudo -E sed -i -e 's/#root_email = ""/root_email = "admin@devopstales.intra"/' /etc/graylog/server/server.conf
sudo -E sed -i -e 's/elasticsearch_shards = 4/elasticsearch_shards = 1/' /etc/graylog/server/server.conf
sudo -E sed -i -e 's/#http_bind_address = 127.0.0.1:9000/http_bind_address = 127.0.0.1:9400/' /etc/graylog/server/server.conf

# got ta https://dev.maxmind.com/geoip/geoip2/geolite2/ and download
# or use an old one
wget -t0 -c https://github.com/DocSpring/geolite2-city-mirror/raw/master/GeoLite2-City.tar.gz
tar -xvf GeoLite2-City.tar.gz
cp GeoLite2-City_*/GeoLite2-City.mmdb /etc/graylog/server

systemctl daemon-reload
systemctl restart graylog-server
systemctl enable graylog-server

tailf /var/log/graylog-server/server.log

If everything goes well, you should see below message in the logfile:
2019-06-20T13:37:04.059Z INFO  [ServerBootstrap] Graylog server up and running.

Install Grafana

echo '[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
' > /etc/yum.repos.d/grafana.repo


sudo yum install -y grafana
grafana-cli plugins install grafana-piechart-panel

sudo -E sed -i -e 's/;http_addr =/http_addr = 127.0.0.1/' /etc/grafana/grafana.ini

systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

Kibana

yum install kibana -y

sudo -E sed -i -e 's/#server.host: "localhost"/server.host: "127.0.0.1"/' /etc/kibana/kibana.yml


systemctl start kibana
systemctl enable kibana

Nginx Proxy

yum install nginx -y

echo 'server {
    listen 80;
    server_name graylog.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL http://$server_name/;
      proxy_pass       http://127.0.0.1:9400;
    }
}' > /etc/nginx/conf.d/graylog.conf

echo 'server {
    listen 80;
    server_name grafana.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:3000;
    }
}' > /etc/nginx/conf.d/grafana.conf

echo 'server {
    listen 80;
    server_name kibana.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:5601;
    }
}' > /etc/nginx/conf.d/kibana.conf

nginx -t
systemctl restart nginx
systemctl enable nginx