Install Graylog4

Graylog is a log management platform for collecting, indexing, and analyzing both structured and unstructured data from almost any source.

Install requirements

# Base tooling for the rest of the walkthrough: EPEL (pwgen is normally
# shipped there), a headless JRE for the Java services, and the download/edit
# utilities used in later steps.
yum -y install epel-release
yum -y install \
  java-1.8.0-openjdk-headless.x86_64 \
  pwgen nano wget curl git
# Prints the JRE version so a missing or wrong Java shows up before anything
# that depends on it is installed.
java -version

Set Timezone

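# Clock and timezone setup; log correlation across hosts depends on them
# agreeing on the time.
timedatectl set-timezone CET

yum -y install ntp
# Start ntpd under systemd and enable it at boot. The original invoked the
# ntpd binary directly, which leaves it unmanaged and gone after a reboot.
# NOTE(review): hosts that already run chronyd will have it competing with
# ntpd for UDP/123 — confirm which time daemon this host should keep.
systemctl enable --now ntpd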

Elasticsearch

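# Elastic signing key and repo; gpgcheck=1 makes yum verify every package
# against the imported key.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Quoted delimiter: nothing in the body is shell-expanded. tee also echoes the
# file to stdout, as the original echo | tee did.
tee /etc/yum.repos.d/elasticsearch.repo <<'EOT'
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

EOT

sudo yum -y install elasticsearch

# Append the Graylog-specific settings: the cluster name Graylog expects and a
# restriction of automatic index creation to the Watcher indices.
sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<'EOT'
cluster.name: graylog
action.auto_create_index: .watches,.triggered_watches,.watcher-history-*
EOT

systemctl restart elasticsearch
systemctl enable elasticsearch

# systemctl returns before Elasticsearch is listening on :9200, so a single
# health request right after the restart raced the JVM start-up and could fail
# with "connection refused". Poll for up to ~60s; the check stays best-effort
# (a warning, not an abort) as in the original.
es_health=''
for ((i = 0; i < 30; i++)); do
  if es_health=$(curl -sSf -XGET 'http://localhost:9200/_cluster/health?pretty=true'); then
    break
  fi
  sleep 2
done
if [[ -n "$es_health" ]]; then
  printf '%s\n' "$es_health"
else
  printf 'warning: elasticsearch did not answer on 127.0.0.1:9200 within 60s\n' >&2
fi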

Mongodb

# MongoDB 4.2 repo. The delimiter is quoted on purpose: `$releasever` must
# reach the file literally so that yum substitutes the OS release itself.
# tee echoes the written file to stdout, matching the original echo | tee.
tee /etc/yum.repos.d/mongodb-org.repo <<'EOT'
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
EOT

yum -y install mongodb-org

systemctl restart mongod
systemctl enable mongod

Graylog4

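# Graylog 4.0 repository and server packages.
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm
yum -y install graylog-server graylog-integrations-plugins

conf=/etc/graylog/server/server.conf

# password_secret: random and alphanumeric (pwgen -s), so it is safe inside the
# sed replacement. Patterns are anchored to the start of the line so only the
# real setting is rewritten, never a comment that mentions it.
SECRET=$(pwgen -s 96 1)
sudo sed -i -e "s|^password_secret =.*|password_secret = ${SECRET}|" "$conf"

# The admin password comes from the environment instead of being hard-coded:
# the original baked a well-known weak value into the script. printf replaces
# echo -n (non-portable) and nothing is printed to the terminal.
: "${GRAYLOG_ROOT_PASSWORD:?set GRAYLOG_ROOT_PASSWORD to the desired Graylog admin password}"
PASSWORD=$(printf '%s' "$GRAYLOG_ROOT_PASSWORD" | sha256sum | awk '{print $1}')
sudo sed -i -e "s|^root_password_sha2 =.*|root_password_sha2 = ${PASSWORD}|" "$conf"

# Set to your timezone
sudo sed -i -e 's/^#root_timezone = UTC/root_timezone = CET/' "$conf"

# Set to your email (override with GRAYLOG_ROOT_EMAIL; the default is the
# value the original used)
GRAYLOG_ROOT_EMAIL=${GRAYLOG_ROOT_EMAIL:-admin@devopstales.intra}
sudo sed -i -e "s|^#root_email = \"\"|root_email = \"${GRAYLOG_ROOT_EMAIL}\"|" "$conf"
# Single node: one shard per index.
sudo sed -i -e 's/^elasticsearch_shards = 4/elasticsearch_shards = 1/' "$conf"
# Bind the web/API on loopback only, on 9400; nginx fronts it on :80 later.
sudo sed -i -e 's/^#http_bind_address = 127\.0\.0\.1:9000/http_bind_address = 127.0.0.1:9400/' "$conf"

# GeoIP database: go to https://dev.maxmind.com/geoip/geoip2/geolite2/ and
# download a current GeoLite2-City, or use this old mirrored copy.
# NOTE(review): the mirror is a third-party GitHub repository and nothing here
# verifies the archive — check it against a checksum obtained from MaxMind
# (none is given on this page) before relying on it.
wget -t0 -c https://github.com/DocSpring/geolite2-city-mirror/raw/master/GeoLite2-City.tar.gz
tar -xvf GeoLite2-City.tar.gz
# The archive apparently unpacks into a GeoLite2-City_<something>/ directory;
# the glob is expected to match exactly one of them.
cp -- GeoLite2-City_*/GeoLite2-City.mmdb /etc/graylog/server

systemctl daemon-reload
systemctl restart graylog-server
systemctl enable graylog-server

# Follow the server log (blocks until Ctrl-C). Newer util-linux no longer
# ships tailf; tail -f is the equivalent that exists everywhere.
tail -f /var/log/graylog-server/server.log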

If everything goes well, you should see the following message in the log file:
2019-06-20T13:37:04.059Z INFO  [ServerBootstrap] Graylog server up and running.

Install Grafana

# Grafana OSS repo: package and repodata signatures are checked, and the
# download is validated against the system CA bundle.
cat > /etc/yum.repos.d/grafana.repo <<'EOT'
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt

EOT

sudo yum -y install grafana
grafana-cli plugins install grafana-piechart-panel

# Listen on loopback only; nginx exposes Grafana on :80.
sudo -E sed -i -e 's/;http_addr =/http_addr = 127.0.0.1/' /etc/grafana/grafana.ini

systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

Kibana

# Kibana comes from the Elastic repo registered earlier.
yum -y install kibana

# Listen on loopback only; nginx exposes Kibana on :80.
sudo -E sed -i -e 's/#server.host: "localhost"/server.host: "127.0.0.1"/' /etc/kibana/kibana.yml

systemctl start kibana
systemctl enable kibana

Nginx Proxy

yum -y install nginx

# One name-based vhost per service, each proxying to the loopback port the
# service was bound to above. The heredoc delimiters are quoted so nginx
# variables such as $http_host are written literally.
#
# All three vhosts are plain HTTP on :80: admin logins to Graylog, Grafana
# and Kibana cross the network unencrypted, so add TLS here (or in front of
# nginx) before exposing this beyond a trusted network. Routing is by Host
# header only; requests carrying an unknown Host land on whatever server
# block nginx treats as the default for :80 — check with `nginx -T`.

cat > /etc/nginx/conf.d/graylog.conf <<'EOT'
server {
    listen 80;
    server_name graylog.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL http://$server_name/;
      proxy_pass       http://127.0.0.1:9400;
    }
}
EOT

cat > /etc/nginx/conf.d/grafana.conf <<'EOT'
server {
    listen 80;
    server_name grafana.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:3000;
    }
}
EOT

cat > /etc/nginx/conf.d/kibana.conf <<'EOT'
server {
    listen 80;
    server_name kibana.devopstales.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:5601;
    }
}
EOT

# Validate the config before restarting so a typo does not take nginx down.
nginx -t
systemctl restart nginx
systemctl enable nginx