Install Graylog 5


Graylog is a log management platform for collecting, indexing, and analyzing both structured and unstructured data from almost any source.

Install requirements

# EPEL is needed for pwgen, which generates the Graylog password_secret later on this page.
yum install epel-release -y
yum install java-17-openjdk-headless.x86_64 pwgen nano wget curl git -y
java -version
# NOTE(review): the next three lines switch SELinux to permissive for the
# running system and to disabled permanently (after a reboot). That is a
# hardening loss on the host that will hold all of your logs. Prefer keeping
# it enforcing and allowing only what the stack needs; for the nginx reverse
# proxy configured at the end of this page that is
#   setsebool -P httpd_can_network_connect 1
# Both files are edited because the page targets systems where they may be
# separate; on RHEL-family hosts /etc/sysconfig/selinux is usually a symlink
# to /etc/selinux/config, so the second sed is then a no-op.
setenforce 0
sed -i 's/=\(enforcing\|permissive\)/=disabled/g' /etc/sysconfig/selinux
sed -i 's/=\(enforcing\|permissive\)/=disabled/g' /etc/selinux/config

It is important to configure the system time correctly; otherwise the graphs will not populate correctly.

Set Timezone

# chrony keeps the clock synchronised; ntpstat is only a reporting tool.
dnf install -y chrony ntpstat

# Pick your own zone (see `timedatectl list-timezones`). A region zone such
# as Europe/Budapest is preferable to the legacy alias CET.
timedatectl set-timezone CET
timedatectl set-ntp true
systemctl enable chronyd --now

OpenSearch 2.x

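# Import the OpenSearch package-signing key first so yum/dnf can verify the
# packages pulled from the repository below (gpgcheck depends on it).
rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp

# -f makes curl exit non-zero on an HTTP error instead of saving an error
# page as the repo definition.
curl -fSL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo \
-o /etc/yum.repos.d/opensearch-2.x.repo

# NOTE(review): "2.x" resolves to the newest release. Recent 2.x versions
# (2.12 and later) expect OPENSEARCH_INITIAL_ADMIN_PASSWORD at install time
# and no longer ship the admin:admin demo credential this page relies on
# later; confirm against the version yum actually installs.
yum install opensearch -y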

Configure OpenSearch

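# Swap hurts JVM heap behaviour. swapoff only lasts until the next reboot;
# also remove or comment out the swap entry in /etc/fstab to make it stick.
swapoff -a

# Raise the open-file limit. The original page wrote "hardnofile" (missing
# space), which is not a valid <type> <item> pair, so the hard limit was
# never actually raised. Each run appends; check the file before re-running.
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "* soft nofile 65535" >> /etc/security/limits.conf

# vm.max_map_count is required by OpenSearch. The two IPv6 lines switch
# IPv6 off system-wide; everything on this page binds to IPv4 loopback.
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
cat /proc/sys/vm/max_map_count

# With IPv6 disabled, comment out the ::1 entry so "localhost" only
# resolves to 127.0.0.1.
sed -i "s|::1|#::1|" /etc/hosts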


nano /etc/opensearch/opensearch.yml
cluster.name: graylog
...
# Loopback only: nothing outside this host can reach port 9200.
network.host: 127.0.0.1
...
# NOTE(review): this turns TLS off on the REST port, so the credentials
# Graylog sends to OpenSearch (admin:admin later on this page) travel in
# clear text. Tolerable only because network.host is loopback; never
# expose 9200 beyond this host with this setting.
plugins.security.ssl.http.enabled: false
...
node.max_local_storage_nodes: "1"
...
discovery.type: single-node
# NOTE(review): these index patterns belong to Elastic's Watcher feature,
# not to Graylog or OpenSearch -- confirm they are needed at all.
action.auto_create_index: ".watches,.triggered_watches,.watcher-history-*"
# Pins the heap in RAM; this is what the LimitMEMLOCK service override
# further down is for.
bootstrap.memory_lock: true

You may prefer to disable transparent huge pages (THP) to improve performance before starting OpenSearch.

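# Oneshot unit that turns THP off early in boot. The original unit was
# missing the [Unit] header, so Description/DefaultDependencies/After sat
# outside any section and systemd ignored them. The quoted delimiter keeps
# the shell from expanding anything in the unit text.
cat > /etc/systemd/system/disable-transparent-huge-pages.service <<'EOF'
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'

[Install]
WantedBy=basic.target
EOF

systemctl daemon-reload
systemctl enable --now disable-transparent-huge-pages.service
# Verify: the bracketed value should now be [never].
cat /sys/kernel/mm/transparent_hugepage/enabled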

Edit the service unit to lift the memory-lock limit (required by `bootstrap.memory_lock: true` above)

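# Use a systemd drop-in instead of editing /usr/lib/systemd/system/opensearch.service
# directly: the package owns that file and a package upgrade would overwrite
# the change. (Equivalent to `systemctl edit opensearch`, but non-interactive.)
mkdir -p /etc/systemd/system/opensearch.service.d
cat > /etc/systemd/system/opensearch.service.d/memlock.conf <<'EOF'
[Service]
LimitMEMLOCK=infinity
EOF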

Give the OpenSearch JVM heap about half of the host memory (the example below assumes an 8 GB host)

nano /etc/opensearch/jvm.options

# Set the initial and maximum heap to the same value (no resizing at
# runtime), roughly half the host RAM; the rest is left to the OS page cache.
-Xms4g
-Xmx4g

Start and test OpenSearch

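# daemon-reload picks up the LimitMEMLOCK drop-in before the restart.
systemctl daemon-reload
systemctl restart opensearch
systemctl enable opensearch
systemctl status opensearch

# Health check on the REST port. -u admin makes curl prompt for the
# password instead of carrying it in the URL, where it would be recorded
# in shell history and visible in `ps`. The shipped demo password is
# "admin"; change it before continuing -- Graylog will use the same account.
curl -fsS -u admin 'http://localhost:9200/_cluster/health?pretty=true'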

MongoDB

# MongoDB 5.0 repository. The quoted heredoc delimiter keeps $releasever
# literal so that yum, not the shell, expands it; packages are GPG-checked
# against the key named in gpgkey.
tee /etc/yum.repos.d/mongodb-org.repo <<'EOF'
[mongodb-org-5.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc
EOF

yum -y install mongodb-org

# The stock mongod.conf is used unchanged. NOTE(review): presumably it binds
# to 127.0.0.1 with no authentication enabled -- verify before this host is
# reachable from anywhere else.
for action in restart enable status; do
  systemctl "$action" mongod
done

Graylog 5

# Installs the Graylog repository definition (and, presumably, its GPG key)
# from an RPM fetched over HTTPS. NOTE(review): at this point no Graylog key
# is imported, so this first package is trusted on TLS alone; if your
# supply-chain policy requires it, download the RPM, import Graylog's
# published key and check it with `rpm -K` before installing.
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.rpm
yum -y install graylog-server

It is important to configure the system time correctly; otherwise the graphs will not populate correctly.

Configure Graylog server

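# password_secret is the server-wide salt/secret. pwgen -s emits only
# [A-Za-z0-9], so it is safe to splice into the sed expression.
SECRET=$(pwgen -s 96 1)
sed -i -e "s/password_secret =.*/password_secret = $SECRET/" /etc/graylog/server/server.conf

# Admin (root) password. Prompt for it instead of hard-coding a weak value
# in the page; root_password_sha2 stores the SHA-256 of the plaintext.
read -rsp 'Graylog admin password: ' ADMIN_PW; echo
PASSWORD=$(printf '%s' "$ADMIN_PW" | sha256sum | awk '{print $1}')
unset ADMIN_PW
sed -i -e "s/root_password_sha2 =.*/root_password_sha2 = $PASSWORD/" /etc/graylog/server/server.conf

# Set to your timezone
sed -i -e 's/#root_timezone = UTC/root_timezone = CET/' /etc/graylog/server/server.conf

# Set to your email
sed -i -e 's/#root_email = ""/root_email = "admin@devopstales.intra"/' /etc/graylog/server/server.conf
# Single-node OpenSearch: one primary shard per index.
sed -i -e 's/elasticsearch_shards = 4/elasticsearch_shards = 1/' /etc/graylog/server/server.conf
# Bind the web UI/API to loopback only; the nginx proxy at the end of the
# page is what exposes it.
sed -i -e 's/#http_bind_address = 127.0.0.1:9000/http_bind_address = 127.0.0.1:9400/' /etc/graylog/server/server.conf
# NOTE(review): admin:admin is the OpenSearch default/demo credential, sent
# over plaintext HTTP because TLS was disabled in opensearch.yml. Change the
# admin password in OpenSearch and mirror it here. server.conf then holds
# that password in clear text -- keep it readable only by root and the
# graylog service account.
sed -i -e "s|#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200|elasticsearch_hosts = http://admin:admin@127.0.0.1:9200|" /etc/graylog/server/server.conf

# Each sed above is silently a no-op if the shipped default line differs
# from the pattern; confirm that every key is now set.
grep -E '^(password_secret|root_password_sha2|root_timezone|root_email|elasticsearch_shards|http_bind_address|elasticsearch_hosts) ' /etc/graylog/server/server.conf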

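# GeoIP databases for Graylog's GeoIP lookup. Preferred source: MaxMind
# (https://dev.maxmind.com/geoip/geoip2/geolite2/) with your own licence key.
# NOTE(review): the fallback below pulls .mmdb files from an unrelated
# project's GitHub release, with no published checksum or signature to
# verify, and they are likely stale. If you keep them, record the sha256
# printed at the end and compare it on any later re-download.
cd /etc/graylog/server || exit 1
wget https://github.com/socfortress/Wazuh-Rules/releases/download/1.0/GeoLite2-City.mmdb
wget https://github.com/socfortress/Wazuh-Rules/releases/download/1.0/GeoLite2-ASN.mmdb
sha256sum GeoLite2-City.mmdb GeoLite2-ASN.mmdb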

systemctl daemon-reload
systemctl restart graylog-server
systemctl enable graylog-server

# Follow the log until the "up and running" line below appears; Ctrl-C to stop.
tail -f /var/log/graylog-server/server.log

If everything goes well, you should see the following message in the log file:
2022-12-19T13:37:04.059Z INFO  [ServerBootstrap] Graylog server up and running.

Install Grafana

# Grafana OSS repository. Both the repo metadata (repo_gpgcheck=1) and the
# packages (gpgcheck=1) are signature-checked, and TLS to the repo is
# verified against the system CA bundle.
echo '[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
' > /etc/yum.repos.d/grafana.repo


yum install -y grafana
# Third-party panel plugins from the Grafana catalog; review the list before
# installing them on the host that stores your logs.
grafana-cli plugins install grafana-piechart-panel
grafana-cli plugins install netsage-sankey-panel
grafana-cli plugins install grafana-worldmap-panel
grafana-cli plugins install savantly-heatmap-panel

# Listen on loopback only; nginx proxies port 3000 later on this page.
sed -i -e 's/;http_addr =/http_addr = 127.0.0.1/' /etc/grafana/grafana.ini

# NOTE(review): Grafana starts with a default admin account -- change its
# password at first login (or with `grafana-cli admin reset-admin-password`).
systemctl start grafana-server
systemctl status grafana-server
systemctl enable grafana-server

OpenSearch Dashboards

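# Dashboards repo; the packages are verified with the OpenSearch key
# imported earlier (rpm --import). -f stops curl from saving an HTTP error
# page as the repo file.
curl -fSL https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/opensearch-dashboards-2.x.repo \
-o /etc/yum.repos.d/opensearch-dashboards-2.x.repo


yum install opensearch-dashboards -y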

nano /etc/opensearch-dashboards/opensearch_dashboards.yml
# Plain http because plugins.security.ssl.http.enabled was set to false on
# the node; only acceptable while both stay on the same host.
opensearch.hosts: [http://localhost:9200]

# Dashboards listens on 5601; the nginx "kibana" vhost below proxies it.
systemctl restart opensearch-dashboards
systemctl enable opensearch-dashboards
systemctl status opensearch-dashboards

Nginx Proxy

# nginx fronts Graylog (9400), Grafana (3000) and Dashboards (5601), which
# are all bound to loopback. If SELinux is kept enforcing (see the note at
# the top of the page), nginx needs `setsebool -P httpd_can_network_connect 1`
# to be allowed to connect to those backends.
yum install nginx -y

# Reverse proxy vhost for the Graylog web UI (bound to 127.0.0.1:9400 above).
# NOTE(review): this listens on plain HTTP, so Graylog logins cross the
# network unencrypted; terminate TLS here (listen 443 ssl) and change
# X-Graylog-Server-URL to https:// once a certificate is in place.
# The quoted delimiter keeps $http_host etc. literal for nginx.
cat > /etc/nginx/conf.d/graylog.conf <<'EOF'
server {
    listen 80;
    server_name graylog.mydomain.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL http://$server_name/;
      proxy_pass       http://127.0.0.1:9400;
    }
}
EOF

# Reverse proxy vhost for Grafana (http_addr = 127.0.0.1, port 3000).
# NOTE(review): plain HTTP on port 80 -- Grafana credentials are sent in
# clear text; terminate TLS here before exposing it beyond a lab network.
echo 'server {
    listen 80;
    server_name grafana.mydomain.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:3000;
    }
}' > /etc/nginx/conf.d/grafana.conf

# Reverse proxy vhost for OpenSearch Dashboards on 5601 (the file and
# server_name still say "kibana"; rename to taste). Same plain-HTTP caveat
# as the other two vhosts: add TLS before exposing it.
echo 'server {
    listen 80;
    server_name kibana.mydomain.intra;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass       http://127.0.0.1:5601;
    }
}' > /etc/nginx/conf.d/kibana.conf

# Syntax-check the three vhosts before (re)starting nginx.
nginx -t
systemctl restart nginx
systemctl enable nginx