Graylog is an open-source log management system. Graylog centrally captures, collects, enhances, stores, and analyzes log data. It is an affordable alternative to Splunk.
Below are the steps to install Graylog on CentOS 7.
Edit the network interface configuration file, change ONBOOT from "no" to "yes", and restart the network service.
![](https://tungle.ca/wp-content/uploads/2022/01/image-45.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-46.png)
Step #1: Update your system and install needed packages.
hostnamectl set-hostname graylog
yum update -y
yum install epel-release
yum install pwgen vim
![](https://tungle.ca/wp-content/uploads/2022/01/image-47.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-48.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-49.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-70.png)
Step #2: Install Java
yum install java-1.8.0-openjdk-headless.x86_64
Check the Java version.
java -version
![](https://tungle.ca/wp-content/uploads/2022/01/image-72.png)
Step #3: Installing MongoDB
Create the MongoDB repository file, then add the content below to it.
vim /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
![](https://tungle.ca/wp-content/uploads/2022/01/image-50.png)
Install MongoDB
yum install mongodb-org
![](https://tungle.ca/wp-content/uploads/2022/01/image-73.png)
Enable and start the MongoDB service, then confirm it is active.
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl start mongod.service
sudo systemctl --type=service --state=active | grep mongod
![](https://tungle.ca/wp-content/uploads/2022/01/image-51.png)
Check MongoDB service port.
netstat -antp | grep 27017
![](https://tungle.ca/wp-content/uploads/2022/01/image-37.png)
Step #4: Installing Elasticsearch
Graylog can be used with Elasticsearch 6.x or 7.x. In this lab, I have used version 6.x of Elasticsearch.
Install the Elastic GPG key.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
![](https://tungle.ca/wp-content/uploads/2022/01/image-52.png)
Create a repository, then add the following contents to the file.
vim /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
![](https://tungle.ca/wp-content/uploads/2022/01/image-53.png)
Install the open-source version of Elasticsearch.
yum install elasticsearch-oss
Modify the Elasticsearch configuration file: set cluster.name to graylog and add "action.auto_create_index: false" to the file.
vim /etc/elasticsearch/elasticsearch.yml
![](https://tungle.ca/wp-content/uploads/2022/01/image-54.png)
Save and exit the file.
Enable, start and check the status of Elasticsearch on the system.
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch
Check Elasticsearch cluster health.
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
![](https://tungle.ca/wp-content/uploads/2022/01/image-55.png)
Step #5: Installing Graylog
Now install the Graylog repository configuration with the following commands:
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm
Install the graylog-server package.
yum install graylog-server
![](https://tungle.ca/wp-content/uploads/2022/01/image-56.png)
Configure Graylog:
Add password_secret and root_password_sha2 to the server.conf file.
Generate password_secret.
pwgen -N 1 -s 96
![](https://tungle.ca/wp-content/uploads/2022/01/image-57.png)
Generate root_password_sha2.
echo -n foss@dan123 | sha256sum | cut -d" " -f1
![](https://tungle.ca/wp-content/uploads/2022/01/image-58.png)
Edit the /etc/graylog/server/server.conf file.
vim /etc/graylog/server/server.conf
![](https://tungle.ca/wp-content/uploads/2022/01/image-59.png)
Uncomment the following line:
http_bind_address = 127.0.0.1:9000
and add the line below so the web interface also listens on the server's LAN address (10.0.0.33 in this lab):
http_bind_address = 10.0.0.33:9000
![](https://tungle.ca/wp-content/uploads/2022/01/image-60.png)
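The password_secret and root_password_sha2 steps above, as an added shell example that is not part of the original post: it generates the secret, hashes a password read from a hidden prompt instead of the command line (so the password does not end up in the shell history the way `echo -n ... | sha256sum` leaves it), and writes both keys into server.conf. The GRAYLOG_CONF variable and the function names are this example's own assumptions; pwgen may be absent, in which case /dev/urandom is used.

```shell
#!/bin/sh
# Added example, not from the original post: fill in the two secrets in
# server.conf without the root password landing in shell history the way
# "echo -n ... | sha256sum" does. Assumptions: GRAYLOG_CONF is the file to
# edit (default: the path used in the post); pwgen may be missing.

GRAYLOG_CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# 96-character random secret, the same thing "pwgen -N 1 -s 96" produces.
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
        echo
    fi
}

# Hex SHA-256 of stdin (feed it without a trailing newline), for root_password_sha2.
hash_root_password() {
    sha256sum | cut -d' ' -f1
}

# Set "KEY = VALUE" in FILE, replacing any existing or commented-out definition.
# Writing back with cat keeps the file's existing owner and mode.
set_conf_key() {
    file="$1"; key="$2"; value="$3"
    tmp="$(mktemp)"
    grep -v "^[# ]*${key}[[:space:]]*=" "$file" >"$tmp" || true
    printf '%s = %s\n' "$key" "$value" >>"$tmp"
    cat "$tmp" >"$file" && rm -f "$tmp"
}

# 0 only if both secrets are present and plausible: password_secret must be at
# least 16 characters (the minimum the server accepts); a SHA-256 hex digest is 64.
conf_secrets_ok() {
    secret="$(sed -n 's/^password_secret *= *//p' "$1")"
    hash="$(sed -n 's/^root_password_sha2 *= *//p' "$1")"
    [ "${#secret}" -ge 16 ] && [ "${#hash}" -eq 64 ]
}

# Interactive driver: prompt with echo off so the password is never an argument.
configure_graylog_secrets() {
    printf 'Graylog admin password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    set_conf_key "$GRAYLOG_CONF" password_secret "$(gen_password_secret)"
    set_conf_key "$GRAYLOG_CONF" root_password_sha2 "$(printf '%s' "$pw" | hash_root_password)"
    conf_secrets_ok "$GRAYLOG_CONF"
}
```

Run `configure_graylog_secrets` as root after sourcing the script; password_secret must be identical on every node if you later add Graylog nodes to the cluster.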
Enable and start the Graylog service.
systemctl enable graylog-server.service
systemctl start graylog-server.service
Monitor server logs.
tail -f /var/log/graylog-server/server.log
![](https://tungle.ca/wp-content/uploads/2022/01/image-61.png)
Copy the GeoIP database to the Graylog server.
![](https://tungle.ca/wp-content/uploads/2022/01/image-62.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-63.png)
Check the log again.
![](https://tungle.ca/wp-content/uploads/2022/01/image-64.png)
Check the Graylog server listening port.
netstat -antp | grep 9000
![](https://tungle.ca/wp-content/uploads/2022/01/image-65.png)
Check that the port is reachable from a remote host.
![](https://tungle.ca/wp-content/uploads/2022/01/image-66.png)
Allow the Graylog service through the firewall.
![](https://tungle.ca/wp-content/uploads/2022/01/image-67.png)
Access the Graylog web interface from another machine.
![](https://tungle.ca/wp-content/uploads/2022/01/image-68.png)
![](https://tungle.ca/wp-content/uploads/2022/01/image-69.png)