Installing and Configuring Graylog - jwells24/Tech-Journal GitHub Wiki

Installing and Configuring Graylog

Installing the Dependencies

  • First, ensure Java is installed, since all of the packages require it: sudo yum install java-<version_number>-openjdk-headless.x86_64 (use 11 for the version number).

  • Next, install MongoDB. Create the repository file /etc/yum.repos.d/mongodb-org-5.0.repo; the contents it needs are in the linked file: Mongodb Repo File. Then install MongoDB with sudo yum install -y mongodb-org, and enable and start mongod.service using systemctl.

  • The next dependency to install is Elasticsearch. I installed Elasticsearch differently than MongoDB because of issues with yum, and I did it using these commands: wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.0-x86_64.rpm && sudo rpm --install elasticsearch-7.17.0-x86_64.rpm. Once Elasticsearch is installed, edit its config file, found at /etc/elasticsearch/elasticsearch.yml.

  • In this config file, uncomment the cluster.name line and set it to graylog. Below it, add the line action.auto_create_index: false. Once this is done, enable and start elasticsearch.service with systemctl.

Installing and configuring Graylog itself

  • Graylog installs easily from RPM with these two commands: sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm && sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins

  • Once Graylog is installed, edit the config file at /etc/graylog/server/server.conf and set its two secrets, or graylog-server will not start. Set password_secret to a random string longer than 64 characters, and set root_password_sha2 to the SHA-256 hash produced by this command: echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1. In the same file, change http_bind_address to the IP and port you want the log server to listen on, and open that port and protocol in the firewall. Enable and start graylog-server.service using systemctl, then open Graylog in a browser.
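
The secret-generation and config check below are an added example, not code from the original page or from Graylog: it produces the root_password_sha2 digest and a random password_secret, then sanity-checks a server.conf for the three settings the step above edits before graylog-server is started. The key names and file format are Graylog's; the 96-character default length is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the two secrets
# server.conf needs and sanity-check a server.conf before starting
# graylog-server. Key names come from the page; the 96-character default
# below is an assumption (anything over 64 characters works).

# SHA-256 hex digest of the password in $1, the same value the page's
# interactive `head -1 | sha256sum` pipeline produces for root_password_sha2.
sha2_of_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random alphanumeric password_secret of $1 characters (default 96).
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Value of key $2 in config file $1 (Graylog's "key = value" format).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if server.conf $1 has usable secrets and a bind address,
# otherwise print each problem to stderr and return 1.
check_graylog_conf() {
    rc=0
    secret=$(conf_get "$1" password_secret)
    hash=$(conf_get "$1" root_password_sha2)
    bind=$(conf_get "$1" http_bind_address)
    if [ "${#secret}" -lt 64 ]; then
        echo "password_secret is ${#secret} chars; Graylog needs at least 64" >&2
        rc=1
    fi
    case "$hash" in
        *[!0-9a-f]*|"") echo "root_password_sha2 is not a lowercase hex digest" >&2; rc=1 ;;
    esac
    if [ "${#hash}" -ne 64 ]; then
        echo "root_password_sha2 is not a 64-char SHA-256 digest" >&2; rc=1
    fi
    case "$bind" in
        *:[0-9]*) ;;
        *) echo "http_bind_address must be <ip>:<port>, got '$bind'" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Run check_graylog_conf /etc/graylog/server/server.conf after editing the file; a non-zero exit explains on stderr what still needs fixing before systemctl start.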

Adding an input to Graylog

  • To see logs in Graylog, add an input under System > Inputs to receive them. Set the port and the other default settings for the input. Back on the log client, edit its rsyslog.d configuration file to forward logs to the log server on the port the Graylog input is listening on. Logs generated by the configured client systems then appear in Graylog.