Install Graylog on Rocky Linux 8
Welcome to this guide, in which we discuss how to set up a Graylog server on Rocky Linux 8. Graylog is an open-source solution for centralized log management and analysis. With Graylog, we can gather logs from many systems in one place, index and search them with Elasticsearch, and visualize them on the Graylog dashboard.
For system administrators, logs are one of the quickest ways to pinpoint the root cause of a system failure, or to predict one before it happens. Gathering and analyzing logs by hand is tedious, however, and this is where Graylog comes in.
Graylog comprises four open-source components. These are:
- Elasticsearch - This is the engine that indexes and analyzes the logs.
- MongoDB - This is a NoSQL database that stores the analyzed data and the cluster configuration.
- Java - This is the runtime environment for Elasticsearch and Graylog.
- Graylog server - The application that is used for visualization of the analyzed data.
You can also put Nginx in front of the Graylog server as a reverse proxy. This is useful if you have a fully qualified domain name (FQDN) and would like to secure your connections using SSL.
Follow the steps below to set up your Graylog server on Rocky Linux 8.
Prerequisites
Before we can proceed with the installation and configuration, we first need to make sure that our system meets the minimum requirements below.
- 4 GB RAM
- 2 CPUs
- 50 GB of disk space
- Port 9000 allowed through the firewall
Step 1 - Install OpenJDK on Rocky Linux 8
We need to install a Java Runtime Environment on Rocky Linux 8 in order to run Elasticsearch and Graylog.
Get OpenJDK 11 from Rocky Linux's base repositories:
$ sudo dnf install java-11-openjdk-devel
....
Installing weak dependencies:
abattis-cantarell-fonts noarch 0.0.25-6.el8 appstream 154 k
dconf x86_64 0.28.0-4.el8 appstream 107 k
gtk3 x86_64 3.22.30-6.el8 appstream 4.5 M
Enabling module streams:
javapackages-runtime 201801
Transaction Summary
====================================================================================================
Install 72 Packages
Total download size: 70 M
Installed size: 251 M
Is this ok [y/N]: y
Verify that Java has been installed on your Rocky Linux 8 instance:
$ java -version
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
Step 2 - Install Elasticsearch 7.x
The next step is to install Elasticsearch version 7.x on Rocky Linux 8. Before we can do that, we need to add the Elasticsearch 7.x repo to our system. Run the command below to achieve that:
cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
After setting up the repo, import the GPG key that signs its packages (this requires root privileges):
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
We can now install Elasticsearch 7.x as shown below:
[root@rocky ~]# sudo dnf install -y elasticsearch
Elasticsearch repository for 7.x packages 2.5 MB/s | 29 MB 00:11
Last metadata expiration check: 0:00:17 ago on Sat 28 Aug 2021 03:07:09 AM EDT.
Dependencies resolved.
=================================================================
Package Architecture Version Repository Size
=================================================================
Installing:
elasticsearch x86_64 7.14.0-1 elasticsearch-7.x 328 M
Transaction Summary
=================================================================
Install 1 Package
Total download size: 328 M
Installed size: 537 M
After a successful installation, you may want to verify the version of Elasticsearch installed to your system:
[root@rocky ~]# rpm -qi elasticsearch
Step 3 - Configure Elasticsearch on Rocky Linux 8
We need to change a few settings in the Elasticsearch configuration files to suit the Graylog application.
Change the Elasticsearch cluster name to graylog:
$ sudo vim /etc/elasticsearch/elasticsearch.yml
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: graylog
#
You can also modify the Java memory options by editing the file /etc/elasticsearch/jvm.options:
-Xms1g
-Xmx1g
The two lines above set the initial (-Xms) and maximum (-Xmx) JVM heap size to 1 GB each. You can set a higher or lower value, depending on your system's capabilities.
Finally, start and enable Elasticsearch:
sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch.service
You can send an HTTP GET request to verify that Elasticsearch is ready to receive requests:
[root@rocky ~]# curl http://127.0.0.1:9200
Step 4 - Install MongoDB 4 Server on Rocky Linux 8
Install MongoDB 4 on your Rocky Linux instance. Add the MongoDB repo first:
cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-4.repo
[mongodb-org-4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF
Then install MongoDB 4:
[root@rocky ~]# sudo dnf install -y mongodb-org
MongoDB Repository 17 kB/s | 28 kB 00:01
Dependencies resolved.
=========================================================================================================
Package Arch Version Repository Size
=========================================================================================================
Installing:
mongodb-org x86_64 4.4.8-1.el8 mongodb-org-4 11 k
Installing dependencies:
cyrus-sasl x86_64 2.1.27-5.el8 baseos 95 k
cyrus-sasl-gssapi x86_64 2.1.27-5.el8 baseos 49 k
cyrus-sasl-plain x86_64 2.1.27-5.el8 baseos 46 k
mongodb-database-tools x86_64 100.5.0-1 mongodb-org-4 47 M
mongodb-org-database-tools-extra x86_64 4.4.8-1.el8 mongodb-org-4 23 k
mongodb-org-mongos x86_64 4.4.8-1.el8 mongodb-org-4 17 M
mongodb-org-server x86_64 4.4.8-1.el8 mongodb-org-4 22 M
mongodb-org-shell x86_64 4.4.8-1.el8 mongodb-org-4 14 M
mongodb-org-tools x86_64 4.4.8-1.el8 mongodb-org-4 11 k
python3-pip noarch 9.0.3-19.el8.rocky appstream 19 k
python3-setuptools noarch 39.2.0-6.el8 baseos 162 k
python36 x86_64 3.6.8-2.module+el8.4.0+597+ddf0ddea appstream 18 k
Enabling module streams:
python36 3.6
Transaction Summary
=========================================================================================================
Install 13 Packages
Total download size: 100 M
Start the MongoDB service and enable it to run on reboot:
sudo systemctl enable --now mongod
Verify that MongoDB service has started:
[root@rocky ~]# systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2021-08-28 03:17:17 EDT; 27s ago
Docs: https://docs.mongodb.org/manual
Process: 3650 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3647 ExecStartPre=/usr/bin/chmod 0755 /var/run/mongodb (code=exited, status=0/SUCCESS)
Process: 3646 ExecStartPre=/usr/bin/chown mongod:mongod /var/run/mongodb (code=exited, status=0/SUCCESS)
Process: 3644 ExecStartPre=/usr/bin/mkdir -p /var/run/mongodb (code=exited, status=0/SUCCESS)
Main PID: 3652 (mongod)
Memory: 125.7M
CGroup: /system.slice/mongod.service
└─3652 /usr/bin/mongod -f /etc/mongod.conf
Aug 28 03:17:16 rocky systemd[1]: Starting MongoDB Database Server...
Aug 28 03:17:16 rocky mongod[3650]: about to fork child process, waiting until server is ready for connections.
Aug 28 03:17:16 rocky mongod[3650]: forked process: 3652
Aug 28 03:17:17 rocky mongod[3650]: child process started successfully, parent exiting
Aug 28 03:17:17 rocky systemd[1]: Started MongoDB Database Server
Step 5 - Install Graylog Server on Rocky Linux 8
With the dependencies in place, we can now install the Graylog server itself.
First download and install the Graylog repository package:
# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm
Now install Graylog server on Rocky Linux 8:
[root@rocky ~]# dnf install -y graylog-server
graylog 2.2 kB/s | 7.6 kB 00:03
Dependencies resolved.
=========================================================================================================
Package Architecture Version Repository Size
=========================================================================================================
Installing:
graylog-server noarch 4.1.3-1 graylog 188 M
Transaction Summary
=========================================================================================================
Install 1 Package
Total download size: 188 M
Installed size: 188 M
Verify that the installation was successful by querying the installed RPM package:
# rpm -qi graylog-server
Step 6 - Configure Graylog Server
The next step is to configure the credentials for the Graylog admin login. Two values are required in the Graylog configuration: password_secret (used to encrypt and salt stored passwords) and root_password_sha2 (the SHA-256 hash of the admin password).
Install the pwgen utility, which we will use to generate a random 96-character secret:
sudo dnf install -y epel-release
sudo dnf install -y pwgen
Generate a random secret of 96 characters:
pwgen -N 1 -s 96
You should get an output similar to:
root@rocky:~# pwgen -N 1 -s 96
x7WrtpHwuGFR1awjy3amUhStUmH9BeqybchdYd3lJHR2ZxpMNvuydpCussgzimBOT6p7HRhkA3QPFZcbsGaLpt4BPsnwdk3n
Copy the generated secret to a text editor; it will be used in the next few steps.
Next, create the SHA-256 hash of the password you will use to log in to the Graylog web interface (echo -n is important, otherwise the trailing newline would be hashed as well):
$ echo -n Str0ngP@ssw0rd | sha256sum
You should get an output such as the one below:
$ echo -n Str0ngP@ssw0rd | sha256sum
a5bd1f14adcda15f127a87b8ebc5a705232ec2c9f83d6447b5f958f7d4580a56 -
Copy the 96-character secret and the SHA-256 hash, then paste them into the file /etc/graylog/server/server.conf as the values of password_secret and root_password_sha2 respectively.
$ sudo vi /etc/graylog/server/server.conf
....
password_secret = x7WrtpHwuGFR1awjy3amUhStUmH9BeqybchdYd3lJHR2ZxpMNvuydpCussgzimBOT6p7HRhkA3QPFZcbsGaLpt4BPsnwdk3n
root_password_sha2 = a5bd1f14adcda15f127a87b8ebc5a705232ec2c9f83d6447b5f958f7d4580a56
....
Next, configure the address and port on which the Graylog web interface and REST API listen. Use the server's own IP address, or 0.0.0.0 to have Graylog listen on all interfaces.
$ sudo vi /etc/graylog/server/server.conf
# If the port is omitted, Graylog will use port 9000 by default.
#
# Default: 127.0.0.1:9000
http_bind_address = 0.0.0.0:9000
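As an added example that is not part of the original guide, the POSIX shell script below derives root_password_sha2 the same way as above and checks the three server.conf entries before the service is started. The sample config it writes, and the secret inside it, are constructed for the demonstration; the 16-character minimum for password_secret is the one stated in the comments of Graylog's own server.conf.

```shell
# Added example, not from the original guide: derive the Graylog admin
# password hash and sanity-check server.conf before starting graylog-server.
# Assumes coreutils (sha256sum, mktemp) and sed are available.

# Hex SHA-256 of a plaintext password, the format root_password_sha2 expects.
# printf avoids the trailing newline that a bare echo would hash as well.
sha2_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Read one "key = value" entry from a Graylog-style config file ($1=file, $2=key).
# The ^ anchor skips the commented-out defaults that ship in server.conf.
conf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check the credential entries of server.conf.
# Returns 0 when they look valid; prints the first problem and returns 1 otherwise.
check_server_conf() {
    secret=$(conf_value "$1" password_secret)
    hash=$(conf_value "$1" root_password_sha2)
    bind=$(conf_value "$1" http_bind_address)
    # server.conf requires at least 16 characters; the guide generates 96.
    if [ "${#secret}" -lt 16 ]; then
        echo "password_secret is missing or shorter than 16 characters"; return 1
    fi
    # A hex SHA-256 digest is exactly 64 lowercase hex characters.
    case "$hash" in
        ""|*[!0-9a-f]*) echo "root_password_sha2 is not a hex SHA-256 digest"; return 1 ;;
    esac
    if [ "${#hash}" -ne 64 ]; then
        echo "root_password_sha2 has ${#hash} characters, expected 64"; return 1
    fi
    # Binding to 0.0.0.0 exposes the web interface on every interface.
    case "$bind" in
        0.0.0.0:*) echo "note: http_bind_address=$bind; restrict it or front it with Nginx and SSL" ;;
    esac
    return 0
}

# Write a constructed server.conf (sample values, not a real deployment) to $1.
write_sample_conf() {
    secret="CONSTRUCTED-SECRET-0123456789abcdefghijklmnopqrstuvwxyz"   # stand-in for pwgen output
    printf 'password_secret = %s\nroot_password_sha2 = %s\nhttp_bind_address = 0.0.0.0:9000\n' \
        "$secret" "$(sha2_of 'Str0ngP@ssw0rd')" > "$1"
}
```

Run `check_server_conf /etc/graylog/server/server.conf` on a real host before `systemctl start graylog-server`; a non-zero exit means the service would refuse to start or the admin login would not work.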
Start and enable the Graylog service:
systemctl daemon-reload
systemctl start graylog-server
systemctl enable graylog-server
Verify that Graylog service is up and running:
[root@rocky ~]# systemctl status graylog-server
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2021-08-28 03:25:26 EDT; 1min 14s ago
Docs: http://docs.graylog.org/
Main PID: 3972 (graylog-server)
Tasks: 110 (limit: 11388)
Memory: 801.1M
CGroup: /system.slice/graylog-server.service
├─3972 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─4009 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow
Step 7 - Configure Firewall
We need to configure the firewall to allow traffic through port 9000 for the Graylog server:
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload
Step 8 - Access Graylog server Web interface
We are now ready to access Graylog server through the web interface. Navigate to http://<Graylog-server-IP>:9000
You should land on a login page. The credentials for the Graylog server are:
username: admin
password: the plaintext password whose SHA-256 hash you set as root_password_sha2
You can now proceed to create your dashboards and visualize your logs.
Conclusion
The steps above have summarized how to set up a Graylog server on Rocky Linux. As we have seen, the steps are straightforward and easy to follow. Please feel free to reach out in case you encounter any challenges setting this up.