Centralized log management is a critical aspect of any organization’s IT infrastructure. It enables businesses to capture, store, and analyze vast amounts of data and logs, helping them gain valuable insights and troubleshoot issues efficiently. One popular open-source solution for centralized log management is Graylog. In this tutorial, we will guide you through the process of setting up a centralized log management system using Graylog on a Rocky Linux server.
Prerequisites
Before we dive into the installation process, let’s ensure we have all the necessary requirements in place:
- A server running Rocky Linux 8.
- A non-root user with sudo/administrator privileges.
- Firewalld running and enabled.
Installing Java OpenJDK
To install Graylog, we first need Java OpenJDK on our Rocky Linux system. At the time of writing, Graylog requires Java 8 or higher. We can install Java OpenJDK by following these steps:
- Check the available Java OpenJDK versions using the following command:
sudo dnf search openjdk
- Install Java OpenJDK v11, which we will use for our Graylog Server, using the following command:
sudo dnf install java-11-openjdk-devel
- Verify the installation by checking the Java OpenJDK version:
java -version
Installing MongoDB NoSQL Database
Next, we need to install MongoDB, which serves as the database for the Graylog Server. We can install MongoDB by following these steps:
- Add the MongoDB repository to your Rocky Linux system by running the following command:
sudo tee /etc/yum.repos.d/mongodb-org-6.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF
- Verify that the MongoDB repository has been added successfully:
sudo dnf repolist
- Install the MongoDB package by running the following command:
sudo dnf install mongodb-org
- After the installation is complete, reload the systemd manager and apply the new MongoDB service file:
sudo systemctl daemon-reload
- Start the MongoDB service and enable it to start automatically at system startup:
sudo systemctl start mongod
sudo systemctl enable mongod
- Verify that the MongoDB service is running:
sudo systemctl status mongod
Installing Elasticsearch
Elasticsearch serves as the search engine for the Graylog Server Log Management Stack. It’s essential to install Elasticsearch v7.x, as the current version of Graylog Server only supports Elasticsearch v7.x. Here’s how you can install Elasticsearch:
- Set up the Elasticsearch v7.x repository for Rocky Linux by running the following command:
sudo tee /etc/yum.repos.d/elasticsearch.repo <<EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
- Verify that the Elasticsearch repository has been added successfully:
sudo dnf repolist
- Install the Elasticsearch package by running the following command:
sudo dnf install elasticsearch
- Configure Elasticsearch by editing the Elasticsearch configuration file:
sudo nano /etc/elasticsearch/elasticsearch.yml
- Set the cluster name and disable automatic index creation by adding the following lines:
cluster.name: graylog-rocky8
action.auto_create_index: false
- Set the maximum memory allocation for Elasticsearch by editing the JVM options file:
sudo nano /etc/elasticsearch/jvm.options
- Uncomment and modify the following lines to allocate the desired amount of memory:
-Xms1g
-Xmx1g
- Reload the systemd manager and start the Elasticsearch service:
sudo systemctl daemon-reload
sudo systemctl start elasticsearch
- Enable the Elasticsearch service to start automatically at system startup:
sudo systemctl enable elasticsearch
- Verify that the Elasticsearch service is running:
sudo systemctl status elasticsearch
- Test the Elasticsearch server by accessing it via the curl command:
curl localhost:9200
Installing Graylog Server
Now that we have installed the necessary dependencies, we can proceed to install the Graylog Server. Follow these steps to install and configure Graylog Server:
- Add the Graylog repository to your server by running the following command:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm
- Verify that the Graylog repository has been added successfully:
sudo dnf repolist
- Install the Graylog Server package by running the following command:
sudo dnf install graylog-server graylog-integrations-plugins
- Install the ‘pwgen’ package, which will be used to generate passwords for the Graylog Server:
sudo dnf install pwgen
- Generate the ‘password_secret’ for the Graylog Server by running the following command:
sudo pwgen -N 1 -s 96
- Generate the sha256 hash of the admin password for ‘root_password_sha2’ by running the following command (the password is read from the terminal so it does not end up in your shell history):
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
- Edit the Graylog Server configuration file:
sudo nano /etc/graylog/server/server.conf
- Set the ‘password_secret’, ‘root_password_sha2’, and ‘http_bind_address’ options with the generated values and the internal IP address of your server. Save and close the file.
- Reload the systemd manager and start the Graylog Server service:
sudo systemctl daemon-reload
sudo systemctl start graylog-server
- Enable the Graylog Server service to start automatically at system startup:
sudo systemctl enable graylog-server
- Add the ‘9000’ port, which is used by the Graylog Server, to the firewalld:
sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
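The password and configuration steps above, as an added shell example that is not part of this tutorial or of Graylog itself: it hashes an admin password typed on stdin for root_password_sha2, generates a 96-character password_secret (using pwgen as the tutorial does, with a /dev/urandom fallback), and writes all three settings into server.conf, where http_bind_address takes host:port. The config path, the bind address and the sample config lines in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial: fill in the three server.conf
# settings the tutorial edits by hand. Assumes the packaged server.conf
# already contains the keys (possibly commented out), as the stock file does.
set -eu

# root_password_sha2: SHA-256 of the admin password, read from stdin so it
# never lands in argv or shell history (same pipeline as the tutorial).
graylog_sha2() {
    head -1 | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# password_secret: 96 random characters. pwgen is what the tutorial uses;
# /dev/urandom is the fallback so the script also runs where pwgen is absent.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        head -c 72 /dev/urandom | base64 | tr -d '\n' | cut -c1-96
    fi
}

# Replace "key = value" (commented out or not) in a Graylog-style config
# file, appending the key if the file does not contain it at all.
set_conf() {
    key=$1 value=$2 file=$3
    if grep -q "^#*${key} *=" "$file"; then
        sed -i "s|^#*${key} *=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Read back a setting (used to verify the result).
get_conf() { sed -n "s/^$1 *= *//p" "$2"; }

# Usage: configure_graylog /etc/graylog/server/server.conf 192.168.5.100:9000
# (type the admin password at the prompt; the address is host:port).
configure_graylog() {
    file=$1 bind=$2
    printf 'Enter Password: ' >&2
    set_conf root_password_sha2 "$(graylog_sha2)" "$file"
    set_conf password_secret "$(gen_secret)" "$file"
    set_conf http_bind_address "$bind" "$file"
    chmod o-rwx "$file"   # the file now holds the secret: not world-readable
}
```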
Setting Up SELinux
If you’re running the Graylog Server with SELinux enabled in enforcing mode, you need to set up SELinux rules to allow communication with the Graylog Server. Here’s how you can do it:
- Install the necessary tools for managing SELinux:
sudo dnf install policycoreutils policycoreutils-python-utils
- Add the SELinux rules for the Graylog Server, Elasticsearch, and MongoDB:
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017
Creating a Graylog Input
To receive logs from your applications or client machines, you need to set up an input on your Graylog Server. In this example, we will create a Graylog input that uses the “Syslog UDP” type to receive logs from Linux client machines. Follow these steps to create a Graylog input:
- Log in to the Graylog Server dashboard using your username and password.
- Click on the “System” menu and select “Inputs”.
- Click on “Launch new input” and select the “Syslog UDP” type.
- Configure the input by providing a title, bind address (internal IP address of your Graylog Server), and port.
- Click “Save” to add the input.
- Verify that the input is running and ready to receive logs.
Sending Logs via Rsyslog to Graylog Server
Now that we have set up the Graylog input, we need to configure a Linux machine to send logs to the Graylog Server using Rsyslog. Here’s how you can do it:
- Check the status of the Rsyslog service on your Linux machine:
sudo systemctl status rsyslog
- Create a new additional Rsyslog config file to send logs to the Graylog Server:
sudo nano /etc/rsyslog.d/graylog.conf
- Add the following configuration to the file, replacing the Graylog Server IP address and UDP port with your own:
*.* @192.168.5.100:5142;RSYSLOG_SyslogProtocol23Format
- Restart the Rsyslog service to apply the changes:
sudo systemctl restart rsyslog
- Check the Graylog Server dashboard to ensure that logs are being received from the Linux machine.
Conclusion
Congratulations! You have successfully set up a centralized log management system using Graylog on your Rocky Linux server. By following the steps outlined in this tutorial, you have installed the necessary dependencies, configured the Graylog Server, set up inputs, and enabled log ingestion from Linux client machines. Centralized log management is crucial for maintaining the security and stability of your IT infrastructure, and Graylog provides a flexible and powerful solution for this purpose.
Remember to regularly monitor and analyze your logs within the Graylog Server dashboard to gain valuable insights into your system’s performance and troubleshoot any issues that may arise. By leveraging the capabilities of Graylog, you can streamline your log management processes and ensure the efficient operation of your IT environment.
For more information about centralized log management and other cloud hosting solutions, visit Shape.host. Shape.host offers reliable and scalable Linux SSD VPS hosting services, empowering businesses with efficient cloud solutions.