Setup & Configure Graylog2 – CentOS 7 / RHEL

Graylog2 is a centralized log management system. It is built on Elasticsearch
and MongoDB and can analyze and aggregate log messages from multiple sources.
I don’t think it would be wrong to say that Graylog2 is one of the big players when
it comes to centralized log management systems.
It won’t take you long to learn how to use Graylog2, and once you do,
you won’t want to be without it!

I am using Graylog2 to pull log files from all my servers and a pfSense firewall,
and my life has become much simpler since! It is so easy to create a stream of exactly the log files you want to collect.
Just to give you an example of what a stream is: I have created a stream
that shows me accepted/failed SSH and OpenVPN login attempts, and one for every
time the root user is used.

Table of Contents:
– Step 1. Prerequisites
– Step 2. Install & configure Elasticsearch
– Step 3. Install MongoDB
– Step 4. Install & configure Graylog2
– Step 5. Install the Graylog web interface
– Step 6. Create a syslog input
– Step 7. Configure rsyslog (client) to send to Graylog

Step 1. Prerequisites

You have to be root!
The first thing we are going to do is disable the CentOS firewall and SELinux (we will re-enable the firewall later, opening only the ports Graylog2 needs). Keep in mind that both are layers of hardening on a box that will hold credentials and the logs of every other host; if all you need is to get past an SELinux denial, permissive mode keeps logging the denials without blocking anything and is easier to walk back than disabling SELinux outright.

To see whether SELinux is enabled on your system, run sestatus. If it is disabled, skip this part.

If it is enabled, open the SELinux config file,

find the line below and set it to SELINUX=disabled,

then restart the system. Once you are logged in again, check the status again; it should now report disabled.

Enable the EPEL repository

After you have enabled EPEL, install Java.

Verify that Java has been installed

We are also going to need pwgen later

Step 2. Install & configure Elasticsearch

First import the GPG key

Add Elasticsearch to your repositories

and insert the following lines

You should be ready to install Elasticsearch now

Configure Elasticsearch to start at system startup.

There is only one important setting we have to change in Elasticsearch
to make it work with Graylog2: the cluster name.

Find the cluster.name line in the file (line 32 in this version; search for the key rather than counting lines, it moves between releases) and set the cluster name to graylog2. It has to match the cluster name in Graylog2’s own configuration exactly, or graylog-server will never find the cluster.

That should be it. Now restart the service to make it read the new settings. Note that Elasticsearch has no authentication of its own, so its port (9200) must not be reachable by anything but Graylog2; with the firewall off, keep it bound to localhost or an internal address until the firewall is back.

Step 3. Install MongoDB

Almost the same procedure as in step 2, but this time we add the repository
for MongoDB

Add the lines below, then save and quit.

Install MongoDB. Like Elasticsearch, MongoDB does not authenticate clients unless you configure it to, so check that it stays bound to localhost (the packaged mongod.conf does this) and that port 27017 is not exposed.

Step 4. Install & configure Graylog2

First install Graylog2’s repository

Then install Graylog2

Before we configure Graylog2’s .conf file, I want you to do two things.
Remember to copy and save the output!

Number 1. Create a password with pwgen for password_secret

Number 2. Get the SHA-256 sum of your admin account’s password. Make sure only the password is hashed and not a trailing newline (echo adds one by default; use echo -n or printf), otherwise the web login will fail later.

And now it is time to configure Graylog2.
Open the .conf file

Find the lines below in the configuration file and edit them. (This is a configuration example for only one host.)

Then restart the Graylog2 server to make it load the new configuration.
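The three server-side settings from steps 2 and 4 are easy to get subtly wrong: a cluster name that does not match between the two configs, a hash computed over the password plus a trailing newline, or a password_secret that is too short. The helper script below is an added example and is not from the original post or from Graylog’s own tooling. It assumes a Graylog 1.x-era layout (/etc/elasticsearch/elasticsearch.yml, /etc/graylog/server/server.conf) and the setting names password_secret, root_password_sha2 and elasticsearch_cluster_name; it falls back to /dev/urandom if pwgen is not installed.

```shell
#!/bin/sh
# Added example: helper functions for the Elasticsearch and Graylog2 server
# settings from steps 2 and 4. Paths and setting names are assumptions for a
# Graylog 1.x-era install; adjust them to your version.
ES_YML=${ES_YML:-/etc/elasticsearch/elasticsearch.yml}
GL_CONF=${GL_CONF:-/etc/graylog/server/server.conf}

# Set cluster.name in elasticsearch.yml by key, not by line number (the
# "line 32" in the post moves between Elasticsearch versions). Handles both a
# commented-out "#cluster.name: elasticsearch" and an existing value, and
# prints the value now in the file.
set_es_cluster_name() {
    file=$1; name=$2
    if grep -q '^#*[[:space:]]*cluster\.name:' "$file"; then
        sed -i "s/^#*[[:space:]]*cluster\.name:.*/cluster.name: $name/" "$file"
    else
        printf 'cluster.name: %s\n' "$name" >>"$file"
    fi
    sed -n 's/^cluster\.name:[[:space:]]*//p' "$file"
}

# password_secret: 96 random characters, as the post generates with pwgen.
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96; echo
    fi
}

# root_password_sha2: SHA-256 of the admin password. printf, not echo, so the
# trailing newline is not hashed (the classic "login fails" mistake).
password_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Render the server.conf lines to edit for a single-host setup.
render_server_conf() {
    secret=$1; sha=$2; cluster=${3:-graylog2}
    cat <<EOF
is_master = true
password_secret = $secret
root_password_sha2 = $sha
elasticsearch_cluster_name = $cluster
EOF
}

# Sanity-check server.conf against elasticsearch.yml before restarting:
# secret long enough, hash is 64 hex chars, cluster names match.
check_server_conf() {
    conf=$1; esyml=$2
    secret=$(sed -n 's/^password_secret *= *//p' "$conf")
    sha=$(sed -n 's/^root_password_sha2 *= *//p' "$conf")
    gl_cluster=$(sed -n 's/^elasticsearch_cluster_name *= *//p' "$conf")
    es_cluster=$(sed -n 's/^cluster\.name:[[:space:]]*//p' "$esyml")
    [ "${#secret}" -ge 64 ] || { echo "password_secret shorter than 64 chars" >&2; return 1; }
    printf '%s' "$sha" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
    [ "$gl_cluster" = "$es_cluster" ] \
        || { echo "cluster name mismatch: '$gl_cluster' vs '$es_cluster'" >&2; return 1; }
    echo ok
}

# Typical use on the server, as root:
#   set_es_cluster_name "$ES_YML" graylog2
#   render_server_conf "$(gen_password_secret)" "$(password_sha256 'your-admin-pw')"
#   check_server_conf "$GL_CONF" "$ES_YML"
```

The check only validates shape; it cannot tell you whether the hash is of the password you think it is, so keep the plaintext you hashed until you have logged in to the web interface once.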

Step 5. Install the Graylog web interface

We are going to install a web interface for Graylog2 as well.

First create a new password with pwgen (remember to copy the output).

Edit the following lines in the configuration file. If you want to add more Graylog2 nodes in the future, just separate the IPs with commas.

We are going to let CentOS start graylog-web on boot.

Then open your web browser and go to graylog2_ip:9000. The username is admin and the password is the admin password whose SHA-256 you put into the server configuration in step 4 (not the pwgen secret). Note that this is plain HTTP, so outside a lab you will want it behind TLS or reachable only from an admin network.

Graylog2 login

Step 6. Create a syslog input

We are going to create a syslog UDP input now.

Go to System -> Inputs

Choose Syslog UDP from the drop-down and click on Launch new input

Choose your Graylog2 node, give the input a title and set your Graylog2 server IP
as bind address. If you have been looking at other guides and noticed they all run
their syslog UDP input on port 514, forget about that and set it to 1514.
The reason is that ports below 1024 are privileged: binding them requires root (or CAP_NET_BIND_SERVICE),
and the graylog-server process runs as an unprivileged user, which is what we want. (I have been in touch with a Graylog2 dev.)
Scroll down and click on Launch.

Step 7. Configure rsyslog (client) to send to Graylog

Now log in to the server you want to pull the log files from and
make sure rsyslog is installed!

For Ubuntu 14.04 ->

CentOS 7 ->

After you have installed rsyslog, we will create a file that tells it to send the server’s logs to our Graylog2 server.

Add the lines below to the .conf file,
and make sure to insert your Graylog server’s IP!

Then restart rsyslog.

You should now be able to log in to the Graylog2 web interface and see the log files
from the server we just added. Remember that plain UDP syslog is neither acknowledged nor encrypted: lines can silently go missing under load and anyone on the path can read them, so for logs that cross an untrusted network use a TCP input instead (with TLS where your Graylog version supports it).
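The port choice in step 6 and the forwarding rule in step 7 are where this setup most often breaks, and they are also the point at which the firewall turned off in step 1 should come back with only the needed ports open. The script below is an added example, not part of the original post or of Graylog or rsyslog; it assumes firewalld on the CentOS 7 server, rsyslog’s RSYSLOG_SyslogProtocol23Format template, a drop-in path of /etc/rsyslog.d/graylog.conf on the client, and that the server IP 192.0.2.10 in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: port sanity check, firewall rules and the rsyslog client
# forwarding rule for steps 6 and 7. The drop-in path, firewalld and the
# service names are assumptions; adjust to your hosts.

# Ports below 1024 are privileged: binding them needs root or
# CAP_NET_BIND_SERVICE, and graylog-server runs unprivileged. That is why the
# input uses 1514 instead of the syslog default 514. Prints the port if OK.
check_input_port() {
    port=$1
    case $port in ''|*[!0-9]*) echo "not a number: '$port'" >&2; return 1;; esac
    if [ "$port" -lt 1024 ]; then
        echo "port $port is privileged; use 1024 or higher (e.g. 1514)" >&2
        return 1
    fi
    [ "$port" -le 65535 ] || { echo "port $port out of range" >&2; return 1; }
    echo "$port"
}

# The single line for the client's rsyslog drop-in. "@" is UDP, "@@" is TCP;
# the syslog-protocol-23 template sends RFC 5424 messages with full
# timestamps and hostnames, which Graylog parses cleanly.
render_rsyslog_rule() {
    server=$1; port=$2; proto=${3:-udp}
    case $proto in
        udp) at='@' ;;
        tcp) at='@@' ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    printf '*.* %s%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$at" "$server" "$port"
}

# Server side: re-enable the firewall and open only the web UI (9000/tcp)
# and the syslog input. Elasticsearch (9200) and MongoDB (27017) stay closed;
# neither authenticates clients by default.
open_server_ports() {
    port=$(check_input_port "$1") || return 1
    proto=${2:-udp}
    systemctl enable firewalld && systemctl start firewalld
    firewall-cmd --permanent --add-port=9000/tcp
    firewall-cmd --permanent --add-port="$port/$proto"
    firewall-cmd --reload
}

# Client side: write the drop-in, restart rsyslog (systemd on CentOS 7,
# upstart on Ubuntu 14.04) and send one test line that should show up in the
# Graylog2 web interface within seconds.
configure_client() {
    server=$1; proto=${3:-udp}
    port=$(check_input_port "$2") || return 1
    render_rsyslog_rule "$server" "$port" "$proto" >/etc/rsyslog.d/graylog.conf
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
    logger -t graylog-test "forwarding test from $(hostname)"
}

# Typical use:
#   on the Graylog2 server:  open_server_ports 1514 udp
#   on each client:          configure_client 192.0.2.10 1514 udp
```

If the test line never arrives, check in this order: the input is running in System -> Inputs, the server's firewall lists 1514/udp, and the client's rsyslog restarted without a syntax error (a typo in the rule silently drops forwarding).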