Graylog is a nice log server. The documentation of its installation procedure is not as nice yet. Here is my log of how we installed it at work.
We are going to install Graylog on a single machine with all of its components on the same machine. If you have lots of logs you may need to look into setting up a cluster of machines and tell me how you did it.
As a bonus I also enabled Active Directory authentication and authorization.
- Start off with a basic install of CentOS 7. It may be nice to put /var on a separate partition, volume or disk. All of the log data is going to be stored in Elasticsearch, which has its data directory in /var/lib/elasticsearch. In this example the server has the hostname log.company.com.
- I won’t bother with SELinux. Open /etc/selinux/config and set
SELINUX=disabled
- Disable the firewall or deal with it yourself.
chkconfig firewalld off
service firewalld stop
- Make sure that the firewall is empty
iptables -L
- We still need iptables to set up some forwarding for us later
yum install iptables-services
chkconfig iptables on
- Enable EPEL
yum install epel-release
- Install Java. I used Oracle Java because I am set in my ways. I built my own Java RPM with the help of the nosrc-RPM and instructions on City-Fan.org. You most likely could just use the OpenJDK that is in the CentOS distro.
yum install ./java-1.8.0-oracle-headless-1.8.0.60-2.0.cf.x86_64.rpm
- Download and install Elasticsearch
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.2.noarch.rpm
yum install ./elasticsearch-1.7.2.noarch.rpm
- Elasticsearch has two config files you need to know about.
/etc/sysconfig/elasticsearch – The JVM parameters are set here
/etc/elasticsearch/elasticsearch.yml – Main ES config file.
Open the main ES config file and set the following parameters:
cluster.name: graylog-production
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
- You can now start Elasticsearch
chkconfig elasticsearch on
service elasticsearch start
- Install MongoDB, enable and start MongoDB
yum install mongodb-server
chkconfig mongod on
service mongod start
- Time to install Graylog
wget https://packages.graylog2.org/repo/el/7/1.2/x86_64/graylog-server-1.2.1-1.noarch.rpm
wget https://packages.graylog2.org/repo/el/7/1.2/x86_64/graylog-web-1.2.1-1.noarch.rpm
yum install ./graylog-{server,web}-1.2.1-1.noarch.rpm
- You need to generate a secret key and a hash of your chosen admin password. Save these for the next steps. I did this on my workstation where I have the tools for that.
# First a secret key the graylog-server and graylog-web share
apg -a1 -MNCL -n1 -m64 -x64
# Then the SHA-256 hash of the admin password (-n so the newline is not hashed)
echo -n "my-long-and-complicated-admin-password" | sha256sum
- Edit /etc/graylog/server/server.conf and set the following parameters
password_secret = The first secret you generated above
root_password_sha2 = The second hash generated above
rotation_strategy = time # Makes most sense for us
# elasticsearch_max_docs_per_index # Comment out this
# Rotate index every day
elasticsearch_max_time_per_index = 1d
# How many days you want to keep
elasticsearch_max_number_of_indices = 14
# What elasticsearch cluster to connect to etc
elasticsearch_cluster_name = graylog-production
elasticsearch_node_name = graylog2-server
elasticsearch_node_master = false
elasticsearch_node_data = false
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
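The secret generation and the server.conf edits from the two steps above, as an added shell example (this is not from the original post): the secret is drawn from /dev/urandom instead of apg, the password is hashed with printf rather than echo -n so no trailing newline can end up in the hash, and each key is rewritten in place rather than appended, so re-running the script does not leave duplicate keys. The sample server.conf content and the admin password are constructed; on the server you would point configure_graylog at /etc/graylog/server/server.conf.

```shell
#!/bin/sh
# Added example, not from the post: generate password_secret and
# root_password_sha2 and write them, plus the other settings from the step
# above, into a server.conf without leaving duplicate keys behind.
set -eu

# 64 random characters (upper, lower, digits), the same classes apg -MNCL
# draws from. Assumes /dev/urandom and coreutils base64 (CentOS has both).
gen_secret() {
    head -c 64 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-64
}

# SHA-256 hex of the password. printf '%s' instead of echo -n so no shell
# can sneak a trailing newline into the hash.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Print the active (uncommented) value of a key in a "key = value" file.
get_conf() {
    sed -nE "s|^${1}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$2"
}

# Set "key = value": rewrite an existing line for the key, commented out or
# not, or append one. Values must not contain | or & (sed metacharacters);
# the secret and the hash are alphanumeric, so that holds here.
set_conf() {
    key=$1; value=$2; file=$3
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Comment out a key, as the post does for elasticsearch_max_docs_per_index.
comment_conf() {
    sed -i -E "s|^(${1}[[:space:]]*=)|#\1|" "$2"
}

# Apply the post's settings to conf file $1 for admin password $2. Prints the
# secret so the same value can go into application.secret in web.conf.
configure_graylog() {
    conf=$1; admin_password=$2
    secret=$(gen_secret)
    set_conf password_secret "$secret" "$conf"
    set_conf root_password_sha2 "$(sha256_hex "$admin_password")" "$conf"
    set_conf rotation_strategy time "$conf"
    comment_conf elasticsearch_max_docs_per_index "$conf"
    set_conf elasticsearch_max_time_per_index 1d "$conf"
    set_conf elasticsearch_max_number_of_indices 14 "$conf"
    set_conf elasticsearch_cluster_name graylog-production "$conf"
    set_conf elasticsearch_node_name graylog2-server "$conf"
    set_conf elasticsearch_node_master false "$conf"
    set_conf elasticsearch_node_data false "$conf"
    set_conf elasticsearch_discovery_zen_ping_multicast_enabled false "$conf"
    set_conf elasticsearch_discovery_zen_ping_unicast_hosts 127.0.0.1:9300 "$conf"
    printf '%s\n' "$secret"
}

# Constructed stand-in for a fresh /etc/graylog/server/server.conf so the
# example runs without the real file (only a handful of its keys).
make_sample_conf() {
    cat >"$1" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
#elasticsearch_max_number_of_indices = 20
EOF
}

# Demo on a throwaway copy. On the server you would run
#   configure_graylog /etc/graylog/server/server.conf 'your-admin-password'
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
configure_graylog "$demo_conf" 'my-long-and-complicated-admin-password' >/dev/null
cat "$demo_conf"
rm -f "$demo_conf"
```

The secret printed by configure_graylog is the value to paste into application.secret in web.conf in the later step; keep it out of your shell history and off the workstation once it is in both files.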
- You should now be able to start the graylog server
chkconfig graylog-server on
service graylog-server start
- Config graylog-web by editing /etc/graylog/web/web.conf and set
application.secret="same as password_secret in server.conf"
timezone="Europe/Stockholm" # You set your timezone
- And a few steps to enable HTTPS to the web UI. Get a certificate. I got it in PFX format, uploaded it to /tmp/ and imported it into a Java keystore:
cd /var/lib/graylog-web
mkdir graylog-key
chown graylog-web:graylog-web graylog-key
chmod 0700 graylog-key
cd graylog-key
keytool -importkeystore -deststorepass "goodkeystorepass" \
  -destkeypass "maybethesamepass?" \
  -destkeystore graylog.keystore \
  -srckeystore /tmp/logserver.pfx \
  -srcstoretype PKCS12 \
  -srcstorepass "password_the_pfx_file_has"
chown graylog-web:graylog-web graylog.keystore
chmod 0600 graylog.keystore
- Enable HTTPS in graylog-web by editing /etc/sysconfig/graylog-web and set
# This is one long line
GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=9443 -Dhttp.port=disabled -Dhttps.keyStore=/var/lib/graylog-web/graylog-key/graylog.keystore -Dhttps.keyStorePassword=goodkeystorepass"
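A check for the two HTTPS steps above, as an added shell example (not from the original post): it audits that the keystore and /etc/sysconfig/graylog-web, which now carries the keystore password in clear, are readable by their owner only, pulls the password back out of the sysconfig line, and can confirm with keytool that the password actually opens the keystore. The demo files are constructed stand-ins; the owners passed to audit_tls_files are parameters because on the real server the keystore belongs to graylog-web and the sysconfig file to root.

```shell
#!/bin/sh
# Added example, not from the post: audit the files from the two HTTPS steps.
# The keystore and /etc/sysconfig/graylog-web (which carries the keystore
# password in clear) should be readable by their owner only, and the password
# in the sysconfig file should actually open the keystore.
set -eu

# 0 if $1 has no group/other permission bits and is owned by $2.
# Assumes GNU stat, as on CentOS.
private_file_ok() {
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    case "$mode" in
        400|500|600|700) ;;
        *) return 1 ;;
    esac
    [ "$owner" = "$2" ]
}

# Pull the password out of the GRAYLOG_WEB_JAVA_OPTS line.
keystore_password_from_sysconfig() {
    sed -n 's/.*-Dhttps\.keyStorePassword=\([^" ]*\).*/\1/p' "$1"
}

# Audit: one line per finding on stdout, the number of findings as exit code.
# $1 keystore, $2 its expected owner, $3 sysconfig file, $4 its expected owner.
audit_tls_files() {
    keystore=$1; keystore_owner=$2; sysconfig=$3; sysconfig_owner=$4
    findings=0
    if ! private_file_ok "$keystore" "$keystore_owner"; then
        echo "$keystore: expected mode 0600 and owner $keystore_owner"
        findings=$((findings + 1))
    fi
    if ! private_file_ok "$sysconfig" "$sysconfig_owner"; then
        echo "$sysconfig: holds the keystore password, expected mode 0600 and owner $sysconfig_owner"
        findings=$((findings + 1))
    fi
    if [ -z "$(keystore_password_from_sysconfig "$sysconfig")" ]; then
        echo "$sysconfig: no -Dhttps.keyStorePassword in GRAYLOG_WEB_JAVA_OPTS"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Live check on the server (needs keytool; not part of the offline demo):
# does the configured password open keystore $1 using sysconfig file $2?
keystore_opens() {
    keytool -list -keystore "$1" \
        -storepass "$(keystore_password_from_sysconfig "$2")" >/dev/null 2>&1
}

# Offline demo with constructed files standing in for the real ones.
demo_dir=$(mktemp -d)
: >"$demo_dir/graylog.keystore"; chmod 0600 "$demo_dir/graylog.keystore"
printf '%s\n' 'GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=9443 -Dhttp.port=disabled -Dhttps.keyStore=/var/lib/graylog-web/graylog-key/graylog.keystore -Dhttps.keyStorePassword=goodkeystorepass"' >"$demo_dir/graylog-web"
chmod 0644 "$demo_dir/graylog-web"   # constructed: left world-readable to trigger a finding
me=$(id -un)
audit_tls_files "$demo_dir/graylog.keystore" "$me" "$demo_dir/graylog-web" "$me" || echo "$? finding(s)"
rm -rf "$demo_dir"
```

On the server: audit_tls_files /var/lib/graylog-web/graylog-key/graylog.keystore graylog-web /etc/sysconfig/graylog-web root, then keystore_opens with the same two paths. The file check is only half the story: -Dhttps.keyStorePassword puts the password on the java command line, where ps shows it to every local user, so the 0600 on the keystore itself is the control that actually matters.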
- As graylog-web runs as a non-privileged user it cannot listen on port 443. iptables will have to redirect connections arriving on 443 to its high port, 9443. The Ethernet interface on my machine is eth0. Adjust the rules to your interface names.
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 \
  -j REDIRECT --to-ports 9443
# Connections made from the box itself never pass PREROUTING, so the
# loopback rule goes in the nat OUTPUT chain (and the interface is lo on Linux)
iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 443 \
  -j REDIRECT --to-ports 9443
service iptables save
- You may now enable and start graylog-web
chkconfig graylog-web on
service graylog-web start
- You should now be able to point your browser to https://<address-of-server>/ and log in as admin with the password you hashed earlier in step 13.
- And now the bonus LDAP/Active Directory integration. I will give you reasonable paths and names but you will have to read up on LDAP if you haven’t. You need an AD user that has access to authenticate users and look up users and groups. You will also need three groups that will give users different access to Graylog. Here is what we may call them:
ad-auth-user
graylog-access : CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com
graylog-admins : CN=graylog-admins,OU=Groups,OU=Data,DC=company,DC=com
graylog-users : CN=graylog-users,OU=Groups,OU=Data,DC=company,DC=com
- In Graylog webUI, navigate to System → Users and click Configure LDAP
- There are a gazillion options here. I like to log in with the UPN, so I have it set up that way.
The long and complicated LDAP query may look something like this:
(&(&(objectClass=user)(userPrincipalName={0}))(memberof=CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com))
This requires the user to be a member of graylog-access and we look up the user by its UPN.
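Before saving the dialog it is worth running the same filter through ldapsearch and checking that it returns exactly the intended user. This added shell example (not from the original post) does the {0} substitution Graylog performs, with RFC 4515 escaping of the value so a login name containing * ( ) or \ is matched literally instead of changing the filter, and runs the query as the service account. The AD host, base DN and bind account are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: try the LDAP filter from the Graylog
# dialog against AD with ldapsearch before saving it, with the same {0}
# substitution Graylog does. Host, base DN and bind account are assumptions.
set -eu

# The filter exactly as entered in Configure LDAP.
GRAYLOG_LDAP_FILTER='(&(&(objectClass=user)(userPrincipalName={0}))(memberof=CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com))'

# RFC 4515 escaping of the value that replaces {0}: backslash first, then
# * ( ) so the escapes themselves are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Put the escaped UPN where {0} is (POSIX prefix/suffix stripping, so no
# second round of sed interpreting the \xx escapes as back-references).
build_filter() {
    esc=$(ldap_escape "$1")
    prefix=${GRAYLOG_LDAP_FILTER%%\{0\}*}
    suffix=${GRAYLOG_LDAP_FILTER#*\{0\}}
    printf '%s%s%s' "$prefix" "$esc" "$suffix"
}

# Assumed connection details. ldaps:// so the ad-auth-user password is not
# sent in clear by the simple bind.
LDAP_URI='ldaps://dc.company.com'
LDAP_BASE='DC=company,DC=com'
BIND_DN='ad-auth-user@company.com'

# Run the query the way Graylog would: bind as the service account, search
# the base DN with the substituted filter. Prompts for the bind password.
check_user() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -W -b "$LDAP_BASE" \
        "$(build_filter "$1")" userPrincipalName memberOf
}

# Show what would be sent for a constructed login name; a real run is
#   check_user 'jdoe@company.com'
echo "filter: $(build_filter 'jdoe@company.com')"
echo "filter with hostile input: $(build_filter '*)(objectClass=*')"
```

Expect exactly one entry for a member of graylog-access and none for anyone else. Note that AD's memberof attribute reflects direct membership only, so a user who is in graylog-access through a nested group will not match this filter; the matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) exists for the transitive case.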
- Save and then create a role called Users. I later gave admin rights to all dashboards to our Users role, reader rights to all streams to our Users role and admin rights to all streams to our Admin role. You still need to be an admin to create a dashboard, but then the users may edit them and add widgets as they wish.
- Back on System → Users, click LDAP groups mapping and map the AD groups to the roles.
We are now done enough to call Graylog installed. You should now add inputs and streams and stuff. Remember to add the new streams and dashboards to the roles you created earlier.
And now my friend, you’ve earned a cold one.