Installing Graylog on CentOS 7

Graylog is a nice log server. The documentation of its installation procedure is not as nice yet. Here is my log of how we installed it at work.

We are going to install Graylog on a single machine with all of its components on the same machine. If you have lots of logs you may need to look into setting up a cluster of machines and tell me how you did it.

As a bonus I also enabled Active Directory authentication and authorization.

  1. Start of with a basic install of CentOS 7. It may be nice to put /var on a separate partition, volume or disk. All of the log data is going to be stored in Elasticsearch which has its datadir in /var/lib/elasticsearch. In this example the server has the hostname log.company.com
  2. I won’t bother with SELinux. Open /etc/selinux/config and set 
    SELINUX=disabled
  3. Disable firewall or deal with it yourself. 
    chkconfig firewalld off
service firewalld stop
  4. Make sure that the firewall is empty 
    iptables -L
  5. We still need iptables to set up some forwarding for us later 
    yum install iptables-services
chkconfig iptables on
  6. Enable EPEL 
    yum install epel-release
  7. Install Java. I used Oracle Java because I am set in my ways. I built my own Java RPM with the help of the nosrc-RPM and instructions on City-Fan.org. You most likely could just use the OpenJDK that is in the CentOS distro. 
    yum install ./java-1.8.0-oracle-headless-1.8.0.60-2.0.cf.x86_64.rpm
  8. Download and install Elasticsearch 
    wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.2.noarch.rpm
yum install ./elasticsearch-1.7.2.noarch.rpm
  9. Elasticsearch has two config files you need to know about.
    /etc/sysconfig/elasticsearch – The JVM parameters is set here
    /etc/elasticsearch/elasticsearch.yml – Main ES config file.Open the main ES config file and set the following parameters

    cluster.name: graylog-production
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
  10. You can now start Elasticsearch 
    chkconfig elasticsearch on
service elasticsearch start
  11. Install MongoDB, enable and start MongoDB 
    yum install mongodb-server
chkconfig mongod on
service mongod start
  12. Time to install Graylog 
    wget https://packages.graylog2.org/repo/el/7/1.2/x86_64/graylog-server-1.2.1-1.noarch.rpm
wget https://packages.graylog2.org/repo/el/7/1.2/x86_64/graylog-web-1.2.1-1.noarch.rpm
yum install ./graylog-{server,web}-1.2.1-1.noarch
  13. You need to generate a secret key and a hash of your chosen admin password. Save these for the next steps. I did this on my workstation where I have the tools for that 
    # First a secret key the graylog-server and graylog-web share
apg -a1 -MNCL -n1 -m64 -x64
echo -n "my-long-and-complicated-admin-password" | sha256sum
  14. Edit /etc/graylog/server/server.conf and set the following parameters 
    password_secret = The first secret you generated above
root_password_sha2 = The second hash generated above
rotation_strategy = time  # Makes most sense for us
# elasticsearch_max_docs_per_index # Comment out this
# Rotate index every day
elasticsearch_max_time_per_index = 1d
# How many days you want to keep
elasticsearch_max_number_of_indices = 14
# What elasticsearch cluster to connect to etc
elasticsearch_cluster_name = graylog-production
elasticsearch_node_name = graylog2-server
elasticsearch_node_master = false
elasticsearch_node_data = false
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
  15. You should now be able to start the graylog server 
    chkconfig graylog-server on
service graylog-server start
  16. Config graylog-web by editing /etc/graylog/web/web.conf and set 
    application.secret="same as password_secret in server.conf"
timezone="Europe/Stockholm" # You set your timezone
  17. And a few steps to enable HTTPS to the webUI. Get a certificate. I got it in PFX format, uploaded it to /tmp/ and imported it into a Java keyring 
    cd /var/lib/graylog-web
mkdir graylog-key
chown graylog-web:graylog-web graylog-key
chmod 0700 graylog-key
cd graylog-key
keytool -importkeystore -deststorepass "goodkeystorepass" \
 -destkeypass "maybethesamepass?" \
 -destkeystore graylog.keystore \
 -srckeystore /tmp/logserver.pfx \
 -srcstoretype PKCS12 \
 -srcstorepass "password_the_pfx_file_has"
chown graylog-web:graylog-web graylog.keystore
chmod 0600 graylog.keystore
  18. Enable HTTPS in graylog-web by editing /etc/sysconfig/graylog-web and set 
    # This is one long line
GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=9443 -Dhttp.port=disabled 
 -Dhttps.keyStore=/var/lib/graylog-web/graylog-key/graylog.keystore
 -Dhttps.keyStorePassword=goodkeystorepass"
  19. As graylog-web is run as a non-privileged user it cannot listen to port 443. IPTables will have to forward the connections to its high port on 9443. The Ethernet interface on my machine is eth0. Adjust rules to your interface names. 
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 \
 -j REDIRECT --to-ports 9443
iptables -t nat -A PREROUTING -i lo0 -p tcp -m tcp --dport 443 \
 -j REDIRECT --to-ports 9443
service iptables save
  20. You may now enable and start graylog-web 
    chkconfig graylog-web on
service graylog-web start
  21. You should now be able to point your browser to https://<address-of-server>/ and log in as admin and the password you later hashed in step 13.
  22. And now the bonus LDAP/Active Directory integration. I will give you reasonable paths and names but you will have to read up on LDAP if you haven’t. You need a AD user that has access to authenticate users and look up users and groups. You will also need three groups that will give users different access to Graylog. Here are what we may call them 
    ad-auth-user
graylog-access : CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com
graylog-admins : CN=graylog-admins,OU=Groups,OU=Data,DC=company,DC=com
graylog-users  : CN=graylog-users,OU=Groups,OU=Data,DC=company,DC=com
  23. In Graylog webUI, navigate to System → Users and click Configure LDAP
  24. Here are a gazillion options. I like to login with UPN so I have it setup this way.
    graylog-ldap
    The long and complicated LDAP query may look something like this

    (&(&(objectClass=user)(userPrincipalName={0}))(memberof=CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com))

    This requires the user to be a member of graylog-access and we look up the user by its UPN.

  25. Save and then create a role called Users. I alter gave admin rights to all dashboards to our Users role, reader rights to all streams to our Users role and admin rights to all streams to our Admin role. You still need to be an admin to create a dashboard but then the users may edit them and add widgets to their wishes.
  26. Back on System → Users you click LDAP groups mapping and map groups to roles.

We are now done enough to call Graylog installed. You should now add inputs and streams and stuff. Remember to add the new streams and dashboards to the roles you created earlier.

And now my friend, you’ve earned a cold one.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s