Installing Graylog on CentOS 7

Graylog is a nice log server. The documentation of its installation procedure is not as nice yet. Here is my log of how we installed it at work.

We are going to install Graylog on a single machine, with all of its components on that same machine. If you have lots of logs you may need to look into setting up a cluster of machines, and then tell me how you did it.

As a bonus I also enabled Active Directory authentication and authorization.

  1. Start off with a basic install of CentOS 7. It may be nice to put /var on a separate partition, volume or disk. All of the log data is going to be stored in Elasticsearch which has its datadir in /var/lib/elasticsearch. In this example the server has the hostname
  2. I won’t bother with SELinux. Open /etc/selinux/config and set
  3. Disable firewall or deal with it yourself.
    chkconfig firewalld off
    service firewalld stop
  4. Make sure that the firewall is empty
    iptables -L
  5. We still need iptables to set up some forwarding for us later
    yum install iptables-services
    chkconfig iptables on
  6. Enable EPEL
    yum install epel-release
  7. Install Java. I used Oracle Java because I am set in my ways. I built my own Java RPM with the help of the nosrc-RPM and instructions on You most likely could just use the OpenJDK that is in the CentOS distro.
    yum install ./
  8. Download and install Elasticsearch
    yum install ./elasticsearch-1.7.2.noarch.rpm
  9. Elasticsearch has two config files you need to know about.
    /etc/sysconfig/elasticsearch – The JVM parameters are set here
    /etc/elasticsearch/elasticsearch.yml – Main ES config file.
    Open the main ES config file and set the following parameters
    graylog-production false [""]
  10. You can now start Elasticsearch
    chkconfig elasticsearch on
    service elasticsearch start
  11. Install MongoDB, enable and start MongoDB
    yum install mongodb-server
    chkconfig mongod on
    service mongod start
  12. Time to install Graylog
    yum install ./graylog-{server,web}-1.2.1-1.noarch
  13. You need to generate a secret key and a hash of your chosen admin password. Save these for the next steps. I did this on my workstation where I have the tools for that
    # First a secret key the graylog-server and graylog-web share
    apg -a1 -MNCL -n1 -m64 -x64
    # Then the SHA-256 hash of your admin password
    echo -n "my-long-and-complicated-admin-password" | sha256sum
  14. Edit /etc/graylog/server/server.conf and set the following parameters
    password_secret = The first secret you generated above
    root_password_sha2 = The second hash generated above
    rotation_strategy = time  # Makes most sense for us
    # elasticsearch_max_docs_per_index # Comment out this
    # Rotate index every day
    elasticsearch_max_time_per_index = 1d
    # How many days you want to keep
    elasticsearch_max_number_of_indices = 14
    # What elasticsearch cluster to connect to etc
    elasticsearch_cluster_name = graylog-production
    elasticsearch_node_name = graylog2-server
    elasticsearch_node_master = false
    elasticsearch_node_data = false
    elasticsearch_discovery_zen_ping_multicast_enabled = false
    elasticsearch_discovery_zen_ping_unicast_hosts =
  15. You should now be able to start the graylog server
    chkconfig graylog-server on
    service graylog-server start
  16. Configure graylog-web by editing /etc/graylog/web/web.conf and setting
    application.secret="same as password_secret in server.conf"
    timezone="Europe/Stockholm" # You set your timezone
  17. And a few steps to enable HTTPS to the webUI. Get a certificate. I got it in PFX format, uploaded it to /tmp/ and imported it into a Java keystore
    cd /var/lib/graylog-web
    mkdir graylog-key
    chown graylog-web:graylog-web graylog-key
    chmod 0700 graylog-key
    cd graylog-key
    keytool -importkeystore -deststorepass "goodkeystorepass" \
     -destkeypass "maybethesamepass?" \
     -destkeystore graylog.keystore \
     -srckeystore /tmp/logserver.pfx \
     -srcstoretype PKCS12 \
     -srcstorepass "password_the_pfx_file_has"
    chown graylog-web:graylog-web graylog.keystore
    chmod 0600 graylog.keystore
  18. Enable HTTPS in graylog-web by editing /etc/sysconfig/graylog-web and set
    # This is one long line
    GRAYLOG_WEB_JAVA_OPTS="-Dhttps.port=9443 -Dhttp.port=disabled 
  19. As graylog-web is run as a non-privileged user it cannot listen on port 443. IPTables will have to forward the connections to its high port on 9443. The Ethernet interface on my machine is eth0. Adjust rules to your interface names.
    iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 \
     -j REDIRECT --to-ports 9443
    # Local connections never pass through nat PREROUTING; redirect them in OUTPUT
    iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 443 \
     -j REDIRECT --to-ports 9443
    service iptables save
  20. You may now enable and start graylog-web
    chkconfig graylog-web on
    service graylog-web start
  21. You should now be able to point your browser to https://<address-of-server>/ and log in as admin with the password you hashed in step 13.
  22. And now the bonus LDAP/Active Directory integration. I will give you reasonable paths and names but you will have to read up on LDAP if you haven’t. You need an AD user that has access to authenticate users and look up users and groups. You will also need three groups that will give users different access to Graylog. Here is what we may call them
    graylog-access : CN=graylog-access,OU=Groups,OU=Data,DC=company,DC=com
    graylog-admins : CN=graylog-admins,OU=Groups,OU=Data,DC=company,DC=com
    graylog-users  : CN=graylog-users,OU=Groups,OU=Data,DC=company,DC=com
  23. In Graylog webUI, navigate to System → Users and click Configure LDAP
  24. There are a gazillion options here. I like to log in with UPN, so I have it set up this way.
    The long and complicated LDAP query may look something like this


    This requires the user to be a member of graylog-access and we look up the user by its UPN.

  25. Save and then create a role called Users. I later gave admin rights to all dashboards to our Users role, reader rights to all streams to our Users role and admin rights to all streams to our Admin role. You still need to be an admin to create a dashboard but then the users may edit them and add widgets as they wish.
  26. Back on System → Users you click LDAP groups mapping and map groups to roles.
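
The values from steps 13, 14 and 16 are easy to get wrong when pasting them by hand, so here is a check for them. This is an added example, not part of the original write-up or of Graylog itself; the function names are made up for illustration, and the 64-character minimum is taken from the apg command in step 13.

```bash
# Added example, not from the original post: sanity-check the values from steps 13-16.

# conf_get FILE KEY: print KEY's value without quotes or a trailing " # comment".
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            sub(/[ \t]+#.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            print v; exit
        }' "$1"
}

# hash_password: read one line from stdin and print its SHA-256 in hex, so the
# password is never typed on a command line that ends up in shell history.
hash_password() {
    IFS= read -r pw_line || [ -n "$pw_line" ] || return 1
    printf '%s' "$pw_line" | sha256sum | cut -d' ' -f1
}

# check_graylog_secrets SERVER_CONF WEB_CONF: return 0 when the values are consistent.
check_graylog_secrets() {
    rc=0
    secret=$(conf_get "$1" password_secret)
    web_secret=$(conf_get "$2" application.secret)
    root_hash=$(conf_get "$1" root_password_sha2)
    if [ "${#secret}" -lt 64 ]; then
        echo "password_secret: shorter than the 64 characters generated in step 13"; rc=1
    fi
    if [ "$secret" != "$web_secret" ]; then
        echo "application.secret in web.conf differs from password_secret"; rc=1
    fi
    if ! printf '%s\n' "$root_hash" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2: not a bare 64-digit hex SHA-256 (pasted ' -'?)"; rc=1
    fi
    return "$rc"
}

# Demo on constructed files (sample values, not real secrets).
d=$(mktemp -d); s=$(printf '%064d' 0 | tr 0 k)
printf 'password_secret = %s\nroot_password_sha2 = %s\n' "$s" \
    "$(printf 'constructed-password\n' | hash_password)" > "$d/server.conf"
printf 'application.secret="%s"  # constructed\n' "$s" > "$d/web.conf"
if check_graylog_secrets "$d/server.conf" "$d/web.conf"; then echo "demo: consistent"; fi
rm -rf "$d"
```

On the server, run check_graylog_secrets /etc/graylog/server/server.conf /etc/graylog/web/web.conf before starting the services in steps 15 and 20.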

We are now done enough to call Graylog installed. You should now add inputs and streams and stuff. Remember to add the new streams and dashboards to the roles you created earlier.

And now my friend, you’ve earned a cold one.
