Saturday, September 23, 2017

Install Graylog on CentOS

After installing the base OS, the first thing to install is Java:
# yum -y install java

# java -version
The output should show the installed Java version.
Next comes Graylog 2.1.0 itself, but it depends on Elasticsearch, so install that first.
Elasticsearch is a core component of Graylog: it stores the messages that Graylog inputs receive and returns them whenever a user searches in the Graylog interface. It works by indexing the stored data.
Import the GPG signing key before installing it:

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Create an Elasticsearch repo file to pull the latest 2.x package from the official repository:
# vi /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Save the file and install Elasticsearch:

# yum install elasticsearch

# systemctl start elasticsearch
# systemctl enable elasticsearch
The second command makes Elasticsearch start automatically on every boot.
To make Elasticsearch work with Graylog, set the cluster name to "graylog". Edit elasticsearch.yml and append the two lines below at the end of the file:
# vi /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog          # set the cluster name
script.disable_dynamic: true   # disable dynamic scripting

Save the file and restart Elasticsearch:
# systemctl restart elasticsearch
Elasticsearch is now installed. Check that it is running normally:

# curl -X GET http://localhost:9200

{
  "name" : "Boobalan",
  "cluster_name" : "graylog",
  "version" : {
    "number" : "2.3.3",
    "build_hash" : "218bdf10790eef486ff2c41a3df5cfa32dadcfde",
    "build_timestamp" : "2016-05-17T15:40:04Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

If you see output like this (cluster_name "graylog"), Elasticsearch is set up correctly.
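The check above is easy to automate before moving on. The following script is an added example, not part of the original post: it reads the JSON that curl prints (the sample embedded below is the response shown above, constructed inline so the script runs offline) and fails unless cluster_name is "graylog", which is the usual reason a new Graylog server cannot find its Elasticsearch cluster. The sed-based extraction is an assumption of this example; Elasticsearch itself offers no such helper.

```shell
#!/bin/sh
# Added example: confirm that the Elasticsearch node Graylog will use is
# named "graylog" before installing the rest of the stack.

# es_cluster_name: print the cluster_name value from the node info JSON
# read on stdin (the output of "curl -s http://localhost:9200").
es_cluster_name() {
    sed -n 's/.*"cluster_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# es_ready_for_graylog: exit status 0 only when the cluster is named
# "graylog", i.e. cluster.name in elasticsearch.yml was set as described.
es_ready_for_graylog() {
    name=$(es_cluster_name)
    [ "$name" = "graylog" ]
}

# Constructed sample: the response shown in the walkthrough, shortened.
SAMPLE_ES_INFO='{
  "name" : "Boobalan",
  "cluster_name" : "graylog",
  "version" : { "number" : "2.3.3" },
  "tagline" : "You Know, for Search"
}'

# Stand-alone usage on the sample; on a real host replace the printf with:
#   curl -s http://localhost:9200 | es_ready_for_graylog
if printf '%s\n' "$SAMPLE_ES_INFO" | es_ready_for_graylog; then
    echo "Elasticsearch cluster name is graylog"
else
    echo "cluster.name in elasticsearch.yml is not graylog" >&2
fi
```

Run it after the restart of Elasticsearch; if it reports a different name, the cluster.name line was not picked up and Graylog will later log that it cannot join the cluster.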
Install MongoDB
Set up the MongoDB repository:
# vi /etc/yum.repos.d/mongodb-org-3.2.repo

[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

SELinux must be configured to allow MongoDB to use its port, 27017 (the video covers this around the middle); here I simply disabled SELinux.

Install MongoDB:

# yum install -y mongodb-org

# systemctl start mongod
# systemctl enable mongod    (start on boot)

Install Graylog

Download the repository RPM for the Graylog version you want:

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.0-repository_latest.rpm

# yum -y install graylog-server

Graylog needs a secret (password_secret) in server.conf; generate one with the command "pwgen -N 1 -s 96".

Edit the server.conf file to begin the Graylog configuration.
# vi /etc/graylog/server/server.conf

# pwgen -N 1 -s 96

NZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0s

If you get an error like "pwgen: command not found", install pwgen with the following command and run pwgen again.

# yum -y install pwgen

Place the secret in server.conf like below:
password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP
Set the hashed password for the root user, i.e. the Graylog admin. You need this password to log in to the Graylog web interface.
If you ever need to change or reset a forgotten admin password, update server.conf with a new hash.
Replace "yourpassword" with a password of your choice:
# echo -n yourpassword | sha256sum

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Place the hash in server.conf:
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
You can also set an email address for the admin user.
root_email = "itzgeek.web@gmail.com"
Set timezone of root (admin) user.
root_timezone = UTC
Graylog tries to find the Elasticsearch nodes automatically using multicast. On larger networks unicast is recommended, and it is the right choice for production.
Add the following entry to server.conf, replacing ipaddress with the IP address of your Elasticsearch node. Multiple hosts can be listed, separated by commas.
elasticsearch_discovery_zen_ping_unicast_hosts = ipaddress:9300
Define exactly one master node with the variable below; the default is true.
If you add a second Graylog node, set it to false on that node to make it a slave. The master node runs periodic tasks that slave nodes do not.
is_master = true
Set the number of log messages to keep per index; several smaller indices are recommended over a few large ones.
elasticsearch_max_docs_per_index = 20000000
The following parameter sets the total number of indices; when this number is reached, the oldest index is deleted.
elasticsearch_max_number_of_indices = 20
The shard count depends on the number of nodes in your Elasticsearch cluster; with a single node, set it to 1.
elasticsearch_shards = 1
This is the number of replicas for your indices; with a single node in the Elasticsearch cluster, set it to 0.
elasticsearch_replicas = 0

Install the Graylog web interface
Since Graylog 2.x the web interface is served directly by the Graylog server, so no separate web interface setup is required.
Enable the web interface by editing the server.conf file.
# vi /etc/graylog/server/server.conf
Modify the entries below so the web interface can connect to the Graylog server (replace your-server-ip with the server's IP address).
rest_listen_uri = http://your-server-ip:12900/
web_listen_uri = http://your-server-ip:9000/
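All of the server.conf edits from password_secret through the two listen URIs are key = value lines, and editing them by hand is error-prone on a second node. The script below is an added example, not part of the original post or of Graylog itself: it applies every setting from this walkthrough idempotently (rewriting an existing or commented-out key rather than appending a duplicate), computes root_password_sha2 the same way as the echo -n | sha256sum step, and falls back to /dev/urandom for password_secret where pwgen is missing. The config path is passed as an argument so the functions can be tried on a copy; the real file is /etc/graylog/server/server.conf. The IP addresses in the demo are documentation-range placeholders, and the availability of sha256sum, sed -E and mktemp is assumed (true on CentOS 7).

```shell
#!/bin/sh
# Added example, not from the original post: apply the server.conf settings
# described above in one idempotent pass. Assumptions: the config path is
# passed in so the functions can be exercised on a copy (the real file is
# /etc/graylog/server/server.conf), and sha256sum, sed -E and mktemp exist
# as they do on CentOS 7.

# set_conf_key FILE KEY VALUE: rewrite an existing "key = value" line, even a
# commented-out one, or append it, so re-running never leaves duplicate keys.
# Values must not contain "|" or "&" (sed delimiter and back-reference).
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -qE "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# sha256_hex STRING: the root_password_sha2 value. printf '%s' (like echo -n)
# hashes the password without a trailing newline, which is what Graylog
# compares against at login.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# random_secret LENGTH: a password_secret from /dev/urandom for hosts where
# pwgen is not installed (same alphabet as pwgen -s).
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# configure_graylog CONF ADMIN_PASSWORD SERVER_IP ES_IP: every setting from
# the walkthrough above, for a single-node Elasticsearch cluster.
configure_graylog() {
    conf=$1; admin_pw=$2; server_ip=$3; es_ip=$4
    set_conf_key "$conf" password_secret "$(random_secret 96)"
    set_conf_key "$conf" root_password_sha2 "$(sha256_hex "$admin_pw")"
    set_conf_key "$conf" root_timezone UTC
    set_conf_key "$conf" is_master true
    set_conf_key "$conf" elasticsearch_discovery_zen_ping_unicast_hosts "${es_ip}:9300"
    set_conf_key "$conf" elasticsearch_max_docs_per_index 20000000
    set_conf_key "$conf" elasticsearch_max_number_of_indices 20
    set_conf_key "$conf" elasticsearch_shards 1
    set_conf_key "$conf" elasticsearch_replicas 0
    set_conf_key "$conf" rest_listen_uri "http://${server_ip}:12900/"
    set_conf_key "$conf" web_listen_uri "http://${server_ip}:9000/"
}

# Stand-alone demo on a constructed copy holding a few stock-file lines.
# Addresses are documentation-range placeholders, not real hosts.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
is_master = true
password_secret =
#root_timezone = UTC
elasticsearch_shards = 4
EOF
configure_graylog "$DEMO_CONF" 'yourpassword' 192.0.2.10 192.0.2.10
grep -E '^(root_password_sha2|root_timezone|elasticsearch_shards) ' "$DEMO_CONF"
```

On a real host, run configure_graylog against /etc/graylog/server/server.conf as root and then restart graylog-server as in the next step; because every key is rewritten in place, the script can be re-run after a package upgrade without leaving stale duplicates behind.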
Restart Graylog service.
# systemctl daemon-reload
# systemctl restart graylog-server
Make the Graylog server start automatically at boot:
# systemctl enable graylog-server
You can follow the server startup log; it is useful for troubleshooting Graylog:
# tail -f /var/log/graylog-server/server.log
If everything goes well, you should see the message below in server.log.
2016-07-01T08:21:41.538Z INFO  [ServerBootstrap] Graylog server up and running.
Configure the firewall
In CentOS 7 / RHEL 7 the default firewall rules block most traffic coming from external machines. You need to add rules for Graylog to work properly.
### To access the Graylog web interface from an external machine

# firewall-cmd --permanent --zone=public --add-port=9000/tcp

### To allow the Graylog web interface to connect to the Graylog server

# firewall-cmd --permanent --zone=public --add-port=12900/tcp

### Optional: if you have configured an input to receive logs on port 1514

# firewall-cmd --permanent --zone=public --add-port=1514/tcp
Reload firewalld so the new rules take effect.
# firewall-cmd --reload
Finally, open the Graylog web interface in a browser (replace ipaddr with your server's IP address):
http://ipaddr:9000
Log in with username "admin" and the password whose hash you configured as root_password_sha2 in server.conf.

