Tested On
OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Hardware: VirtualBox 4.2.10 (virtual machine)
About
Graylog2 is open source software for collecting and managing your logs and getting the most out of them.
In this guide I will show how to install the Graylog2 server together with ElasticSearch and MongoDB on the same server.
Prerequisite
- Install dependency packages
yum install make wget java-1.7.0-openjdk openssl-devel libyaml-devel httpd git ImageMagick ImageMagick-devel libxml2-devel libxslt-devel gcc-c++ curl-devel httpd-devel apr-devel apr-util-devel -y
- Download and install Ruby
mkdir /usr/local/src/graylog2
cd /usr/local/src/graylog2
wget https://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.2-p320.tar.gz
tar xzf ruby-1*
cd ruby-1*
./configure && make && make install
cd ext/openssl/
ruby extconf.rb
make && make install
- Install required gems
gem install passenger bundler --no-rdoc --no-ri
- Download and extract ElasticSearch
cd /usr/local/src/graylog2
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.20.4.tar.gz -O elasticsearch.tar.gz
tar zxf elasticsearch.tar.gz
rm -f elasticsearch.tar.gz
mv elasticsearch-* /opt/elasticsearch
wget https://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master -O elasticsearch-servicewrapper.tar.gz
tar zxf elasticsearch-servicewrapper.tar.gz
rm -f elasticsearch-servicewrapper.tar.gz
mv *servicewrapper*/service /opt/elasticsearch/bin/
/opt/elasticsearch/bin/service/elasticsearch install
- Configure ElasticSearch: set the cluster name (graylog2-server joins this cluster, so the same name must appear in its /etc/graylog2-elasticsearch.yml later on). ElasticSearch 0.20 has no authentication and listens on ports 9200 and 9300 on all interfaces, so if this host is reachable from untrusted networks, restrict those ports with the host firewall.
vi /opt/elasticsearch/config/elasticsearch.yml
cluster.name: graylog2
- Start ElasticSearch
service elasticsearch start
- Install MongoDB, configure it to start at boot and start MongoDB
rpm -ihv https://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install mongodb mongodb-server -y
chkconfig mongod on
service mongod start
- Configure MongoDB users (change user and password to your own requirements)
mongo
> use admin
> db.addUser('admin', 'humus234')
> db.auth('admin', 'humus234')
> use graylog2
> db.addUser('graylog', 'graylog')
> db.auth('graylog', 'graylog')
> exit
Creating users does not by itself enforce authentication: mongod only checks credentials when auth = true is set in /etc/mongodb.conf. Add that line after creating the users and restart mongod (service mongod restart). Also make sure bind_ip = 127.0.0.1 is set in the same file, so the database is reachable only from this host, which is all the single-server setup needs.
Install Graylog2
- Download and extract graylog2-server
cd /usr/local/src/graylog2
wget https://download.graylog2.org/graylog2-server/graylog2-server-0.11.0.tar.gz -O graylog2-server.tar.gz
tar zxf graylog2-server.tar.gz
rm -f graylog2-server.tar.gz
mv graylog2-server-* /opt/graylog2-server
cd /opt/graylog2-server
- Configure Graylog2 Server
cp elasticsearch.yml.example /etc/graylog2-elasticsearch.yml
cp graylog2.conf.example /etc/graylog2.conf
vi /etc/graylog2.conf
Set the MongoDB user and password to the ones you created above, and make sure mongodb_useauth in the same file is set to true, otherwise the credentials are never sent:
...
mongodb_user = graylog
mongodb_password = graylog
...
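As an added check (example code written for this article, not part of Graylog2 or MongoDB), the following bash script audits /etc/graylog2.conf and /etc/mongodb.conf for the settings that the MongoDB user step and the graylog2.conf step above leave in a weak state: authentication not switched on, a placeholder password, and mongod reachable from other hosts. It assumes the key names mongodb_useauth, mongodb_user and mongodb_password from graylog2.conf.example and the mongod options auth and bind_ip. The sample files it writes are constructed for the demonstration and show the weak form next to the corrected one.

```shell
#!/bin/bash
# Added example for this guide (not part of Graylog2 or MongoDB): audit the two
# config files the MongoDB steps touch for settings that leave the database
# unauthenticated or exposed. Keys checked: mongodb_useauth, mongodb_user and
# mongodb_password in /etc/graylog2.conf; auth and bind_ip in /etc/mongodb.conf.

# conf_get FILE KEY: print the value of the first "KEY = value" line, ignoring
# commented-out lines and surrounding whitespace. Prints nothing if absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# audit_graylog2_conf FILE: one finding per line on stdout, exit 0 when clean.
audit_graylog2_conf() {
    local findings=0
    local useauth user pass
    useauth=$(conf_get "$1" mongodb_useauth)
    user=$(conf_get "$1" mongodb_user)
    pass=$(conf_get "$1" mongodb_password)
    if [ "$useauth" != "true" ]; then
        echo "graylog2.conf: mongodb_useauth is '${useauth:-unset}'; the server connects without credentials"
        findings=$((findings + 1))
    fi
    # Placeholder passwords: the one in graylog2.conf.example (123), the one used
    # in this guide (graylog), an empty value, or a password equal to the user name.
    case "$pass" in
        ""|123|graylog|"$user")
            echo "graylog2.conf: mongodb_password is a placeholder value; set a real one"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# audit_mongodb_conf FILE: exit 0 when mongod enforces auth and is loopback-only.
audit_mongodb_conf() {
    local findings=0
    if [ "$(conf_get "$1" auth)" != "true" ]; then
        echo "mongodb.conf: auth is not 'true'; users created with db.addUser() are never checked"
        findings=$((findings + 1))
    fi
    if [ "$(conf_get "$1" bind_ip)" != "127.0.0.1" ]; then
        echo "mongodb.conf: bind_ip is not 127.0.0.1; mongod accepts connections from other hosts"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files for the demonstration (not copied from a real host).
# "weak" is what the guide's steps leave behind; "fixed" is the corrected form.
write_samples() {   # write_samples DIR
    printf '%s\n' 'mongodb_useauth = false' 'mongodb_user = graylog' \
        'mongodb_password = graylog' 'mongodb_host = 127.0.0.1' > "$1/graylog2-weak.conf"
    printf '%s\n' 'mongodb_useauth = true' 'mongodb_user = graylog' \
        'mongodb_password = Xm4vQ9hLp2zT' 'mongodb_host = 127.0.0.1' > "$1/graylog2-fixed.conf"
    printf '%s\n' 'dbpath=/var/lib/mongodb' '#auth = true' > "$1/mongodb-weak.conf"
    printf '%s\n' 'dbpath=/var/lib/mongodb' 'auth = true' 'bind_ip = 127.0.0.1' > "$1/mongodb-fixed.conf"
}

# Demonstration: audit the four constructed samples and report.
dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir"/*.conf; do
    case "$f" in
        *graylog2-*) audit_graylog2_conf "$f" && echo "$(basename "$f"): ok" ;;
        *)           audit_mongodb_conf  "$f" && echo "$(basename "$f"): ok" ;;
    esac
done
rm -rf "$dir"
```

To audit a real host, call audit_graylog2_conf /etc/graylog2.conf and audit_mongodb_conf /etc/mongodb.conf instead of the sample files; a non-zero exit status means at least one finding was printed. The password list in the case statement is deliberately short; extend it with whatever placeholders your own templates use.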
- Create Graylog2 Server start script
vi /etc/init.d/graylog2-server
#!/bin/bash
#
# graylog2-server: graylog2 message collector
#
# chkconfig: - 98 02
# description: This daemon starts graylog2-server
#
# Source function library.
. /etc/rc.d/init.d/functions

CMD=$1
NOHUP=`which nohup`
STOP_TIMEOUT=30
BINARY=java
PROG=graylog2-server
HOME_DIR=/opt/graylog2-server
LOG_FILE=${HOME_DIR}/log/${PROG}.log
JAR_FILE=graylog2-server.jar
# Optional file for extra environment settings; sourced only if it exists.
GRAYLOG2_CONFIG_SH=${HOME_DIR}/bin/graylog2_config.sh
CONF_FILE=/etc/graylog2.conf
PID_FILE=/var/run/graylog2.pid

[ -f ${GRAYLOG2_CONFIG_SH} ] && . ${GRAYLOG2_CONFIG_SH}

start() {
    graylog2_status > /dev/null 2>&1
    # "status" returns 3 when the program is not running
    if [ ${RETVAL} -eq 3 ]
    then
        echo "Starting ${PROG} ..."
        cd ${HOME_DIR}
        mkdir -p ${HOME_DIR}/log
        # graylog2-server reads its config from -f and writes its own pid file to -p;
        # stdout and stderr both go to the log file
        ${NOHUP} ${BINARY} -jar ${JAR_FILE} -f ${CONF_FILE} -p ${PID_FILE} >> ${LOG_FILE} 2>&1 &
        RETVAL=0
    else
        echo "${PROG} is already running"
    fi
}

stop() {
    echo -n $"Stopping ${PROG}: "
    killproc -p ${PID_FILE} -d ${STOP_TIMEOUT} ${PROG}
    RETVAL=$?
    echo
    [ ${RETVAL} = 0 ] && rm -f ${PID_FILE}
}

graylog2_status() {
    status -p ${PID_FILE} ${PROG}
    RETVAL=$?
}

restart() {
    echo "Restarting ${PROG} ..."
    stop
    start
}

case "${CMD}" in
    start)   start ;;
    stop)    stop ;;
    restart) restart ;;
    status)  graylog2_status ;;
    *)
        echo "Usage $0 {start|stop|restart|status}"
        RETVAL=1
esac

exit ${RETVAL}
- Configure Graylog2 Server to start at boot and start it
chmod +x /etc/init.d/graylog2-server
chkconfig --add graylog2-server
chkconfig graylog2-server on
service graylog2-server start
- Download and extract Graylog2-Web-Interface
cd /usr/local/src/graylog2
wget https://download.graylog2.org/graylog2-web-interface/graylog2-web-interface-0.11.0.tar.gz -O graylog2-web-interface.tar.gz
tar zxf graylog2-web-interface.tar.gz
rm -f graylog2-web-interface.tar.gz
mv graylog2-web-interface-* /var/www/graylog2-web-interface
chown -R apache:apache /var/www/graylog2-web-interface
- Install graylog2-web-interface dependencies
cd /var/www/graylog2-web-interface
bundle install --without=development
- Install the Passenger module for Apache
cd /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/bin
./passenger-install-apache2-module
- Configure and restart apache
vi /etc/httpd/conf/httpd.conf
...
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
    ServerAdmin admin@humus234.local
    ServerName graylog2.humus234.local
    DocumentRoot /var/www/graylog2-web-interface/public
    <Directory "/var/www/graylog2-web-interface/public">
        AllowOverride all
        Order deny,allow
        Allow from all
        Options -MultiViews
    </Directory>
</VirtualHost>
- Configure Apache to run at boot and start it
chkconfig httpd on
service httpd start
- Configure the DNS name graylog2.humus234.local to resolve to the IP address of the graylog2 server (DNS or hosts file)
- Browse to http://graylog2.humus234.local and create the first user. The virtual host above serves plain HTTP, so logins cross the network unencrypted; keep the interface on a trusted network or put TLS in front of it before exposing it. The account created on this first visit is the administrator, so do it right after starting Apache, before anyone else can reach the host.
That’s all. Now configure your servers to send logs to the graylog2 server, and you can use your new Graylog2 system to analyze log data.
Here are a couple of guides on sending logs to graylog2:
If you want to build a graylog2 server that handles high traffic, you can use graylog2-radio with RabbitMQ. You can start with the following guide: Graylog2-Radio Installation
More guides in Graylog2 Category.
Please visit https://www.graylog2.org for more information about Graylog2 configuration and usage.