How to install Graylog Log Server in CentOS 7 Linux

In this tutorial, you will learn how to install Graylog Server on CentOS 7. Graylog is a leading centralized log management solution built for fast, interactive analysis of log data from all of your servers. For more information, refer to the Graylog website.

1- Install JAVA

If you don’t have a Java Runtime Environment (JRE) already, you’ll have to install it first.

Any JRE should work, as long as it’s version 1.7 or later. Typically, you install the one from Oracle (www.java.com/en/download/index.jsp) or the open-source implementation, OpenJDK (http://download.java.net/openjdk/).

Install Java 8 (Oracle Java is recommended):
Download .rpm file from http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html.

#yum -y install /download_path/jdk-8u-linux-x64.rpm

Verify the Java version:

#java -version

Set JAVA_HOME and JRE_HOME environment variables:

#echo "export JAVA_HOME=/usr/java/jdk1.8.0_/" >> ~/.bash_profile
#echo "export JRE_HOME=/usr/java/jdk1.8.0_/jre" >> ~/.bash_profile
#source ~/.bash_profile

2- Install Elasticsearch

Download .rpm file from https://www.elastic.co/downloads/past-releases. Download 5.6.x version (Elasticsearch 6.x.x is not compatible with Graylog 2.3.x).

#yum install -y /download_path/elasticsearch-5.6.4.rpm

Open the Elasticsearch default configuration file:

#vim /etc/elasticsearch/elasticsearch.yml

Find the line cluster.name: my-application, uncomment it and change the value from my-application to graylog:
cluster.name: graylog

Add ES_HEAP_SIZE to /etc/sysconfig/elasticsearch like this:

ES_HEAP_SIZE=

Add the following to /etc/security/limits.conf:

elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited

Start Elasticsearch and enable it:

#systemctl enable elasticsearch
#systemctl start elasticsearch

Verify that Elasticsearch is working properly by running:

#curl -XGET 'localhost:9200/?pretty'

You should see output similar to the following:

{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "cluster_uuid" : "tV_f28DQQpeq1qW5HaCC9g",
  "version" : {
    "number" : "5.6.4",
    "build_hash" : "8bbedf5",
    "build_date" : "2017-10-31T18:55:38.105Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.1"
  },
  "tagline" : "You Know, for Search"
}

Open TCP port 9200 on the firewall.
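The two requirements from this step (cluster name graylog, an Elasticsearch 5.x node rather than 6.x) can be checked from a script against the reply shown above. This is an added example, not part of the tutorial; json_field and es_compatible are names chosen here, the 5.6.4 sample is the reply above and the 6.x sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check that the node answering on
# localhost:9200 is what Graylog 2.3 expects (cluster.name graylog,
# Elasticsearch 5.x; 6.x is not compatible). Uses only sh, tr and sed.

json_field() {  # json_field KEY JSON: value of the first "KEY" : "string" pair
  printf '%s' "$2" | tr -d '\n' |
    sed -nE "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"([^\"]*)\".*/\1/p"
}

es_compatible() {  # es_compatible JSON: returns 0 when cluster name and major version match
  cluster=$(json_field cluster_name "$1")
  version=$(json_field number "$1")
  major=${version%%.*}
  if [ "$cluster" != graylog ]; then
    echo "cluster_name is '$cluster', expected graylog (check elasticsearch.yml)" >&2
    return 1
  fi
  if [ "$major" != 5 ]; then
    echo "Elasticsearch $version found; this setup expects 5.x (6.x is not supported by Graylog 2.3)" >&2
    return 1
  fi
  echo "Elasticsearch $version, cluster $cluster: OK"
}

# Constructed samples: the first mirrors the 5.6.4 reply shown above, the second a 6.x node.
SAMPLE_ES5='{ "name" : "node-1", "cluster_name" : "graylog", "version" : { "number" : "5.6.4", "lucene_version" : "6.6.1" }, "tagline" : "You Know, for Search" }'
SAMPLE_ES6='{ "name" : "node-1", "cluster_name" : "graylog", "version" : { "number" : "6.2.1" } }'

if [ "${1:-}" = "--live" ]; then
  es_compatible "$(curl -s 'localhost:9200/?pretty')"   # query the real node
else
  es_compatible "$SAMPLE_ES5"                           # self-check on the sample
fi
```

Run it with --live on the Graylog host after Elasticsearch is up; without arguments it only checks the embedded sample.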

3- Install MongoDB

Download the following .rpm files from https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/RPMS/:

mongodb-org
mongodb-org-mongos
mongodb-org-server
mongodb-org-shell
mongodb-org-tools

Install MongoDB:

#yum install -y /download_path/mongodb-org-mongos
#yum install -y /download_path/mongodb-org-server
#yum install -y /download_path/mongodb-org-shell
#yum install -y /download_path/mongodb-org-tools
#yum install -y /download_path/mongodb-org

Start MongoDB server and enable it:

#systemctl start mongod
#systemctl enable mongod

4- Install Graylog Server

Download the latest repository for Graylog server:

#rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
#yum -y update

Install Graylog by running:

#yum -y install graylog-server

5- Configure Graylog

Install pwgen utility to generate strong passwords:

#yum -y install pwgen

Now generate a strong password secret:

#pwgen -N 1 -s 96

You will see output similar to:

#pwgen -N 1 -s 96
pJqhNbdEY9FtNBfFUtq20lG2m9daacmsZQr59FhyoA0Wu3XQyVZcu5FedPZ9eCiDfjdiYWfRcEQ7a36bVqxSyTzcMMx5Rz8v

Also, generate a SHA-256 hash of the root admin user's password:

echo -n StrongPassword | sha256sum

Replace StrongPassword with the password you wish to set for the admin user. You will see:

#echo -n StrongPassword | sha256sum
05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223 -

Open the Graylog configuration file:

#vim /etc/graylog/server/server.conf

Find password_secret = and paste the secret generated by the pwgen command:

password_secret = pJqhNbdEY9FtNBfFUtq20lG2m9daacmsZQr59FhyoA0Wu3XQyVZcu5FedPZ9eCiDfjdiYWfRcEQ7a36bVqxSyTzcMMx5Rz8v

Find root_password_sha2 = and paste the SHA-256 hash of your admin password:

root_password_sha2 = 05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223

Set the timezone to your location:

timedatectl set-timezone `timedatectl list-timezones | grep Zagreb`

Uncomment and set your time zone at root_timezone:

root_timezone = Europe/Zagreb

Enable the web-based Graylog interface by uncommenting

web_enable = false

and setting the value to true:

web_enable = true

Also uncomment and change the following lines as specified:

rest_listen_uri = http://0.0.0.0:9000/api/
rest_transport_uri = http://your_public_IP:9000/api/
web_listen_uri = http://0.0.0.0:9000/

Restart the Graylog service by running:

#systemctl restart graylog-server
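The secret and hash from the steps above can be written into server.conf by a script instead of being pasted by hand. This is an added example, not part of the tutorial or of Graylog itself; GRAYLOG_CONF, set_conf, get_conf and configure_secrets are names chosen here, and the 64-character floor on the secret is an assumption sized to the tutorial's 96-character pwgen call.

```shell
#!/bin/sh
# Added example, not part of the tutorial: write password_secret and
# root_password_sha2 into server.conf instead of pasting them by hand.
# Assumes pwgen, sha256sum and sed as found on CentOS 7; path from the tutorial.
CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

sha256_of() {  # sha256_of STRING: hex digest, same as `echo -n STRING | sha256sum`
  printf '%s' "$1" | sha256sum | awk '{print $1}'
}

set_conf() {   # set_conf KEY VALUE FILE: rewrite the key's line, even if it is commented out
  key=$1 value=$2 file=$3 tmp="$3.tmp.$$"   # values here are alphanumeric, safe for sed
  if grep -Eq "^#?[[:space:]]*$key[[:space:]]*=" "$file"; then
    sed -E "s|^#?[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner and mode
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

get_conf() {   # get_conf KEY FILE: current uncommented value of KEY
  sed -nE "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

configure_secrets() {  # configure_secrets FILE ADMIN_PASSWORD
  secret=$(pwgen -N 1 -s 96)
  # Assumed floor: refuse a secret shorter than 64 characters (pwgen above yields 96).
  [ "${#secret}" -ge 64 ] || { echo "password_secret too short" >&2; return 1; }
  set_conf password_secret "$secret" "$1"
  set_conf root_password_sha2 "$(sha256_of "$2")" "$1"
}

if [ "${1:-}" = "--apply" ]; then
  printf 'Graylog admin password: ' >&2
  stty -echo; read -r pw; stty echo; echo >&2   # read without echoing to the terminal
  configure_secrets "$CONF" "$pw" && echo "updated $CONF"
fi
```

Run it as root with --apply, then restart graylog-server as in the step above; the password never appears in shell history or on screen.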

6- Configure NGINX as a Reverse Proxy

By default, the Graylog web interface listens to localhost on port 9000 and the API listens on port 9000 with URL /api.

In this tutorial, we will use Nginx as the reverse proxy so that the application can be accessed via the standard HTTP port.

Install the Nginx web server from source with the stream module, following these docs:

https://www.nginx.com/resources/admin-guide/installing-nginx-open-source/

https://www.nginx.com/resources/wiki/start/topics/examples/systemd/

Open the default virtual host:

#vim /etc/nginx/nginx.conf

Find the server block under http, and replace the whole server block with the following lines:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name <log.afranet.com|your_url> ;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/api;
        proxy_pass http://127.0.0.1:9000;
    }
}

Start Nginx and enable it to start automatically at boot time:

#systemctl start nginx
#systemctl enable nginx

7- Configure firewall and SELinux

We recommend installing CSF as the firewall; refer to How to install CSF on CentOS 7 Linux.

Then open ports 80, 443 and 9200.

If you have SELinux enabled on your system, then you will need to add a few exceptions in SELinux policies.

#setsebool -P httpd_can_network_connect 1
#semanage port -a -t http_port_t -p tcp 9000
#semanage port -a -t http_port_t -p tcp 9200
#semanage port -a -t mongod_port_t -p tcp 27017

You can now access the Graylog server at http://your_public_ip or http://graylog.example.com.