Setting up a multi-tiered log infrastructure Part 6 -- Graylog Setup

  1. Setting up a multi-tiered log infrastructure Part 1 -- Getting Started
  2. Setting up a multi-tiered log infrastructure Part 2 -- System Overview
  3. Setting up a multi-tiered log infrastructure Part 3 -- System Build
  4. Setting up a multi-tiered log infrastructure Part 4 -- Elasticsearch Setup
  5. Setting up a multi-tiered log infrastructure Part 5 -- MongoDB Setup
  6. Setting up a multi-tiered log infrastructure Part 6 -- Graylog Setup
  7. Setting up a multi-tiered log infrastructure Part 7 -- Graylog WebUI Setup
  8. Setting up a multi-tiered log infrastructure Part 8 -- Rsyslog Setup
  9. Setting up a multi-tiered log infrastructure Part 9 -- Rsyslog HA Setup
  10. Setting up a multi-tiered log infrastructure Part 10 -- HA Cluster Setup
  11. Setting up a multi-tiered log infrastructure Part 11 -- Cluster Tuning

Additional setup for master node

Setup graylog-server on master node

Install instructions from

Setup Note: This deployment is not using a prebuilt rpm package, many of the next steps will be moving files, creating directories, creating additional files, and setting up the proper permissions on the linux command line. An rpm package is available but because when this guide for first written, the RPM only had support for openjdk v1.7.0, I choose to go this route.

Manual install steps

Change to root’s home directory

cd /root

Download the latest version of graylog


Extract the tar archive, which should result in a folder at the following path /root/graylog-2.2.2

tar -xvf graylog-2.2.2.tgz

Create directory /etc/graylog/server

mkdir -p /etc/graylog/server

Move the example config to /etc/graylog/server/

mv /root/graylog-2.2.2/graylog.conf.example /etc/graylog/server/server.conf

Setup a user and group for the graylog-server user

groupadd -r graylog
useradd -r -c "Graylog server" -s /sbin/nologin -g graylog -m -d /var/lib/graylog-server graylog

Create an application log directory at /var/log/graylog/server and set ownership

mkdir -p /var/log/graylog/server
chown graylog:graylog /var/log/graylog/server

Create a journal directory at /var/lib/graylog-server/journal and set ownership (you can put this on a different disk too)

mkdir -p /var/lib/graylog-server/journal
chown graylog:graylog /var/lib/graylog-server/journal

Move the extracted directory to /opt and set correct ownership

mv /root/graylog-2.2.2 /opt/graylog-server
chown -R graylog:graylog /opt/graylog-server

Create empty files that will contain configuration settings (see Setup Note for link to contents)

touch /etc/graylog/server/log4j2.xml
touch /etc/graylog/server/node-id
touch /etc/sysconfig/graylog-server
touch /opt/graylog-server/bin/graylog-server
touch /usr/lib/systemd/system/graylog-server.service

Set modes on the empty files

chmod 644 /etc/graylog/server/log4j2.xml
chmod 644 /etc/graylog/server/node-id
chmod 644 /etc/init.d/graylog-server
chmod 755 /opt/graylog-server/bin/graylog-server
chmod 644 /usr/lib/systemd/system/graylog-server.service

Set ownership on the empty files

chown root:root /etc/graylog/server/log4j2.xml
chown graylog:graylog /etc/graylog/server/node-id
chown root:root /etc/init.d/graylog-server
chown root:root /opt/graylog-server/bin/graylog-server
chown root:root /usr/lib/systemd/system/graylog-server.service

Remove the control script that comes with the tarball and the log dir

rm /opt/graylog-server/bin/graylogctl
rm -r /opt/graylog-server/log

Setup Note: Remember to copy the appropriate content into the proper files if doing a manual install.

Path: /etc/sysconfig/graylog-server graylog-server systemconfig

Path: /usr/lib/systemd/system/graylog-server.service graylog-server.service

Path: /opt/graylog-server/bin/graylog-server graylog-server control

Path: /etc/graylog/server/log4j2.xml log4j2.xml

Update the Graylog configuration file

Setup Note: If you read the config file, there is mention of a program named pwgen. Since this setup is based off a CentOS minimal install, guess what isn’t there? If you want to use the pwgen program, it can be found in the epel repos.

Setup EPEL repo and install pwgen

yum install epel-release.noarch
yum install pwgen

Edit the graylog server config

vi /etc/graylog/server/server.conf

Change the setting for node_id_file

set node_id_file = /etc/graylog/server/node-id

Change the setting for password_secret

set password_secret = random string > 64 characters or output of pwgen -N 1 -s 96

sed -i.bak “s/.*password_secret =.*/password_secret = `pwgen -N 1 -s 96`/g” /etc/graylog/server/server.conf

Change the setting for root_password_sha2

set root_password_sha2 = echo -n Pa$$w0rd | sha256sum | awk ‘{print $1}’

sed -i.bak “s/.*root_password_sha2 =.*/root_password_sha2 = `echo -n Pa$$w0rd | sha256sum | awk ‘{print $1}’`/g” /etc/graylog/server/server.conf

Change the setting for root_timezone

Set root_timezone=”whatever your timezone is”

Change setting for plugin_dir

set plugin_dir = /opt/graylog-server/plugin

Change setting for elasticsearch_config_file

set elasticsearch_config_file = /etc/elasticsearch/elasticsearch.yml

Change setting for elasticsearch_replicas

set elasticsearch_replicas = 1

Change setting for elasticsearch_cluster_name

set elasticsearch_cluster_name = same as previously setup graylog

Setup Note: the default configuration is setup for multicast. If you would like to disable multicast make the next two changes.

Change the setting for

uncomment false

Change the setting for

set [“node-master- hostname”] this should be set to the name of the node that will function as the master node.

Verify the setting for elasticsearch_node_master and elasticsearch_node_data

elasticsearch_node_master = false

elasticsearch_node_data = false

Change setting for message_journal_dir

set message_journal_dir = /var/lib/graylog-server/journal

Change setting for mongodb_uri (with auth enabled)

set mongodb_uri = mongodb://gluser:Pa$$word@localhost:27017/graylog

Change setting for content_packs_dir

set content_packs_dir = /opt/graylog-server/data/contentpacks

Configure firewalld rules

Now that the config file is edited, let’s make some firewall rule changes. If for some reason you aren’t using a firewall then you can skip this.

Configure a default zone with firewalld (The default zone is assumed to already be set as “Internal”)

Create a new service file for our our graylog node

vi /etc/firewalld/services/gl-transport.xml

Use this as the contents for gl-transport.xml

<?xml version="1.0" encoding="utf-8"?>
    <description>transport for graylog internal elasticsearch nodes.</description>
    <port protocol="tcp" port="9350"/>

Permanently create an selinux context label

semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/gl-transport.xml

Apply the new selinux label

restorecon -vF /etc/firewalld/services/gl-transport.xml

Add rich rules to allow connections from other nodes. (this should be the list of all elasticsearch nodes that need to talk with each other)

firewall-cmd --zone=internal --add-rich-rule="rule family="ipv4" source address="" service name="gl-transport" accept" --permanent

Reload the current firewall config

firewall-cmd --reload

Check the interface and verify the services

firewall-cmd --zone=internal --list-services

Verify the config

Set graylog to start on boot

systemctl enable graylog-server.service

Start graylog

systemctl start graylog-server.service

You must be logged in to post a comment.

Proudly powered by WordPress   Premium Style Theme by