Additional setup for master node
Setup graylog-server on master node
Install instructions from http://docs.graylog.org/en/2.2/pages/installation.html
Setup Note: This deployment does not use a prebuilt rpm package, so many of the next steps involve moving files, creating directories, creating additional files, and setting the proper permissions on the Linux command line. An rpm package is available, but when this guide was first written the RPM only supported openjdk v1.7.0, so I chose to go this route.
Manual install steps
Change to root’s home directory
cd /root
Download the latest version of graylog
wget https://packages.graylog2.org/releases/graylog/graylog-2.2.2.tgz
Extract the tar archive, which should result in a folder at /root/graylog-2.2.2
tar -xvf graylog-2.2.2.tgz
Create directory /etc/graylog/server
mkdir -p /etc/graylog/server
Move the example config to /etc/graylog/server/
mv /root/graylog-2.2.2/graylog.conf.example /etc/graylog/server/server.conf
Set up a user and group for graylog-server
groupadd -r graylog
useradd -r -c "Graylog server" -s /sbin/nologin -g graylog -m -d /var/lib/graylog-server graylog
Create an application log directory at /var/log/graylog/server and set ownership
mkdir -p /var/log/graylog/server
chown graylog:graylog /var/log/graylog/server
Create a journal directory at /var/lib/graylog-server/journal and set ownership (you can put this on a different disk too)
mkdir -p /var/lib/graylog-server/journal
chown graylog:graylog /var/lib/graylog-server/journal
Move the extracted directory to /opt and set correct ownership
mv /root/graylog-2.2.2 /opt/graylog-server
chown -R graylog:graylog /opt/graylog-server
Create empty files that will contain configuration settings (see Setup Note for link to contents)
touch /etc/graylog/server/log4j2.xml
touch /etc/graylog/server/node-id
touch /etc/sysconfig/graylog-server
touch /opt/graylog-server/bin/graylog-server
touch /usr/lib/systemd/system/graylog-server.service
Set modes on the empty files
chmod 644 /etc/graylog/server/log4j2.xml
chmod 644 /etc/graylog/server/node-id
chmod 644 /etc/sysconfig/graylog-server
chmod 755 /opt/graylog-server/bin/graylog-server
chmod 644 /usr/lib/systemd/system/graylog-server.service
Set ownership on the empty files
chown root:root /etc/graylog/server/log4j2.xml
chown graylog:graylog /etc/graylog/server/node-id
chown root:root /etc/sysconfig/graylog-server
chown root:root /opt/graylog-server/bin/graylog-server
chown root:root /usr/lib/systemd/system/graylog-server.service
Remove the control script that comes with the tarball and the log dir
rm /opt/graylog-server/bin/graylogctl
rm -r /opt/graylog-server/log
Setup Note: Remember to copy the appropriate content into the proper files if doing a manual install.
Path: /etc/sysconfig/graylog-server (graylog-server systemconfig)
Path: /usr/lib/systemd/system/graylog-server.service (graylog-server.service)
Path: /opt/graylog-server/bin/graylog-server (graylog-server control)
Path: /etc/graylog/server/log4j2.xml (log4j2.xml)
Update the Graylog configuration file
Setup Note: If you read the config file, there is mention of a program named pwgen. Since this setup is based on a CentOS minimal install, guess what isn't there? If you want to use the pwgen program, it can be found in the EPEL repos.
Setup EPEL repo and install pwgen
yum install epel-release.noarch
yum install pwgen
Edit the graylog server config
vi /etc/graylog/server/server.conf
Change the setting for node_id_file
set node_id_file = /etc/graylog/server/node-id
Change the setting for password_secret
set password_secret = a random string longer than 64 characters, for example the output of pwgen -N 1 -s 96
sed -i.bak "s/^password_secret =.*/password_secret = $(pwgen -N 1 -s 96)/" /etc/graylog/server/server.conf
Change the setting for root_password_sha2
set root_password_sha2 = the output of: echo -n 'Pa$$w0rd' | sha256sum | awk '{print $1}' (single-quote the password so the shell does not expand $$ or other special characters)
sed -i.bak "s/^root_password_sha2 =.*/root_password_sha2 = $(echo -n 'Pa$$w0rd' | sha256sum | awk '{print $1}')/" /etc/graylog/server/server.conf
Change the setting for root_timezone
set root_timezone = "whatever your timezone is"
Change setting for plugin_dir
set plugin_dir = /opt/graylog-server/plugin
Change setting for elasticsearch_config_file
set elasticsearch_config_file = /etc/elasticsearch/elasticsearch.yml
Change setting for elasticsearch_replicas
set elasticsearch_replicas = 1
Change setting for elasticsearch_cluster_name
set elasticsearch_cluster_name = graylog (must match the cluster.name set earlier in elasticsearch.yml)
Setup Note: the default configuration uses multicast discovery. If you would like to disable multicast, make the next two changes.
Change the setting for discovery.zen.ping.multicast.enabled
uncomment discovery.zen.ping.multicast.enabled: false
Change the setting for discovery.zen.ping.unicast.hosts
set discovery.zen.ping.unicast.hosts: ["node-master-hostname"] (this should be the hostname of the node that will function as the master node)
Verify the setting for elasticsearch_node_master and elasticsearch_node_data
elasticsearch_node_master = false
elasticsearch_node_data = false
Change setting for message_journal_dir
set message_journal_dir = /var/lib/graylog-server/journal
Change setting for mongodb_uri (with auth enabled)
set mongodb_uri = mongodb://gluser:Pa$$word@localhost:27017/graylog
Change setting for content_packs_dir
set content_packs_dir = /opt/graylog-server/data/contentpacks
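The password_secret and root_password_sha2 edits above are easy to get wrong from an interactive shell: an unquoted Pa$$w0rd lets the shell expand $$ to its PID before sha256sum ever sees it, and the sed substitution needs a delimiter the value cannot contain. The following is an added example, not part of the Graylog documentation or this guide's own commands; it wraps those edits in POSIX shell functions and assumes sha256sum is present and either pwgen or /dev/urandom is available for the secret.

```shell
#!/bin/sh
# Added example (not from the Graylog docs): set password_secret,
# root_password_sha2 and node_id_file in server.conf without the shell
# quoting pitfalls of doing it inline. Requires sha256sum; uses pwgen if
# present, otherwise /dev/urandom.

# Hash a password given as one argument. Because "$1" is expanded by the
# shell exactly once, a password such as Pa$$w0rd is hashed literally
# (an unquoted Pa$$w0rd on the command line would expand $$ to the PID).
sha256_of() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# 96 alphanumeric characters, like pwgen -N 1 -s 96 in the guide.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
        echo
    fi
}

# Replace "key = ..." in a config file (also if it is commented out) or
# append it when absent. '|' is the sed delimiter because the values
# written here are hex, alphanumeric or a path and never contain it.
set_conf_key() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^#\{0,1\}[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i.bak "s|^#\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Apply the three settings to a server.conf. Usage (as root):
#   configure_graylog_secrets /etc/graylog/server/server.conf 'Pa$$w0rd'
configure_graylog_secrets() {
    set_conf_key "$1" password_secret "$(gen_secret)"
    set_conf_key "$1" root_password_sha2 "$(sha256_of "$2")"
    set_conf_key "$1" node_id_file /etc/graylog/server/node-id
}
```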
Configure firewalld rules
Now that the config file is edited, let’s make some firewall rule changes. If for some reason you aren’t using a firewall then you can skip this.
Configure a default zone with firewalld (The default zone is assumed to already be set as "Internal")
Create a new service file for our graylog node
vi /etc/firewalld/services/gl-transport.xml
Use this as the contents for gl-transport.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>gl-transport</short>
  <description>transport for graylog internal elasticsearch nodes.</description>
  <port protocol="tcp" port="9350"/>
</service>
Permanently create an selinux context label
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/gl-transport.xml
Apply the new selinux label
restorecon -vF /etc/firewalld/services/gl-transport.xml
Add rich rules to allow connections from other nodes (repeat for every Elasticsearch node that needs to talk to this one; the outer single quotes keep the inner double quotes intact for firewalld)
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx/32" service name="gl-transport" accept' --permanent
Reload the current firewall config
firewall-cmd --reload
Check the interface and verify the services
firewall-cmd --zone=internal --list-services
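With several Elasticsearch nodes the rich-rule step is repeated once per address, and a mistyped address becomes a permanent rule. The following is an added example, not part of the original guide: it validates each address, builds the rule text with its inner double quotes preserved, and adds one permanent rule per node before a single reload. It assumes the internal zone and the gl-transport service defined above; FIREWALL_CMD is a variable introduced by this example so the commands can be previewed with echo instead of run.

```shell
#!/bin/sh
# Added example (not from the Graylog docs): one gl-transport rich rule per
# Elasticsearch node, with the inner double quotes reaching firewalld intact.
# FIREWALL_CMD is an assumption of this example; set it to "echo" to preview.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Dotted-quad IPv4 check (shape and 0-255 octet range) so a hostname or a
# typo is rejected before it becomes a permanent firewall rule.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rich rule text for one node, the same rule as in the guide; printf emits
# the double quotes literally so firewalld receives family="ipv4" etc.
gl_rich_rule() {
    printf 'rule family="ipv4" source address="%s/32" service name="gl-transport" accept' "$1"
}

# Add a permanent rule for every node given, then reload once. Stops at the
# first malformed address so nothing half-applied is reloaded.
gl_allow_nodes() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "gl_allow_nodes: bad address: $ip" >&2; return 1; }
        "$FIREWALL_CMD" --zone=internal --permanent \
            --add-rich-rule="$(gl_rich_rule "$ip")" || return 1
    done
    "$FIREWALL_CMD" --reload
}

# Usage (as root), with the addresses of the other Elasticsearch nodes
# (192.0.2.x below are constructed placeholders):
#   gl_allow_nodes 192.0.2.10 192.0.2.11
```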
Verify the config
Set graylog to start on boot
systemctl enable graylog-server.service
Start graylog
systemctl start graylog-server.service