Graylog2 on Centos
Graylog is one of the most powerful and sophisticated log aggregation tools and is widely popular nowadays. You can forward any kind of logs to Graylog, then use its powerful query language to search through the log data to discover and analyze important information. It can send notifications for specific patterns found in the logs, such as failed login attempts or 400 response codes from your web servers.
With Graylog you can share real-time log data within your team in a secure way, for better collaboration while maintaining compliance.
Devops
For many organizations and teams that are just starting their DevOps journey, simply getting log aggregation and analysis in place is a good start. When you think about open-source tools for this, Graylog will definitely be the first choice. It is fast and reliable, has a good GUI, search features, dashboards and many more. It is a perfect substitute for the enterprise tool Splunk.
This guide helps you install Graylog, forward system logs to it using Filebeat/Logstash, and visualize the logs in the Graylog web interface.
Install Graylog
Enable the following repos

    [elasticsearch-2.x]
    name=Elasticsearch repository for 2.x packages
    baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
    gpgcheck=1
    gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1

    [logstash-2.0]
    name=Logstash repository for 2.0.x packages
    baseurl=http://packages.elastic.co/logstash/2.0/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1

    [mongodb]
    name=MongoDB Repository
    baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/
    gpgcheck=0
    enabled=1

Note that the MongoDB repo above is defined with gpgcheck=0, so packages from it are installed without signature verification; set gpgcheck=1 together with the MongoDB repository GPG key if you want yum to verify them.
Install Elasticsearch, MongoDB and Logstash

    yum install elasticsearch logstash mongodb-org
Download the Graylog tarball from the Graylog website

    wget https://packages.graylog2.org/releases/graylog/graylog-2.0.3.tgz

Uncompress it

    tar xvf graylog-2.0.3.tgz -C /opt

Create a symlink

    ln -s /opt/graylog-2.0.3 /opt/graylog2

Copy the sample configuration file (the target directory does not exist on a fresh system, so create it first)

    mkdir -p /etc/graylog/server
    cp /opt/graylog2/graylog.conf.example /etc/graylog/server/server.conf
Now that the Graylog installation is finished, we can configure the other components.
Start MongoDB

    # the mongodb-org package installs the service under the name mongod
    service mongod start
Add users in MongoDB
On the shell console, type

    mongo

You will be in the MongoDB console.
Run the following commands to add the users

    use admin
    db.addUser('admin', 'jshdhjEJSKJ98eh')
    db.auth('admin', 'jshdhjEJSKJ98eh')
    use graylog2
    db.addUser('grayloguser', 'grayloguserpassword')
    db.auth('grayloguser', 'grayloguserpassword')

Once the users are created, exit from the mongo console by typing quit()
Now create the SHA-256 hash of the admin password using the following command

    echo -n "adminpasswordgoeshere" | sha256sum

Make sure you use a strong password.
Now generate another strong password, which will be used as the password_secret inside the graylog2 server.
Start Elasticsearch

    /etc/init.d/elasticsearch start
Now we can go ahead and modify the graylog2 config file with the passwords we generated, the MongoDB username and password, and the Elasticsearch cluster details. It is pretty simple and straightforward.
Mainly you need to modify the following configuration parameters

    password_secret
    root_password_sha2
    rest_listen_uri
    web_listen_uri
    elasticsearch_http_enabled (set this to true)
    mongodb_uri = mongodb://grayloguser:grayloguserpassword@MONGODB_HOST:27017/graylog2

The MongoDB host in the original mongodb_uri was lost in extraction; MONGODB_HOST above is a placeholder for the address of the MongoDB server you started earlier.
Under the "Email transport" section, give the SMTP server details. This is required only when you need to enable email notifications.
Once done, start the graylog2 server using the following command

    cd /opt/graylog2/
    java -jar graylog.jar server
Watch the console output for any errors. If there are no errors, you will be able to access the Graylog web interface using

    url      : whatever you set as web_listen_uri; in my case it was http://192.168.2.21:9000/
    user     : admin
    password : adminpasswordgoeshere

Once you log in, you can create a new stream input listening on some port number
1. System/Inputs >> Inputs >> select "GELF UDP" from the list and click on "Launch new input"
2. Create the new input with some port number; use a port number above 10000 for this. In the log forwarder's configuration, we will use this port number to send the logs.
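Before wiring up a forwarder, it helps to confirm that the GELF UDP input actually receives messages. The following is an added example, not code from the original post or from the Graylog project: it builds a GELF 1.1 message, gzip-compresses it, splits it into GELF chunks when it exceeds one datagram, and sends it over UDP. GRAYLOG_HOST and GRAYLOG_PORT are assumptions taken from the guide (the web_listen_uri host and the 12201 port used later in the Logstash sample); the "failed password" event is a constructed sample line.

```python
"""Build and send GELF 1.1 messages over UDP to a Graylog input.

Added example (not from the original post). Assumes the GELF UDP input
created above listens on GRAYLOG_HOST:GRAYLOG_PORT; adjust both to your input.
"""
import gzip
import json
import os
import socket
import time

GRAYLOG_HOST = "192.168.2.21"   # assumption: the web_listen_uri host from the guide
GRAYLOG_PORT = 12201            # assumption: the port chosen for the GELF UDP input

CHUNK_MAGIC = b"\x1e\x0f"       # GELF chunk header magic bytes
MAX_DATAGRAM = 8192             # largest unchunked GELF datagram
MAX_CHUNK_PAYLOAD = MAX_DATAGRAM - 12   # datagram minus the 12-byte chunk header
MAX_CHUNKS = 128                # GELF allows at most 128 chunks per message

# syslog severities, which is what the GELF "level" field carries
SYSLOG_LEVEL = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_gelf(short_message, host, level="info", full_message=None,
               timestamp=None, **extra):
    """Return a GELF 1.1 message as a dict.

    Additional fields get the "_" prefix the spec requires. "_id" is reserved
    by Graylog, so an "id" extra is stored as "_id_" instead of being dropped.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": SYSLOG_LEVEL[level],
    }
    if full_message:
        msg["full_message"] = full_message
    for key, value in extra.items():
        msg["_id_" if key == "id" else "_" + key] = value
    return msg


def encode_gelf(msg):
    """Serialise and gzip-compress a GELF dict for the UDP transport."""
    return gzip.compress(json.dumps(msg).encode("utf-8"))


def decode_gelf(payload):
    """Inverse of encode_gelf; useful for checking what would be sent."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def chunk_gelf(payload, message_id=None):
    """Split a payload into GELF chunks when it exceeds one datagram.

    Chunk layout: magic(2) + message id(8) + sequence number(1) + sequence count(1) + data.
    """
    if len(payload) <= MAX_DATAGRAM:
        return [payload]
    pieces = [payload[i:i + MAX_CHUNK_PAYLOAD]
              for i in range(0, len(payload), MAX_CHUNK_PAYLOAD)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message too large for GELF chunking (>128 chunks)")
    message_id = message_id or os.urandom(8)
    count = len(pieces)
    return [CHUNK_MAGIC + message_id + bytes([seq, count]) + data
            for seq, data in enumerate(pieces)]


def send_gelf(msg, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send one GELF message over UDP; returns the number of datagrams sent."""
    datagrams = chunk_gelf(encode_gelf(msg))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for dgram in datagrams:
            sock.sendto(dgram, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    # Constructed sample event resembling a failed SSH login from /var/log/secure
    event = build_gelf(
        "Failed password for invalid user test from 10.0.0.5 port 4422 ssh2",
        host="web01.example.test",
        level="warning",
        facility="sshd",
        source_ip="10.0.0.5",
    )
    print("sent", send_gelf(event), "datagram(s)")
```

After running it, search the Graylog web interface for `facility:sshd`; if nothing arrives, check that the input is bound to the right address and that UDP on that port is open in the CentOS firewall before debugging the forwarder itself.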
Configuring the log forwarder/shipper
You can use Logstash for collecting the logs and sending them to the Graylog input. A sample Logstash configuration is below

    input {
      file {
        path => ["/var/log/messages"]
      }
    }
    output {
      gelf {
        host => "192.168.2.21"
        port => 12201
      }
    }
But Logstash turned out to be a heavy process that can use a lot of memory and CPU, so I don't prefer running it on my production servers. As an alternative, Elastic has released a new lightweight log collector called Filebeat, which can be used for collecting the log lines and shipping them. Filebeat has a "logstash" output, which sends the logs to a central Logstash server; Logstash in turn sends the logs to Graylog. This is a simple setup where Filebeat runs on all your servers and sends the logs to a Logstash instance. The Logstash configuration for such a setup is shown below

    input {
      beats {
        type => "beats"
        port => 5000
      }
    }
    output {
      gelf {
        host => "192.168.2.21"
        port => 12500
      }
    }

Filebeat streams logs to Logstash port 5000, which in turn sends them to the Graylog input on port 12500.
If everything goes well, you should be able to see the logs in the web GUI.
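The post shows the Logstash side of this pipeline but not the Filebeat side. The following filebeat.yml is an added example, not configuration from the original post or from the Filebeat project; it uses the Filebeat 1.x syntax contemporary with Logstash 2.0, assumes the Logstash beats input is on 192.168.2.21:5000 as above, and the /var/log/secure path and CA certificate path are assumptions for illustration.

```yaml
# Added example filebeat.yml (Filebeat 1.x syntax; not from the original post).
# Ships system logs to the Logstash beats input on port 5000 shown above.
filebeat:
  prospectors:
    - paths:
        - /var/log/messages
        - /var/log/secure        # assumption: also ship auth logs for failed-login searches
      input_type: log
      document_type: syslog
  registry_file: /var/lib/filebeat/registry   # remembers read offsets across restarts

output:
  logstash:
    hosts: ["192.168.2.21:5000"]   # the Logstash beats input from the guide
    # The beats input above accepts plaintext. To encrypt this hop, enable TLS here
    # and set ssl => true, ssl_certificate and ssl_key on the Logstash beats input.
    # tls:
    #   certificate_authorities: ["/etc/pki/tls/certs/logstash-ca.crt"]   # assumed path

logging:
  level: info
  to_syslog: true
```

Start Filebeat with this file on each server, then check the Logstash log for a beats connection from that host before looking for its messages in Graylog.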