Howto install Graylog2 log management solution under Centos
In this post we will do a presentation of Graylog2 features, components and installation details on Centos 5.
Graylog2 features and components presentation
Graylog2 is a free and open source log management solution that provide you a centralized repository and access to all your infrastructures logs. All the logs are stored in MongoDB, a scalable and high-performance database.
Graylog2 is composed of a server written in Java that will accept Syslog messages via TCP, UDP or AMQP (Advanced Message Queuing Protocol). AMPQ is an open standard for Messaging Middleware that allow different platforms in different languages to send messages to one another. Graylog2 is also using Drools Expert to evaluate all incoming messages against user defined rule file.
Graylog2 Web interface will allow you to search through the logs, filter them, blacklist out certain messages and create “streams“. An unlimited number of user can access the Web interface how will be able only to read defined and subscribed “streams“. Graylog2 Web interface also provide a way to use Nagios to check of the number of new log messages exceeds a given maximum.
Graylog2 “streams” are saved searches that permit you to quickly access to an overview of specifics occurrences. You can forward your “streams” to other endpoints through UDP Syslog, GELF or to Loggly, a cloud log management solution. GELF (Graylog Extended Log Format) will allow you to by pass Syslog limitations (message length, structure, timeouts, connection troubles) for your applications and servers. ”Streams” will also allow you to send alarms when the number of new message reaching a given maximum during a given period. All users who subscribed to the “stream alarms” or to the “stream” will get an email alarm.
Graylog2 Centos 5 installation
In order to have a complete and functional Graylog2 log management solution we have to install three main components, MongoDB, graylog2-server and graylog2-web-interface.
MongoDB database installation
MongoDB propose to Centos and Fedora users yum-installable RPM packages for x86 and x86_64 platforms. “mongo-10gen” (mongodb client) and “mongo-10gen-server” (mongodb server) are available through the 10gen MongoDB repository. Just follow the “Centos and Fedora Packages” documentation to allow you server to install these packages. Then simply execute the following command to install MongoDB server and client.
$ sudo yum install mongo-10gen-server
MongoDB configuration file is located in “/etc/mongod.conf” and the associated sysconfig file is in “/etc/sysconfig/mongod“. When started MongoDB will run under mongod user and group.
First edit the MongoDB configuration file and change “nohttpinterface = false” to “nohttpinterface = false“. Then start MongoDB server with the following command.
$ sudo /etc/init.d/mongod start
Now we will create a user and password to allow Graylog2 to connect to MongoDB server. The database will directly be created during the user creation, and the database will be stored in “/var/lib/mongo“. To connect you to MongoDB server you have only to run the “mongo” client.
$ sudo mongo
> use graylog2
> db.addUser(“login”, “password”)
We have now a user (login) created, with his associated password, for database graylog2. If we wish to perform further operations we need to execute the following command.
> db.auth(“login”, “password”)
We can view existing users for the database with the following command.
For further security and authentication configurations please follow the MongoDB documentation.
We need now to configure the MongoDB server default listener port (27017/TCP). Just uncomment “port = 27017” line in the MongoDB configuration file. MongoDB will listen on the loopback (127.0.0.1). Also we need to turn on security for authentication by uncommenting the “auth = true” line.
Now restart MongoDB with the following command.
$ sudo /etc/init.d/mongod restart
Graylog2 server installation
Graylog2 server require to install openjdk.
$ sudo yum install openjdk
Download Graylog2 server from Github and adapt the following commands to your need.
$ sudo cp graylog2-server-0.9.5p1.tar.gz /opt/
$ sudo cd /opt$ sudo tar -zxvf graylog2-server-0.9.5p1.tar.gz
$ sudo ln -s graylog2-server-0.9.5p1 graylog2
$ sudo cd graylog2
We need to have the graylog2 server configuration file in “/etc/” folder.
$ sudo cp graylog2.conf.example /etc/graylog2.conf
In “/etc/graylog2.conf” configuration file change all “mongodb*” settings with your MongoDB configuration. For example :
# MongoDB Configuration
mongodb_useauth = true
mongodb_user = login
mongodb_password = password
mongodb_host = localhost
#mongodb_replica_set = localhost:27017,localhost:27018,localhost:27019
mongodb_database = graylog2
mongodb_port = 27017
Also configure, in the same configuration file, the Syslog server listener port and protocol. By default the Syslog server is listening on 514/UDP.
Now start Graylog2 server with the following command.
$ sudo cd /opt/graylog2/bin/
$ sudo ./graylog2ctl start
To stop graylog2 server execute the following command.
$ sudo ./graylog2ctl stop
Graylog2 Web interface installation
Graylog2 Web interface is running under Ruby, so we first need to install the latest version of Ruby. Please remove all your previous Ruby installation cause Centos 5 only support an old release of Ruby how is not compatible with Graylog2 and other dependencies.
$ sudo yum erase ruby ruby-libs ruby-mode ruby-rdoc ruby-irb ruby-ri ruby-docs
Make sure you have all the required development tools :
$ sudo yum install openssl-devel zlib-devel gcc gcc-c++ make autoconf readline-devel curl-devel expat-devel gettext-devel
Download the latest Ruby sources and proceed with installing :
$ ./configure –enable-shared –enable-pthread –prefix=/usr
$ sudo make install
Ruby 1.9.2 and above now includes RubyGems so there’s no need to install it separately.
Test that everything installed successfully :
Update all the gems, install git and rake
$ sudo gem update && gem install git rake
Now download Graylog2 Web interface from Github and adapt to your needs the following commands.
$ sudo cp graylog2-web-interface-0.9.5p2.tar.gz /opt/
$ sudo cd /opt
$ sudo tar -zxvf graylog2-web-interface-0.9.5p2.tar.gz
$ sudo ln -s graylog2-web-interface-0.9.5p2 graylog2-web-interface
$ sudo cd graylog2-web-interface
We have also to install bundler with the following commands.
$ sudo gem install bundler
$ sudo bundle install
Edit all “*.yml” configuration files in “/opt/graylog2-web-interface/config/” folder.
“email.yml” configuration file will contain all required email configurations for alarms.
“general.yml” configuration file will contain all Graylog2 server general configurations such as hostname, automatic Graylog2 version check, etc.
“mongoid.yml” configuration file will contain all MongoDB configurations. For example :
We will server Graylog2 Web interface through Apache and Passenger.
To install Passanger just run the following command :
$ sudo gem install passenger
$ sudo passenger-install-apache2-module
$ sudo chown -R apache:apache /opt/graylog2-web-interface-0.9.5p2
$ sudo chown -R apache:apache /opt/graylog2-web-interface
Create a “passenger.conf” file in “/etc/httpd/conf.d/” directory and add the following entries :
LoadModule passenger_module /usr/lib/ruby/gems/1.9.1/gems/passenger-3.0.7/ext/apache2/mod_passenger.so
The in your “httpd.conf” file include the “passenger.conf” file.
Add a Virtual Host in your “httpd.conf“, for example :
Allow from all
CustomLog /var/log/httpd/xxx.xxx.com_access.log combined
Also include the “passenger.conf” in the “httpd.conf” file and restart apache :
Now you will be able to connect you on your vhost, configure the Graylog2 first user and connect into the Web interface.
I recommend you to read these related posts
- ArcSight Logger File Receiver Configuration
- Why and howto calculate your Events Per Second
- Why And Howto Calculate Your Events Log Size
- Free Novell Sentinel Log Manager 25 features and limits
- ArcSight SmartConnector commands and features
- ArcSight L750MB Logger Centos installation
- ArcSight Logger L750MB – Syslog SmartConnector and Snare installation
- ArcSight Logger configuration backup and restoration
- ArcSight L750MB Logger features and limits
- Unix Auditd Authentication Events Analysis and Visualisations with ArcSight Logger