
Centralized logging is a crucial component of efficient monitoring and analysis in IT infrastructures. One of the popular tools for this purpose is Graylog, which allows aggregation, sorting, and analysis of logs from various sources. In this article, we will focus on implementing Graylog on the CentOS operating system, a Linux distribution known for its stability and security.

Prerequisites for Installation

Before we begin with the installation of Graylog, it is necessary to ensure that our CentOS system is up-to-date and has all the required dependencies installed. Graylog 4.0 itself needs a Java runtime (OpenJDK 8 or 11), MongoDB stores Graylog's configuration and metadata, and Elasticsearch holds and indexes the log messages. Elasticsearch 7.x ships with its own bundled JDK, so the Java package is needed for Graylog, not for Elasticsearch.

Installation of MongoDB

MongoDB serves as the data store for Graylog. Installation is performed by adding the MongoDB repository and then installing it using the yum package manager.

sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo <<EOF
[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
EOF
sudo yum install -y mongodb-org
sudo systemctl start mongod
sudo systemctl enable mongod

Installation and Configuration of Elasticsearch

Elasticsearch is the search and analytics engine Graylog uses to index and query logs. Graylog 4.0 supports Elasticsearch 6.8 and 7.x only up to 7.10; later 7.x releases are not supported, so pin the package version rather than installing whatever the 7.x repository currently offers. Add the Elasticsearch repository and install the pinned version with yum.

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elasticsearch.repo
# Graylog 4.0 supports Elasticsearch 6.8 and 7.0-7.10; pin so yum does not pull 7.11+
sudo yum install -y elasticsearch-7.10.2

After installation, edit the Elasticsearch configuration file /etc/elasticsearch/elasticsearch.yml and set cluster.name to "graylog" and discovery.type to "single-node". Graylog's documentation additionally recommends action.auto_create_index: false, so that only Graylog creates indices. Leave network.host at its default: Elasticsearch then listens only on loopback, which is what a single-host deployment wants, since Elasticsearch 7.10 has no authentication enabled out of the box.

cluster.name: graylog
discovery.type: single-node

Then, start and enable Elasticsearch.

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch

Installation of Graylog

To install the Graylog server, we first add the Graylog repository and then install it.

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm
sudo yum install graylog-server

A crucial step is configuring the Graylog server in /etc/graylog/server/server.conf. Two settings are mandatory, and the server will not start without them: password_secret, a random string of at least 16 characters (96 is recommended) that Graylog uses to encrypt stored credentials and that must be identical on every node of a cluster, and root_password_sha2, the SHA-256 hex digest of the administrator password. When hashing the password, make sure no trailing newline is included (use echo -n or printf '%s'); otherwise the stored hash will never match what you type into the login form. Then point Graylog at its backends with elasticsearch_hosts (for example http://127.0.0.1:9200) and mongodb_uri (mongodb://localhost/graylog), and set http_bind_address. Leaving it on 127.0.0.1:9000 keeps the web interface and REST API off the network until you put them behind TLS or a reverse proxy.

After completing the configuration, start and enable the Graylog server.

sudo systemctl start graylog-server
sudo systemctl enable graylog-server
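The two configuration steps above (the elasticsearch.yml settings and the server.conf secrets and backend addresses) as an added shell example. This is not code from the original article or from the Graylog project. It assumes GNU sed, sha256sum and base64 (all present on CentOS), uses the loopback addresses from this article, and takes the file paths as parameters so the functions can be tried on copies of the files before touching anything under /etc.

```shell
#!/usr/bin/env bash
# Added example: apply the Elasticsearch and Graylog settings from this
# article idempotently and generate the two secrets Graylog refuses to
# start without. Assumes GNU sed, sha256sum and base64 (CentOS defaults).
set -eu

# Graylog stores the admin password as the SHA-256 hex digest of the raw
# string. printf '%s' avoids hashing a trailing newline, the classic
# mistake that yields a hash the login form can never match.
graylog_root_hash() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# password_secret encrypts stored credentials; Graylog requires at least
# 16 characters and recommends 96. 72 random bytes base64-encode to exactly
# 96 characters.
graylog_password_secret() {
    head -c 72 /dev/urandom | base64 | tr -d '\n' | head -c 96
}

# set_conf FILE KEY VALUE SEP: replace an existing (possibly commented-out)
# KEY line or append one. SEP is '=' for server.conf, ':' for
# elasticsearch.yml. Values must not contain '|' or '&' (sed metachars);
# none of the values used here do.
set_conf() {
    local file=$1 key=$2 value=$3 sep=$4 line
    if [ "$sep" = ":" ]; then
        line="${key}: ${value}"
    else
        line="${key} = ${value}"
    fi
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*${sep}" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*${sep}.*|${line}|" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# elasticsearch.yml: a single node in a cluster named "graylog". Disabling
# automatic index creation stops stray writers from creating indices that
# Graylog does not manage (recommended by Graylog's documentation).
configure_elasticsearch() {
    local yml=$1
    set_conf "$yml" cluster.name graylog ':'
    set_conf "$yml" discovery.type single-node ':'
    set_conf "$yml" action.auto_create_index false ':'
}

# server.conf: the two mandatory secrets plus the backend addresses used in
# this article. Binding the HTTP interface to loopback keeps the web UI and
# REST API off the network until TLS or a reverse proxy is in front of them.
configure_graylog() {
    local conf=$1 admin_pw=$2
    set_conf "$conf" password_secret "$(graylog_password_secret)" '='
    set_conf "$conf" root_password_sha2 "$(graylog_root_hash "$admin_pw")" '='
    set_conf "$conf" http_bind_address "127.0.0.1:9000" '='
    set_conf "$conf" elasticsearch_hosts "http://127.0.0.1:9200" '='
    set_conf "$conf" mongodb_uri "mongodb://localhost/graylog" '='
}

# Touch the real files only when explicitly asked to (run as root):
#   sudo ./configure-graylog.sh apply
if [ "${1:-}" = "apply" ]; then
    configure_elasticsearch /etc/elasticsearch/elasticsearch.yml
    printf 'Graylog admin password: '
    stty -echo; read -r pw; stty echo; printf '\n'
    configure_graylog /etc/graylog/server/server.conf "$pw"
fi
```

The functions only rewrite the specific keys they are given, so re-running them after an upgrade replaces the package's commented-out defaults without duplicating lines; a quick grep for a second password_secret line is still a sensible check before restarting the service.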

With MongoDB, Elasticsearch, and Graylog running, the CentOS host becomes a central collection point for logs from servers, network devices, and applications, ready to receive them through Graylog inputs such as syslog or GELF. Centralizing the data this way supports real-time monitoring of the infrastructure, detection of anomalies, and security investigations based on searchable, retained log history rather than on logs scattered across individual machines.