Technical

Graylog installation – CentOS7

Server installation: (Docker container)

docker run --name mongo --restart=always -d mongo:3
 docker run --name elasticsearch     -e "http.host=0.0.0.0"     -e "ES_JAVA_OPTS=-Xms1024m -Xmx1024m" --restart=always     -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.8
 docker run --name graylog --link mongo --link elasticsearch     -p 8080:9000 -p 13003:13003 --restart=always     -e GRAYLOG_HTTP_EXTERNAL_URI="http://graylog.provlima.com:8080/"     -d graylog/graylog:3.2

-Increase vm.max_map_count (needed for elastic search)

grep vm.max_map_count /etc/sysctl.conf
 vim /etc/sysctl.conf
 add to file:
 vm.max_map_count=262144
 reload settings:
 sysctl -p

Graylog Configuration:

-Create API Token:

  • login to graylog-> System/Authentication -> Sidecars -> Create or reuse a token for the graylog-sidecar user -> Create token -> Copy to clipboard (SideCarToken)

-Create Beats input:

  • System-> inputs – >select input type (Beats) then Launch
Global: Checked
 Title: Beats input
 Bind adrress: 0.0.0.0
 Port: 13003
 Do not add Beats type as prefix: Checked

– System -> sidecar -> configuration -> create a new configuration – >

*The configuration here are specific to the host so it could be grouped based on usage. (This is also the place to define what logs to be collected)

Sample filebeat configuraiton:
 # Needed for Graylog
 fields_under_root: true
 fields.collector_node_id: ${sidecar.nodeName}
 fields.gl2_source_collector: ${sidecar.nodeId}
 fields.source: ${sidecar.nodeName}
  filebeat.inputs:
 input_type: log paths: /var/log/*.log
 /home/user1/tomcat/logs/*.log
 type: log
 output.logstash:
 hosts: ["4.4.4.4:13003"]
 path:
 data: /var/lib/graylog-sidecar/collectors/filebeat/data
 logs: /var/lib/graylog-sidecar/collectors/filebeat/log 

– To assign the created configuration to a host go to

  • System -> sidecar -> configuration -> Administration

You’ll see list of of active hosts. Check what collector to assign and then on the same screen (right upper corner to the gray bar) click configure and pick the configuration to apply.
back to same page System -> sidecar -> configuration -> Administration, you’ll see the host (running) and what configuration been applied there.

Host configuration:

-Sidecar installation:

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm
 yum install graylog-sidecar -y
 vim /etc/graylog/sidecar/sidecar.yml
 add
 server_api_token: "xxxxxxxx" server_url: "http://4.4.4.4:13002/api/"
 graylog-sidecar -service install       
 systemctl restart graylog-sidecar
 systemctl enable graylog-sidecar
 *Now the host should appear in System-> sidecar overview page

-File-beat installation:  (nothing to configure here – pushed automatically by sidecar)

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
 vim /etc/yum.repos.d/elastic.repo
         [elastic-7.x]
         name=Elastic repository for 7.x packages
         baseurl=https://artifacts.elastic.co/packages/7.x/yum
         gpgcheck=1
         gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
         enabled=1
         autorefresh=1
         type=rpm-md
 yum install filebeat -y
 systemctl enable filebeat
 systemctl start filebeat

*To view if File-beat configuration being pushed or not: cat  /var/lib/graylog-sidecar/generated/filebeat.conf

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA