Red Hat Installation: Single Graylog Node
This installation guide covers installing Graylog on Red Hat 7, 8, or 9 on a Core cluster, which is composed of one Graylog and MongoDB node and one Data Node. If you are deploying a multiple Graylog-node cluster on Red Hat, see Red Hat Installation: Multiple Graylog Nodes.
This article will guide you through installing three services that comprise the Graylog stack: MongoDB, Graylog Data Node, and Graylog.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- Verify that all required ports are open. We assume in the following steps that firewalls are disabled and traffic can flow across all necessary ports.
- We strongly recommend the use of an XFS file system for storage.
- Review the Core architecture diagram and our recommendations for resource allocation before you begin installation.
Server Timezone
To set a specific time zone on a Graylog server, you can use the following command. (For more information on setting a time zone, we recommend this blog post.)
sudo timedatectl set-timezone UTC
Configuration and Service Files
Before you begin the process of installing Graylog and its required components, it is important to note that there are multiple configuration files and service files included in the Graylog and MongoDB operating system packages that should be adjusted during the initial deployment process to optimize your system performance. For your reference, the files mentioned in this installation guide for each service are as follows:
- MongoDB: The MongoDB configuration file. For extensive information on the configuration properties included in this file, we recommend you review the MongoDB documentation. We offer some additional guidance on the use and maintenance of this file in Additional Configuration.
- Data Node: The Graylog Data Node has both a configuration file and a service file that should be adjusted during deployment. A full reference for the Data Node configuration file can be found in Data Node Configuration Settings Reference. Also, the Data Node service file must be adjusted for heap settings; additional information on this file may be found in Additional Configuration.
- Graylog: Graylog also has both a configuration file and a service file that should be adjusted during deployment. We recommend you review Initial Configuration Settings first. A full reference for the Graylog server configuration file can also be found in Graylog Server Configuration Settings Reference. Also, the Graylog service file must be adjusted for heap settings; additional information on this file may be found in Additional Configuration.
Install MongoDB
MongoDB is a NoSQL database designed to store and manage data in a flexible, scalable, and high-performance manner. As a part of the Graylog stack, MongoDB serves as the metadata database for the system.
The official MongoDB documentation provides a helpful tutorial on installation with Red Hat. For information on installing MongoDB for use with Graylog, we recommend you generally follow the process below.
1. Create the repository file:
sudo nano /etc/yum.repos.d/mongodb-org.repo
2. Add the following MongoDB repository configuration:
[mongodb-org-7.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-7.0.asc
3. Install the latest stable version of MongoDB:
sudo yum update
sudo yum install mongodb-org
4. Hold the currently installed version of the MongoDB package to prevent it from being automatically upgraded to a newer version when updates are installed:
sudo yum versionlock add mongodb-org
5. Open the MongoDB configuration file:
sudo nano /etc/mongod.conf
6. By default, MongoDB only listens locally. You must modify either the bindIp or bindIpAll setting in the MongoDB configuration file so that the port binds to an interface address or a host name or listens on all interfaces. See the example configurations below.
To listen on all interfaces:
net:
  port: 27017
  bindIpAll: true
To bind to a specific interface, like 192.168.50.71:
net:
  port: 27017
  bindIp: 192.168.50.71
To bind to a host name, like graylog01:
net:
  port: 27017
  bindIp: graylog01
7. Enable MongoDB and start the service:
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl start mongod.service
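The bindIp and bindIpAll choice in step 6 decides which networks can reach MongoDB, so it is worth confirming what the edited file actually resolves to. The following is an added example, not part of the Graylog or MongoDB documentation; the helper name mongo_bind_scope is hypothetical, and it assumes the two-space YAML layout shown above.

```sh
#!/bin/sh
# Added example; mongo_bind_scope is a hypothetical helper name, not a
# MongoDB tool. It reads only the "net:" section of a mongod.conf file.
mongo_bind_scope() {
    awk '
        # A key at column 0 starts a new top-level section.
        /^[^ \t#]/          { in_net = ($0 ~ /^net:[ \t]*(#.*)?$/) }
        !in_net             { next }
        /^[ \t]+bindIpAll:/ { if ($2 == "true") all = 1 }
        /^[ \t]+bindIp:/    {
            sub(/^[ \t]+bindIp:[ \t]*/, "")     # drop the key
            sub(/[ \t]*(#.*)?$/, "")            # drop a trailing comment
            ip = $0
        }
        END {
            n = split(ip, addr, ",")
            loopback = 1
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", addr[i])
                if (addr[i] == "0.0.0.0" || addr[i] == "::") all = 1
                else if (addr[i] != "127.0.0.1" && addr[i] != "localhost" && addr[i] != "::1") loopback = 0
            }
            if (all)           print "all-interfaces"
            else if (loopback) print "loopback-only"
            else               print "specific:" ip
        }
    ' "$1"
}

# Usage (path is the one used in this guide):
#   mongo_bind_scope /etc/mongod.conf
```

A result of all-interfaces means every network attached to the host can reach port 27017, which matters here because this guide assumes firewalls are disabled.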
Install Data Node
Data Node is a component in Graylog's architecture designed to handle log ingestion, processing, and indexing, managing communication with OpenSearch for storing and querying logs efficiently. As noted in the Core architecture, the Data Node service should be maintained on its own node, separate from Graylog and MongoDB.
To install Data Node, we recommend you follow the process below:
1. Install the Data Node package:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.rpm
sudo yum install graylog-datanode
2. Ensure that the Linux setting vm.max_map_count is set to at least 262144. To check the current value:
cat /proc/sys/vm/max_map_count
To increase the value:
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.d/99-graylog-datanode.conf
sudo sysctl --system
3. Create your password_secret. This is a secure, randomly generated string used to encrypt sensitive data within the system:
< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;
4. Open the Data Node configuration file:
sudo nano /etc/graylog/datanode/datanode.conf
5. Add the password_secret value to the Data Node configuration file. Note that you must add this same value to the Graylog server configuration file in a later step since it is crucial that this value be the same for the Graylog node.
6. Ensure the heap settings are set to half your system memory, up to a max of 31 GB. To do so, you will need to add the following configuration property to your Data Node configuration file. For example, if you have 16 GB of RAM, you would set it to 8 GB, like in the example below:
opensearch_heap = 8g
Note: this property is not included in datanode.conf by default! It must be added to the file manually.
7. Also in the Data Node configuration file, set the MongoDB connection string. In the following example, graylog01 represents the host name of the MongoDB node:
mongodb_uri = mongodb://graylog01:27017/graylog
8. Now, open the datanode file found in the default directory at /etc/graylog/datanode/:
sudo nano /etc/graylog/datanode
9. In this file, you must adjust the heap settings in jvm.options for the Data Node service, as noted in Additional Configuration. This service needs very little memory and can be set at 1 or 2 GB, depending on your requirements. It is recommended to set both values to the same size, so setting a minimum of 2 GB for Xms2g and a maximum of 2 GB for Xmx2g would look like the following:
-Xms2g
-Xmx2g
10. Enable Data Node and start the service:
sudo systemctl daemon-reload
sudo systemctl enable graylog-datanode.service
sudo systemctl start graylog-datanode
Install Graylog
After Data Node installation is complete, you must install the core Graylog service. The Core architecture model is designed so that Graylog and MongoDB are installed on the same node.
To install Graylog, we recommend you follow the process below:
1. Install the Graylog package. The commands below are alternatives; run only the one for the package you are installing:
sudo yum install graylog-server
sudo yum install graylog-enterprise
2. Use the following command to create your root_password_sha2. This is the SHA-256 hash of the password for the root administrator account for the Graylog interface. Make sure you record the password itself, as you will need it to log into the Graylog interface after preflight configuration:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
3. Open the Graylog server configuration file:
sudo nano /etc/graylog/server/server.conf
4. Enter the value you created for the root_password_sha2 in the previous step into the Graylog configuration file.
5. Retrieve the password secret from the Data Node configuration file as indicated in steps 3-5 of Install Data Node and add it to the password_secret property in the Graylog configuration file.
6. Set the http_bind_address value in the Graylog configuration file to the public host name or a public IP address on which the Graylog web and API server will listen for incoming HTTP requests:
http_bind_address = 0.0.0.0:9000
More information about these settings can be found in The Web Interface.
7. Adjust your journal settings. We recommend you configure your journal settings' max age to 72 hours and the size to your expected total log volume over a 72-hour period. So, if your expected daily log volume is 30 GB, your max size should be adjusted to 90 GB, as in the following example:
message_journal_max_age = 72h
message_journal_max_size = 90gb
8. Now, open the graylog-server file found by default at /etc/graylog/:
sudo nano /etc/graylog/graylog-server
9. In this file, adjust your heap settings to half the system memory up to a max of 16 GB for the Graylog service, as recommended in Additional Configuration. It is recommended that you set the minimum and maximum values to be the same, so if you are setting your minimum to 2 GB, as shown in -Xms2g, and your maximum to 2 GB, as shown in -Xmx2g, the setting may look like:
GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx2g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"
10. Enable Graylog and start the service:
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
Once installation is complete, proceed to the following section on the preflight login to access the Graylog web interface!
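Because password_secret must be identical in the Data Node and Graylog configuration files, and root_password_sha2 must hold the output of the sha256sum command above, both can be checked before the first login without printing either value. The following is an added example, not part of the Graylog documentation; conf_value, secret_fingerprint and root_hash_ok are hypothetical helper names, and it assumes the "key = value" line format shown in this guide.

```sh
#!/bin/sh
# Added example; conf_value, secret_fingerprint and root_hash_ok are
# hypothetical helper names, not Graylog tools.

# Print the value of the last uncommented "KEY = value" line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print a short SHA-256 fingerprint of password_secret so the value can be
# compared between the Data Node and Graylog hosts without displaying it.
secret_fingerprint() {
    secret=$(conf_value password_secret "$1")
    if [ -z "$secret" ]; then
        echo "password_secret is empty or missing in $1" >&2
        return 1
    fi
    printf '%s' "$secret" | sha256sum | cut -c1-16
}

# Succeed only if root_password_sha2 has the shape of sha256sum output:
# exactly 64 lowercase hexadecimal characters.
root_hash_ok() {
    conf_value root_password_sha2 "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Usage on each node (paths are the ones used in this guide):
#   secret_fingerprint /etc/graylog/datanode/datanode.conf   # on the Data Node
#   secret_fingerprint /etc/graylog/server/server.conf       # on the Graylog node
#   root_hash_ok /etc/graylog/server/server.conf && echo "root_password_sha2 format OK"
```

The two fingerprints must be equal; if they differ, the password_secret values in the two files are not the same.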
Preflight Login
After installation is complete, immediately proceed to The Web Interface for information on completing the preflight process and logging into Graylog for the first time. This preflight login will require the initial login credentials found in the log file after first starting the Graylog service!
Troubleshooting and Common Issues
The following section outlines troubleshooting steps for common issues to assist you in resolving potential challenges you may encounter.
Issue: Network Connectivity Issue During MongoDB Installation
It is possible you may receive a network connectivity issue while you are initiating the replica set for MongoDB. This may be related to your DNS and/or your TCP port or network configuration.
Solution: Modify Firewall and/or DNS Settings
If you encounter this issue, we recommend you test whether the required port TCP/27017 is open. You can use telnet or nc (Netcat) to test:
nc -vz <node_ip> 27017