Installing Graylog2 0.9.6, ElasticSearch 0.18.7, & MongoDB 2.0.3 on CentOS 5 (With RVM)

Gorilla Party Rocking your logs like an open-source mogul.  

Graylog2's motto should be LMFAO (logging my freaking apps off).

Graylog2 is a lovely little Splunk-like server that collects your logs and provides a nice interface for searching and analyzing them.

From the site:

Graylog2 is an open source log management solution that stores your logs in ElasticSearch. It consists of a server written in Java that accepts your syslog messages via TCP, UDP or AMQP and stores it in the database. The second part is a web interface that allows you to manage the log messages from your web browser.

They have lovely screen shots here.

The only problem with it is that it has quite a few moving parts that need to be installed, and they are not traditionally easy to get going on CentOS.

So, here is my guide.


These steps were borrowed liberally from Joe Miller's blog here, where he set up a previous version, as well as from each product's documentation.

Installing ElasticSearch:

Grab and place ElasticSearch.

cd /opt
curl http://cloud.github.com/downloads/elasticsearch/elasticsearch/elasticsearch-0.18.7.tar.gz | tar zxv 
ln -s elasticsearch-0.18.7/ elasticsearch

Install the ES service wrapper.

curl -k -L http://github.com/elasticsearch/elasticsearch-servicewrapper/tarball/master | tar -xz
mv *servicewrapper*/service elasticsearch/bin/
rm -Rf *servicewrapper*
/opt/elasticsearch/bin/service/elasticsearch install

Give yourself a control script.

ln -s `readlink -f elasticsearch/bin/service/elasticsearch` /usr/bin/elasticsearch_ctl

Give the ES cluster a unique name.

sed -i -e 's|# cluster.name: elasticsearch|cluster.name: graylog2|' /opt/elasticsearch/config/elasticsearch.yml

Fire it up.

/etc/init.d/elasticsearch start

Test it out.

curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Installing MongoDB:

Grab MongoDB from 10Gen:

wget http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/RPMS/mongo-10gen-2.0.3-mongodb_1.x86_64.rpm
wget http://downloads-distro.mongodb.org/repo/redhat/os/x86_64/RPMS/mongo-10gen-server-2.0.3-mongodb_1.x86_64.rpm
rpm -Uvh *mongo*.rpm

Fire it up:

/etc/init.d/mongod start

Set up MongoDB and auth:

mongo

Dump this into the shell (after updating the credentials as you see fit):

use admin
db.addUser('admin', 'adminpass')
db.auth('admin', 'adminpass')
use graylog2
db.addUser('grayloguser', 'graylogpass')
db.auth('grayloguser', 'graylogpass')
exit

Install the Graylog2 server:

Grab and place it:

cd /opt
curl http://cloud.github.com/downloads/Graylog2/graylog2-server/graylog2-server-0.9.6.tar.gz | tar zxv
ln -s graylog2-server-0.9.6/ graylog2-server

Set up the config file and turn off mongo authentication (couldn't get it to work with auth enabled):

cp /opt/graylog2-server/graylog2.conf{.example,}
cd /etc
ln -s /opt/graylog2-server/graylog2.conf graylog2.conf
cd -
sed -i -e 's|mongodb_useauth = true|mongodb_useauth = false|' /opt/graylog2-server/graylog2.conf

Drop an init script:

vim /etc/init.d/graylog2-server
In it put this:

#!/bin/sh
#
# graylog2-server:   graylog2 message collector
#
# chkconfig: - 98 02
# description:  This daemon listens for syslog and GELF messages and stores them in ElasticSearch
#
CMD=$1
NOHUP=`which nohup`
JAVA_HOME=/usr/java/latest
JAVA_CMD=$JAVA_HOME/bin/java
GRAYLOG2_SERVER_HOME=/opt/graylog2-server
# pid file written by graylog2-server itself (this script only reads it)
PIDFILE=/tmp/graylog2.pid

start() {
    echo "Starting graylog2-server ..."
    $NOHUP $JAVA_CMD -jar $GRAYLOG2_SERVER_HOME/graylog2-server.jar > /var/log/graylog2.log 2>&1 &
}

stop() {
    if [ ! -f $PIDFILE ]; then
        echo "graylog2-server does not appear to be running (no $PIDFILE)"
        return 1
    fi
    PID=`cat $PIDFILE`
    echo "Stopping graylog2-server ($PID) ..."
    kill $PID
}

restart() {
    echo "Restarting graylog2-server ..."
    stop
    start
}

case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
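
The stop() in that script signals whatever number is sitting in /tmp/graylog2.pid, and /tmp is writable by every local user. As an added example (not part of the original post), here is a stricter stop() that only accepts the pid file if it holds a single numeric PID and that PID belongs to a process running the graylog2-server jar; the PIDFILE and JAR paths are taken from the script above.

```sh
#!/bin/sh
# Added example, not from the original post: a stricter stop() for the
# graylog2-server init script. Paths match the script above.
PIDFILE=${PIDFILE:-/tmp/graylog2.pid}
JAR=${JAR:-/opt/graylog2-server/graylog2-server.jar}

# read_pid FILE: print the PID if FILE holds exactly one positive integer
# (rejects missing or empty files, extra lines, spaces, and pid 1).
read_pid() {
    [ -f "$1" ] || return 1
    pid=$(cat "$1")
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    echo "$pid"
}

# pid_runs_jar PID: succeed only if PID's command line contains the jar path,
# i.e. the process really is graylog2-server and not something that dropped
# its own number into the world-writable /tmp.
pid_runs_jar() {
    [ -r "/proc/$1/cmdline" ] || return 1
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$JAR"
}

stop() {
    PID=$(read_pid "$PIDFILE") || {
        echo "graylog2-server: no valid pid in $PIDFILE" >&2; return 1; }
    pid_runs_jar "$PID" || {
        echo "graylog2-server: pid $PID is not graylog2-server, not killing it" >&2; return 1; }
    echo "Stopping graylog2-server ($PID) ..."
    kill "$PID" && rm -f "$PIDFILE"
}
```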

Prime and load:

chmod +x /etc/init.d/graylog2-server
chkconfig --add graylog2-server
chkconfig graylog2-server on

Fire it up:

/etc/init.d/graylog2-server start

Grab the Web Interface:

cd /opt
curl http://cloud.github.com/downloads/Graylog2/graylog2-web-interface/graylog2-web-interface-0.9.6.tar.gz | tar zxv
ln -s graylog2-web-interface-0.9.6 graylog2-web-interface

Install RVM with Ruby 1.9.2:

sudo yum install -y gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel curl-devel
echo insecure >> ~/.curlrc
bash -s stable < <(curl -s -k https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
rvm install 1.9.2
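
Every download in this guide is piped straight from curl into tar or bash, and certificate checking is switched off with curl -k and the insecure line in ~/.curlrc. As an added example (not part of the original post), this helper downloads to a file with certificate checking left on, compares a SHA-256 you obtained from a trusted source, and only then extracts; the digest argument is a placeholder, since the post itself lists no checksums.

```sh
#!/bin/sh
# Added example, not from the original post. Download to a file with TLS
# verification left on, check a SHA-256 obtained out of band, and only then
# extract, instead of `curl -k ... | tar zxv`. The digest in the usage line
# is a placeholder: the post lists no checksums.

# verify_sha256 FILE EXPECTED: succeed only if FILE's SHA-256 equals EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED DEST_DIR: download, verify, extract into DEST_DIR
fetch_verified() {
    url=$1; expected=$2; dest=$3
    tmp=$(mktemp) || return 1
    # no -k here, so certificates are checked; --fail turns HTTP errors into a non-zero exit
    if ! curl --fail --silent --show-error --location -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url, not extracting" >&2
        rm -f "$tmp"; return 1
    fi
    tar -xzf "$tmp" -C "$dest"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder digest; substitute the real one before running):
# fetch_verified http://cloud.github.com/downloads/elasticsearch/elasticsearch/elasticsearch-0.18.7.tar.gz \
#     "<sha256 from a trusted source>" /opt
```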

Set up a Graylog2 user:

useradd graylog2 -d /opt/graylog2-web-interface -G rvm
chown -R graylog2:graylog2 /opt/graylog2-web-interface*

Give root RVM access (append the group with -a so root's existing supplementary groups are kept):

usermod -a -G rvm root

Bundle:

rvm use 1.9.2
cd /opt/graylog2-web-interface
gem install bundler
bundle install

Set up the web interface's mongo config:

vim /opt/graylog2-web-interface/config/mongoid.yml

Make sure the production setting looks like this:

production:
  host: localhost
  port: 27017
  username:
  password:
  database: graylog2

Fire it up and set a password:

su - graylog2
rvm use 1.9.2
RAILS_ENV=production script/rails server

Browse to http://$HOSTNAME:3000 and set up your first user.

Once done, CTRL-C to stop the server, then CTRL-D to go back to root.

Install and configure Passenger:

yum -y install curl-devel
rvm use 1.9.2
gem install passenger
gem install file-tail

Drop an init script:

vim /etc/init.d/graylog2-web
In it put this:

#!/bin/bash
#
# graylog2-web:   graylog2 web interface
#
# chkconfig: - 98 02
# description:  Starts graylog2-web-interface using passenger-standalone. \
#       Uses RVM to switch to a specific ruby version.
#
# config
USER=graylog2
APP_DIR=/opt/graylog2-web-interface
RVM_RUBY=1.9.2
ADDR=0.0.0.0
PORT=3000
ENVIRONMENT=production
LOG_FILE=/var/log/graylog2-web-interface.log

# --

if [ ! -d $APP_DIR/tmp ]; then
    mkdir $APP_DIR/tmp
fi

if [ ! -d $APP_DIR/log ]; then
    mkdir $APP_DIR/log
fi

chown -R $USER:$USER $APP_DIR/{log,tmp}
# 777 leaves log/ and tmp/ world-writable; passenger runs as $USER, who already owns them
chmod -R 777 $APP_DIR/{log,tmp}

CMD_START="cd $APP_DIR; rvm use $RVM_RUBY; passenger start -d \
                    -a $ADDR \
                    -p $PORT \
                    -e $ENVIRONMENT \
                    --user $USER"
CMD_STOP="cd $APP_DIR; rvm use $RVM_RUBY; passenger stop -p $PORT"

CMD_STATUS="cd $APP_DIR; rvm use $RVM_RUBY; passenger status -p $PORT"

. /lib/lsb/init-functions
case "$1" in
  start)
    echo "Starting graylog2-web-interface"
    su - $USER -c "$CMD_START"
    ;;
  stop)
    echo "Stopping graylog2-web-interface"
    su - $USER -c "$CMD_STOP"
    ;;
  status)
    su - $USER -c "$CMD_STATUS"
    ;;
  *)
    echo "Usage: $0 start|stop|status"
    exit 3
    ;;
esac

Prime and load:

chmod +x /etc/init.d/graylog2-web
chkconfig --add graylog2-web
chkconfig graylog2-web on

Fire it up:

/etc/init.d/graylog2-web start

The first time it runs it will fetch some things Passenger needs, but it will start normally every time after.

  • Luke Tislow

    On cent 5.8 for the first elastic box, curl wouldn’t work, wget / tar -xvf did though.

  • Luke Tislow

    su - graylog2
    rvm use 1.9.2
    RAILS_ENV=production script/rails server
    This won't work either.

    • Anonymous

       I think it should be:

      su - graylog2
      rvm use 1.9.2
      RAILS_ENV=production
      script/rails server

    • Amitabh

       cd /usr/local
      chmod -R g+x

      will fix this problem.

      • Amitabh

         Run chmod -R g+w rvm
        again after gem install file-tail, otherwise
        you will get errors when you run “RAILS_ENV=production script/rails server”.

        This is on RHEL.

    • James Eaton

       Did you close the terminal and then re-open it? It will fix the issue.

  • http://twitter.com/hypervisor_fr raphael schitz

    Thanks a lot for this great howto, I only had to open a new putty session to get rvm in the path

  • Robin Bowes

    I just ran through this install, without using rvm and instead using kbs’s ruby 1.8.7 repo. Seems to work fine, or rather, it seems to install fine. I’ve not yet started throwing any data into it!

  • Kenton

    I just installed this in CentOS 6 using this guide and here are a few things I discovered that were different (or problems).

    The current version of Mongo DB is 2.0.4 so it errors when using your command line.
    I had to add bind_ip = 127.0.0.1 to the mongod.conf file (this is more secure anyway).
    You need to give root rvm access before doing >rvm install 1.9.2
    I also had to change the location of Java in the startup script for graylog server as that is different in the version of CentOS I am running.

    This was the first post where everything pretty much worked, thanks for doing it.

    • James Eaton

       If you remove the version of Java that CentOS 6 comes with and install the version from Oracle, it will use the /usr/java/latest

  • Chris Bragg

    if you get an error starting graylog for first time

    Curl development headers with SSL support… not found

    ensure these RPMs are installed: zlib-devel e2fsprogs-devel krb5-devel

  • Zemariano

    Hi, I added the link of your post to this one: http://camelandjava.blogspot.com/2012/05/karaf-and-graylog2-log4j-appenders-in.html
    It contains some useful tips to have a bundle logging to Graylog within Karaf and servicemix

  • Sathish

     Is there any way to store log message data to mongoDB? because we need it.

  • Sharmith

    Please check the below link for integrating Syslog-ng, Logstash along with Graylog2 for collecting logs from Network devices.
    http://sharmith.blogspot.in/2012/05/network-device-syslog-ng-logstash.html

  • http://twitter.com/fcamblor Frédéric Camblor

    Note that it seems latest vers of elasticsearch wrapper is not compatible with version 0.18.7 of elasticsearch.
    I tried with 0.19.3 and it solved the problem.

    Another thing to note: after having downloaded the elasticsearch wrapper, don't forget to edit the elasticsearch.conf file allowing to locate the set.default.ES_HOME env variable.

  • James Eaton

    I have installed graylog2 using this guide:
    http://eromang.zataz.com/2011/06/22/howto-install-graylog2-log-management-solution-under-centos/ and unfortunately it makes no mention of installing elasticsearch, and at the end I get "Could not connect to ElasticSearch" on the main page.

    So a retarded question, do you NEED to install elasticsearch for graylog2 to work?

    • James Eaton

       OK, I have got everything working now, although it still says “It seems like your Graylog2 server is not running.”

      The problem I have now is getting data into it… what is the best way of getting it to use all of the syslog from rsyslog? (or everything in /var/log/messages)

  • James Eaton

    I can confirm that version 18.7 of elasticsearch does NOT work on Centos 6.3. I have tried version 19.8 and it works fine.

  • JR

    Thank you!
    I used these notes to get my first Graylog2 server setup.

  • Matthew Keller

    Just linking to the image: http://theoatmeal.com/comics/semicolon

  • Ivan

    Worked on CentOS 6.2, just with some minor changes. Great job.

    • Jon Ross

      Hi Ivan, I'm trying to get this working on centos 6.3. Could you tell me what changes you had to make please?

      Cheers.

  • http://twitter.com/JaimeGagoTech Jaime Gago

    Couple of things for following this tutorial step by step on CentOS 6.3:

    -The install of RVM is missing a couple of steps (or at least didn’t work for me without them) even though they come later on (this has already been pointed out on another comment so just confirming):
    useradd -G rvm root
    usermod -g rvm root
    source /etc/profile.d/rvm.sh

    -As pointed in another comment the default JAVA install (if you do a yum install java) is not the one used in the graylog2-server init script (/etc/init.d/graylog2-server), rather than installing Oracle I switched to JAVA_HOME=/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/ in the init script and it worked.

    -I modified the curl/wget commands to get the current latest versions of ElasticSearch (0.20.2) and MongoDB (2.2.2) and everything worked fine.

    Thanks for the step by step Nathan!

  • Jonathan

    I hacked together a quick script (rhel 6.3 tested) that does the above steps:
    http://pastebin.com/XTN6Ssx0