I recently required a syslog server that was easy to use with a web interface to monitor some customers firewalls. I had been looking at Splunk but due to the price of this product it was not a viable option for what I required.
After a little searching I came across Graylog2 which is an open source alternative to Splunk and is totally free! You only need to pay if you would like support from them.
So here is how I setup the server and got it working on my CentOS Server.
Install & Configure Elastic Search
Download and install the Public Signing Key:
rpm --import https://packages.elasticsearch.org/GPG-KEY-elasticsearch
Create the following file
[elasticsearch-1.4] name=Elasticsearch repository for 1.4.x packages baseurl=http://packages.elasticsearch.org/elasticsearch/1.4/centos gpgcheck=1 gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch enabled=1
And your repository is ready for use. You can install it with :
yum install elasticsearch
Configure Elasticsearch to automatically start during boot:
chkconfig --add elasticsearch
To configure ElasticSearch for use with Graylog2 edit
cluster.name: graylog2 node.data: true bootstrap.mlockall: true ES_HEAP_SIZE: 2048 discovery.zen.ping.multicast.enabled: false discovery.zen.ping.unicast.hosts: ["127.0.0.1", "IP_ADDR"]
Start the ElasticSearch service:
service elasticsearch start
Install & Graylog2 Server and Web Client
Get the latest RPM for Graylog2 here and run changing to the correct url:
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog2-x.xx-repository-el6_latest.rpm
Install Graylo2-Server and Graylog2-Web:
yum install graylog2-server graylog2-web
Edit the file
/etc/graylog2.conf and change only the below:
password_secret = root_password_sha2 = elasticsearch_discovery_zen_ping_multicast_enabled = false elasticsearch_discovery_zen_ping_unicast_hosts = IP_ADDR:9300
Edit the file /etc/graylog2/web/graylog2-web-interface.conf and change only the below:
graylog2-server.uris="" application.secret="" timezone="Europe/London"
Set Services to start at boot:
chkconfig --add graylog2-server chkconfig --add graylog2-web
Start the services:
service graylog2-server start service graylog2-web start
Logs are stored in the following locations:
any errors in here should be quite easy to resolve. if you have any issues please let me know and I will assist where possible.