Graylog2

Server deployment
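# java
yum install java-1.8.0-openjdk-headless -y

# mongodb
# NOTE(review): 3.5 is a MongoDB *development* release series, not a stable one —
# confirm this is intended before using it for a production Graylog.
# The heredoc delimiter is quoted so that $releasever reaches the repo file literally
# (yum substitutes it); an unquoted heredoc lets the shell expand it to an empty
# string and writes a broken baseurl. '>' instead of '>>' so re-running this script
# does not append a duplicate [mongodb-org-3.5] section.
cat << 'EOF' > /etc/yum.repos.d/mongodb-org-3.5.repo
[mongodb-org-3.5]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.5/x86_64/
# TODO(review): gpgcheck=0 installs packages without signature verification. Set
# gpgcheck=1 and point gpgkey= at the MongoDB release signing key for this series
# before using this repo file in production.
gpgcheck=0
enabled=1
EOF

yum install mongodb-org -y
# Graylog is the only MongoDB client on this host and mongod is started here with
# no authentication: keep it bound to loopback (bindIp: 127.0.0.1 in /etc/mongod.conf).
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service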

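# elasticsearch 5.6
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

# Quoted delimiter (literal content) and '>' rather than '>>' so re-running does
# not append duplicate sections. The original section header was missing its
# opening '[' ("elasticsearch-5.x]"), which yum rejects.
cat << 'EOF' > /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
# The Elastic signing key is imported above and named in gpgkey=, so there is no
# reason to disable verification: gpgcheck=1 rejects unsigned or tampered packages.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install elasticsearch -y

# Graylog expects a cluster named "graylog". Elasticsearch 5.x binds to loopback
# unless network.host is changed; leave it that way — this node has no
# authentication or TLS in front of its HTTP API.
echo 'cluster.name: graylog' >> /etc/elasticsearch/elasticsearch.yml
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service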

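# Graylog 2.3
# Quoted delimiter so $basearch reaches the repo file literally for yum to expand;
# '>' so re-running does not append duplicate [graylog] sections.
cat << 'EOF' > /etc/yum.repos.d/graylog2.repo
[graylog]
name=graylog
baseurl=https://packages.graylog2.org/repo/el/stable/2.3/$basearch/
# "enabled" is the key yum reads; the original "enable=1" was silently ignored.
enabled=1
# TODO(review): gpgcheck=0 skips package signature verification. Graylog publishes a
# repository package that installs its signing key; prefer that, or add gpgkey= and
# set gpgcheck=1 here.
gpgcheck=0
EOF

yum install graylog-server pwgen -y

# Edit /etc/graylog/server/server.conf by hand:
#   password_secret    = output of:  pwgen -N 1 -s 96
#   root_password_sha2 = SHA-256 of the admin password. Do NOT generate it with
#                        `echo -n yourpassword | sha256sum`: the password lands in shell
#                        history and is visible in `ps` argv. Read it from the terminal:
#                          read -r -s -p 'Admin password: ' pw; printf '%s' "$pw" | sha256sum; unset pw
#   rest_listen_uri    = http://127.0.0.1:9000/api/   (loopback only; nginx below is the
#                        sole public entry point)
#   web_listen_uri     = http://127.0.0.1:9000/        (same)
# server.conf now holds password_secret and the root hash — keep it readable only by
# root and the graylog service user (check the package's default mode).
vi /etc/graylog/server/server.conf

systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service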

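# nginx
yum install nginx -y
# The original used "cat <>", which is not a heredoc at all. The delimiter is quoted
# so nginx variables ($host, $remote_addr, ...) are written literally instead of being
# expanded (to empty strings) by the shell.
cat << 'EOF' > /etc/nginx/conf.d/graylog2.conf
# Plain HTTP only redirects to HTTPS, so Graylog credentials and session cookies
# never travel in clear text (the original served the UI on port 80 as well).
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    ssl_certificate         /etc/nginx/ssl/log.crt;
    ssl_certificate_key     /etc/nginx/ssl/log.key;   # keep this file 0600 root:root
    ssl_protocols           TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass  http://127.0.0.1:9000;
        proxy_redirect          off;
        proxy_connect_timeout   30;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        # NOTE(review): Graylog 2.x derives the browser-side API URL from this header
        # when it sits behind a reverse proxy — confirm against the 2.3 proxy docs.
        proxy_set_header        X-Graylog-Server-URL https://$host/api;
    }
}
EOF
systemctl enable nginx
systemctl restart nginx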

Nginx connection (add to nginx.conf to ship nginx's own logs to Graylog over syslog)
# nginx only speaks syslog over UDP (or a local Unix socket): these lines send the
# access and error logs to 192.168.1.15:514 in clear text with no delivery guarantee.
# Acceptable on a trusted management network; otherwise log to a local rsyslog and
# let it relay over TCP/TLS. The tag "nginx" is what Graylog will see as the program name.
access_log syslog:server=192.168.1.15:514,tag=nginx combined;
error_log  syslog:server=192.168.1.15:514,tag=nginx;
Apache connection
# https://github.com/Graylog2/apache-mod_log_gelf

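# This RPM is a binary that httpd loads into its process; these notes reference no
# checksum or signature for it, so install only after verifying it out of band and
# pin the digest of the artifact you vetted so every re-run checks it.
wget https://github.com/Graylog2/apache-mod_log_gelf/releases/download/0.2.0/libapache2-mod-gelf-0.2.0-1.x86_64.rpm
# TODO(review): replace <pinned-sha256> with the digest of the verified artifact, then
# uncomment so a changed download aborts the install:
# printf '%s  libapache2-mod-gelf-0.2.0-1.x86_64.rpm\n' '<pinned-sha256>' | sha256sum -c - || exit 1
rpm -K libapache2-mod-gelf-0.2.0-1.x86_64.rpm   # reports whether the package carries a signature at all
rpm -ivh libapache2-mod-gelf-0.2.0-1.x86_64.rpm

# Quoted delimiter (literal content) and '>' so re-running does not duplicate the module config.
cat << 'EOF' > /etc/httpd/conf.modules.d/02-gelf.conf
LoadModule log_gelf_module /usr/lib64/httpd/modules/mod_log_gelf.so
GelfEnabled On
# GELF over UDP: clear text, no delivery guarantee, chunked messages. Fine on a trusted
# network; otherwise check whether this module version accepts a tcp:// URL and use it.
GelfUrl "udp://graylog2-host:12201"
GelfSource "app-httpd"
# CF-Connecting-IP is only trustworthy when every request provably arrives via Cloudflare;
# otherwise any client can set the header and forge the logged source address.
GelfHeader "HTTP_CF_CONNECTING_IP"
GelfFacility "apache-gelf"
GelfCookie "tracking"
GelfFields "ABDXhmsvRti"
EOF
# httpd must be restarted (systemctl restart httpd) before the module is loaded.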
Syslog connection (forward a client's rsyslog to the Graylog syslog input on port 1514)
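# Quote the selector: unquoted *.* is a shell glob and expands to every file name
# containing a dot in the current directory (e.g. the .rpm downloaded above) before
# the line ever reaches rsyslog.conf. A single '@' means UDP (clear text, lossy);
# '@@' selects TCP, which pairs with a TCP syslog input on Graylog and can carry TLS
# via rsyslog's gtls driver — switch once the matching input exists.
echo '*.* @graylog.host:1514' >> /etc/rsyslog.conf
systemctl restart rsyslog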