My story was very simple. We needed central log management as a requirement for ISO 27000 certification. We tested one local product based on ES and Kibana, which was not very powerful because it used obsolete versions, and it was expensive for our small network. I have always had good knowledge of the open-source software available on the market, and Graylog was definitely on my list to try. So we tested Graylog as an OVA and realised that all the required functionality is there, and that it has more options and a nice web UI.
Installation - Ansible:
Testing the OVA was smooth, but in our environment we use CentOS as the base system. Because I am a big fan of Ansible, the official Ansible playbook for installing Graylog on CentOS was the right choice.
Meanwhile we switched to Oracle Linux because of CentOS's plans to stop following RHEL releases. The official Ansible role doesn't support Oracle Linux, but a simple fix to this line in the role's tasks/main.yml fixed it:
(ansible_distribution in ['RedHat','CentOS', 'OracleLinux'] and ansible_distribution_version is version('7', '>=')) or
Beware also that this official playbook doesn't install Elasticsearch, so you need to use another role or write your own. Because we used the Ansible playbook, configuration was very quick, and we changed only a few variables.
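As an added example (not code from the official Graylog role or from this post), here is a playbook that applies the same distribution check as the patched line above as a pre-task, installs Elasticsearch through a separate role, and only then applies the Graylog role. The role names `elasticsearch` and `graylog`, the host group `graylog_servers`, and the exact `pre_tasks` assertion are assumptions for illustration; the official role's own task layout may differ.

```yaml
# Added example: playbook wrapping the Graylog role with the OS check
# from the post and a separate Elasticsearch role (which the Graylog
# role does not install). Role and group names are assumed.
- name: Install Graylog stack on RHEL-family hosts
  hosts: graylog_servers
  become: true

  pre_tasks:
    - name: Abort early on unsupported distributions (same condition as the patched tasks/main.yml)
      ansible.builtin.assert:
        that:
          - "ansible_distribution in ['RedHat', 'CentOS', 'OracleLinux'] and ansible_distribution_version is version('7', '>=')"
        fail_msg: "Unsupported distribution: {{ ansible_distribution }} {{ ansible_distribution_version }}"

  roles:
    # Assumed role name: Elasticsearch must be provided by a separate role
    # (or your own), because the official Graylog role does not install it.
    - role: elasticsearch
    # Assumed role name for the official Graylog role; variables such as
    # the admin password hash and secret go in group_vars, not here.
    - role: graylog
```

Running the assertion in `pre_tasks` means an unsupported host fails before any package is installed, which is easier to diagnose than a role silently skipping tasks because its `when:` condition did not match.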
Tips and tricks
Try to read the official documentation, and don't follow third-party how-tos at the beginning. The best way is to quickly skim the complete documentation from start to end to get a good overview, then read each section carefully to better understand what you are configuring. This way you progress more slowly, but you understand better how things work, so it is much simpler to debug and fix problems if necessary.