Graylog2 1.0 requires ElasticSearch 1.3 (or up). To fulfill this requirement, you will need to install ElasticSearch - I recommend on a separate server for environment growth. IOPS on your hard disk matters here.
First, make sure your CentOS 6 is fully patched:
Then install Java 1.7:
#yum install java
Make sure that it prompts you to install Java 1.7 (look for the below text):
Set up the ElasticSearch Repositories and install Elasticsearch 1.3:
Import they key:
#rpm --import https://packages.elasticsearch.org/GPG-KEY-elasticsearch
Create a new repository file in /etc/yum.repos.d/ named elasticsearch.repo with the following contents:
name=Elasticsearch repository for 1.3.x packages
#yum install elasticsearch
Add ElasticSearch to boot process:
#chkconfig --add elasticsearch
Stop the elasticsearch service so that we can update the cluster name:
#service elasticsearch stop
Edit the /etc/elasticsearch/elasticsearch.yml file to update your cluster.name variable. Ex:
Update any additional settings needed and save the file. I recommend updating the path.data and path.logs to custom directories.
Start the elasticsearch service and set it to run on startup:
#service elasticsearch start
#chkconfig elasticsearch on
Check your logs to make sure that it started properly and joined the cluster (if there is an existing one).
For Graylog2, the recommended settings are also to increase the open file limit to at least 64000 as seen in the Configuring and tuning Elasticsearch documentation. I did this by increasing the max number of ulimit open file below.
Edit /etc/sysctl.conf and add the following line at the end:
fs.file-max = 65536
Save the file. Next edit /etc/security/limits.conf and add the following lines:
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
Save the file and restart the server.
#shutdown -r now
Once restarted, verify that the max open file ulimit has been increased.
# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 30507
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65535
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 65535
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Additional recommended settings are to increase the ES_HEAP_SIZE. I did this by editing /etc/init.d/elasticsearch and adding the following line after checkJava under start():
They recommend that you leave 50% of your memory for other system functions, and I had 4 Gig of RAM, hence the 2g setting.