{"id":3062,"date":"2025-11-10T01:15:57","date_gmt":"2025-11-09T23:15:57","guid":{"rendered":"https:\/\/itsimple.info\/?p=3062"},"modified":"2025-11-10T01:15:59","modified_gmt":"2025-11-09T23:15:59","slug":"graylog-setup-guide-for-multiple-postfix-mta-servers-on-almalinux","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=3062","title":{"rendered":"Graylog Setup Guide for Multiple Postfix MTA Servers on AlmaLinux"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Architecture Overview<\/h1>\n\n\n\n<p>This guide sets up:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>1 Central Graylog Server<\/strong> (AlmaLinux) &#8211; for log collection and analysis<\/li>\n\n\n\n<li><strong>Multiple MTA Servers<\/strong> (AlmaLinux with Postfix) &#8211; forwarding logs to Graylog<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 1: Install Graylog Server (Central Server)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">System Requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AlmaLinux 8 or 9<\/li>\n\n\n\n<li>Minimum 4GB RAM (8GB+ recommended)<\/li>\n\n\n\n<li>50GB+ disk space for logs<\/li>\n\n\n\n<li>Static IP address<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Update System and Install Prerequisites<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Update system\nsudo dnf update -y\n\n# Install required tools. pwgen comes from EPEL. The Graylog 5.2 packages bundle\n# their own JVM, so the OpenJDK package is only needed for other tooling.\nsudo dnf install -y epel-release\nsudo dnf install -y wget curl java-17-openjdk-headless pwgen\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Install MongoDB<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Add MongoDB repository\ncat &lt;&lt;EOF | sudo tee \/etc\/yum.repos.d\/mongodb-org-6.0.repo\n[mongodb-org-6.0]\nname=MongoDB Repository\nbaseurl=https:\/\/repo.mongodb.org\/yum\/redhat\/\\$releasever\/mongodb-org\/6.0\/x86_64\/\ngpgcheck=1\nenabled=1\ngpgkey=https:\/\/www.mongodb.org\/static\/pgp\/server-6.0.asc\nEOF\n\n# Install MongoDB\nsudo dnf install -y mongodb-org\n\n# Enable and start MongoDB\nsudo systemctl daemon-reload\nsudo systemctl enable mongod\nsudo systemctl start mongod\n\n# Verify MongoDB is running\nsudo systemctl status mongod\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Install OpenSearch (Elasticsearch alternative)<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Add OpenSearch repository\ncurl -SL https:\/\/artifacts.opensearch.org\/releases\/bundle\/opensearch\/2.x\/opensearch-2.x.repo -o \/tmp\/opensearch-2.x.repo\nsudo mv \/tmp\/opensearch-2.x.repo \/etc\/yum.repos.d\/\n\n# Install OpenSearch (pinned to a 2.x release known to work with Graylog 5.2)\nsudo dnf install -y opensearch-2.11.1\n\n# Configure OpenSearch for Graylog. The security plugin is switched off, so the\n# node must stay bound to localhost: Graylog on this host talks to 127.0.0.1:9200\n# and nothing else should be able to reach an unauthenticated OpenSearch.\nsudo tee -a \/etc\/opensearch\/opensearch.yml &gt; \/dev\/null &lt;&lt;EOF\n\n# Graylog configuration\ncluster.name: graylog\nnode.name: \\${HOSTNAME}\nnetwork.host: 127.0.0.1\ndiscovery.type: single-node\naction.auto_create_index: false\nplugins.security.disabled: true\nEOF\n\n# Set JVM heap size: 2g suits the 4GB minimum. On larger hosts give OpenSearch\n# roughly a quarter of RAM when it shares the box with Graylog (never above 32g).\nsudo sed -i 's\/^-Xms.*\/-Xms2g\/' \/etc\/opensearch\/jvm.options\nsudo sed -i 's\/^-Xmx.*\/-Xmx2g\/' \/etc\/opensearch\/jvm.options\n\n# Enable and start OpenSearch\nsudo systemctl daemon-reload\nsudo systemctl enable opensearch\nsudo systemctl start opensearch\n\n# Wait for OpenSearch to start\nsleep 30\n\n# Verify OpenSearch is running\ncurl -X GET \"localhost:9200\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Install Graylog Server<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Download and install Graylog repository\nsudo rpm -Uvh https:\/\/packages.graylog2.org\/repo\/packages\/graylog-5.2-repository_latest.rpm\n\n# Install Graylog server\nsudo dnf install -y graylog-server\n\n# Generate password secret (save this!)\nPASSWORD_SECRET=$(pwgen -N 1 -s 96)\necho \"Password Secret: $PASSWORD_SECRET\"\n\n# Generate admin password hash (change 'YourAdminPassword' to your desired password)\nADMIN_PASSWORD=\"YourAdminPassword\"\nADMIN_PASSWORD_SHA2=$(echo -n 
\"$ADMIN_PASSWORD\" | sha256sum | awk '{print $1}')\necho \"Admin Password: $ADMIN_PASSWORD\"\necho \"Admin Password Hash: $ADMIN_PASSWORD_SHA2\"\n\n# Configure Graylog\nsudo cp \/etc\/graylog\/server\/server.conf \/etc\/graylog\/server\/server.conf.backup\n\n# Update configuration\nsudo sed -i \"s\/^password_secret =.*\/password_secret = $PASSWORD_SECRET\/\" \/etc\/graylog\/server\/server.conf\nsudo sed -i \"s\/^root_password_sha2 =.*\/root_password_sha2 = $ADMIN_PASSWORD_SHA2\/\" \/etc\/graylog\/server\/server.conf\n\n# Set HTTP bind address (change to your server IP)\nSERVER_IP=$(hostname -I | awk '{print $1}')\nsudo sed -i \"s|^#http_bind_address = .*|http_bind_address = $SERVER_IP:9000|\" \/etc\/graylog\/server\/server.conf\nsudo sed -i \"s|^#http_publish_uri = .*|http_publish_uri = http:\/\/$SERVER_IP:9000\/|\" \/etc\/graylog\/server\/server.conf\n\n# Set Elasticsearch hosts\nsudo sed -i \"s|^#elasticsearch_hosts = .*|elasticsearch_hosts = http:\/\/127.0.0.1:9200|\" \/etc\/graylog\/server\/server.conf\n\n# Enable and start Graylog\nsudo systemctl daemon-reload\nsudo systemctl enable graylog-server\nsudo systemctl start graylog-server\n\n# Check status\nsudo systemctl status graylog-server\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Configure Firewall<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Open required ports\nsudo firewall-cmd --permanent --add-port=9000\/tcp  # Graylog web interface\nsudo firewall-cmd --permanent --add-port=1514\/tcp  # Syslog TCP input\nsudo firewall-cmd --permanent --add-port=1514\/udp  # Syslog UDP input\nsudo firewall-cmd --permanent --add-port=5044\/tcp  # Beats input (optional)\nsudo firewall-cmd --reload\n\n# Verify ports are open\nsudo firewall-cmd --list-ports\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Access Graylog Web Interface<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open browser: <code>http:\/\/YOUR_SERVER_IP:9000<\/code><\/li>\n\n\n\n<li>Login with:\n<ul 
class=\"wp-block-list\">\n<li>Username: <code>admin<\/code><\/li>\n\n\n\n<li>Password: (the password you set in the ADMIN_PASSWORD variable)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>The interface is served over plain HTTP on port 9000. Restrict who can reach it (firewall source rules or a TLS-terminating reverse proxy) before exposing it beyond an administrative network.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 2: Configure Graylog to Receive Logs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create Syslog Input<\/h3>\n\n\n\n<p>Port 1514 is used instead of the standard 514 because graylog-server runs as an unprivileged user and cannot bind ports below 1024 without extra capabilities.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log into Graylog web interface<\/li>\n\n\n\n<li>Navigate to <strong>System \u2192 Inputs<\/strong><\/li>\n\n\n\n<li>Select <strong>Syslog TCP<\/strong> from dropdown<\/li>\n\n\n\n<li>Click <strong>Launch new input<\/strong><\/li>\n\n\n\n<li>Configure:\n<ul class=\"wp-block-list\">\n<li><strong>Title:<\/strong> <code>Postfix Syslog TCP<\/code><\/li>\n\n\n\n<li><strong>Bind address:<\/strong> <code>0.0.0.0<\/code><\/li>\n\n\n\n<li><strong>Port:<\/strong> <code>1514<\/code><\/li>\n\n\n\n<li><strong>Store full message:<\/strong> Check this<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>Save<\/strong><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create Postfix Stream<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Streams<\/strong><\/li>\n\n\n\n<li>Click <strong>Create Stream<\/strong><\/li>\n\n\n\n<li>Configure:\n<ul class=\"wp-block-list\">\n<li><strong>Title:<\/strong> <code>Postfix Logs<\/code><\/li>\n\n\n\n<li><strong>Description:<\/strong> <code>All Postfix mail server logs<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>Save<\/strong><\/li>\n\n\n\n<li>Click <strong>Manage Rules<\/strong> on the new stream<\/li>\n\n\n\n<li>Add rule:\n<ul class=\"wp-block-list\">\n<li><strong>Field:<\/strong> <code>application_name<\/code> (filled by the Syslog input from the syslog tag, e.g. <code>postfix\/smtpd<\/code>; logs shipped with Filebeat in Part 3, Option B carry the Filebeat fields instead and need their own rule)<\/li>\n\n\n\n<li><strong>Type:<\/strong> <code>match regular expression<\/code><\/li>\n\n\n\n<li><strong>Value:<\/strong> <code>postfix.*<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>Save<\/strong><\/li>\n\n\n\n<li>Click <strong>Start 
stream<\/strong><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 3: Configure MTA Servers to Send Logs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Option A: Using Rsyslog (Simpler, Built-in)<\/h3>\n\n\n\n<p>On <strong>each MTA server<\/strong>, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Backup rsyslog configuration\nsudo cp \/etc\/rsyslog.conf \/etc\/rsyslog.conf.backup\n\n# Add forwarding configuration (the $ActionQueue* directives apply to the action line that follows them)\nsudo tee \/etc\/rsyslog.d\/10-graylog.conf &gt; \/dev\/null &lt;&lt;'EOF'\n# Disk-assisted queue so messages survive a Graylog outage or a reboot of this host\n$ActionQueueType LinkedList\n$ActionQueueFileName graylog_queue\n$ActionResumeRetryCount -1\n$ActionQueueSaveOnShutdown on\n$ActionQueueMaxDiskSpace 1g\n\n# Forward all logs to Graylog over TCP (@@) in RFC 5424 format.\n# Use mail.* instead of *.* to forward only the mail facility.\n*.* @@GRAYLOG_SERVER_IP:1514;RSYSLOG_SyslogProtocol23Format\nEOF\n\n# Replace GRAYLOG_SERVER_IP with actual IP\nGRAYLOG_IP=\"192.168.1.100\"  # Change this to your Graylog server IP\nsudo sed -i \"s\/GRAYLOG_SERVER_IP\/$GRAYLOG_IP\/\" \/etc\/rsyslog.d\/10-graylog.conf\n\n# Validate the configuration before restarting\nsudo rsyslogd -N1\n\n# Restart rsyslog\nsudo systemctl restart rsyslog\n\n# Verify rsyslog is running\nsudo systemctl status rsyslog\n\n# Test by sending a test message (the postfix\/test tag matches the stream rule from Part 2)\nlogger -t postfix\/test \"Test message from $(hostname) to Graylog\"\n<\/code><\/pre>\n\n\n\n<p>This forwards syslog in clear text. The Graylog Syslog TCP input can be switched to TLS (certificate, key and client-authentication settings on the input) and rsyslog can send over TLS with its gtls stream driver; enable both before mail logs cross an untrusted network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Option B: Using Filebeat (More Reliable, Recommended for Production)<\/h3>\n\n\n\n<p>On <strong>each MTA server<\/strong>, run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Install Filebeat\nsudo rpm --import https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\ncat &lt;&lt;EOF | sudo tee \/etc\/yum.repos.d\/elastic.repo\n[elastic-8.x]\nname=Elastic repository for 8.x packages\nbaseurl=https:\/\/artifacts.elastic.co\/packages\/8.x\/yum\ngpgcheck=1\ngpgkey=https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\nenabled=1\nautorefresh=1\ntype=rpm-md\nEOF\n\nsudo dnf install -y filebeat\n\n# Backup default configuration\nsudo cp \/etc\/filebeat\/filebeat.yml \/etc\/filebeat\/filebeat.yml.backup\n\n# Create new configuration. Filebeat 8 marks the log input as deprecated in\n# favour of filestream; log still works but prints a warning at start-up.\nsudo tee \/etc\/filebeat\/filebeat.yml &gt; \/dev\/null &lt;&lt;'EOF'\nfilebeat.inputs:\n- type: log\n  enabled: true\n  paths:\n    - \/var\/log\/maillog\n    - \/var\/log\/maillog-*\n  fields:\n    log_type: postfix\n    server_role: mta\n    hostname: ${HOSTNAME}\n  fields_under_root: true\n\noutput.logstash:\n  hosts: [\"GRAYLOG_SERVER_IP:5044\"]\n\nlogging.level: info\nlogging.to_files: true\nlogging.files:\n  path: \/var\/log\/filebeat\n  name: filebeat\n  keepfiles: 7\n  permissions: 0644\nEOF\n\n# Replace GRAYLOG_SERVER_IP\nGRAYLOG_IP=\"192.168.1.100\"  # Change this\nsudo sed -i \"s\/GRAYLOG_SERVER_IP\/$GRAYLOG_IP\/\" \/etc\/filebeat\/filebeat.yml\n\n# Replace HOSTNAME placeholder\nsudo sed -i \"s\/\\${HOSTNAME}\/$(hostname)\/\" \/etc\/filebeat\/filebeat.yml\n\n# Validate the configuration\nsudo filebeat test config\n\n# Enable and start Filebeat\nsudo systemctl enable filebeat\nsudo systemctl start filebeat\n\n# Check status\nsudo systemctl status filebeat\n<\/code><\/pre>\n\n\n\n<p><strong>If using Filebeat, also create a Beats input in Graylog:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>System \u2192 Inputs<\/li>\n\n\n\n<li>Select <strong>Beats<\/strong> from dropdown<\/li>\n\n\n\n<li>Configure:\n<ul class=\"wp-block-list\">\n<li><strong>Title:<\/strong> <code>Filebeat Input<\/code><\/li>\n\n\n\n<li><strong>Bind address:<\/strong> <code>0.0.0.0<\/code><\/li>\n\n\n\n<li><strong>Port:<\/strong> <code>5044<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click <strong>Save<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Messages arriving through the Beats input carry the Filebeat fields (<code>log_type<\/code>, <code>server_role<\/code>, <code>hostname<\/code>; prefixed with <code>filebeat_<\/code> unless <strong>Do not add Beats type as prefix<\/strong> is ticked on the input) rather than the syslog <code>application_name<\/code> field, so the stream rule from Part 2 will not match them. Add a second rule on the <code>log_type<\/code> field and set the stream to match <strong>any<\/strong> rule. Extractors are attached per input, so the Part 4 extractors must be created on this input as well. Like the syslog path, Beats traffic is clear text until TLS is configured on both Filebeat and the input.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 4: Create Postfix Log Extractors<\/h2>\n\n\n\n<h3 
class=\"wp-block-heading\">Extract Common Postfix Fields<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>System \u2192 Inputs<\/strong><\/li>\n\n\n\n<li>Click <strong>Manage extractors<\/strong> on your Syslog input<\/li>\n\n\n\n<li>Create the following extractors (paste a real maillog line into the <strong>Try<\/strong> box to check each pattern before saving it):<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 1: Queue ID<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>postfix\/[\\w-]+\\[\\d+\\]: ([0-9A-F]{6,}|[0-9A-Za-z]{12,}):<\/code><\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>postfix_queue_id<\/code><\/li>\n<\/ul>\n\n\n\n<p>The token after the daemon name is the Postfix queue ID, not the Message-ID. The alternation in the single capture group covers both the classic hexadecimal form and the longer mixed-case form written when <code>enable_long_queue_ids = yes<\/code>; a plain <code>[A-F0-9]+<\/code> silently misses the latter.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 2: Queue ID via Grok (alternative to Extractor 1)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Grok pattern<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>%{POSTFIX_QUEUEID:postfix_queue_id}<\/code><\/li>\n<\/ul>\n\n\n\n<p><code>POSTFIX_QUEUEID<\/code> is not part of Graylog's default Grok pattern set. Define it first under <strong>System \u2192 Grok Patterns<\/strong> as <code>([0-9A-F]{6,}|[0-9A-Za-z]{12,})<\/code>, and use either this extractor or Extractor 1, not both.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 3: From Address<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>from=&lt;([^>]*)><\/code><\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>mail_from<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 4: To Address<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>to=&lt;([^>]*)><\/code><\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>mail_to<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 5: Status<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>status=(\\w+)<\/code><\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>delivery_status<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 6: Message-ID<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>message-id=&lt;([^>]*)><\/code> (logged once per message by <code>postfix\/cleanup<\/code>)<\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>postfix_message_id<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Extractor 7: Size<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Regular expression<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>message<\/code><\/li>\n\n\n\n<li><strong>Pattern:<\/strong> <code>size=(\\d+)<\/code> (logged by <code>postfix\/qmgr<\/code>)<\/li>\n\n\n\n<li><strong>Store as field:<\/strong> <code>size<\/code><\/li>\n\n\n\n<li><strong>Converter:<\/strong> Numeric, so that the range search in Part 6 works<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 5: Create Dashboards and Reports<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Create Basic Postfix Dashboard<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Dashboards<\/strong><\/li>\n\n\n\n<li>Click <strong>Create dashboard<\/strong><\/li>\n\n\n\n<li>Name it: <code>Postfix Mail Traffic<\/code><\/li>\n\n\n\n<li>Add widgets:<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\">Widget 1: Message Count Over Time<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Area chart<\/li>\n\n\n\n<li><strong>Metric:<\/strong> Count<\/li>\n\n\n\n<li><strong>Time Range:<\/strong> Last 24 hours<\/li>\n\n\n\n<li><strong>Interval:<\/strong> 5 minutes<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Widget 2: Delivery Status Distribution<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Pie chart<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>delivery_status<\/code><\/li>\n\n\n\n<li><strong>Top values:<\/strong> 10<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Widget 3: Top Senders<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Data table<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>mail_from<\/code><\/li>\n\n\n\n<li><strong>Top values:<\/strong> 20<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Widget 4: Top Recipients<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Data table<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>mail_to<\/code><\/li>\n\n\n\n<li><strong>Top values:<\/strong> 20<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Widget 5: Messages by MTA Server<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Bar 
chart<\/li>\n\n\n\n<li><strong>Field:<\/strong> <code>source<\/code> (the host name from the syslog header, or the Beats host name)<\/li>\n\n\n\n<li><strong>Top values:<\/strong> 10<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Schedule Daily Reports<\/h3>\n\n\n\n<p>Scheduled PDF reports are a Graylog Enterprise feature. On the open-source server the closest equivalent is an event definition that runs once a day and e-mails a summary; e-mail notifications require the <code>transport_email_*<\/code> settings in <code>server.conf<\/code> to be filled in first.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>Alerts &amp; Events \u2192 Event Definitions<\/strong><\/li>\n\n\n\n<li>Click <strong>Create Event Definition<\/strong><\/li>\n\n\n\n<li>Configure:\n<ul class=\"wp-block-list\">\n<li><strong>Title:<\/strong> <code>Daily Postfix Report<\/code><\/li>\n\n\n\n<li><strong>Priority:<\/strong> Normal<\/li>\n\n\n\n<li><strong>Condition Type:<\/strong> Filter &amp; Aggregation<\/li>\n\n\n\n<li><strong>Search Query:<\/strong> <code>application_name:postfix*<\/code><\/li>\n\n\n\n<li><strong>Search within the last:<\/strong> 1 day<\/li>\n\n\n\n<li><strong>Execute search every:<\/strong> 1 day<\/li>\n\n\n\n<li><strong>Aggregation condition:<\/strong> <code>count() &gt; 0<\/code> (fires once a day whenever mail was logged)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Add <strong>Notification<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>Type:<\/strong> Email<\/li>\n\n\n\n<li><strong>Recipients:<\/strong> Your email address<\/li>\n\n\n\n<li><strong>Subject:<\/strong> <code>Daily Postfix Report - {event_timestamp}<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 6: Useful Searches and Queries<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Common Search Queries<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># All bounced emails\ndelivery_status:bounced\n\n# Emails from specific sender\nmail_from:\"user@example.com\"\n\n# All emails to a specific domain. Leading wildcards are disabled by default;\n# set allow_leading_wildcard_searches = true in server.conf (expensive on large\n# indices) or extract a recipient-domain field and search that instead.\nmail_to:*@example.com\n\n# Emails from specific MTA server\nsource:\"mta1.example.com\"\n\n# Failed deliveries in the last hour (the time-range selector does the same job\n# and is the usual way to scope a search)\ndelivery_status:(deferred OR bounced) AND timestamp:&#91;now-1h TO now]\n\n# Large emails (over 10MB; needs the numeric size field from Part 4)\nsize:&gt;10485760\n\n# Emails with specific queue ID\npostfix_queue_id:\"ABC123DEF456\"\n\n# All relay denials (phrase search; wildcards cannot wrap a quoted phrase)\nmessage:\"Relay access denied\"\n\n# SASL authentication failures\nmessage:\"authentication failed\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Create Saved Searches<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Run a search query<\/li>\n\n\n\n<li>Click <strong>Save search<\/strong><\/li>\n\n\n\n<li>Name it appropriately<\/li>\n\n\n\n<li>Use for quick access or in dashboards<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 7: Maintenance and Optimization<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Index Rotation and Retention<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Navigate to <strong>System \u2192 Indices<\/strong><\/li>\n\n\n\n<li>Click <strong>Index Set<\/strong> (default)<\/li>\n\n\n\n<li>Configure:\n<ul class=\"wp-block-list\">\n<li><strong>Index Rotation:<\/strong> Daily (or based on size)<\/li>\n\n\n\n<li><strong>Index Retention:<\/strong> 30 days (adjust based on needs)<\/li>\n\n\n\n<li><strong>Max number of indices:<\/strong> 30<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Performance Tuning<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Adjust JVM heap for Graylog: edit the existing GRAYLOG_SERVER_JAVA_OPTS line\n# and change only the -Xms\/-Xmx values (1g by default), keeping the other flags\nsudo nano \/etc\/sysconfig\/graylog-server\n\n# Adjust OpenSearch heap\nsudo nano \/etc\/opensearch\/jvm.options\n# Change -Xms and -Xmx; never above 32g. When Graylog and OpenSearch share one\n# host, do not give each of them 50%: roughly a quarter each leaves room for\n# the OS page cache that OpenSearch relies on.\n\n# Restart services\nsudo systemctl restart graylog-server\nsudo systemctl restart opensearch\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Backup Configuration<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Backup Graylog configuration. It holds password_secret and the admin hash,\n# so copy it with root-only permissions.\nsudo mkdir -p \/backup\nsudo install -m 600 \/etc\/graylog\/server\/server.conf \/backup\/graylog-server.conf.$(date +%Y%m%d)\n\n# Backup MongoDB (Graylog metadata: users, streams, inputs, dashboards)\nsudo mongodump --out=\/backup\/mongodb-$(date +%Y%m%d)\nsudo chmod -R go-rwx \/backup\/mongodb-$(date +%Y%m%d)\n\n# Backup OpenSearch indices (optional, large). The snapshot directory must be\n# listed as path.repo in opensearch.yml before a repository can be registered,\n# and registering the repository does not take a snapshot by itself.\nsudo mkdir -p \/backup\/opensearch &amp;&amp; sudo chown opensearch:opensearch \/backup\/opensearch\necho 'path.repo: [\"\/backup\/opensearch\"]' | sudo tee -a \/etc\/opensearch\/opensearch.yml\nsudo systemctl restart opensearch\n\ncurl -X PUT \"localhost:9200\/_snapshot\/backup_repo\" -H 'Content-Type: application\/json' -d'\n{\n  \"type\": \"fs\",\n  \"settings\": {\n    \"location\": \"\/backup\/opensearch\"\n  }\n}'\n\n# Take a snapshot of all indices\ncurl -X PUT \"localhost:9200\/_snapshot\/backup_repo\/snapshot-$(date +%Y%m%d)?wait_for_completion=true\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Part 8: Troubleshooting<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Check Graylog Logs<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tail -f \/var\/log\/graylog-server\/server.log\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check if Logs are Being Received<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># On Graylog server: watch for inbound syslog traffic\nsudo tcpdump -i any -n port 1514\n\n# On MTA server: test connectivity without installing telnet (bash \/dev\/tcp builtin)\ntimeout 3 bash -c 'cat &lt; \/dev\/null &gt; \/dev\/tcp\/GRAYLOG_SERVER_IP\/1514' &amp;&amp; echo \"port 1514 open\"\n\n# On MTA server: look for forwarding errors (Option A) or test the Beats output (Option B)\nsudo journalctl -u rsyslog -n 50\nsudo filebeat test output\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify Services are Running<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl status mongod\nsudo systemctl status opensearch\nsudo systemctl status graylog-server\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check OpenSearch Health<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -X GET \"localhost:9200\/_cluster\/health?pretty\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Common Issues<\/h3>\n\n\n\n<p><strong>Issue:<\/strong> Graylog web interface not accessible<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Check firewall rules, verify http_bind_address in config<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue:<\/strong> No logs appearing in Graylog<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Check input status, verify MTA can reach Graylog port, check rsyslog\/filebeat logs<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue:<\/strong> Messages arrive but do not show up in the Postfix stream<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Confirm the stream is started; the <code>application_name<\/code> rule only matches messages from the Syslog input, so Beats messages need a rule on the Filebeat fields<\/li>\n<\/ul>\n\n\n\n<p><strong>Issue:<\/strong> High memory usage<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Solution:<\/strong> Reduce JVM heap sizes, configure index retention, add more RAM<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 
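class=\"wp-block-heading\">Worked Example: Checking the Extractor Patterns and Searches Offline<\/h2>\n\n\n\n<p>The script below is an added example; it is not part of the original guide and not Graylog's own code. It runs the Part 4 field patterns (queue ID, from, to, status, size) and the Part 6 searches (bounced deliveries, relay denials, SASL authentication failures, oversized messages) against a few constructed Postfix log lines, so the regexes can be checked on an MTA before they are typed into Graylog. Graylog's regex extractor keeps the first capture group; <code>extract<\/code> emulates that with <code>sed -E<\/code>, which is POSIX ERE, so the page's <code>\\d<\/code> and <code>(?:...)<\/code> are written as <code>[0-9]<\/code> and a plain group. Host names, addresses, IPs and queue IDs in the sample are made up, and the second MTA is assumed to run with <code>enable_long_queue_ids = yes<\/code> so that the mixed-case queue ID form is exercised as well.<\/p>\n\n\n\n
```shell
#!/usr/bin/env bash
# Added example (not from the original guide): run the Part 4 extractor
# patterns and the Part 6 searches against constructed Postfix log lines so
# the regexes can be checked before they are typed into Graylog.
# Graylog's regex extractor keeps the first capture group; extract() emulates
# that with sed -E (POSIX ERE), so \d and (?:...) become [0-9] and a plain group.
set -eu

# Constructed sample lines: hosts, IPs, addresses and queue IDs are made up.
# mta2 is assumed to run with enable_long_queue_ids = yes, so its queue ID is
# the long mixed-case form rather than the classic hexadecimal one.
SAMPLE_LOG='Nov  9 23:10:02 mta1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<x>
Nov  9 23:10:05 mta1 postfix/smtpd[1201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  9 23:11:00 mta1 postfix/qmgr[900]: 4B2F1C0A12: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Nov  9 23:11:01 mta1 postfix/smtp[1305]: 4B2F1C0A12: to=<bob@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov  9 23:12:00 mta2 postfix/qmgr[901]: 4SrKzq2Tvbz3xK1: from=<carol@example.com>, size=12582912, nrcpt=1 (queue active)
Nov  9 23:12:03 mta2 postfix/smtp[1400]: 4SrKzq2Tvbz3xK1: to=<dave@example.net>, relay=none, delay=3, delays=3/0/0/0, dsn=5.1.1, status=bounced (unknown user)'

# extract ERE LINE: print capture group 1 of ERE, or nothing when it does not match.
extract() {
  printf '%s\n' "$2" | sed -E -n 's#.*'"$1"'.*#\1#p'
}

# Field extractors from Part 4. The queue-ID pattern accepts the classic hex
# form and Postfix long queue IDs; a bare [A-F0-9]+ would miss the latter.
postfix_queue_id() { extract 'postfix/[a-z-]+[[][0-9]+[]]: ([0-9A-F]{6,}|[0-9A-Za-z]{12,}):' "$1"; }
mail_from()        { extract 'from=<([^>]*)>' "$1"; }
mail_to()          { extract 'to=<([^>]*)>' "$1"; }
delivery_status()  { extract 'status=([a-z]+)' "$1"; }
mail_size()        { extract 'size=([0-9]+)' "$1"; }
# Client IP of a failed SASL login, for the Part 6 "authentication failed" search.
sasl_fail_client() { extract '[[]([0-9.]+)[]]: SASL [A-Z0-9-]+ authentication failed' "$1"; }

# Whole-log checks mirroring the Part 6 searches.
count_status() {        # count_status bounced  ->  number of bounced deliveries
  printf '%s\n' "$SAMPLE_LOG" | grep -c "status=$1" || true
}
count_relay_denied() {  # phrase match, no wildcards needed
  printf '%s\n' "$SAMPLE_LOG" | grep -c 'Relay access denied' || true
}
large_messages() {      # queue IDs of messages over 10 MiB (relies on the numeric size field)
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    s=$(mail_size "$line")
    if [ -n "$s" ] && [ "$s" -gt 10485760 ]; then postfix_queue_id "$line"; fi
  done
}

# Demo: one row of extracted fields per log line, as Graylog would store them.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
  printf 'queue_id=%s from=%s to=%s status=%s size=%s sasl_fail_client=%s\n' \
    "$(postfix_queue_id "$line")" "$(mail_from "$line")" "$(mail_to "$line")" \
    "$(delivery_status "$line")" "$(mail_size "$line")" "$(sasl_fail_client "$line")"
done
printf 'bounced=%s sent=%s relay_denied=%s large=%s\n' \
  "$(count_status bounced)" "$(count_status sent)" "$(count_relay_denied)" "$(large_messages | tr '\n' ' ')"
```
\n\n\n\n<p>Run it with <code>bash check_postfix_patterns.sh<\/code> (the file name is arbitrary). It prints one row of extracted fields per log line, then the counts. The rejected message and the SASL warning yield no queue ID and no status, which is the expected behaviour for the extractors: those lines are found through the phrase searches instead, and the long queue ID from mta2 only appears because the pattern accepts the non-hex form.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 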
class=\"wp-block-heading\">Summary<\/h2>\n\n\n\n<p>You now have:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 Central Graylog server collecting logs from multiple MTAs<\/li>\n\n\n\n<li>\u2705 Real-time log analysis and search capabilities<\/li>\n\n\n\n<li>\u2705 A daily e-mailed event summary<\/li>\n\n\n\n<li>\u2705 Custom dashboards for mail traffic visualization<\/li>\n\n\n\n<li>\u2705 Index rotation with a 30-day retention policy (archiving to cold storage is a Graylog Enterprise feature)<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Fine-tune extractors for your specific Postfix configuration<\/li>\n\n\n\n<li>Create additional dashboards for different reporting needs<\/li>\n\n\n\n<li>Set up alerting for critical events (queue buildups, high bounce rates, bursts of SASL authentication failures from one client)<\/li>\n\n\n\n<li>Configure TLS for log transmission and for the web interface; as set up here, syslog, Beats and the HTTP login are all clear text<\/li>\n\n\n\n<li>Implement user access controls for team members<\/li>\n<\/ol>\n\n\n\n<p><strong>Documentation Resources:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Graylog Official Docs: https:\/\/docs.graylog.org\/<\/li>\n\n\n\n<li>Postfix configuration parameters (enable_long_queue_ids, maillog_file): http:\/\/www.postfix.org\/postconf.5.html<\/li>\n\n\n\n<li>OpenSearch Docs: https:\/\/opensearch.org\/docs\/<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Architecture Overview This guide sets up: Part 1: Install Graylog Server (Central Server) System Requirements Step 1: Update System and Install Prerequisites Step 2: Install MongoDB name=MongoDB Repository baseurl=https:\/\/repo.mongodb.org\/yum\/redhat\/\\$releasever\/mongodb-org\/6.0\/x86_64\/ gpgcheck=1 enabled=1 gpgkey=https:\/\/www.mongodb.org\/static\/pgp\/server-6.0.asc EOF # Install MongoDB sudo dnf install -y mongodb-org # Enable and start MongoDB sudo systemctl daemon-reload sudo systemctl enable mongod sudo systemctl 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,13,21,12],"tags":[],"class_list":["post-3062","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","category-operating-systems","category-tutorials"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/3062","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3062"}],"version-history":[{"count":2,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/3062\/revisions"}],"predecessor-version":[{"id":3064,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/3062\/revisions\/3064"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3062"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3062"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3062"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}