This brief tutorial shows students and new users how to install Graylog on Ubuntu 18.04 | 16.04.
Graylog is open source log management software that provides monitoring and analytics across network systems from a centralized server. It helps you monitor, search and analyze large amounts of data (especially in larger environments) and presents it in a simple format that you can easily read and digest.
The steps below show you how to install MongoDB to store Graylog's data, Elasticsearch to enable searching of the stored data, and the Graylog server itself to parse the logs so they can easily be read and digested.
For more about Graylog, please visit its homepage.
To get started with installing Graylog, please follow the steps below:
Step 1: Install OpenJDK
In order to run Elasticsearch, you must have Java installed, because Elasticsearch is Java-based software.
To install the open source version of Java, run the commands below:
sudo apt update
sudo apt-get install openjdk-8-jre-headless apt-transport-https uuid-runtime dirmngr
After installing Java, the commands below can be used to verify whether Java is installed.
java -version
You should see similar output as below:
Output:
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~18.04-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
That’s how to install OpenJDK on Ubuntu.
Step 2: Install Elasticsearch
To run Graylog, you will need to install Elasticsearch.
Now that OpenJDK 8 is installed, run the commands below to add Elasticsearch GPG key by importing it…
wget -qO - | sudo apt-key add -
After importing its GPG key, run the commands below to add its package repository to Ubuntu…
sudo sh -c 'echo "deb stable main" > /etc/apt/sources.list.d/elastic-6.x.list'
At the time of writing this post, Elasticsearch version 6.6.1 is the latest… If you prefer previous versions, you will have to update the repository package list to include previous packages…
Once the Elasticsearch repository is added and enabled, run the commands below to update apt package list and install Elasticsearch…
sudo apt update
sudo apt install elasticsearch
After installing Elasticsearch package, you can use the commands below to make sure it automatically starts up when the server boots up and start it immediately…
sudo systemctl start elasticsearch.service
sudo systemctl enable elasticsearch.service
To check the status of Elasticsearch, run the commands below:
sudo systemctl status elasticsearch.service
It should display something similar to the lines below:
elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-27 18:03:04 CST; 20s ago
Docs:
Main PID: 4524 (java)
Tasks: 52 (limit: 4666)
CGroup: /system.slice/elasticsearch.service
├─4524 /usr/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Des.networkaddres
└─4588 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
Feb 27 18:03:04 ubuntu1804 systemd[1]: Started Elasticsearch.
Feb 27 18:03:04 ubuntu1804 elasticsearch[4524]: warning: Falling back to java on path. This behavior is deprecated. Specify JAVA_HOME
Elasticsearch should be installed and ready to use…
Out of the box, there is no authentication and anyone who can reach the HTTP port can use its API… It also only listens for traffic on localhost, via port 9200.
If you're running a single-host server and the client connects from the same server, then no configuration is required… If the clients will be connecting from remote systems, then you'll want to allow external clients…
To do that, open the elasticsearch.yml configuration file:
sudo nano /etc/elasticsearch/elasticsearch.yml
You’ll want to set the cluster name shown in the configuration file to graylog.
Then search for the line that contains network.host, un-comment it, and change its value to 0.0.0.0
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: graylog
#
# Use a descriptive name for the node:
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
Save the file and exit.
Restart Elasticsearch service by running the commands below.
sudo systemctl restart elasticsearch.service
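The two edits above are easy to get wrong by hand (a commented `#network.host` left next to a new active one makes Elasticsearch refuse to start on the duplicate key), and binding to 0.0.0.0 on a 6.x node that has no authentication is the security decision in this step. The script below is an added example, not part of the original post or of the Elasticsearch project: it applies `cluster.name` and `network.host` idempotently and then reports whether the HTTP API on port 9200 is now reachable beyond localhost. The function names, the constructed sample file and the 1-line `grep` at the end are mine; `/etc/elasticsearch/elasticsearch.yml` is the path the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotently apply the two
# elasticsearch.yml changes from Step 2, then report whether the result
# leaves the unauthenticated HTTP API reachable beyond localhost.

# Write a constructed stand-in for the stock elasticsearch.yml (same commented
# layout as the real file, trimmed) so the block runs without touching /etc.
es_sample_config() {
    cat > "$1" <<'EOF'
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
EOF
}

# es_set_option FILE KEY VALUE: set "KEY: VALUE" exactly once. An active line is
# replaced in place; otherwise the first commented "#KEY:" line is uncommented;
# otherwise the setting is appended. The first pass over the file only records
# whether an active line exists, so a commented copy is never uncommented next
# to it (duplicate YAML keys stop Elasticsearch from starting).
es_set_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        FNR == 1 { pass++ }
        { s = $0; sub(/^[[:space:]]*/, "", s); is_active = (index(s, k ":") == 1) }
        pass == 1 { if (is_active) active = 1; next }
        {
            sub(/^#[[:space:]]*/, "", s)
            is_comment = !is_active && (index(s, k ":") == 1)
            if (!done && ((active && is_active) || (!active && is_comment))) { print k ": " v; done = 1 }
            else print
        }
        END { if (!done) print k ": " v }
    ' "$file" "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    # "cat >" keeps the original file's owner and mode (root:elasticsearch 660).
}

# es_get_option FILE KEY: print the active value of KEY (empty if unset).
es_get_option() {
    awk -v k="$2" '
        { s = $0; sub(/^[[:space:]]*/, "", s) }
        index(s, k ":") == 1 { sub(/^[^:]*:[[:space:]]*/, "", s); print s; exit }
    ' "$1"
}

# es_bind_check FILE: exit 0 when the HTTP API stays on loopback, 1 when it is
# reachable from other hosts. Elasticsearch 6.x as installed here has no
# authentication, so 0.0.0.0 should go with a firewall rule that limits
# TCP 9200 to the Graylog node(s).
es_bind_check() {
    host=$(es_get_option "$1" network.host)
    case "${host:-127.0.0.1}" in
        127.0.0.1|localhost|_local_|::1)
            echo "network.host=${host:-unset}: loopback only"; return 0 ;;
        *)
            echo "network.host=$host: reachable beyond localhost, restrict TCP 9200 with a firewall"; return 1 ;;
    esac
}

# Demo on the constructed sample. Run as root with
#   ES_YML=/etc/elasticsearch/elasticsearch.yml sh es-config.sh
# to apply the same edits to the real file.
ES_YML=${ES_YML:-$(mktemp)}
[ -s "$ES_YML" ] || es_sample_config "$ES_YML"
es_set_option "$ES_YML" cluster.name graylog
es_set_option "$ES_YML" network.host 0.0.0.0
grep -E '^(cluster\.name|network\.host):' "$ES_YML"
es_bind_check "$ES_YML" || true
```

Re-running the script is safe: a second run rewrites the same two active lines instead of appending or uncommenting more copies. After editing the real file, restart Elasticsearch as the post shows and confirm with `ss -ltn` that port 9200 is bound where you expect.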
Step 3: Install MongoDB
At this point, you should have Java and Elasticsearch installed. Now you need MongoDB.
To install MongoDB, run the commands below to add its repository key to Ubuntu.
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
After adding the key, run the commands below to add a repository for Ubuntu 18.04.
echo "deb [ arch=amd64 ] bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
For Ubuntu 16.04, run the commands below instead:
echo "deb [ arch=amd64,arm64 ] xenial/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
Now that the repository and key have been added to Ubuntu, run the commands below to install the package.
sudo apt update
sudo apt install mongodb-org
After installing MongoDB, the commands below can be used to stop, start and enable MongoDB so that it starts automatically when the system boots up.
sudo systemctl stop mongod.service
sudo systemctl start mongod.service
sudo systemctl enable mongod.service
By default, MongoDB listens on port 27017. After installing, the local server should be able to communicate with MongoDB. To verify whether MongoDB is running and active, run the commands below:
sudo systemctl status mongod
You should see MongoDB service status page.
mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-27 18:07:55 CST; 12s ago
Docs:
Main PID: 6273 (mongod)
CGroup: /system.slice/mongod.service
└─6273 /usr/bin/mongod --config /etc/mongod.conf
Feb 27 18:07:55 ubuntu1804 systemd[1]: Started MongoDB Database Server.
That’s how to install MongoDB.
Step 4: Install Graylog
You're now finally ready to install Graylog. Java, Elasticsearch and MongoDB are installed and configured.
Run the commands below to download and install Graylog version 3.x.
cd /tmp
wget
sudo dpkg -i graylog-3.0-repository_latest.deb
sudo apt update
sudo apt install graylog-server
After the installation, you should see a message as shown below:
###############################################################################
Graylog does NOT start automatically!
Please run the following commands if you want to start Graylog automatically on system boot:
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
################################################################################
Next, you'll need to set a passphrase or secret to protect your server. You will want this to be a very strong passphrase.
If you don't have pwgen installed, you'll want to install it to generate a password of at least 64 characters.
sudo apt install pwgen
Then run the commands below to generate a password to use in the config file below:
pwgen -N 1 -s 96
Copy the output password and use it as your password_secret in the config file.
hFvp8sWsnNgYa0WuS6ZFkq8aFfQ5tGLBrqSyhvFMTpC1DX1jGsCgzBpi02J6WVlhJN4JiF2Xi9R42q43bpvxaEJCPgAGUvB3
You’ll also want to generate a hash value of your password. Run the commands below to convert your admin password into a hash value.
Replace your_password_here with your admin password.
echo -n your_password_here | shasum -a 256
It should output a line similar to the one below:
af65fdd1457c6e3136a14c6b3338fce31181ceaa7efb51c40a86d436fb06dafdf39234
Copy it and use it as your root_password_sha2 in the config file.
Open Graylog server configuration and type in your secret passphrase as shown below:
sudo nano /etc/graylog/server/server.conf
Update the password_secret and root_password_sha2 lines shown below with your secret and hash, then save the file.
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
password_secret = hFvp8sWsnNgYa0WuS6ZFkq8aFfQ5tGLBrqSyhvFMTpC1DX1jGsCgzBpi02J6WVlhJN4JiF2Xi9R42q43bpvxaEJCPgAGUvB3

# The default root user is named 'admin'
#root_username = admin

# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = af65fdd1457c6e3136a14c6b3338fce31181ceaa7efb51c40a86d436fb06dafdf39234

# The email address of the root user.
Besides the settings above, also include these in the config file.
root_email = "[email protected]"
http_bind_address = 127.0.0.1:9000
You can also configure other Elasticsearch settings in the file that suit your environment.
Save the file and exit, then restart Graylog server.
sudo systemctl restart graylog-server
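The secret and hash steps above fail silently when something is pasted wrong: a hash that is not exactly 64 hex characters, or one computed from a password with a trailing newline, simply means the admin login never works, and a short password_secret weakens every stored user password. The script below is an added example, not part of the original post or of the Graylog project. It generates the secret the same way the post does (pwgen -N 1 -s 96, with a /dev/urandom fallback), hashes the admin password without the newline that a bare echo would add, and checks a server.conf before you restart. The function names and the constructed sample configuration are mine; `/etc/graylog/server/server.conf` and the default `http_bind_address = 127.0.0.1:9000` are from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: generate password_secret, hash
# the admin password for root_password_sha2, and sanity-check a server.conf
# before restarting graylog-server.

# Hex SHA-256 of a string with no trailing newline (the post's
# "echo -n ... | shasum -a 256"; printf '%s' is the portable form).
# Falls back to shasum or openssl where sha256sum is not installed.
gl_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# 96-character alphanumeric secret: pwgen -N 1 -s 96 as in the post, or the
# same thing drawn from /dev/urandom when pwgen is absent.
gl_gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96; echo
    fi
}

# password_secret must be at least 64 characters (per the server.conf comment).
gl_check_secret() { [ "${#1}" -ge 64 ]; }

# root_password_sha2 must be a complete SHA-256 digest: exactly 64 lowercase
# hex characters. Anything else is a truncated or mis-pasted hash.
gl_check_hash() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; }

# gl_get_option FILE KEY: active value of "KEY = VALUE" (commented keys ignored).
gl_get_option() {
    awk -v k="$2" -F' *= *' '$1 == k { print $2; exit }' "$1"
}

# gl_sample_conf FILE SECRET HASH: constructed minimal server.conf for the demo.
gl_sample_conf() {
    cat > "$1" <<EOF
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = $2
#root_username = admin
root_password_sha2 = $3
root_email = "admin@example.invalid"
http_bind_address = 127.0.0.1:9000
EOF
}

# gl_check_conf FILE: exit 1 on a weak secret or malformed hash; also say
# whether the web interface/API is bound beyond loopback.
gl_check_conf() {
    ok=0
    secret=$(gl_get_option "$1" password_secret)
    hash=$(gl_get_option "$1" root_password_sha2)
    bind=$(gl_get_option "$1" http_bind_address)
    gl_check_secret "$secret" || { echo "password_secret: need >= 64 chars, got ${#secret}"; ok=1; }
    gl_check_hash "$hash" || { echo "root_password_sha2: not a 64-char hex SHA-256 digest"; ok=1; }
    case "$bind" in
        127.0.0.1:*|localhost:*|"") echo "http_bind_address=${bind:-default}: loopback only" ;;
        *) echo "http_bind_address=$bind: reachable from other hosts, put TLS and a firewall in front" ;;
    esac
    return $ok
}

# Demo on a constructed file. Run
#   GRAYLOG_CONF=/etc/graylog/server/server.conf sh graylog-conf-check.sh
# (as root) to check the real configuration before restarting.
CONF=${GRAYLOG_CONF:-$(mktemp)}
[ -s "$CONF" ] || gl_sample_conf "$CONF" "$(gl_gen_secret)" "$(gl_sha256 'change-me-at-first-login')"
if gl_check_conf "$CONF"; then echo "$CONF: ok"; fi
```

To produce the two values for the real file, run `gl_gen_secret` and `gl_sha256 'your_password_here'` and paste the outputs into password_secret and root_password_sha2; the check function then tells you whether the file is consistent before `systemctl restart graylog-server`.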
To check the status of Graylog service, run the commands below:
sudo systemctl status graylog-server
It should output something similar to the lines below:
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-27 18:14:40 CST; 13s ago
Docs:
Main PID: 8163 (graylog-server)
Tasks: 86 (limit: 4666)
CGroup: /system.slice/graylog-server.service
├─8163 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─8164 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEn
Feb 27 18:14:40 ubuntu1804 systemd[1]: Stopped Graylog server.
Feb 27 18:14:40 ubuntu1804 systemd[1]: Started Graylog server.
Finally, open your browser and type the server hostname or IP address defined in the configuration file above, followed by port # 9000
You should then see Graylog server portal. Login with the default admin username and the password created above.
Begin setting up your environment
Graylog nodes accept data via inputs. Launch or terminate as many inputs as you want from the System –> Inputs Page.
The first step is to create an input. Inputs define the method by which Graylog collects logs. Out of the box, Graylog supports multiple methods to collect logs, including:
- Syslog (TCP, UDP, AMQP, Kafka)
- GELF(TCP, UDP, AMQP, Kafka, HTTP)
- AWS – AWS Logs, FlowLogs, CloudTrail
- Beats/Logstash
- CEF (TCP, UDP, AMQP, Kafka)
- JSON Path from HTTP API
- Netflow (UDP)
- Plain/Raw Text (TCP, UDP, AMQP, Kafka)
To create an input, open the System –> Inputs page from the top menu, click the arrow in the drop-down field, select your input type and click the green button labeled Launch new input.
Usually, the default settings are correct, but you may change any that you wish. Some input types may require authentication or other information specific to that source.
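Once an input is launched, the quickest way to confirm it actually receives data is to send one known message and search for it. The script below is an added example, not part of the original post or of the Graylog project: it builds a minimal GELF 1.1 payload (one of the input types listed above) and sends it as a single UDP datagram to a GELF UDP input. The function names, the `_check` custom field and the 1400-byte size guard are my choices; 12201 is Graylog's default GELF UDP port, and the `nc` invocation assumes a netcat that accepts `-u -w1`.

```shell
#!/bin/sh
# Added example, not part of the original post: build a minimal GELF 1.1
# message and send it to a GELF UDP input so a new input can be verified
# end to end from the Graylog search page.

# Escape backslashes and double quotes so a value is a valid JSON string.
gelf_json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# gelf_message HOST SHORT_MESSAGE [LEVEL]: GELF 1.1 payload. "version", "host"
# and "short_message" are the required fields; "level" is the syslog severity
# (6 = informational); keys starting with "_" are custom fields that Graylog
# indexes as-is. Refuses payloads over 1400 characters because this helper does
# not implement GELF UDP chunking (a conservative limit chosen here, not a
# protocol constant).
gelf_message() {
    host=$(gelf_json_escape "$1")
    short=$(gelf_json_escape "$2")
    level=${3:-6}
    msg="{\"version\":\"1.1\",\"host\":\"$host\",\"short_message\":\"$short\",\"level\":$level,\"_check\":\"graylog-install\"}"
    if [ "${#msg}" -gt 1400 ]; then
        echo "gelf_message: payload too large for one unchunked UDP datagram" >&2
        return 1
    fi
    printf '%s' "$msg"
}

# gelf_send GRAYLOG_HOST PORT JSON: one UDP datagram, via nc when present,
# otherwise via bash's /dev/udp pseudo-device.
gelf_send() {
    if command -v nc >/dev/null 2>&1; then
        printf '%s' "$3" | nc -u -w1 "$1" "$2"
    else
        bash -c 'printf "%s" "$3" > "/dev/udp/$1/$2"' _ "$1" "$2" "$3"
    fi
}

# Demo: build the payload and print it; send it only when GRAYLOG_HOST is set:
#   GRAYLOG_HOST=127.0.0.1 GRAYLOG_PORT=12201 sh gelf-check.sh
ME=${HOSTNAME:-$(hostname 2>/dev/null || echo localhost)}
MSG=$(gelf_message "$ME" "graylog input check from $ME")
echo "$MSG"
if [ -n "${GRAYLOG_HOST:-}" ]; then
    gelf_send "$GRAYLOG_HOST" "${GRAYLOG_PORT:-12201}" "$MSG"
fi
```

After sending, search for `_check:graylog-install` in the Graylog web interface; if nothing arrives, check that the input is running, that UDP 12201 is open on the host firewall, and that the input's bind address matches the interface the datagram reaches.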
Conclusion:
This post showed you how to install Graylog server on Ubuntu 18.04 | 16.04. If you find any error above, please use the form below to report it.
Thanks,