Graylog is an open-source log management platform that provides monitoring and analytics across network systems from a centralized server. It helps you monitor, search and analyze vast amounts of data (especially in larger environments) and presents them in a simple format that you can easily read and digest. The steps below show how to install MongoDB to store Graylog's data, Elasticsearch to enable searching of the stored data, and the Graylog server itself to parse the logs so they can be easily read and digested. For more about Graylog, please visit its homepage. To get started with installing Graylog, follow the steps below:

Install OpenJDK

To run Elasticsearch, you must have Java installed, because Elasticsearch is Java-based software. To install the open-source version of Java (OpenJDK), run the commands below:

After installing Java, the commands below can be used to verify that Java is installed:

You should see output similar to the lines below:

That's how to install OpenJDK on Ubuntu.

Install Elasticsearch

To run Graylog, you will need to install Elasticsearch. Now that OpenJDK 8 is installed, run the commands below to import the Elasticsearch GPG key:

After importing its GPG key, run the command below to add its package repository to Ubuntu:

sudo sh -c 'echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" > /etc/apt/sources.list.d/elastic-6.x.list'

At the time of writing this post, Elasticsearch version 6.6.1 is the latest. If you prefer a previous version, you will have to update the repository package list to include the previous packages.

Once the Elasticsearch repository is added and enabled, run the commands below to update the apt package list and install Elasticsearch:

After installing the Elasticsearch package, use the commands below to make sure it starts automatically when the server boots and to start it immediately:

To check the status of Elasticsearch, run the commands below:

It should display something similar to the lines below:

Elasticsearch should now be installed and ready to use. Out of the box, there is no authentication, and anyone who can reach its HTTP port can access it; the only thing limiting that exposure is that it listens only on localhost, port 9200. If you are running a single-host server and the client connects from the same server, no configuration is required. If clients will connect from remote systems, you will need to allow external clients. Keep in mind that doing so exposes the unauthenticated Elasticsearch API to every host that can reach port 9200, so make sure only trusted hosts can reach it. To allow external clients, open the elasticsearch.yml configuration file:

Set the cluster name in the configuration file to Graylog. Then find the line containing network.host, uncomment it, and change its value to 0.0.0.0. Save the file and exit. Restart the Elasticsearch service by running the command below:

sudo systemctl restart elasticsearch.service

Install MongoDB

At this point, you should have Java and Elasticsearch installed. Now you need MongoDB. To install MongoDB, run the commands below to add its repository key to Ubuntu:

After adding the key, run the commands below to add the repository for Ubuntu 18.04:

For Ubuntu 16.04, run the commands below instead:

Now that the repository and key have been added to Ubuntu, run the commands below to install the package:

After installing MongoDB, the commands below can be used to stop, start, and enable MongoDB so that it starts automatically when the system boots:

By default, MongoDB listens on port 27017; after installation, the local server should be able to communicate with it. To verify that MongoDB is running and active, run the commands below:

You should see the MongoDB service status page. That's how to install MongoDB.

Install Graylog

You are now finally ready to install Graylog; Java, Elasticsearch, and MongoDB are installed and configured. Run the commands below to download and install Graylog version 3.x:

After the installation, you should see a message as shown below:

Next, you will need to set a passphrase (secret) to protect your server. This should be a very strong passphrase. If you do not have pwgen installed, install it so you can generate a 64-character password. Then run the commands below to generate the password used in the config file below:

Copy the output and use it as your password_secret in the config file.

You will also want to generate a hash of your admin password. Run the commands below to convert your admin password into a SHA-256 hash value, replacing your_password_here with your admin password:

It should output a line similar to the one below:

Copy it and use it as your root_password_sha2 in the config file.

Open the Graylog server configuration and enter your secret passphrase as shown below:

Update the password_secret and root_password_sha2 lines with the values generated above and save the file. Besides the settings above, also include these in the config file:

You can also configure other Elasticsearch settings in the file to suit your environment. Save the file and exit, then restart the Graylog server.

To check the status of the Graylog service, run the commands below:

It should output something similar to the lines below:

Finally, open your browser and enter the server hostname or IP address defined in the configuration file above, followed by port 9000. You should then see the Graylog server portal. Log in with the default admin username and the password created above.

Begin setting up your environment

Graylog nodes accept data via inputs. Launch or terminate as many inputs as you want from the System -> Inputs page. The first step is to create an input. Inputs define the method by which Graylog collects logs. Out of the box, Graylog supports multiple methods to collect logs, including:

Syslog (TCP, UDP, AMQP, Kafka)
GELF (TCP, UDP, AMQP, Kafka, HTTP)
AWS (AWS Logs, FlowLogs, CloudTrail)
Beats/Logstash
CEF (TCP, UDP, AMQP, Kafka)
JSON Path from HTTP API
Netflow (UDP)
Plain/Raw Text (TCP, UDP, AMQP, Kafka)

To create an input, open the System -> Inputs page in the top menu, click the arrow in the drop-down field, select your input type and click the green button labeled Launch new input. Usually, the default settings are correct, but you may change any that you wish. Some input types may require authentication or other information specific to that source.

Conclusion

This post showed you how to install the Graylog server on Ubuntu 18.04 | 16.04.
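The Elasticsearch edits (cluster name, network.host) and the Graylog secrets (password_secret, root_password_sha2) from the steps above, as an added shell script that is not part of the original post: it applies each setting idempotently to the file you name (use a copy for a dry run) and refuses a server.conf whose secrets are missing or too short. set_conf_key, configure_elasticsearch, configure_graylog and check_graylog_conf are names chosen here, and the http_bind_address and elasticsearch_hosts lines are assumed stand-ins for the extra settings the post does not show.

```shell
# Added example, not code from the original post. Applies the post's
# elasticsearch.yml and Graylog server.conf edits idempotently and checks them.
# set_conf_key FILE KEY SEP VALUE: replace an existing (even commented-out)
# "KEY..." line with "KEY<SEP>VALUE", or append the line if KEY is absent.
set_conf_key() {
    file=$1; key=$2; sep=$3; value=$4
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[#[:space:]]*${esc_key}[[:space:]]*[:=]" "$file"; then
        sed "s|^[#[:space:]]*${esc_key}[[:space:]]*[:=].*|${key}${sep}${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}
# root_password_sha2 PASSWORD: SHA-256 hex digest of the admin password.
root_password_sha2() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# password_secret: 64-character secret; pwgen as in the post, else /dev/urandom.
password_secret() {
    if command -v pwgen >/dev/null 2>&1; then pwgen -N 1 -s 64
    else LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64; echo; fi
}

# configure_elasticsearch FILE [HOST]: cluster name from the post, and
# network.host only widened to 0.0.0.0 when remote clients really need it,
# because Elasticsearch 6.x answers on port 9200 with no authentication.
configure_elasticsearch() {
    set_conf_key "$1" cluster.name ': ' graylog
    set_conf_key "$1" network.host ': ' "${2:-127.0.0.1}"
}

# configure_graylog FILE ADMIN_PASSWORD: the two secrets the post generates.
# http_bind_address and elasticsearch_hosts are assumed here for the post's
# elided "also include these" settings (web UI on 9000, local Elasticsearch).
configure_graylog() {
    set_conf_key "$1" password_secret ' = ' "$(password_secret)"
    set_conf_key "$1" root_password_sha2 ' = ' "$(root_password_sha2 "$2")"
    set_conf_key "$1" http_bind_address ' = ' 0.0.0.0:9000
    set_conf_key "$1" elasticsearch_hosts ' = ' http://127.0.0.1:9200
}
# check_graylog_conf FILE: fail before restart if a secret is missing or weak.
check_graylog_conf() {
    secret=$(sed -n 's/^password_secret = //p' "$1")
    hash=$(sed -n 's/^root_password_sha2 = //p' "$1")
    [ "${#secret}" -ge 64 ] || { echo "password_secret is shorter than 64 characters" >&2; return 1; }
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
}
```

Run configure_elasticsearch and configure_graylog against copies of the real files first, diff the result, and only then copy them into place and restart the services.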