Graylog is an open source log management platform. A deployment consists of three parts: Elasticsearch (stores and searches the logs), MongoDB (stores Graylog's configuration and metadata) and the Graylog server itself. Graylog lets you search and analyze logs, both standard formats and custom ones, and raise alerts when something in the logs looks wrong.
In this article we will install Graylog 4.1 on Ubuntu. You need a root account or an account with sudo privileges; the commands below are shown as run by root, so prefix them with sudo if you are not.
Update your system packages first:
apt update
apt upgrade
Then install the prerequisites, including the Java 11 runtime Graylog runs on:
apt install -y apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen curl dirmngr
Verify the installed Java version with the following command:
java -version
We will install Elasticsearch, which Graylog uses to store and search the logs collected from your machines. Graylog 4.1 supports Elasticsearch 6.8 and 7.x up to 7.10; the OSS 7.x repository used below ends at 7.10.2, so it installs a supported version.
Download and install the Elasticsearch GPG key. (apt-key is deprecated on newer Ubuntu releases; if yours refuses it, store the key in a keyring file and reference it with a signed-by option in the repository line instead.)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Add the Elasticsearch OSS 7.x repository to the apt sources:
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Then install Elasticsearch:
apt update
apt install -y elasticsearch-oss
Set the cluster name for Graylog in Elasticsearch. Open the Elasticsearch configuration file:
nano /etc/elasticsearch/elasticsearch.yml
Uncomment the line "#cluster.name: my-application" by removing the # at the start of the line and replace my-application with graylog. Then add the following line, which stops Elasticsearch from creating indices on its own (Graylog creates and rotates its indices itself):
action.auto_create_index: false
Leave network.host unchanged: by default Elasticsearch listens only on localhost, which is what you want here, because the OSS build has no authentication and Graylog on the same host reaches it over the loopback address.
Reload systemd, then start and enable the Elasticsearch service and check that it is running:
systemctl daemon-reload
systemctl start elasticsearch.service
systemctl enable elasticsearch.service
systemctl status elasticsearch.service
Elasticsearch listens on port 9200; use curl to verify that it responds (the reply is a JSON document with the cluster name and version):
curl -X GET http://localhost:9200
Now we install MongoDB, which Graylog uses to store its configuration and metadata, so it is required. Graylog 4.1 supports MongoDB up to 4.4. The repository line below is for Ubuntu 20.04 (focal); on another release use that release's codename. Use the following commands:
apt update
apt install dirmngr gnupg apt-transport-https ca-certificates software-properties-common
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
add-apt-repository 'deb [arch=amd64] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse'
apt update
apt install -y mongodb-org
Start and enable MongoDB, then check that it is running:
systemctl start mongod.service
systemctl enable mongod.service
systemctl status mongod.service
Install Graylog:
Download and install the Graylog 4.1 repository package:
wget https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.deb
dpkg -i graylog-4.1-repository_latest.deb
Now install the Graylog server:
apt update
apt install -y graylog-server
Graylog server is installed. Now we configure it. First generate a password_secret: Graylog uses it to encrypt stored credentials and to sign user sessions, so it must be at least 16 characters long, must be kept private, and must be identical on every node of a cluster. The command below prints one random 96-character string:
pwgen -N 1 -s 96
Open the Graylog configuration file:
nano /etc/graylog/server/server.conf
Locate the line beginning with "password_secret" and paste the generated string after the = sign.
Do not add rest_listen_uri or web_listen_uri lines such as http://192.168.189.129:9000/api/ and http://192.168.189.129:9000/. Those settings belong to Graylog 2.x and are no longer valid in 3.0 and later; Graylog 4.1 uses http_bind_address instead (plus http_publish_uri or http_external_uri only when the address other nodes or browsers reach Graylog on differs from the bound one). The default elasticsearch_hosts value of http://127.0.0.1:9200 already points at the local Elasticsearch installed above. Save and quit the file.
Next, set the password of the built-in administrator (root_username, which defaults to admin). Graylog stores it as a SHA-256 hash in root_password_sha2. Hash your chosen password with:
echo -n admin | sha256sum
Replace admin with the password you actually want; do not keep admin. The -n matters: without it the trailing newline would be hashed too and the login would never match. Because a literal password on the command line is saved in your shell history, consider reading it into a variable from a prompt first and hashing that instead. sha256sum prints the hash followed by a space and a dash; copy only the 64 hex characters into the line "root_password_sha2 = " in /etc/graylog/server/server.conf. Save and quit the file.
Before starting the service, set the address Graylog listens on. In the same file, uncomment the http_bind_address line:
http_bind_address = 0.0.0.0:9000
0.0.0.0 makes the web interface and REST API reachable on every interface of the host, over plain HTTP. If the host has a public interface, bind to the internal address instead (for example 192.168.189.129:9000) or enable TLS with the http_enable_tls, http_tls_cert_file and http_tls_key_file settings in the same file, and restrict port 9000 in your firewall. Save the file, then reload systemd and start and enable the Graylog service:
systemctl daemon-reload
systemctl restart graylog-server.service
systemctl enable graylog-server.service
systemctl status graylog-server.service
If you change server.conf later, restart graylog-server.service for the change to take effect.
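The configuration steps above (the Elasticsearch settings, the password_secret, the root password hash, the bind address and the removal of the obsolete 2.x settings), as one script. This is an added example written for this article, not code from the Graylog or Elasticsearch projects. It assumes GNU sed and coreutils, the package-default file paths, and that the files already exist. Compared with the manual edits it adds the checks a practitioner wants: it refuses a password_secret shorter than the 16 characters Graylog requires, hashes the password bytes exactly (no newline), replaces the commented template line instead of leaving a duplicate behind, and deletes any rest_listen_uri/web_listen_uri lines.

```shell
#!/usr/bin/env bash
# Added example, not part of the Graylog or Elasticsearch projects.
# Assumes GNU sed (for -i) and coreutils; the /etc paths below are the
# package defaults from this article.
set -eu

# Hash a password the way Graylog expects in root_password_sha2: SHA-256 of
# the exact bytes (no trailing newline), hex digits only. sha256sum prints
# "hash  -", so everything after the first space is dropped.
graylog_password_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/.*= //'
    fi
}

# Generate a password_secret without pwgen: N alphanumeric characters from
# /dev/urandom (default 96, matching "pwgen -N 1 -s 96"). 1 KiB of input
# always yields far more than 96 such characters.
graylog_gen_secret() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "${1:-96}"
}

# Replace every existing definition of KEY, commented out or not, with one
# clean "key = value" line (server.conf) or "key: value" line (elasticsearch.yml).
conf_set() {
    local file="$1" key="$2" value="$3" sep="${4:-=}"
    sed -i -E "/^#?[[:space:]]*${key}[[:space:]]*${sep}/d" "$file"
    if [ "$sep" = ":" ]; then
        printf '%s: %s\n' "$key" "$value" >>"$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Read back the value of an uncommented KEY (empty string if not set).
conf_get() {
    local file="$1" key="$2" sep="${3:-=}"
    sed -n -E "s/^${key}[[:space:]]*${sep}[[:space:]]*//p" "$file" | head -n1
}

# Apply the Elasticsearch settings from this article to elasticsearch.yml.
es_configure() {
    local file="$1"
    conf_set "$file" cluster.name graylog :
    conf_set "$file" action.auto_create_index false :
}

# Apply the Graylog settings: args are FILE ADMIN_PASSWORD BIND_ADDRESS [SECRET].
# A missing SECRET is generated; a secret shorter than 16 characters is
# refused, which is the minimum Graylog itself enforces for password_secret.
graylog_configure() {
    local file="$1" admin_pw="$2" bind="$3" secret="${4:-}"
    [ -n "$secret" ] || secret="$(graylog_gen_secret)"
    if [ "${#secret}" -lt 16 ]; then
        echo "password_secret must be at least 16 characters" >&2
        return 1
    fi
    conf_set "$file" password_secret "$secret"
    conf_set "$file" root_password_sha2 "$(graylog_password_hash "$admin_pw")"
    conf_set "$file" http_bind_address "$bind"
    # rest_listen_uri / web_listen_uri are Graylog 2.x settings, invalid since 3.0.
    sed -i -E '/^#?[[:space:]]*(rest_listen_uri|web_listen_uri)[[:space:]]*=/d' "$file"
}

# Typical use on the host from this article (as root). Reading the password
# with "read -rs" keeps the literal out of the shell history.
#   es_configure /etc/elasticsearch/elasticsearch.yml
#   read -rs -p 'Admin password: ' pw; echo
#   graylog_configure /etc/graylog/server/server.conf "$pw" 192.168.189.129:9000
```

After running it, restart elasticsearch.service and graylog-server.service as described above; conf_get lets you confirm what was written, for example conf_get /etc/graylog/server/server.conf http_bind_address. Note that server.conf now holds the password_secret, so keep it readable only by root and the graylog service user.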
Open a web browser at http://192.168.189.129:9000/ (the address of the Graylog host) and log in with the username admin and the password whose hash you placed in root_password_sha2.
After entering the credentials you are in the Graylog web interface. The next step is to configure inputs so the server starts receiving your logs.