Graylog is an open source log management tool. A deployment consists of Elasticsearch, MongoDB and the Graylog server itself. Graylog can be used to analyze logs and to send notifications when something in the logs deviates from what you expect. It handles both conventional log formats and custom ones.
In this article we will install Graylog on Ubuntu. You need a user account with sudo privileges, or the root account.
Install the prerequisite packages (including OpenJDK 11, which Graylog requires), then update and upgrade the system:
apt install -y apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen curl dirmngr
apt update
apt upgrade
You can verify the installed Java version by running java -version.
Next we install Elasticsearch, which Graylog uses to store and index the logs received from different machines.
Download and install the Elasticsearch GPG key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add the Elasticsearch repository to the sources list on Ubuntu 21:
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
Install Elasticsearch with the following commands:
sudo apt update
sudo apt install -y elasticsearch-oss
Set the cluster name for Graylog in Elasticsearch. Open the Elasticsearch configuration file in an editor.
Uncomment the line “#cluster.name: my-application” by removing the # sign at the start of the line, and replace “my-application” with graylog, so that it reads cluster.name: graylog
Add the following line in the configuration file:
Reload the systemd daemon, then start and enable the Elasticsearch service:
systemctl daemon-reload
systemctl start elasticsearch.service
systemctl enable elasticsearch.service
systemctl status elasticsearch.service
Elasticsearch listens on port 9200; use curl to verify that it is responding:
curl -X GET http://localhost:9200
Next we install MongoDB. Graylog stores its configuration and metadata in MongoDB, so it is required.
Use the following commands to install MongoDB:
apt update
apt install dirmngr gnupg apt-transport-https ca-certificates software-properties-common
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
add-apt-repository 'deb [arch=amd64] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse'
apt install mongodb-org
Start and enable MongoDB:
systemctl start mongod.service
systemctl enable mongod.service
systemctl status mongod.service
Download and install the Graylog repository package:
wget https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.deb
dpkg -i graylog-4.1-repository_latest.deb
Now install the Graylog server:
apt update
apt install -y graylog-server
The Graylog server is now installed. Next we configure it.
Use pwgen to generate the secret (password_secret) that Graylog uses to encrypt and salt stored user passwords:
pwgen -N 1 -s 96
Edit the Graylog configuration file to add the secret generated above.
Locate the line “password_secret” and add the secret after the “=” sign.
Add the following lines to the configuration file (192.168.189.129 is the address of the server used in this article; use your own server's address):
rest_listen_uri = http://192.168.189.129:9000/api/
web_listen_uri = http://192.168.189.129:9000/
Save and quit the file.
Now generate the password hash for logging in to the Graylog web interface. Use the following command:
echo -n admin | sha256sum
Replace admin in the command above with the password you want to set.
The command prints a SHA-256 hash. Copy only the hex digest (not the trailing “ -” that sha256sum prints after it) into the line “root_password_sha2 = ” in the configuration file “/etc/graylog/server/server.conf”.
Save and quit the file.
Start and enable the Graylog service:
systemctl daemon-reload
systemctl restart graylog-server.service
systemctl enable graylog-server.service
systemctl status graylog-server.service
Uncomment the following line in the configuration file so the web interface listens on all interfaces, and restart graylog-server afterwards. Note that this exposes port 9000 on every interface of the host, so restrict access with a firewall, or bind to a specific address instead, if the host is reachable from untrusted networks:
http_bind_address = 0.0.0.0:9000
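The three server.conf edits above (password_secret, root_password_sha2 and http_bind_address) are easy to get subtly wrong, for example by pasting the “ -” suffix of sha256sum into the hash field. The following POSIX shell script, added here as an example and not taken from the article or from Graylog's own tooling, applies those edits to a copy of the file and checks the result before you start the service. The sample configuration excerpt, the temporary file path and the function names are constructed for this example; the 16-character minimum for password_secret is Graylog's documented requirement, and the secret is generated from /dev/urandom instead of pwgen so the script has no extra dependencies.

```shell
#!/bin/sh
# Added example (not from the article or Graylog): apply and verify the
# password_secret, root_password_sha2 and http_bind_address settings on a
# copy of server.conf. Run with --demo to see it on a constructed file.
set -e

# Constructed stand-in for /etc/graylog/server/server.conf holding only the
# keys this example touches, in the form they ship in the default file.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Graylog server configuration (constructed excerpt for the example)
is_master = true
password_secret =
root_username = admin
root_password_sha2 =
#http_bind_address = 127.0.0.1:9000
EOF
}

# Generate a 96-character alphanumeric secret (the same length the article's
# pwgen -N 1 -s 96 call produces) without requiring pwgen.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# SHA-256 of the admin password as a bare hex digest: sha256sum appends
# "  -" for stdin input, which must not end up in root_password_sha2.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in file $1 for key $2 and value $3, replacing an
# existing (possibly commented-out) line or appending if the key is absent.
# Values are plain alphanumerics, hex or host:port here; awk -v would
# interpret backslashes in other values.
set_conf_key() {
    awk -v k="$2" -v v="$3" '
        BEGIN { done = 0 }
        {
            line = $0; sub(/^#[ \t]*/, "", line)
            if (line ~ ("^" k "[ \t]*=")) { print k " = " v; done = 1; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Read the active (uncommented) value of key $2 from file $1; empty if unset.
get_conf_key() {
    awk -v k="$2" -F'=' '$1 ~ ("^" k "[ \t]*$") { sub(/^[ \t]*/, "", $2); print $2; exit }' "$1"
}

# Checks worth running before starting graylog-server: the secret is present
# and at least 16 characters (Graylog refuses shorter ones), the password
# field is a 64-hex-digit SHA-256, and a bind address is set.
verify_conf() {
    s=$(get_conf_key "$1" password_secret)
    h=$(get_conf_key "$1" root_password_sha2)
    b=$(get_conf_key "$1" http_bind_address)
    [ "${#s}" -ge 16 ] || { echo "password_secret missing or shorter than 16 chars" >&2; return 1; }
    printf '%s' "$h" | grep -Eq '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a bare sha256 hex digest" >&2; return 1; }
    [ -n "$b" ] || { echo "http_bind_address is not set" >&2; return 1; }
    return 0
}

# Apply all three edits to file $1 using admin password $2 and bind address $3,
# then verify the result.
configure_graylog() {
    set_conf_key "$1" password_secret "$(gen_secret)"
    set_conf_key "$1" root_password_sha2 "$(hash_password "$2")"
    set_conf_key "$1" http_bind_address "$3"
    verify_conf "$1"
}

# Demonstration on a constructed copy; point configure_graylog at the real
# file only after backing it up.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    configure_graylog "$f" admin 0.0.0.0:9000
    cat "$f"
    rm -f "$f"
fi
```

verify_conf is the part worth keeping around: run it against the real /etc/graylog/server/server.conf after editing by hand and it catches an empty or too-short secret and a malformed hash before systemctl restart graylog-server.service fails with a less helpful error.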
Open a web browser, go to http://192.168.189.129:9000/ and log in with admin as the username and admin as the password (the value hashed above).
After entering the credentials you are logged in to the Graylog server. You can now configure it as needed to see your logs.