How to Install and Configure Graylog Server on Ubuntu 16.04

Graylog is an open source log management system that collects, indexes, and analyzes logs from remote systems in one central place.

Graylog is built with three components:
Elasticsearch: receives and stores the logs from the Graylog server and offers a search facility.
MongoDB: database that stores configuration and meta information.
Graylog Server: receives and parses the logs coming from various inputs and provides a web interface to manage those logs.

In this tutorial, we will learn how to install and configure the Graylog2 server on Ubuntu 16.04.

0./ Prerequisites

– To install Graylog, we first need to install these additional packages:

$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

1./ Install MongoDB

– MongoDB is available in the default Ubuntu repositories. Install it by running the following command:

$ sudo apt-get install mongodb-server -y

– Start the MongoDB service and enable it to start on boot with the following commands (the Ubuntu package installs the unit as mongodb.service):

$ sudo systemctl daemon-reload
$ sudo systemctl enable mongodb.service
$ sudo systemctl start mongodb.service

2./ Install and Configure Elasticsearch

– To install Elasticsearch, we first have to import the GPG key that signs the packages, using the following command:

$ wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

– Elasticsearch is not available in the default repositories. Add the Elasticsearch 2.x repository with the following command:

$ echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list

– Now, install Elasticsearch using the following command:

$ sudo apt-get update && sudo apt-get install elasticsearch

– Open the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml) and set the cluster name to graylog:

$ sudo vi /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog

– After you have modified the configuration, you can start Elasticsearch:

$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service

– Check the health of Elasticsearch with the following command; the cluster name should be graylog and the status green:

$ curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
"cluster_name" : "graylog",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 1,
"active_shards" : 1,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}

3./ Install and Configure Graylog

– We need to download and install the Graylog repository package using the following commands:

$ wget https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.deb
$ sudo dpkg -i graylog-2.2-repository_latest.deb

– Install the Graylog server with the following command:

$ sudo apt-get update && sudo apt-get install graylog-server

– After you have installed the Graylog server, generate a secret key for Graylog (it is used for password encryption and salting) with the following command:

$ pwgen -N 1 -s 96
MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2

– Now create the SHA-256 hash of the password the root user will use to log in to the Graylog web interface. Replace Password with a strong password of your own; note that the plain-text password also ends up in your shell history when entered this way:

$ echo -n Password | sha256sum
e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a

– Edit the server.conf file:

$ sudo vi /etc/graylog/server/server.conf

– Make changes to the file as shown below, using the secret and the password hash you generated above (192.168.1.200 is the address of this server):

password_secret = MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
root_password_sha2 = e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
root_email = admin@linuxmasterswiki.com
root_timezone = UTC
elasticsearch_discovery_zen_ping_unicast_hosts = 192.168.1.200:9300
elasticsearch_shards = 1

– The following three settings are Elasticsearch settings, not Graylog ones: add them to /etc/elasticsearch/elasticsearch.yml rather than to server.conf. They disable dynamic scripting in Elasticsearch, which Graylog does not need; restart Elasticsearch afterwards:

script.inline: false
script.indexed: false
script.file: false

– To enable the Graylog web interface, make changes to server.conf as shown below. Both listeners are plain HTTP, so keep them reachable only from trusted networks (see the firewall step below) and enable TLS on them if the server is exposed beyond a lab:

rest_listen_uri = http://192.168.1.200:12900/
web_listen_uri = http://192.168.1.200:9000/
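As an added example (not part of the original tutorial), the following bash script applies the server.conf settings above idempotently instead of editing the file by hand: each key is uncommented and set if present, or appended if missing, so running it twice does not duplicate keys. The function names, the temporary demo file and the sample commented-out lines are constructed for this example; on a real server you would point it at /etc/graylog/server/server.conf.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial: apply the server.conf settings above
# idempotently instead of hand-editing, so re-running never leaves duplicate
# or still-commented keys. Assumes bash, GNU sed, grep, awk, sha256sum; pwgen optional.
set -eu

# Replace an existing "key = value" line (commented out or not) or append one.
# Values must not contain "|" (the sed delimiter) or "&".
set_conf_key() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# SHA-256 hex digest of the password read from stdin (no trailing newline hashed),
# equivalent to the tutorial's `echo -n Password | sha256sum` without the " -".
hash_root_password() {
  sha256sum | awk '{print $1}'
}

# 96-character alphanumeric password_secret: pwgen as in the tutorial, else /dev/urandom.
gen_password_secret() {
  if command -v pwgen >/dev/null 2>&1; then pwgen -N 1 -s 96
  else LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96; echo; fi
}

# configure_graylog FILE ROOT_PASSWORD LISTEN_IP ES_HOST: the keys the tutorial sets.
configure_graylog() {
  local file="$1" root_pw="$2" ip="$3" es="$4"
  set_conf_key "$file" password_secret "$(gen_password_secret)"
  set_conf_key "$file" root_password_sha2 "$(printf '%s' "$root_pw" | hash_root_password)"
  set_conf_key "$file" root_timezone UTC
  set_conf_key "$file" elasticsearch_shards 1
  set_conf_key "$file" elasticsearch_discovery_zen_ping_unicast_hosts "${es}:9300"
  set_conf_key "$file" rest_listen_uri "http://${ip}:12900/"
  set_conf_key "$file" web_listen_uri "http://${ip}:9000/"
}

# Demo on a constructed stand-in for /etc/graylog/server/server.conf, whose
# shipped copy has these keys commented out. Use the real path on the server.
demo_conf="$(mktemp)"
printf '#password_secret =\n#root_password_sha2 =\nroot_timezone = UTC\n' > "$demo_conf"
configure_graylog "$demo_conf" 'Password' 192.168.1.200 192.168.1.200
cat "$demo_conf"
```

Passing the root password as a script argument still exposes it to the process list and shell history; for a real deployment, read it with `read -s` instead.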

– After you have modified the configuration file, you can start the Graylog service using the following commands:

$ sudo systemctl daemon-reload
$ sudo systemctl enable graylog-server.service
$ sudo systemctl start graylog-server.service

4./ Adjusting Firewall

You will need to open the ports Graylog uses for it to work properly: 9000 for the web interface, 12900 for the REST API that the web interface talks to, and 1514 for receiving logs.

You can do this by running the following commands. If the server is reachable from untrusted networks, restrict 9000 and 12900 to your administration hosts instead (ufw allow from <admin_ip> to any port 9000 proto tcp):

$ sudo ufw allow 9000/tcp
$ sudo ufw allow 12900/tcp
$ sudo ufw allow 1514/tcp

– Next, reload ufw with the following command:

$ sudo ufw reload

5./ Access the Graylog web interface

Open your web browser and go to http://your_ip_address:9000. You should see the Graylog login page; log in as the root user with the password whose hash you placed in server.conf.
