In this tutorial, we will cover how to install Graylog on Ubuntu 20.04 and configure it to gather the syslogs of your systems in a centralized location (v1.3.x - sometimes referred to as Graylog2). Graylog is a powerful log management and analysis tool with many use cases, from monitoring SSH logins and unusual activity to debugging applications.
It is based on Elasticsearch, Java, and MongoDB. It is possible to use Graylog to gather and monitor a large variety of logs, but we will limit the scope of this tutorial to Syslog gathering. Also, because we are demonstrating the basics of Graylog, we will be installing all of the components on a single Linux server.
Graylog Prerequisites
- Ubuntu 20.04 - 64bit
- 4 GB RAM
- Root Privileges
Install MongoDB
MongoDB is a document-oriented NoSQL database. It stores documents in BSON, a binary format similar to JSON. We will install MongoDB 3 from the MongoDB Debian repositories.
Add the repository, update and install it:
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.0 main" > /etc/apt/sources.list.d/mongodb-org-3.0.list
apt-get update
Install MongoDB with the following apt command:
apt-get install mongodb-org
Next, start MongoDB and enable it to start at boot time:
systemctl start mongod
systemctl enable mongod
Install Java
All the applications we will use in this tutorial are based on Java, so we will install it now. We need Java 7 or higher for the Graylog installation. Java 7 is available in the official Ubuntu repository, so let's install it using the apt command:
apt-get install openjdk-7-jre
Now check the java version:
java -version
The output should show the installed Java version.
Install Elasticsearch
We will install elasticsearch version 1.7 in this tutorial. Download and add the GPG key to the system:
sudo wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Now add the elasticsearch repository to the sources.list.d directory and run the apt-get update:
echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" > /etc/apt/sources.list.d/elasticsearch.list
apt-get update
Now install Elasticsearch:
sudo apt-get install elasticsearch
When the installation has completed, start the Elasticsearch daemon and enable it to start at boot time:
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
The Elasticsearch installation is finished, and the daemon has been started. Now it is time to configure it. Edit the configuration file in the "/etc/elasticsearch/" directory using the nano text editor:
nano /etc/elasticsearch/elasticsearch.yml
Uncomment the "cluster.name" line and change its value to "graylog2" (the file is YAML, so the key and value are separated by a colon):
cluster.name: graylog2
Add the line below, which is required on production servers: it disables dynamic scripting, which would otherwise allow remote code execution through the Elasticsearch API:
script.disable_dynamic: true
Save the file and exit. Then restart Elasticsearch:
systemctl restart elasticsearch
Test Elasticsearch with curl requests to port 9200; the first returns the node information and the second reports the cluster health:
curl -XGET 'http://localhost:9200/'
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
How to install Graylog?
The next step is to install the Graylog2 server. I will use Graylog 1.3.2 for this installation. We download graylog2 with the wget command, extract it and then configure it. Before we start with the Graylog installation, we need pwgen to generate a random secret. Install pwgen:
apt-get install pwgen
Now generate the new password with the command:
pwgen -N 1 -s 96
The secret code for this tutorial is as follows. However, you will get your very own unique code.
GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua
Next, generate a SHA-256 hash of the password you want to use for the admin account, with the command below (replace mypassword with your own password):
echo -n mypassword | sha256sum
This is the hash of my password:
9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1
Next, go to the /opt/ directory and download Graylog-server with the wget command:
cd /opt/
wget https://packages.graylog2.org/releases/graylog2-server/graylog-1.3.2.tgz
Extract Graylog-server and rename the directory to graylog:
tar -xzvf graylog-1.3.2.tgz
mv graylog-1.3.2/ graylog/
Graylog-server is now unpacked under /opt/graylog. To configure it, create the Graylog configuration directory and copy the sample configuration file to "server.conf":
mkdir -p /etc/graylog/server/
cp /opt/graylog/graylog.conf.example /etc/graylog/server/server.conf
Edit the configuration:
nano /etc/graylog/server/server.conf
Paste the secret generated with pwgen on the password_secret line:
password_secret = GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua
Paste your sha256 generated password; this password is used for logging in to the Graylog admin dashboard:
root_password_sha2 = 9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1
Disable Elasticsearch multicast discovery and add the unicast host, so Graylog only talks to the local node:
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
Set the Elasticsearch shards to 1 and the replicas to 0, because we install everything on this single server:
elasticsearch_shards = 1
elasticsearch_replicas = 0
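The edits to server.conf above can be scripted. The following is an added example, not code from the tutorial or from Graylog itself; it assumes the "key = value" format of the 1.x server.conf shown above and that sha256sum from coreutils is available, and it falls back to /dev/urandom when pwgen is not installed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes the Graylog 1.x
# "key = value" server.conf format shown above and coreutils sha256sum.

# Generate a 96-character password_secret with pwgen if installed, otherwise
# from /dev/urandom filtered to alphanumerics (assumed equivalent for this use).
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 96
    fi
}

# SHA-256 of the admin password for root_password_sha2. printf avoids the
# trailing newline an unadorned echo would add, which would change the hash.
hash_root_password() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# Set KEY = VALUE in FILE: replaces an existing or commented-out line for the
# key in place, and appends the key if the file does not contain it at all.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s@^#?[[:space:]]*${key}[[:space:]]*=.*@${key} = ${value}@" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Read the current value of KEY from FILE. Usage: get_conf_value FILE KEY
get_conf_value() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Apply the single-server settings from the tutorial to CONF for ADMIN_PW.
configure_graylog_server() {
    conf=$1; admin_pw=$2
    set_conf_value "$conf" password_secret "$(gen_password_secret)"
    set_conf_value "$conf" root_password_sha2 "$(hash_root_password "$admin_pw")"
    set_conf_value "$conf" elasticsearch_discovery_zen_ping_multicast_enabled false
    set_conf_value "$conf" elasticsearch_discovery_zen_ping_unicast_hosts 127.0.0.1:9300
    set_conf_value "$conf" elasticsearch_shards 1
    set_conf_value "$conf" elasticsearch_replicas 0
}
```

Run it as configure_graylog_server /etc/graylog/server/server.conf 'your-admin-password' after copying the sample file; keys already present (even commented out) are replaced rather than duplicated.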
Save and exit the file. Now start Graylog-server with the graylogctl script in the bin directory:
cd /opt/graylog/bin/
./graylogctl start
Graylog-server writes its log files to the log directory; watch them with the tail command:
tail -f /opt/graylog/log/*
You should see this in the log file:
Started REST API at <http://127.0.0.1:12900/> Graylog2 up and running.
If you see the above output, Graylog-server has started properly.
How to install Graylog-Web?
Download the Graylog web interface with the wget command to the /opt/ directory:
cd /opt/
wget https://packages.graylog2.org/releases/graylog2-web-interface/graylog-web-interface-1.3.2.tgz
Extract the Graylog web interface using the tar command and rename the directory to "graylog-web":
tar -xzvf graylog-web-interface-1.3.2.tgz
mv graylog-web-interface-1.3.2/ graylog-web/
Then generate a new application secret code for Graylog-web by using the pwgen command:
pwgen -N 1 -s 96
When we ran the command, we got the following secret code (yours will differ):
zHg966Be4cBBLmasLiQm4mA0ziR5HziHq6RnfmgKIsjNtLCyHUvmxBMhzRkBclaE2IWyzJPJtPaQGEiLek0iJ3CaWh6kCDAE
Go to the Graylog-web directory and edit the configuration file:
cd graylog-web/
nano conf/graylog-web-interface.conf
On the graylog2-server.uris line, add the REST API address of Graylog-server:
graylog2-server.uris="http://127.0.0.1:12900/"
In the application.secret line, paste the secret code generated before:
application.secret="zHg966Be4cBBLmasLiQm4mA0ziR5HziHq6RnfmgKIsjNtLCyHUvmxBMhzRkBclaE2IWyzJPJtPaQGEiLek0iJ3CaWh6kCDAE"
Save the file and exit. Now we can go ahead and start Graylog-web:
cd /opt/graylog-web/bin/
./graylog-web-interface -Dhttp.port=8080
Accessing Graylog
Graylog is now installed on your Ubuntu 20.04 server. The last part is to access it via the web browser. By default, Graylog-web listens on port 8080. To open the web dashboard, enter the following in the address bar of your browser, replacing myipaddress with the address of your server:
http://myipaddress:8080/
Wrapping up
This concludes the tutorial on installing Graylog on an Ubuntu 20.04 server. Congratulations on successfully setting up your Graylog server!
We hope you found this tutorial helpful. If you encounter any issues, don’t hesitate to contact us via the comment section below. If you're looking to explore more, you might be interested in setting up a VPS Ubuntu server, which offers a reliable environment for hosting your applications. Additionally, for those needing remote access, consider setting up Ubuntu Server RDP to manage your server from anywhere. You can also check out our Linux VPS selection to get yourself a brand-new server to host your web applications.