How to Configure Graylog on Ubuntu 20

 In this tutorial, we will cover how to install Graylog on Ubuntu 20.04 and configure it to gather the syslogs of your systems in a centralized location (v1.3.x - sometimes referred to as Graylog2). Graylog is a powerful log management and analysis tool with many use cases, from monitoring SSH logins and unusual activity to debugging applications.

It is based on Elasticsearch, Java, and MongoDB. It is possible to use Graylog to gather and monitor a large variety of logs, but we will limit the scope of this tutorial to Syslog gathering. Also, because we are demonstrating the basics of Graylog, we will be installing all of the components on a single Linux server.

Graylog Prerequisite

• Ubuntu 20.04 - 64bit
• 4 GB RAM
• Root Privileges

Install MongoDB

MongoDB is a document-oriented NoSQL database. The MongoDB document scheme is similar to JSON, which is called BSON. We will install MongoDB 3 from the MongoDB Debian repositories.

Add the repository, update and install it:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10

echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.0 main" > /etc/apt/sources.list.d/mongodb-org-3.0.list

apt-get update

Install MongoDB with the following apt command:

apt-get install mongodb-org

Next, start MongoDB and enable it to start at boot time:

systemctl start mongod

systemctl enable mongod

Install Java

All the applications we will use in this tutorial are based on Java, so we will install them now. We need Java 7 or higher for the Graylog installation. Java 7 is available in the official Ubuntu repository, so let's install it using the apt command:

apt-get install openjdk-7-jre

Now check the java version:

java -version

And you should get the java version.

Install Elasticsearch

We will install elasticsearch version 1.7 in this tutorial. Download and add the GPG key to the system:

sudo wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Now add the elasticsearch repository to the sources.list.d directory and run the apt-get update:

echo "deb http://packages.elastic.co/elasticsearch/1.7/debian stable main" > /etc/apt/sources.list.d/elasticsearch.list
apt-get update

Now install the elasticsearch:

sudo apt-get install elasticsearch

And when the installation has been completed, start the Elastcisearch daemon and enable it to be started at boot time:

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

The Elastisearch installation is finished, and the daemon has been started. Now is the time to configure it. Edit the configuration file in the "/etc/elasticsearch/" directory using the nano text editor:

nano /etc/elasticsearch/elasticsearch.yml

Uncomment the line "cluster.name", and change the value to "graylog2".

cluster.name = graylog2

Add the configuration below for production servers to disable dynamic scripts and avoid remote execution:

script.disable_dynamic: true

Save the file and exit. Then restart Elasticsearch and test it with the curl command:

systemctl restart elasticsearch

We will be testing Elasticsearch with a curl connection to port 9200:

curl -XGET 'http://localhost:9200/'
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

How to install Graylog?

The next step is to install the Graylog2 server. I will use Graylog 1.3.2 for this installation. Download graylog2 with wget command, extract it and then configure it. Before we start with the installation of pwgen, we need pwgen to generate the random password. Install pwgen:

apt-get install pwgen

Now generate the new password with the command:

pwgen -N 1 -s 96

The secret code for this tutorial is as follows. However, you will get your very own unique code.

GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua

Now you will need to generate a new sha256 hash using the command below:

echo -n mypassword | sha256sum

This is my password:

9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1

Next, go to the /opt/ directory and download Graylog-server with the wget command:

cd /opt/
wget https://packages.graylog2.org/releases/graylog2-server/graylog-1.3.2.tgz

Extract Graylog-server and rename the directory to graylog2:

tar -xzvf graylog-1.3.2.tgz
mv graylog-1.3.2/ graylog/

Graylog-server is downloaded, and we use the /opt/ directory for its installation. To configure Graylog-server, create a new Graylog directory and copy the Graylog-server sample configuration file to the  "server.conf" file.

mkdir -p /etc/graylog/server/
cp /opt/graylog/graylog.conf.example /etc/graylog/server/server.conf

Edit the configuration:

nano /etc/graylog/server/server.conf

Paste the password generated with pwgen on the password_secret line:

password_secret :

GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua

Paste your sha256 generated password; this password is used for logging in to the Graylog admin dashboard:

root_password_sha2 = 9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1

Disable elasticsearch multicast search and add the unicast hosts.

elasticsearch_discovery_zen_ping_multicast_enabled = false   
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

Change the elasticsearch shards to 1 because we install everything on this single server.

elasticsearch_shards = 1
elasticsearch_replicas = 0

Save and Exit the file. Now start the Graylog-server by executing the bin file in the Graylog directory:

cd /opt/graylog/bin/
./graylogctl start

Now you can see the log file of the Graylog-server in the log directory; watch it with the tail command:

tail -f /opt/graylog/log/

You should see this in the log file:

Started REST API at <http://127.0.0.1:12900/>
Graylog2 up and running.

If you will see the above output, it means that the Graylog-server has been started properly.

How to install Graylog-Web?

Download the Graylog web interface with the wget command to the /opt/directory:

cd /opt/
wget https://packages.graylog2.org/releases/graylog2-web-interface/graylog-web-interface-1.3.2.tgz

Extract the Graylog web interface using the tar command and rename it to "Graylog-web".

tar -xzvf graylog-web-interface-1.3.2.tgz
mv graylog-web-interface-1.3.2/ graylog-web/

Then generate a new application secret code for Graylog-web by using the pwgen command:

pwgen -N 1 -s 96

When we ran the code, we were provided with the following secret code:

zHg966Be4cBBLmasLiQm4mA0ziR5HziHq6RnfmgKIsjNtLCyHUvmxBMhzRkBclaE2IWyzJPJtPaQGEiLek0iJ3CaWh6kCDAE

Go to the Graylog-web directory and edit the configuration file:

cd graylog-web/
nano graylog

On the graylog2-server.uris line, add the graylog2-server address:

graylog2-server.uris="http://127.0.0.1:12900/"

In the application.secret line, paste the secret code generated before:

application.secret="zHg966Be4cBBLmasLiQm4mA0ziR5HziHq6RnfmgKIsjNtLCyHUvmxBMhzRkBclaE2IWyzJPJtPaQGEiLek0iJ3CaWh6kCDAE"

Save the file and exit. Now we can go ahead and start Graylog-web:

cd /opt/graylog-web/bin/
./graylog-web-interface -Dhttp.port=8080

Accessing Graylog

Graylog is properly installed on your Ubuntu 20.04 server. Now the last part is to access it via the web browser. By default, Graylog-web is running on port 8080. To access the web dashboard, enter the following in the URL search bar of your browser:

http://myipaddress:8080/

Wrapping up

This concludes the tutorial on installing Graylog on Ubuntu 20.04 server. Congratulation’s on setting up your Graylog server.

We hope you enjoyed this tutorial, and if you encounter any issues, don’t hesitate to contact us via the comment section below. You can also check out our Linux VPS selection to get yourself a brand new server to host your web applications.

People also read: 

• How to Analyse & Monitor Linux Network?
• How to monitor network traffic in Windows
• What is SSH used for?
• How to solve the SSH connection refused error?

Save Save