How to install Graylog on Ubuntu 16.04

September 26, 2016

how to install Graylog

In this tutorial, we will cover how to install Graylog v1.3.x (sometimes referred to as Graylog2) on Ubuntu 14.04, and configure it to gather the syslogs of your systems in a centralized location. Graylog is a powerful log management and analysis tool that has many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is based on Elasticsearch, Java, and MongoDB.

It is possible to use Graylog to gather and monitor a large variety of logs, but we will limit the scope of this tutorial to syslog gathering. Also, because we are demonstrating the basics of Graylog, we will be installing all of the components on a single linux server.

Graylog Prerequisite

  • Ubuntu 15.10 – 64bit
  • 4 GB RAM
  • Root Privileges

Install MongoDB

MongoDB is a document-oriented NoSQL database. The MongoDB document scheme is similar to JSON, it is called BSON. We will install MongoDB 3 from the MongoDB Debian repositories.

Add the repository, update and install it:


Install MongoDB with the following apt command:


Next, start mongodb and enable it to start at boot time:

Install Java

All the application that we will use in this tutorial are based on Java, so we have to install it now :). We need Java 7 or higher for the Graylog installation. Java 7 is available in ubuntu repository, so let’s install it with this apt command:


Now check the java version:


And you should get the java version:

java version “1.7.0_91”
OpenJDK Runtime Environment (IcedTea 2.6.3) (7u91-2.6.3-0ubuntu0.15.10.1)
OpenJDK 64-Bit Server VM (build 24.91-b01, mixed mode)

Install Elasticsearch

We will install elasticsearch version 1.7 in this tutorial.

Download and add the GPG key to the system:


Now add the elasticsearch repository to sources.list.d directory and run apt-get update:


Now install the elasticsearch:


And when the installation has been completed, start the Elastcisearch daemon and enable it to be started at boot time:


The Elastisearch installation is finished, and the daemon has been started. Now is time to configure it.

Edit the configuration file in the “/etc/elasticsearch/” directory with vim:


Uncomment the line “cluster.name”, and change the value to “graylog2”.

cluster.name = graylog2

Add the configuration below for production servers to disable dynamic scripts and avoid remote execution:

script.disable_dynamic: true

Save the file and exit.

Then restart Elasticsearch and test it with the curl command:


I’m testing Elasticsearch with a curl connection to port 9200:

How to install Graylog

The next step is to install the Graylog2 server. I will use Graylog 1.3.2 for this installation. Download graylog2 with wget command, extract it and then configure it.

Before we start with the installation of pwgen, we need pwgen to generate the random password.

Install pwgen:


Now generate the new password with the command:


My secret code:

GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua

and generate a new sha256 hash with command below:


This is my password:

9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1

Next, go to the /opt/ directory and download graylog-server with the wget command:


Extract graylog-server and rename the directory to graylog2:


Graylog-server is downloaded and we use the /opt/ directory for it’s installation.

To configure graylog-server, create a new graylog directory and copy the graylog-server sample configuration fileto “server.conf”.


Edit the configuration:


Paste the password generated with pwgen on password_secret line:

password_secret :

GYXOjHVNjTv7EdDxUOYEvW9MFJHzqzJarjuar7bszkXr41xTA9Gb8ig8j9MbclWYdzVdis2BfggLbxGaMoxLw1FCZuPNo3Ua

Paste your sha256 password generated, this password is use for login to the graylog admin dashboard:

root_password_sha2 = 9235b36556923005015a6c2c18bf6f08a61daf54bfad653bde0ce6404000f0b1

Disable elasticsearch multicast search and add the unicast hosts.

elasticsearch_discovery_zen_ping_multicast_enabled = falseĀ 
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

Change the elasticsearch shards to 1, because we install everything on this single server.

elasticsearch_shards = 1
elasticsearch_replicas = 0

Save and Exit the file.

Now start the graylog-server by executing the bin file in the graylog directory:


Now you can see the log file of the graylog-server in the log directory, watch it with tail command:


If should see this in the log file:


It means that the graylog-server has been started properly.

Install Graylog-Web

Download the graylog web interface with the wget command to the /opt/directory:


Extract the graylog web interface and rename it to “graylog-web”.


Then generate a new application secret code for graylog-web with pwgen:


This is my secret:

zHg966Be4cBBLmasLiQm4mA0ziR5HziHq6RnfmgKIsjNtLCyHUvmxBMhzRkBclaE2IWyzJPJtPaQGEiLek0iJ3CaWh6kCDAE

Go to the graylog-web directory and edit the configuration file:


On the graylog2-server.uris line, add the graylog2-server address:

graylog2-server.uris=”http://127.0.0.1:12900/

In the application.secret line, paste the secret code generated before:


Save the file and exit.

Now start graylog-web:


Graylog-web will run on port 8080.

Visit your server – http://myipaddress:8080/

Congratulation’s! You have successfully installed Graylog.

Save

Save