Install and Configure Log with Graylog in Ubuntu 20.04 - Step by Step Process ?

Graylog is an open-source centralized log management solution that enables real-time analysis, search, and monitoring of large amounts of machine data. It was developed in Hamburg, Germany with the purpose to deliver a more robust and easier-to-use analysis platform, faster analysis speeds, easy administration and infrastructure management.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related Open Source Installation queries on Linux Systems.

In this context, we shall look into the procedure to install and configure Graylog in Ubuntu 20.04 LTS.

How to install Graylog on Ubuntu ?

To perform the Installation process, follow the steps outlined provided below.

Before proceeding with this procedure, you need to set up the following:

  • Oracle Java SE 8 (OpenJDK 8) as the Elasticsearch is a java based project.
  • Elasticsearch 6.8, and version 7 up to 7.10 as version later is not supported by Graylog.
  • MongoDB (4.0, 4.2 or 4.4).

1. Install Graylog

Now, we will install Java 8 which is required to run Elasticsearch. To do this, execute the following commands:

$ sudo apt update
$ sudo apt-get install openjdk-8-jre-headless pwgen apt-transport-https uuid-runtime

Then to verify Java installation, execute the command below:

$ java -version

Now, Let's install Elasticsearch. First, we need to add a package repository to our system package repository list using the following command.

$ wget -qO - | sudo apt-key add -
$ echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Then, install the Elasticsearch using the apt command:

$ sudo apt update
$ sudo apt install elasticsearch-oss

Once Elasticsearch installation is complete, update the following line in the configuration file.

$ sudo vim /etc/elasticsearch/elasticsearch.yml graylog
action.auto_create_index: false

Now, enable and restart the service to apply the modification.

$ sudo systemctl daemon-reload
$ sudo systemctl restart elasticsearch.service
$ sudo systemctl enable elasticsearch.service

Next, Let's install a database for Graylog, Graylog uses MongoDB as the database to store data. First, we need to register a public GPG key for the repository using the following command.

$ sudo apt install gnupg
$ wget -qO - | sudo apt-key add -

Now download and add package repository to the system package repository list. To do so run the command:

$ echo "deb [ arch=amd64,arm64 ] focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list

Finally, install MongoDB using the apt command:

$ sudo apt update
$ sudo apt install -y mongodb-org

And, to install a specific version of the MongoDB run along with prefer version:

$ sudo apt install -y mongodb-org-mongos=4.4.6 mongodb-org=4.4.6 mongodb-org-tools=4.4.6 mongodb-org-shell=4.4.6 mongodb-org-server=4.4.6

Now, enable and restart the MongoDB using the systemctl commands:

$ sudo systemctl enable mongod
$ sudo systemctl restart mongod

Note: During run time if you get 'mongod.service: Main process exited, code=exited, status=14/n/a' execute the following commands:

$ sudo chown -R mongodb:mongodb /var/lib/mongodb
$ sudo chown mongodb:mongodb /tmp/mongodb-27017.sock
$ sudo systemctl restart mongod

Also, install the Graylog server after all prerequisite packages are installed. To install Graylog first download the deb package then parse it using the dpkg command and finally, install it:

$ wget
$ sudo dpkg -i graylog-4.1-repository_latest.deb
$ sudo apt update
$ sudo apt -y install graylog-server

Now, enabling the Graylog using systemctl command:

$ sudo systemctl enable graylog-server.service

How to Configure Graylog ?

We have installed every package that is required to run Graylog but it is not ready to run. Before we start using Graylog we need to configure the password_secret and root_password_sh2. The default path for the config file is /etc/graylog/server/server.conf and we will use the sed command to infuse the password generated by pwgen.

For password_secret we will use the pwgen command to generate a random 128 character password. To install it run the command:

$ sudo apt install pwgen

Now, we will generate a password using the following command and inject it using the sed command. To do so run the command:

$ sudo -E sed -i -e "s/password_secret =.*/password_secret = $(pwgen -s 128 1)/" /etc/graylog/server/server.conf

Next, let's generate the SHA 256 hash password for the root_password using the following command. Don’t forget to replace the your_password with the actual password:

$ sudo sed -i -e "s/root_password_sha2 =.*/root_password_sha2 = $(echo -n 'your_password' | shasum -a 256 | cut -d' ' -f1)/" /etc/graylog/server/server.conf

Also, to configure a domain for the Graylog using your preferred editor:

$ sudo vim /etc/graylog/server/server.conf

Then, find and set the value of the variable in the configuration in the following way:

http_bind_address = your_server_ip:9000
http_external_uri= http://your_server_ip or domain:9000/

Then, write and quit the file.

Once everything is set, restart the graylog-server using the systemctl command to apply the changes:

$ sudo systemctl restart graylog-server.service

How to Test the Graylog server ?

Now, everything is ready to use. When you visit your configured http_external_url you can see the web interface.

Then, authenticate using the admin username and for password use the plain text password that you used during hashing.

[Need help in Installing and configuring Firewall on Ubuntu Linux System? We can help you. ]

This article covers to install and configuren Graylog in ubuntu. With this, you can work with the log using the Graylog server. Graylog is an open-source tool that offers an integrated platform for collecting, indexing, and analyzing log data. The system essentially consists of the Graylog web interface, the Graylog servers, the Elasticsearch nodes, and a Mongo database.

How to Access Graylog Web interface ?

Open a browser on your local system or remote that can access the Ubuntu 20.04 server Ip-address. And type the http://your-server-ipaddress:9000

Replace your-server-ip-address with the actual IP address of your Server where Graylog has been installed.

Related Posts