Introduction
Graylog is an open-source, web-based log management and aggregation system used to analyze large amounts of data. It stores and analyzes logs collected from the server and sends alerts. It uses Elasticsearch for indexing log data and MongoDB for storing metadata. This article explains how to install Graylog on an Ubuntu 20.04 server.
Prerequisites
- Deploy a fully updated Rcs Ubuntu 20.04 Server with at least 4 GB of RAM.
- Create a non-root user with sudo access.
1. Install OpenJDK
Install OpenJDK, which Elasticsearch requires, along with the other dependencies.
$ sudo apt -y install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless
2. Install Elasticsearch
Import the Elasticsearch PGP signing key.
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add the Elasticsearch repository.
$ echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
Update the system.
$ sudo apt update
Install Elasticsearch.
$ sudo apt -y install elasticsearch-oss
Edit the Elasticsearch configuration file.
$ sudo nano /etc/elasticsearch/elasticsearch.yml
Add these two lines to the end of the file.
cluster.name: graylog
action.auto_create_index: false
Save and exit the file.
Reload the system daemon.
$ sudo systemctl daemon-reload
Restart the Elasticsearch service.
$ sudo systemctl restart elasticsearch
Enable Elasticsearch to run on system startup.
$ sudo systemctl enable elasticsearch
3. Install MongoDB
Install the MongoDB server.
$ sudo apt install mongodb-server -y
Start the MongoDB service.
$ sudo systemctl start mongodb
Enable the MongoDB service to start at system startup.
$ sudo systemctl enable mongodb
4. Install Graylog
Download the Graylog repository package.
$ wget https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.deb
Install the Graylog repository package.
$ sudo dpkg -i graylog-4.1-repository_latest.deb
Update the system.
$ sudo apt update
Install Graylog.
$ sudo apt -y install graylog-server
Generate a 96-character random string for Graylog and save a copy to use in the Graylog server configuration file.
$ pwgen -N 1 -s 96
Choose a strong password for your admin account and generate its 64-character SHA-256 hash. For example, if you choose StrongPassword:
$ echo -n StrongPassword | sha256sum
The hash is:
05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
Edit the Graylog configuration file.
$ sudo nano /etc/graylog/server/server.conf
Update password_secret with the 96-character random string you generated earlier. For example:
password_secret = E2oSBW5rFhN6q6zguM7ve7KH1e7WfkAnqy64WR2E4U673ryQmSSDtCSBCfnVoCrLgISiYkPvBam1h0EKfIxGCFhpVX78gz7l
Update root_password_sha2 with the 64-character hash of your admin password. For example:
root_password_sha2 = 05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
Update http_bind_address as shown:
http_bind_address = 0.0.0.0:9000
Save and close the file.
Reload the system daemon.
$ sudo systemctl daemon-reload
Restart the Graylog service.
$ sudo systemctl restart graylog-server
Enable the Graylog service to run on system startup.
$ sudo systemctl enable graylog-server
Verify the status of the Graylog server.
$ sudo systemctl status graylog-server
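The three server.conf edits above, done non-interactively with the checks the guide does by eye, as an added example that is not part of the original guide. It assumes GNU coreutils and sed; the sample server.conf it writes is a constructed stand-in, and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: apply the three server.conf
# edits from step 4 non-interactively, with the checks the guide does by eye.
set -euo pipefail

# Hex SHA-256 of the admin password, as `echo -n ... | sha256sum` does in the
# guide. printf avoids an accidental trailing newline, which would change the hash.
hash_admin_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Constructed stand-in for /etc/graylog/server/server.conf so the example runs
# offline; the real file has the same keys (http_bind_address ships commented out).
make_sample_conf() {
    cat > "$1" <<'EOF'
is_master = true
password_secret =
root_username = admin
root_password_sha2 =
#http_bind_address = 127.0.0.1:9000
EOF
}

# Usage: configure_graylog_conf CONF_PATH PASSWORD_SECRET ADMIN_PASSWORD [BIND]
# BIND defaults to the guide's 0.0.0.0:9000, which listens on every interface;
# bind to one address or firewall port 9000 where the host is reachable from
# untrusted networks. Prints the root_password_sha2 value that was written.
configure_graylog_conf() {
    local conf="$1" secret="$2" admin_pw="$3" bind="${4:-0.0.0.0:9000}"
    local hash

    # pwgen -s output is alphanumeric; refuse anything else so the value can
    # never break the sed expressions below.
    case "$secret" in
        ""|*[!A-Za-z0-9]*) echo "password_secret must be alphanumeric" >&2; return 1 ;;
    esac
    # The guide generates 96 characters; the shipped server.conf asks for at least 64.
    [ "${#secret}" -ge 64 ] || { echo "password_secret shorter than 64 characters" >&2; return 1; }
    [ -n "$admin_pw" ] || { echo "admin password is empty" >&2; return 1; }

    hash=$(hash_admin_password "$admin_pw")
    # Replace each key whether it is set, empty or commented out.
    sed -e "s|^#\{0,1\} *password_secret *=.*|password_secret = $secret|" \
        -e "s|^#\{0,1\} *root_password_sha2 *=.*|root_password_sha2 = $hash|" \
        -e "s|^#\{0,1\} *http_bind_address *=.*|http_bind_address = $bind|" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep '^root_password_sha2 = ' "$conf" | cut -d' ' -f3
}
```

Run it against the real file as root only after reviewing the result on a copy; the file then holds the password pepper and admin hash, so keep its ownership and mode as the package installed them.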
5. Access Graylog Web UI
Open your web browser and navigate to your server's IP address on port 9000. For example:
http://192.0.2.10:9000
Log in with the username admin and the password you chose to access the Graylog dashboard.
More Information
For more information on Graylog, please visit the official documentation.