How to install Graylog on Ubuntu 18.04?


In large organisations many systems and applications run at the same time, which makes collecting and reviewing their logs complicated. To manage these records efficiently, specialised tools are used to centralise them.

Graylog is a log management platform that collects messages from different sources (operating systems, application servers, information systems) into one place, so that logs and error reports can be searched and administered from a single interface.

In this tutorial we install a Graylog 2.4 server on Ubuntu 18.04.

Let’s get to work

1.- Upgrading the system and installing Java (OpenJDK 8)

First update the system. Open a terminal emulator, type sudo -i and enter your password to get a root shell (every command below is run as root), then refresh the package lists and upgrade:

:~# apt update && apt upgrade
1.- Upgrading the system

Now install Java. Graylog 2.4 runs on Java 8 and the headless OpenJDK 8 JRE is enough. At the same time we install apt-transport-https (needed for the HTTPS repositories added below), uuid-runtime and pwgen (used later to generate secrets):

:~# apt install apt-transport-https uuid-runtime pwgen openjdk-8-jre-headless
2.- Installing jdk

2.- Installing Elasticsearch

Graylog requires Elasticsearch, a scalable search engine that stores the indexed log messages and serves Graylog's real-time searches and analyses.

We will do a basic single-node installation of Elasticsearch 5.x, a version supported by Graylog 2.4. First download and install Elastic's GPG signing key so that apt can verify the packages:

:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
3.- Adding GPG key

Then add the Elasticsearch 5.x repository (we are already root, so sudo is not needed):

:~# echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-5.x.list
4.- Adding Elasticsearch repo

Next, refresh the package lists and install the Elasticsearch package:

:~# apt update && apt install elasticsearch
5.- Installing elasticsearch

Then enable the service at boot and start it:

:~# systemctl enable elasticsearch
:~# systemctl start elasticsearch
6.- Enabling elasticsearch

Now edit elasticsearch.yml to set the cluster name to graylog, which is the name Graylog expects by default.

:~# nano /etc/elasticsearch/elasticsearch.yml

Find the cluster.name entry, uncomment it and set its value to graylog.

7.- Editing elasticsearch config file

We also disable dynamic scripting, so that a crafted search cannot run arbitrary scripts inside Elasticsearch. For Elasticsearch 5.x the lines to add are the following (the 2.x name script.indexed was renamed script.stored in 5.0, and Elasticsearch 5.x rejects unknown settings at startup, so the old name would keep the node from starting):

script.inline: false
script.stored: false
script.file: false
8.- Editing elasticsearch config file

Finally, restart Elasticsearch so the new settings take effect:

:~# systemctl restart elasticsearch

3.- MongoDB's turn

Now install MongoDB, which Graylog uses to store its own configuration (users, streams, inputs and so on), not the log data itself. First import the MongoDB 3.6 signing key:

:~# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
9.- importing gpg key

Then add the MongoDB 3.6 repository. At the time of writing MongoDB published no 3.6 packages for bionic, so the xenial (16.04) repository is used on 18.04:

:~# echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.6.list
10.- Adding repository

Refresh the package lists and install MongoDB:

:~# apt update && apt install mongodb-org
11.- Installing mongoDB

Now start the service and make sure it starts with the system:

:~# systemctl start mongod
:~# systemctl enable mongod
12.- Enabling mongodb service

4.- Installing Graylog

At last it is Graylog's turn. First download the package that adds the Graylog 2.4 repository and its signing key:

:~# wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb

Then we install it:

:~# dpkg -i graylog-2.4-repository_latest.deb
13.- adding graylog repository

And now we install the Graylog package:

:~# apt update && apt install graylog-server
14.- installing graylog package

Once the Graylog package is installed, edit its configuration file, /etc/graylog/server/server.conf. The first value to set is password_secret, a secret Graylog uses to encrypt and sign stored credentials and sessions (it is not the admin password). The comment in the file asks for at least 64 characters, and it must be identical on every node of a Graylog cluster. Generate one with pwgen:

:~# pwgen -N 1 -s 96
15.- Generating the password

Paste the generated value into password_secret.

16.- setting the password

Next, generate the SHA-256 hash of the password you want for the built-in admin user. Note that this form leaves the password in your shell history, so either clear the history afterwards or read the password from a prompt instead of typing it on the command line:

:~# echo -n your_password | sha256sum
17.- Hashing the password

Put the resulting hash (only the hex digest, without the trailing "-") in root_password_sha2. Optionally set root_email to the admin user's e-mail address and root_timezone to an IANA zone name such as UTC.

18.- Editing graylog server conf file

Next, tell Graylog where Elasticsearch is. Since 2.3, Graylog talks to Elasticsearch over HTTP instead of joining the cluster as a node, so the discovery setting found in older guides (elasticsearch_discovery_zen_ping_unicast_hosts, port 9300) no longer exists in 2.4. Set elasticsearch_hosts to the HTTP endpoint of the node on port 9200; on a single host keep it on loopback so that the unauthenticated Elasticsearch port is not exposed to the network:

elasticsearch_hosts = http://127.0.0.1:9200

Then set elasticsearch_shards, the number of primary shards per index (not the number of nodes); 1 is fine for a single node. elasticsearch_replicas is the number of replica copies of each shard; with a single node it must be 0, otherwise the replicas can never be allocated and the cluster health stays yellow.

19.- editing graylog server conf file
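The Elasticsearch settings from step 2 and the server.conf values from step 4 can be applied and verified with a script rather than by hand, which also gives you a check to rerun after an upgrade. The following is an added example, not code from the original article or from the Graylog project. It assumes the Elasticsearch 5.x setting names (script.stored rather than the 2.x script.indexed), a single host where Elasticsearch listens only on 127.0.0.1, and server.conf keys of the form "key = value"; it works on copies of the files here, and the paths in the usage comment are the defaults of the Ubuntu packages.

```shell
#!/bin/sh
# Added example, not code from the original article or from Graylog: apply the
# Elasticsearch and Graylog settings from the steps above to the config files,
# idempotently, and verify the result. POSIX sh plus coreutils (sha256sum, mktemp).
set -eu

# set_key FILE KEY SEP VALUE
# Set "KEY<SEP>VALUE" in a config file, replacing an existing line for KEY
# (commented out or not) or appending one. SEP is ": " for elasticsearch.yml
# and " = " for server.conf. VALUE must not contain "|", "&" or "\" (sed syntax).
# The file is rewritten in place with cat so owner and mode (which the
# elasticsearch and graylog users rely on) are preserved.
set_key() {
    file=$1 key=$2 sep=$3 value=$4
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots in KEY literally
    tmp=$(mktemp)
    if grep -q "^#* *${pat} *[:=]" "$file"; then
        sed "s|^#* *${pat} *[:=].*|${key}${sep}${value}|" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# gen_password_secret: 96 random alphanumerics for password_secret (Graylog wants
# at least 64). Reads /dev/urandom directly, so pwgen is not required.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# hash_password PASSWORD: SHA-256 hex digest for root_password_sha2.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# configure_elasticsearch FILE: cluster name for Graylog, bind to loopback only
# (assumption: single-host setup; Elasticsearch has no authentication here),
# and dynamic scripting disabled. Elasticsearch 5.x setting names.
configure_elasticsearch() {
    f=$1
    set_key "$f" cluster.name ': ' graylog
    set_key "$f" network.host ': ' 127.0.0.1
    set_key "$f" script.inline ': ' false
    set_key "$f" script.stored ': ' false
    set_key "$f" script.file ': ' false
}

# configure_graylog FILE ADMIN_PASSWORD [ES_HOST]: both secrets plus the
# single-node Elasticsearch settings (1 primary shard, 0 replicas).
configure_graylog() {
    f=$1 admin_pw=$2 es_host=${3:-127.0.0.1}
    set_key "$f" password_secret ' = ' "$(gen_password_secret)"
    set_key "$f" root_password_sha2 ' = ' "$(hash_password "$admin_pw")"
    set_key "$f" elasticsearch_hosts ' = ' "http://${es_host}:9200"
    set_key "$f" elasticsearch_shards ' = ' 1
    set_key "$f" elasticsearch_replicas ' = ' 0
}

# check_configs ES_FILE GL_FILE: fail unless each required Elasticsearch line is
# present exactly once and the Graylog secrets have the expected shape.
check_configs() {
    es=$1 gl=$2
    for line in 'cluster.name: graylog' 'script.inline: false' 'script.stored: false' 'script.file: false'; do
        [ "$(grep -cFx "$line" "$es")" -eq 1 ] || { echo "missing or duplicated in $es: $line" >&2; return 1; }
    done
    secret=$(sed -n 's/^password_secret *= *//p' "$gl")
    digest=$(sed -n 's/^root_password_sha2 *= *//p' "$gl")
    [ "${#secret}" -ge 64 ] || { echo "password_secret is shorter than 64 characters" >&2; return 1; }
    printf '%s' "$digest" | grep -qE '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
}

# Usage on the server (as root), with the password read from a prompt so that it
# never appears in the shell history or the process list:
#   printf 'admin password: '; read -r admin_pw
#   configure_elasticsearch /etc/elasticsearch/elasticsearch.yml
#   configure_graylog /etc/graylog/server/server.conf "$admin_pw"
#   check_configs /etc/elasticsearch/elasticsearch.yml /etc/graylog/server/server.conf
```

Running configure_elasticsearch twice leaves the file unchanged, so the script is safe to keep in a provisioning step; check_configs is what you rerun after a package upgrade has replaced or merged the config files.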

5.- Graylog web interface

Since Graylog 2.0 the web interface is served by graylog-server itself, so only server.conf has to be edited. Two parameters define where the REST API and the web interface listen:

:~#  nano /etc/graylog/server/server.conf

Set both of them, using the address clients will connect to. In this single-node layout the API is served under /api/ on the same host and port as the web interface:

rest_listen_uri = http://ip_server:9000/api/
web_listen_uri = http://ip_server:9000/

Both URIs are plain HTTP. If ip_server is reachable from anything beyond your own machine, admin logins would cross the network in clear text, so enable TLS (rest_enable_tls and web_enable_tls with a certificate and key) or put Graylog behind a TLS-terminating reverse proxy before exposing it.
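A malformed listen URI is a common cause of a web interface that loads but cannot reach its own API. The following added example (not code from the original article or from Graylog) validates rest_listen_uri and web_listen_uri in a server.conf before the restart, under the assumptions of this tutorial's layout: both URIs share scheme, host and port, the API lives under /api/, and hosts are plain hostnames or IPv4 addresses (bracketed IPv6 literals are not handled).

```shell
#!/bin/sh
# Added example, not code from the original article or from Graylog: validate
# the listen URIs in a Graylog 2.x server.conf before restarting graylog-server.
# An empty host such as "http://:9000/api/" is exactly the kind of value that
# makes the web interface request "http://:9000/api/system/fields" and fail.
set -eu

# conf_value FILE KEY: print the value of the first active "KEY = value" line.
conf_value() {
    sed -n "s/^${2} *= *//p" "$1" | head -n 1
}

# check_uri URI [REQUIRED_PATH]
# Accept only http(s)://HOST:PORT/PATH with a non-empty host, a numeric port
# and, when given, exactly REQUIRED_PATH. Returns 1 and explains on stderr otherwise.
check_uri() {
    uri=$1 want_path=${2:-}
    case $uri in
        http://*|https://*) ;;
        *) echo "unsupported scheme in '$uri'" >&2; return 1 ;;
    esac
    rest=${uri#*://}                 # host:port/path
    hostport=${rest%%/*}             # host:port
    if [ "$hostport" = "$rest" ]; then path=/; else path=/${rest#*/}; fi
    host=${hostport%%:*}
    port=${hostport##*:}
    [ -n "$host" ] || { echo "empty host in '$uri'" >&2; return 1; }
    case $hostport in
        *:*) ;;
        *) echo "missing port in '$uri'" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "non-numeric port in '$uri'" >&2; return 1 ;;
    esac
    if [ -n "$want_path" ] && [ "$path" != "$want_path" ]; then
        echo "'$uri' should end with '$want_path'" >&2; return 1
    fi
}

# check_listen_uris FILE: this tutorial's single-node layout, where the API is
# served under /api/ on the same scheme, host and port as the web interface.
# Warns when logins would travel over plain HTTP beyond loopback.
check_listen_uris() {
    f=$1
    rest_uri=$(conf_value "$f" rest_listen_uri)
    web_uri=$(conf_value "$f" web_listen_uri)
    check_uri "$rest_uri" /api/ || return 1
    check_uri "$web_uri" / || return 1
    [ "${rest_uri%api/}" = "$web_uri" ] || { echo "rest_listen_uri and web_listen_uri must share scheme, host and port" >&2; return 1; }
    case $web_uri in
        https://*|http://127.0.0.1:*|http://localhost:*) ;;
        *) echo "warning: $web_uri serves logins over plain HTTP beyond loopback; enable TLS (rest_enable_tls/web_enable_tls) or front it with a TLS reverse proxy" >&2 ;;
    esac
}

# Usage on the server: check_listen_uris /etc/graylog/server/server.conf && systemctl restart graylog-server
```

The usage line only restarts Graylog when the check passes, so a typo in server.conf is caught before the service is bounced.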

Then restart Graylog so the new configuration is loaded:

:~# systemctl restart graylog-server
20.- restarting graylog

Now open Graylog in a browser:

http://ip_server:9000

Log in as admin with the password you hashed earlier, and you are done: inputs, streams and the rest are configured from the web interface.

21.- Accessing graylog

A reminder: the user name is admin, and its password is the one whose SHA-256 hash you placed in the root_password_sha2 field of server.conf.


1 COMMENT

  1. Hi,

    Tried your guide but didn’t get elasticsearch to work, I got “Loading field information failed with statusExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS): cannot GET http://:9000/api/system/fields (500)” do you know what this is? I followed your guide thoroughly.

    Also, what do you mean with:
    “And we edit the file with these two parameters
    web_listen_uri = http://ip_server:9000/
    web_listen_uri = http://ip_server:9000/
