In large corporations you have many systems and applications running at the same time making error logging a bit complicated. In order to manage these records efficiently, specialized tools are used to centralize them.
Graylog is a professional application that provides a unified and centralized system of messages from different sources: operating system, application servers, information systems with the aim of centralizing and making easier the administration of error logs or logs.
In this tutorial we are going to install a Graylog server in Ubuntu 18.04.
Let’s get to work
1.-Upgrading the system and Installing Oracle JDK
First we proceed to update the system. Open a terminal emulator and type sudo -i, after entering the password, we can now update the system.
:~# apt update && apt upgrade
Now we proceed to install Oracle JDK. We write for them:
:~# apt install apt-transport-https uuid-runtime pwgen openjdk-8-jre-headless
2.- Installing Elasticsearch
Graylog requires the installation of elasticsearch which is a highly scalable application that allows us to perform real time searches, in addition to storing and analyzing them.
We will then perform a basic installation of ElasticSearch so that Graylog can run. First download and install GPG signing key.
:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Now we write:
:~# echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
Next we update the repositories and install the ElasticSearch package
:~# apt update && apt install elasticsearch
Then we proceed to enable the service and start it.
:~# systemctl enable elasticsearch :~# systenctl start elasticsearch
Now we must edit the elasticsearch.yml file in order to define the name of the cluster to graylog.
:~# nano /etc/elasticsearch/elasticsearch.yml
And in the “cluster.name” and define it as graylog.
We must also add these lines:
script.inline: false script.indexed: false script.file: false
Finally we restart the elasticsearch service
:~# systemctl restart elasticsearch
3.- MongoDB’s turns
Now we must install mongoDB. To do this, we will first add the gpg key.
:~# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
Then we add the mongoDB repository
:~# echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
We update the repository cache and then install mongodb
:~# apt update && apt install mongodb-org
Now we start the service and make sure it starts with the system
:~# systemctl start mongod :~# systemctl enable mongod
4.- Installing Graylog
At last it’s GRaylog’s turn, first we download the package that adds the repository.
:~# wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
Then we install it:
:~# dpkg -i graylog-2.4-repository_latest.deb
And now we install the Graylog package:
:~# apt update && apt install graylog-server
Once the installation of the Graylog package is finished, we will have to edit the configuration file to set our password in it. in the same file, we are told that it must be 64 characters, to generate it, we will use pwgen:
:~# pwgen -N 1 -s 96
And we put it in the file.
Next we must generate a hash for the password.
:~# echo -n your_password | sha256sum
Place the hash password. Additionally, we can put the email address of the root user, and their time zone.
Then we must add this line to the end of the file:
elasticsearch_discovery_zen_ping_unicast_hosts = ip_server:9300
Next, in elasticsearch_shards we define the number of nodes; in our case 1. And in elasticsearch_replicas the number of replica nodes that are in our cluster. 0 in this case.
5.- Graylog web interface
Since version 2 of Graylog, its web interface is incorporated, we only have to edit the server.conf file to define some important parameters.
:~# nano /etc/graylog/server/server.conf
And we edit the file with these two parameters
web_listen_uri = http://ip_server:9000/ web_listen_uri = http://ip_server:9000/
We then restart the service
:~# systemctl restart graylog-server
Now we only have to access our graylog from the web.
And that’s it, we’re done, just start configuring graylog from your web interface.
A reminder, the password field is in the root_password_sha2 field of the server.conf file.
Please spread this article through social networks.
Tried your guide but didn’t get elasticsearch to work, i got “Loading field information failed with statusExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS): cannot GET http://:9000/api/system/fields (500)” do you know what this is? i followed your guide to thoroughly.
Also, what do you mean with:
“And we edit the file with these two parameters
web_listen_uri = http://ip_server:9000/
web_listen_uri = http://ip_server:9000/“