How to Install and Configure Graylog Server on Ubuntu 16.04


Graylog is a free and open source, centralized log management tool built on MongoDB and Elasticsearch. With Graylog you can collect, store and search the logs of all your servers in one place.

Graylog is made up of three components: Elasticsearch, MongoDB and the Graylog server. Elasticsearch stores the log messages and provides the search facilities. MongoDB stores the configuration and metadata. The Graylog server collects log messages from the configured inputs and provides a web interface and REST API for managing and querying them.

In this tutorial we will guide you through the steps of installing Graylog 2.3 on an Ubuntu 16.04 VPS.

Prerequisites

Log in to your VPS as the root user

ssh root@IP_ADDRESS

and update the system

apt-get update && apt-get upgrade

Install Java

Graylog 2.3 requires Java 8. Ubuntu 16.04 ships OpenJDK 8 in its official repository (openjdk-7 is not available on 16.04), so install the headless runtime, which is all a server needs:

apt-get install openjdk-8-jre-headless

check the version

java -version

openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-8u131-b11-2ubuntu1.16.04.3-b11)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)

Install MongoDB

The MongoDB version in the Ubuntu 16.04 repository is outdated, so we will use MongoDB's own repository instead. The repository line must match the Ubuntu release: a Debian wheezy line (as seen in older guides) provides no packages for xenial. Import the MongoDB 3.2 release key and add the xenial repository:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" > /etc/apt/sources.list.d/mongodb-org-3.2.list
apt-get update

A short key ID like EA312927 can be forged on a public keyserver, so before installing anything compare the full fingerprint printed by 'apt-key fingerprint' with the one published in the MongoDB documentation.

and run the following command to install MongoDB

apt-get install mongodb-org

Once installed, start MongoDB and enable it to start on boot

systemctl start mongod
systemctl enable mongod

Install Elasticsearch

Add the GPG key to the server:

wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Now add the elasticsearch repository to sources list

apt-get install apt-transport-https
echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list

Update the package lists and install Elasticsearch

apt-get update && apt-get install elasticsearch

Once the installation is completed, edit the Elasticsearch configuration file '/etc/elasticsearch/elasticsearch.yml', uncomment the 'cluster.name' line, and change it to 'graylog' (Graylog looks for a cluster with this name by default).

cluster.name: graylog

Leave 'network.host' at its default: Elasticsearch 2.x binds to the loopback interface only, and since it has no authentication of its own it must not be reachable from other hosts.

Start Elasticsearch and enable it to start at boot time

systemctl start elasticsearch
systemctl enable elasticsearch

Install Graylog

Download and install Graylog repository

wget https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.deb
dpkg -i graylog-2.3-repository_latest.deb

Update the package lists and install Graylog

apt-get update && apt-get install graylog-server

Next, we must set two values in the Graylog configuration: 'root_password_sha2' and 'password_secret'. Graylog refuses to start until both are set.

Run the following command to create the value for 'root_password_sha2', the SHA-256 hash of the password for the built-in 'admin' account. Note that a password typed on the command line ends up in the shell history (~/.bash_history); delete that entry afterwards, or feed the password to sha256sum from standard input instead of the command line.

echo -n PASSWORD | sha256sum
0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60 -

Replace PASSWORD with an actual password

Create a secret key using pwgen. Graylog uses 'password_secret' to encrypt stored credentials and to sign sessions; it must be at least 16 characters long, and every node of a multi-node setup must use the same value.

apt-get install pwgen
pwgen -s 80 1
I2UqBbXDXcWkYTs2x7wCAPs7GDmLG4iB82AuAhhtB0ayegd5SAjlMxh1Il848Vyq5DP5Q5ZN8wJmWK4m

Edit the '/etc/graylog/server/server.conf' file and insert the hash of your desired password in the 'root_password_sha2' line and the secret key we created with pwgen in the 'password_secret' line. The file should stay readable only by root and the graylog group (the package installs it as root:graylog with mode 0640), because anyone who can read 'password_secret' can decrypt every credential Graylog stores.

nano /etc/graylog/server/server.conf
root_password_sha2 = 0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60
password_secret = I2UqBbXDXcWkYTs2x7wCAPs7GDmLG4iB82AuAhhtB0ayegd5SAjlMxh1Il848Vyq5DP5Q5ZN8wJmWK4m
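The following script is an added example for this step; it is not part of the original tutorial or of the Graylog project. It derives 'root_password_sha2' and 'password_secret' and writes them into server.conf without the admin password ever appearing on a command line, so nothing lands in the shell history. The only assumption is the packaged config path /etc/graylog/server/server.conf; the hashing and secret generation are plain POSIX sh plus coreutils.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the Graylog project.
# Generates root_password_sha2 and password_secret for Graylog 2.x and writes
# them into server.conf without putting the admin password on a command line.
# Assumption: the Debian/Ubuntu package config path /etc/graylog/server/server.conf.

# SHA-256 hex digest of stdin. The trailing newline is stripped so that input
# from `read` and from `printf '%s'` hash identically (Graylog hashes the bare
# password, no newline).
hash_root_password() {
    tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Random password_secret of N alphanumeric characters (default 96, the length
# the Graylog docs suggest; Graylog rejects anything shorter than 16).
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-96}"
}

# Set "key = value" in a server.conf: replace an existing assignment (even an
# empty "key =" placeholder) or append one. The file is rewritten in place
# through `cat >` so its ownership and mode (root:graylog 0640) are preserved.
# Values are hex/alphanumeric here; anything containing '|', '&' or '\'
# would need escaping for sed.
set_conf_key() {
    conf=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^$key[[:space:]]*=" "$conf"; then
        sed "s|^$key[[:space:]]*=.*|$key = $value|" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Interactive driver: prompt for the admin password with terminal echo off,
# hash it, generate the secret and write both values into the config.
configure_graylog_secrets() {
    conf=${1:-/etc/graylog/server/server.conf}
    printf 'Graylog admin password: ' >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    hash=$(printf '%s' "$pw" | hash_root_password)
    secret=$(gen_password_secret 96)
    set_conf_key "$conf" root_password_sha2 "$hash"
    set_conf_key "$conf" password_secret "$secret"
    unset pw hash secret
}

# Runs only as `sh graylog-secrets.sh --run [path/to/server.conf]`, so the
# file can also be sourced just for its functions.
if [ "${1:-}" = "--run" ]; then
    configure_graylog_secrets "${2:-/etc/graylog/server/server.conf}"
fi
```

Run it as root with '--run' after installing the graylog-server package; because the file is rewritten through 'cat >' rather than moved into place, the ownership and 0640 mode set by the package survive, and you can restart graylog-server straight away.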

In the same 'server.conf' find the following lines and change 'IP_ADDRESS' to your server's IP address. These settings bind the REST API and the web interface to that address on plain HTTP, so the admin password and session cookie would cross the network unencrypted. For anything beyond a test box either keep both bound to 127.0.0.1 and put a TLS-terminating reverse proxy in front of port 9000, or enable Graylog's built-in TLS ('rest_enable_tls' / 'web_enable_tls' with the matching '*_tls_cert_file' and '*_tls_key_file' settings), and restrict who can reach port 9000 with a firewall.

rest_listen_uri = http://IP_ADDRESS:9000/api/
web_listen_uri = http://IP_ADDRESS:9000/

Save the changes, then restart Graylog and enable it to start at boot (the status output below shows the unit as 'disabled' until you do)

systemctl restart graylog-server
systemctl enable graylog-server

Check if Graylog is properly started

systemctl status graylog-server

If everything is OK, you will get output similar to the following

● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2017-08-19 22:50:14 CDT; 54s ago
Docs: http://docs.graylog.org/
Main PID: 571 (graylog-server)
CGroup: /system.slice/graylog-server.service
├─571 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─572 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThr
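A running service is not the whole story: Elasticsearch 2.x and MongoDB as installed here have no authentication, so they must only ever listen on the loopback interface, and only Graylog's own port 9000 should be reachable from elsewhere. The script below is an added example, not part of the original tutorial or of the Graylog project; it parses the output of 'ss -ltn' (or 'netstat -ltn') and reports any backend port bound to a non-loopback address. The port list and the assumption of a single-node install are mine.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the Graylog project.
# Reports Elasticsearch / MongoDB listeners that are reachable from outside
# the host. Assumes a single-node Graylog install, so 9200, 9300 and 27017
# must stay on 127.0.0.1 or ::1; 9000 (Graylog itself) is allowed anywhere.

LOOPBACK_ONLY_PORTS="9200 9300 27017"

# Reads `ss -ltn` or `netstat -ltn` output on stdin and prints each
# "addr:port" from the list above whose address is not loopback.
exposed_listeners() {
    awk -v ports="$LOOPBACK_ONLY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # ss puts the state in $1, netstat in $6; both have Local Address in $4
        $1 == "LISTEN" || $6 == "LISTEN" {
            local = $4
            if (!match(local, /:[0-9]+$/)) next          # no port suffix
            addr = substr(local, 1, RSTART - 1)
            port = substr(local, RSTART + 1)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]" || addr == "localhost") next
            print local
        }'
}

# Live check on this host: exit 1 and list the sockets if anything is exposed,
# exit 2 if ss is unavailable, so it is safe in a post-install script or cron.
check_host() {
    command -v ss > /dev/null 2>&1 || { echo 'ss not found' >&2; return 2; }
    out=$(ss -ltn | exposed_listeners)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/exposed backend listener: /' >&2
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

If it reports 9200 or 9300, Elasticsearch's 'network.host' was changed from its loopback default; if it reports 27017, MongoDB's 'bindIp' in /etc/mongod.conf is not 127.0.0.1. Fix the binding rather than relying on a firewall alone, since neither service authenticates clients in this setup.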

Finally, you should be able to access the Graylog web interface at http://IP_ADDRESS:9000 and log in with the user 'admin' and the password whose hash you put in 'root_password_sha2'.

Please check Graylog's official documentation for the 2.3 release for more information on how to configure and use the application: http://docs.graylog.org/en/2.3/index.html
