Graylog is an open source log management application that collects, indexes, and analyzes logs from remote systems in one central place.
Graylog is built from three components:
Elasticsearch: receives and stores the logs from the Graylog server and provides the search facility.
MongoDB: database that stores the configuration and metadata.
Graylog Server: receives and parses the logs coming from the configured inputs and provides a web interface to manage them.
In this tutorial, we will learn how to install and configure the Graylog2 server on Ubuntu 16.04 LTS.
0./ Prerequisites
– To install Graylog, we first need to install these additional packages:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
1./ Install MongoDB
– MongoDB is available in the default Ubuntu repositories. Install it by running the following command:
$ sudo apt-get install mongodb-server -y
– Start the MongoDB service and enable it to start on boot with the following commands (the Ubuntu package installs the unit as mongodb.service; only the upstream mongodb-org package names it mongod.service):
$ sudo systemctl daemon-reload
$ sudo systemctl enable mongodb.service
$ sudo systemctl start mongodb.service
2./ Install and Configure Elasticsearch
– To install Elasticsearch, first import its GPG key using the following command:
$ wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
– Elasticsearch is not available in the default repositories, so add the Elastic repository with the following command:
$ echo "deb https://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
– Now, install Elasticsearch using the following command:
$ sudo apt-get update && sudo apt-get install elasticsearch
– Open the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml) and set the cluster name to graylog:
$ sudo vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
– After you have modified the configuration, enable and start Elasticsearch:
$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service
– Check the health of Elasticsearch with the following command; the cluster_name should be graylog and the status green:
$ curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
3./ Install and Configure Graylog
– Download and install the Graylog repository package using the following commands:
$ wget https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.deb
$ sudo dpkg -i graylog-2.2-repository_latest.deb
– Install the Graylog server with the following command:
$ sudo apt-get update && sudo apt-get install graylog-server
– After you have installed the Graylog server, generate a secret key (password_secret) for Graylog using the following command; the output is the value you will put into the configuration file below:
$ pwgen -N 1 -s 96
MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
– Now create the SHA-256 hash of the password the root user will use to log in to the Graylog web interface:
$ echo -n Password | sha256sum
e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a  -
– Edit the server.conf file:
$ sudo vi /etc/graylog/server/server.conf
– Set the following values, using the secret and the hash generated above:
password_secret = MTtPFSMZxAvoLsUiXXauggyJ761hwkGn1ZTN2ovb8wN2tO1LzyeNbaatOrpLukp96p0MxwHQosmMGPborm1YRojnnSORVvr2
root_password_sha2 = e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a
root_email = [email protected]
root_timezone = UTC
elasticsearch_discovery_zen_ping_unicast_hosts = 192.168.1.200:9300
elasticsearch_shards = 1
– Also disable dynamic scripting in Elasticsearch. The following three settings are Elasticsearch options in YAML syntax, so they belong in /etc/elasticsearch/elasticsearch.yml (not in server.conf); restart Elasticsearch after adding them:
script.inline: false
script.indexed: false
script.file: false
– To enable the Graylog web interface, set the REST and web listen URIs to the server's IP address:
rest_listen_uri = http://192.168.1.200:12900/
web_listen_uri = http://192.168.1.200:9000/
– After you have modified the configuration file, enable and start the Graylog service using the following commands:
$ sudo systemctl daemon-reload
$ sudo systemctl enable graylog-server.service
$ sudo systemctl start graylog-server.service
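Typing the root password after `echo -n` leaves it in the shell history, and pasting a 96-character secret by hand is error-prone; the following script, an added example that is not part of the original tutorial, generates both values and writes them into server.conf. The function names are ours, and it assumes the graylog-server package runs the daemon as user "graylog".

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate password_secret,
# hash the root password and write both into server.conf. The password is
# read with echo turned off instead of being typed after "echo -n", so it
# does not land in the shell history. Assumes the graylog-server package
# runs the daemon as user "graylog" (used for the file ownership below).
set -eu

# SHA-256 hex digest of a string: what `echo -n "$1" | sha256sum` prints,
# minus the trailing "  -" marker.
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a server.conf-style file: an existing line for the
# key (commented out or not) is replaced, otherwise the key is appended.
# Values are expected to be plain alphanumerics (pwgen -s output, hex).
set_conf() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[# ]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[# ]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key's value back (last occurrence wins).
get_conf() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Interactive part: run as root with --apply [path-to-server.conf].
configure_secrets() {
    conf=$1
    secret=$(pwgen -N 1 -s 96)                  # same generator as the tutorial
    printf 'Graylog root password: '
    stty -echo; read -r root_pw; stty echo; echo   # hide the typed password
    set_conf "$conf" password_secret "$secret"
    set_conf "$conf" root_password_sha2 "$(sha256_of "$root_pw")"
    set_conf "$conf" root_timezone UTC
    # server.conf now holds password_secret: readable by root and the
    # graylog service user only.
    chown root:graylog "$conf"; chmod 640 "$conf"
}

if [ "${1:-}" = "--apply" ]; then
    configure_secrets "${2:-/etc/graylog/server/server.conf}"
fi
```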
4./ Adjusting Firewall
You will need to open the firewall ports for Graylog to work properly.
You can do this by running the following commands:
$ sudo ufw allow 9000/tcp
$ sudo ufw allow 12900/tcp
$ sudo ufw allow 1514/tcp
– Next, reload ufw with the following command:
$ sudo ufw reload
5./ Access the Graylog web interface
Open your web browser and go to http://your_ip_address:9000. You should see the Graylog login page:
We hope this tutorial was helpful. If you need more information, or have any questions, just comment below and we will be glad to assist you!
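The health check from the Elasticsearch step and the reachability of the Graylog REST API can be scripted; the following is an added example, not code from the tutorial, that uses the ports configured above, the Ubuntu unit names, and Graylog's unauthenticated /system/lbstatus endpoint (function names are ours).

```shell
#!/bin/sh
# Added example (not part of the tutorial): post-install checks for the
# services configured above, using the ports from this tutorial
# (Elasticsearch 9200, Graylog REST API 12900) and the distro unit names.
set -eu

# Extract the "status" field (green/yellow/red) from the JSON that
# GET /_cluster/health returns on stdin. The pretty-printed JSON is joined
# into one line first so sed sees the whole document.
es_health_status() {
    tr -d '\n' | sed -n -E 's/.*"status"[[:space:]]*:[[:space:]]*"([a-z]+)".*/\1/p'
}

# Return 0 when the cluster status is acceptable: green, or yellow (a
# single-node cluster cannot place replica shards). Red means shards are
# missing and searches will return incomplete data.
es_status_ok() {
    case "$1" in
        green|yellow) return 0 ;;
        *)            return 1 ;;
    esac
}

# Verify that each systemd unit from the tutorial is running.
check_units() {
    for unit in mongodb elasticsearch graylog-server; do
        systemctl is-active --quiet "$unit" || { echo "$unit is not active" >&2; return 1; }
    done
}

# Query Elasticsearch and Graylog. Graylog's /system/lbstatus endpoint
# answers ALIVE without authentication, so scripts can poll it.
check_services() {
    es_host=${1:-localhost}; gl_host=${2:-localhost}
    status=$(curl -sf "http://$es_host:9200/_cluster/health" | es_health_status)
    es_status_ok "$status" || { echo "Elasticsearch status: $status" >&2; return 1; }
    lb=$(curl -sf "http://$gl_host:12900/system/lbstatus")
    [ "$lb" = "ALIVE" ] || { echo "Graylog lbstatus: $lb" >&2; return 1; }
    echo "Elasticsearch $status, Graylog $lb"
}

if [ "${1:-}" = "--run" ]; then
    check_units && check_services "${2:-localhost}" "${3:-localhost}"
fi
```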
20 comments
Hi, thanks,
I need to install apache2?
Hi,
You don’t need to install Apache or nginx. But you can use one as a proxy to connect to the Graylog web interface.
Thanks. I have a problem: I can’t send messages (logs) to the server on local 127.0.0.1 over UDP.
You have to look at this tutorial http://yallalabs.com/linux/how-to-setup-a-centralized-log-server-using-rsyslog-on-ubuntu-16-04-lts/ to understand how to configure rsyslog.
You have to open the ports for rsyslog in the configuration file /etc/rsyslog.conf.
2. Under the ##RULES## directive section, add the Graylog server IP:
[…]
##RULES##
*.* @192.168.1.200:514
3./ Restart rsyslog.
4./ Log on to the Graylog web interface and click System –> Inputs –> select Syslog UDP or TCP and then click Launch new input.
5./ Fill in the requested values and click OK.
When I tried to view the web interface I got “site can’t be reached”.
hi,
Make sure to open the firewall ports, and check the Graylog log file /var/log/graylog-server/server.log to verify that the Graylog server started correctly.
Can you please tell me what the username and password of the Graylog server are? I am not able to access it from the public IP. I got an error like:
(We are experiencing problems connecting to the Graylog server running on http://xxxx:12900/. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
Do you need a hand? We can help you.
More details)
The default root user is named ‘admin’ and the password used in this tutorial is ‘Password’. Did you open the firewall ports?
Make sure to open the firewall ports,
and make sure that you can reach the REST API URL of your Graylog server:
rest_listen_uri = http://your_public_ip:12900/
Can you please document installing Graylog to use HTTPS? I’m trying to do that but cannot find a good guide to get it working on HTTPS.
Hi FARAMIRZA,
Thanks for your feedback, hope you find our article helpful. If you’re operating a single-node setup and would like to use HTTPS for the Graylog web interface and the Graylog REST API, it’s possible to use NGINX or Apache as a reverse proxy. You can take a look at this article where we explained how to set up nginx as a reverse proxy for Graylog: http://yallalabs.com/linux/how-to-configure-nginx-as-reverse-proxy-for-graylog2-server/
Finally you just need to modify the vhost file as below:
server
{
    listen 443 ssl http2;   # spdy was replaced by http2 in nginx 1.9.5 (Ubuntu 16.04 ships 1.10)
    server_name graylog.yallalabs.local;
    # Your SSL Settings here!
    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/api;
        proxy_pass http://127.0.0.1:9000;
    }
}
Good Luck
cannot open graylog webpage
Hi Peter,
Make sure that the Graylog daemon started correctly and check the logs to verify that everything works properly.
Can you please let me know how I enable all the servers to send logs to my Graylog server?
I have made the changes in rsyslog.conf on the client end and entered my Graylog server details. But I am not able to get the input method to choose the client on the Graylog server web UI.
Hi,
– Configure the rsyslog.conf like this:
*.* @your_graylog_ip_server:514;RSYSLOG_SyslogProtocol23Format
– And after that restart the rsyslog daemon.
– Make sure to open the firewall ports.
– Create an input by selecting Syslog UDP.
Hope you got the steps.
My Graylog server is running on 127.0.0.1:9000 only, not on my IP 192.168.1.2:9000.
Hi,
You need to set “rest_listen_uri” and “web_listen_uri” to your IP address in the /etc/graylog/server/server.conf file.
This site can’t be reached
103.210.73.101 took too long to respond.
Search Google for 103 210 101 9000
ERR_CONNECTION_TIMED_OUT
“Please help me to resolved this issue “
Hi shared,
Make sure to configure web_listen_uri and rest_listen_uri with your server IP and to allow ports 9000 and 12900 in the firewall.
Hi LOTFI WADERNI, thanks for the nice write-ups….
Could you please suggest any solution for collecting HTTP/HTTPS URL logs from my routers to a central log server?
Regards
Naser
Hi,
Check out the Graylog marketplace to find a lot of free Cisco log plugins: https://marketplace.graylog.org/