How to Install Graylog on Ubuntu
In thisvideo, we will learn how easy it is to install Graylog in Ubuntu. We’ve editedthe video to shorten some sequences and crop some steps that will require longwaiting times.
Preparing the system
The first step is preparing the system by running all updates as well as a full upgrade. We want everything to get current with the latest Ubuntu patches out there. After the update, we need to install some additional packages such as OpenJDK for the Java side and some PW gen so we can generate some keys.
Now that we finished preparing the system, we can go ahead and install the three main components of Graylog:
Let’s start by installing MongoDB, first. We must import the key to the repository for MongoDB, and add that to the mirror list. Then we do a new upgrade and update to refresh all our sources and allow the Ubuntu installation to recognize that MongoDB is now available for install.
Once you’re done with the MongoDB install, reload the daemon and enable it through the system control service so that it will start upon boot. Now you just need to turn that service on so you can start using it. Run a PS just to check whether the service is correctly running and you’re ready for the next step.
Now that we’re done with the MongoDB install, we can go ahead and install ElasticSearch. We’re using version 6 for the licensing issues, so we need to add the new key to our repository just like we did with MongoDB. Add the sources list for ElasticSearch, and then run the install for the OSS.
After you’re finished downloading and installing it, you need to configure a couple of files. The first file can be found in:
Once inside here, we need to modify two main parameters. The first one here is the cluster name, which should be changed to Graylog. Then, we should go to the bottom of the file and add this string:
Now, save this file, then reload the daemon so it knows that ElasticSearch is there, and finally enable and start it up for the first time. You might run a process grep just to see if ElasticSearch is correctly running, and a netstat to check if it’s actually listening on port 9200. We want to keep all that traffic locally, so let’s bound it at the local level at first (you can always change this setting later from the configuration file).
Now it’s time to install the main component – Graylog. As usual, let’s add the repository so Ubuntu can download the latest Debian file with the necessary information and then do a dpackage installation. Once it's installed, you can update the sources again so the system knows that they're there and then do an installation of Graylog Server.
Once that package is installed, we do need to modify the configuration file. Go to:
First,go to the password_secret section and you will see that right above there, you will find a command called pwgen. Just hop to a shell and run the pwgen command to get a hash value that we can copy-paste back into the configuration file.
The next field that needs to be edited is just below, find the root_password_sha2 and follow the instructions in the command right above to create a new password. Once again, go back to the shell prompt, paste the command you saw before, and then hop back to the config file to add the newly generated has in the previous field. For the purposes of our example, the password is going to be admin/admin upon the first logon.
Now, you can change the time zone by editing the root_timezone string – in our example, we’re editing it for Denver. This change modifies the web UI so that all the times will be represented in your local time zone based upon this setting.
Once you’re finished, you can reload the daemon so that the system control actually knows that Graylog is there. Then enable the Graylog server service so that it starts on initial boot-up before starting the process right away. To make sure that Graylog was correctly installed, look at the server log file you can find in:
and make sure that the server status is up and running.
Setting up Graylog
Once Graylog is installed, there are a few configurations you want to set while you’re still on the command line. The first one is setting up our syslog to have all the local logs to come in this box for a test, so I can see all this data inside the Graylog interface. Go to:
And go to the very bottom of this file to add some information. The *.* command indicates that we’re gathering any log that the system is generating, and we’re pushing them to a host. Let’s find out the IP address of where these logs are going to go by running an ipconfig command and find out that our IP is 192.168.211.165.
Our string should look like this now:
We’re pointing it to port 1514 so that the process can be started underneath Graylog instead of under root. We also gave it the format 23, our pre-populated syslog protocol format which Graylog can accept and pull out the relevant fields automatically so there’s no parsing needed on the backside. Once the configuration file is modified, we can save it and then restart our syslog. From now on, any new logs will be sent to our localhost on port 1514.
Working around port 514
Don’t worry if your port 1514 is not available or you already have a lot of devices pointed on port 514. You can use the iptables command and put a forwarding rule saying to NAT anything coming in on both TCP and port 514 and redirect it all to port 1514. Create a similar rule for UDP instead of TCP, then save everything to /etc/iptables.rules.
Now you’re ready to load this configuration in your pre-routing rules by creating a file inside /etc/network/if-pre-up.d/ that will work as a startup script that tells the system to load these iptables rules upon reboot. The idea is to run underneath a shell script with an iptables-restore command pointing to the iptables.rules file that we just created. Now we need to modify the permissions on the file to make it an executable by running a chmod+x command on that file.
Checking if Graylog is working properly
If you want to test the web interface to make sure it works, you can run a curl command against the port. Graylog runs by default on port 9000, so you can curl the local address to 9000. As you can see, we’re getting a response saying that the Graylog interface is up.
Now we need to make sure that it is listening on all ports. Let’s run a netstat to validate what ports Graylog is listening on and then grep again for 9000 since that's its listening port. It looks like it's bound only locally, so nothing external would be able to connect to this box. So, let’s go back editing the server.log file, and change the bind_addresswhere it’s listening on. Go find the http_bind_address, copy that line, modify the 127.0.0.1 to the local address (in our case 192.168.211.165), and then restart the Graylog service. Just tail the Graylog server file to make sure it’s up and running.
Loading Graylog’s web console
Just launch the web console on your browser, and wait for a couple of seconds so it can compile all the Java applets in the backend for the first time. Now we can log on by typing admin as default username, and any password we set before (in our example, that was admin too). We will get to the “Search” window at first, and after a few seconds, a red number one will appear on the black nav bar on top.
Clicking on the “Search” tab we will notice that there are no logs being collected, and that’s because we still didn’t connect any input. That’s the reason why we got that red number one alert – if we click on it, we will see a large red box telling us there are no inputs running.
Setting up an input
Let’s create an input by clicking on the “System/Overview” menu and then on the “Inputs” tab. Right now this window is empty – we will start by creating a generic syslog since we already configured the localhost to output logs. Select “Syslog UDP” from the scroll down menu, and then click on “Launch new input”.
Set it up to Global – you can lock it down per node if you'd have multiple nodes. The bind address can be either a local IP address, or 0.0.0.0 if you want it to bind everywhere. Now switch the port to 1514 so that Graylog users can start it up and doesn’t have you ran as route for security purposes. You can also check some other options such as if you want to store those full messages. Now all you need is a Title – in this case we will call this something generic such as Syslog UDP.
Once you saved it, you will see that this input will be in the “starting” state for a few seconds before changing to “running.” Let’s quickly hop back to the shell and do a sudo su so we can generate a message locally that will come up in the “Search” window. Now we go back to the “Search” panel, click on the magnifying glass icon, and we can see the full log message, including where it’s going, who did it, and everything that matters.
That’s all for installing Graylog on Ubuntu. Thanks for watching this video, and happy logging!