Install and Configure Graylog

Intro

This guide will show you how to install Graylog on Ubuntu 20.04 LTS. We will use two separate virtual machines for this setup: one for Graylog and MongoDB, and the other for Elasticsearch. In my experience, running Graylog and Elasticsearch on the same virtual machine is not good practice and will probably cause performance issues.

Minimum resources to start with (for each VM)

  1. 2 Cores
  2. 4 GB RAM
  3. 15 GB Storage

[Diagram: graylog-diagram.png]

Elasticsearch VM

  1. Before starting with anything, make sure the universe repository is enabled:

sudo add-apt-repository universe

  2. Update the VM:

sudo apt-get update && sudo apt-get upgrade

  3. Install these additional packages:

sudo apt-get install apt-transport-https openjdk-17-jre-headless uuid-runtime pwgen

  4. Reboot the VM.

  5. Install Elasticsearch:

wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
sudo apt-key add myKey
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss

  6. Add these lines to /etc/elasticsearch/elasticsearch.yml:

cluster.name: graylog
network.host: 0.0.0.0 # or the IP of the Elasticsearch VM
discovery.type: single-node
action.auto_create_index: false

  7. Change the heap size in /etc/elasticsearch/jvm.options from 1G:

-Xms1g
-Xmx1g

to 4G:

-Xms4g
-Xmx4g

  8. Start and enable Elasticsearch:

sudo systemctl daemon-reload
sudo systemctl start elasticsearch.service
sudo systemctl enable elasticsearch.service
sudo systemctl status elasticsearch.service
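As an added check that is not part of the original guide: once the service is up, confirm from the Graylog VM that the node answers on port 9200 with the cluster name set above and a usable health status. The functions below use only curl and POSIX tools; ES_IP is a placeholder for the Elasticsearch VM's address.

```shell
#!/bin/sh
# Added example, not from the original guide: post-start checks for the
# Elasticsearch node. Placeholder: ES_IP is the Elasticsearch VM's address.

# Extract a top-level string value for KEY from a JSON document on stdin.
# Elasticsearch returns the root and _cluster/health documents on one line,
# but newlines are dropped first so pretty-printed input also works.
json_field() {   # usage: json_field KEY
  { tr -d '\n'; echo; } | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the root document reports cluster_name "graylog" (the value
# set in elasticsearch.yml) and health is green or yellow. Yellow is normal
# for a single-node cluster: replica shards can never be allocated.
es_checks_pass() {   # usage: es_checks_pass ROOT_JSON HEALTH_JSON
  name=$(printf '%s' "$1" | json_field cluster_name)
  status=$(printf '%s' "$2" | json_field status)
  [ "$name" = graylog ] || { echo "unexpected cluster_name: '$name'"; return 1; }
  case "$status" in
    green|yellow) return 0 ;;
    *) echo "cluster health is '$status'"; return 1 ;;
  esac
}

# Live check against the VM (needs network access; not exercised offline).
# elasticsearch-oss ships without authentication, so whoever can reach
# port 9200 can read and delete every index. With network.host 0.0.0.0 that
# is every host on the VM's networks; restrict it on the Elasticsearch VM to
# the Graylog VM only, for example with ufw:
#   sudo ufw allow from <GRAYLOG_VM_IP> to any port 9200 proto tcp
es_live_check() {   # usage: es_live_check ES_IP
  root=$(curl -sf "http://$1:9200/") || { echo "port 9200 unreachable"; return 1; }
  health=$(curl -sf "http://$1:9200/_cluster/health") || { echo "health query failed"; return 1; }
  es_checks_pass "$root" "$health"
}
```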

Graylog VM

  1. Before starting with anything, make sure the universe repository is enabled:

sudo add-apt-repository universe

  2. Update the VM:

sudo apt-get update && sudo apt-get upgrade

  3. Install these additional packages:

sudo apt-get install apt-transport-https openjdk-17-jre-headless uuid-runtime pwgen

  4. Reboot the VM.

  5. Install MongoDB using the official repository:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

  6. Enable MongoDB:

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl status mongod.service

  7. Install Graylog:

wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
sudo dpkg -i graylog-4.3-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins

  8. Create the password hash:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

You are prompted for the password and get its SHA-256 hash back:

Enter Password: <Your Password>
<Your password as hash> # copy it

  9. Edit the config file /etc/graylog/server/server.conf:

  • Copy the hash generated in the Create password step and paste it as password_secret and root_password_sha2:

password_secret = <Your password as hash>
root_password_sha2 = <Your password as hash>

  • Make Graylog available on all interfaces:

http_bind_address = 0.0.0.0:9000 # or the IP of Graylog's VM

  • Set the IP of the Elasticsearch VM:

elasticsearch_hosts = http://<The IP of Elasticsearch's VM>:9200

  10. Change the heap size in /etc/default/graylog-server from 1G:

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"

to 4G:

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms4g -Xmx4g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"

  11. Start and enable Graylog:

sudo systemctl daemon-reload
sudo systemctl start graylog-server.service
sudo systemctl enable graylog-server.service
sudo systemctl status graylog-server.service

Now the Graylog web interface should be available at <The IP of Graylog’s VM>:9000.
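The Create password and Edit the config file steps above reuse the admin password hash for password_secret, but the server.conf that Graylog ships asks for password_secret to be its own random string (its comments suggest pwgen -N 1 -s 96, which is why pwgen was installed) that peppers every stored user password, separate from root_password_sha2. The script below is an added example, not part of the original guide, that fills both settings; it assumes server.conf still contains the two key lines as shipped.

```shell
#!/bin/sh
# Added example, not from the original guide: fill the two secrets in
# /etc/graylog/server/server.conf. Assumes the file contains lines starting
# with "password_secret =" and "root_password_sha2 =" (as shipped).

# password_secret: a random string that peppers stored user passwords.
# Graylog's config comments suggest "pwgen -N 1 -s 96"; fall back to
# /dev/urandom if pwgen is missing. Only [A-Za-z0-9] is produced, so the
# value is safe to splice into the sed replacement below.
gen_password_secret() {
  if command -v pwgen >/dev/null 2>&1; then
    pwgen -N 1 -s 96
  else
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
    echo
  fi
}

# root_password_sha2: hex SHA-256 of the admin password. printf '%s' avoids
# hashing a trailing newline, which is why the guide pipes through tr -d '\n'.
hash_root_password() {   # usage: hash_root_password PASSWORD
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Rewrite both settings in place; every other line is left untouched.
configure_graylog_secrets() {   # usage: configure_graylog_secrets CONF PASSWORD
  conf="$1"
  secret=$(gen_password_secret)
  pwhash=$(hash_root_password "$2")
  sed -i \
    -e "s|^password_secret *=.*|password_secret = $secret|" \
    -e "s|^root_password_sha2 *=.*|root_password_sha2 = $pwhash|" \
    "$conf"
}

# Read back one setting, for checking the result.
conf_value() {   # usage: conf_value CONF KEY
  sed -n "s|^$2 *= *||p" "$1"
}
```

Run it as root against the real file, e.g. configure_graylog_secrets /etc/graylog/server/server.conf "$ADMIN_PASSWORD", then restart graylog-server.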

Installing Nginx on Graylog’s VM (Optional)

You only need to do this if you want to make Graylog’s web interface available on port 80 (the default HTTP port).

  1. Install Nginx:

sudo apt install nginx

  2. Configure Nginx to proxy traffic arriving on port 80 to port 9000:

sudo nano /etc/nginx/sites-available/graylog

Write this in the file, then save and exit:

server {
    listen 80;
    location / {
      proxy_pass http://localhost:9000/;
    }
}

  3. Enable the configuration:

cd /etc/nginx/sites-enabled/
sudo ln -s ../sites-available/graylog
sudo rm default

  4. Test that the configuration is written correctly:

sudo nginx -t

You should get the message:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If you get an error, recheck what you wrote in step 2. There is probably a typo.

  5. Restart Nginx:

sudo systemctl restart nginx.service

Now you should be able to access Graylog’s web interface using only the IP address, without the port.
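Once Nginx is in front, the only ports that should answer on the Graylog VM's network interfaces are 80 (Nginx) and 22; Graylog can then be bound to 127.0.0.1:9000 instead of 0.0.0.0:9000 so the proxy is the single entry point, and MongoDB stays on localhost. As an added check that is not part of the original guide, the functions below read ss -ltn output and list every port bound to all interfaces that is not on an allow list; the sample rows in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: find ports listening on every
# interface. Feed it "ss -ltn" output:  ss -ltn | unexpected_exposure "22 80"

# Print the ports whose local address is 0.0.0.0, [::] or * (one per line,
# numerically sorted, de-duplicated). The header line starts with "State" and
# is dropped by the LISTEN filter; 127.0.0.1:27017 (MongoDB) is not reported.
wildcard_ports() {
  awk '$1 == "LISTEN" {
         addr = $4
         n = split(addr, parts, ":")                # port is the last field
         port = parts[n]
         host = substr(addr, 1, length(addr) - length(port) - 1)
         if (host == "0.0.0.0" || host == "[::]" || host == "*") print port
       }' | sort -un
}

# Report wildcard-bound ports not in the allow list (space separated, $1).
# Returns 1 if anything unexpected is exposed, 0 otherwise. On the Graylog VM
# behind Nginx the allow list is "22 80"; on the Elasticsearch VM 9200 has to
# stay reachable from the Graylog VM, so restrict it with a firewall instead.
unexpected_exposure() {   # usage: ss -ltn | unexpected_exposure "22 80"
  allowed=" $1 "
  rc=0
  for p in $(wildcard_ports); do
    case "$allowed" in
      *" $p "*) ;;
      *) echo "port $p listens on all interfaces"; rc=1 ;;
    esac
  done
  return $rc
}
```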