How To Install Graylog On Ubuntu 20.04

Graylog is an open-source log management tool that helps you store and analyse machine logs centrally. A Graylog set-up consists of three components: the Graylog server, Elasticsearch, and MongoDB.

This is a fresh install of Ubuntu 20.04. As I'm installing Graylog in a demo lab environment, I won't be covering security settings in this guide! Please ensure the Graylog server is not publicly exposed and follows security best practices. Please see the Graylog documentation on Securing Graylog.

Let's start by updating the package sources list to get the latest list of available packages and their versions, and then install any newer versions of the packages.

💡
sudo apt update
sudo apt upgrade

Configure a static IP address in the netplan configuration file. The file is YAML, so make sure you get the indentation right.

💡
sudo nano /etc/netplan/00-installer-config.yaml

Apply the changes.

💡
sudo netplan apply

Verify that the IP address is correct, and make sure you can ping the internet.

💡
ip addr
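As an added example (not part of the original article), the static-address step above can be scripted: the function below writes a netplan file with the two-space indentation netplan expects and runs a quick structural check before anything is applied. The server address 10.10.3.51 is the one the article uses; the interface name ens160, the /24 mask and the gateway/DNS address 10.10.3.1 are placeholders for your lab.

```shell
#!/bin/sh
# Added example, not from the original article: generate a netplan file for a
# static IPv4 address and sanity-check it before applying. Assumptions: interface
# ens160, /24 mask, gateway and DNS 10.10.3.1 are lab placeholders; 10.10.3.51 is
# the article's server address.

# Write a netplan YAML file. Two spaces per level is what netplan expects, and
# "to: 0.0.0.0/0" is the default-route form accepted by every netplan release,
# including the one shipped with Ubuntu 20.04.
write_netplan() {
    path="$1"; iface="$2"; cidr="$3"; gateway="$4"; dns="$5"
    cat > "$path" <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false
      addresses:
        - ${cidr}
      routes:
        - to: 0.0.0.0/0
          via: ${gateway}
      nameservers:
        addresses:
          - ${dns}
EOF
}

# Cheap structural check that catches the usual mistakes (tabs, wrong nesting)
# before "netplan apply" is run over an SSH session you might then lose.
netplan_file_ok() {
    path="$1"
    if grep -q "$(printf '\t')" "$path"; then
        echo "tabs found in $path; netplan needs spaces" >&2; return 1
    fi
    grep -q '^network:' "$path" || { echo "missing network: root key" >&2; return 1; }
    grep -q '^  version: 2' "$path" || { echo "missing version: 2" >&2; return 1; }
    grep -q '^      addresses:' "$path" || { echo "no addresses block" >&2; return 1; }
    return 0
}

# First entry of the interface's addresses: list (the 6-space-indented one,
# not the nameservers list below it), used to verify what was written.
netplan_address() {
    awk '/^      addresses:/ { getline; sub(/^ *- */, ""); print; exit }' "$1"
}

# Offline demo: write to a temp path rather than /etc/netplan so the script runs
# anywhere; on the host set NETPLAN_PATH=/etc/netplan/00-installer-config.yaml.
NETPLAN_PATH="${NETPLAN_PATH:-$(mktemp)}"
write_netplan "$NETPLAN_PATH" ens160 10.10.3.51/24 10.10.3.1 10.10.3.1
netplan_file_ok "$NETPLAN_PATH" && echo "netplan file looks sane: $(netplan_address "$NETPLAN_PATH")"
```

On the server itself, `sudo netplan try` applies the file and rolls it back automatically after 120 seconds unless you confirm, which is safer than a bare `netplan apply` when you are connected over SSH and a typo would cut you off.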

Now I can SSH to the server on 10.10.3.51 using an SSH client. I've enabled the root account on the server; it's not required, but I find it helpful in my lab environment. Just in case you want to do the same, here's a link.

I'm going to change the hostname of the server; you will need to exit the SSH session and reconnect to see the new hostname.

💡
hostnamectl set-hostname graylog04-eve

Verify the current timezone and list the available time zones.

💡
timedatectl
timedatectl list-timezones

Configure the correct timezone and verify.

💡
timedatectl set-timezone Europe/London

Now onto the fun bit!

Install Java

💡
sudo apt update
sudo apt install -y apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen curl dirmngr

Verify the Java version.

💡
java -version

Install Elasticsearch

Download and install the GPG signing key. (apt-key is deprecated on newer Ubuntu releases, but it still works on 20.04.)

💡
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Set up the Elasticsearch repository on your system by running the command below.

💡
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Update the repository cache and then install the Elasticsearch package.

💡
sudo apt update
sudo apt install -y elasticsearch-oss

Now we need to edit the Elasticsearch configuration file to set the cluster name for the Graylog set-up, and also add an additional line to the bottom of the file.

💡
sudo nano /etc/elasticsearch/elasticsearch.yml

Let's reload systemd, start the Elasticsearch service so the new configuration is read, and enable it at boot.

💡
sudo systemctl daemon-reload
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Allow 30 seconds to a minute for the Elasticsearch service to start up and then issue the following curl command.

💡
curl -X GET http://localhost:9200

You should get a JSON response from Elasticsearch; ensure the cluster name shown is "graylog".
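The two Elasticsearch checks above (the edited elasticsearch.yml and the curl output) can be automated; the script below is an added example and not code from the article or from Graylog. It assumes the two settings the Graylog documentation asks for in elasticsearch.yml, `cluster.name: graylog` and `action.auto_create_index: false`, and the pretty-printed JSON that Elasticsearch 7 returns from its root endpoint; the sample response is constructed, with invented version and UUID values.

```shell
#!/bin/sh
# Added example, not from the original article: verify elasticsearch.yml and the
# root-endpoint response before moving on to Graylog. Assumptions: the settings
# cluster.name: graylog and action.auto_create_index: false from the Graylog
# docs; the JSON shape of an Elasticsearch 7 "curl http://localhost:9200" reply.

# Confirm elasticsearch.yml carries both settings: the cluster name Graylog
# expects and no automatic index creation (Graylog manages its own indices).
es_yml_check() {
    grep -Eq '^[[:space:]]*cluster\.name:[[:space:]]*graylog[[:space:]]*$' "$1" \
        || { echo "cluster.name is not graylog in $1" >&2; return 1; }
    grep -Eq '^[[:space:]]*action\.auto_create_index:[[:space:]]*false[[:space:]]*$' "$1" \
        || { echo "action.auto_create_index: false missing in $1" >&2; return 1; }
    return 0
}

# Extract cluster_name from a root-endpoint response on stdin; no jq required.
es_cluster_name() {
    sed -n 's/.*"cluster_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the response on stdin names the expected cluster, 1 otherwise.
# Usage: curl -s http://localhost:9200 | es_cluster_is graylog
es_cluster_is() {
    expected="$1"
    actual="$(es_cluster_name)"
    if [ "$actual" = "$expected" ]; then
        echo "cluster name OK: $actual"
        return 0
    fi
    echo "cluster name mismatch: got '${actual:-<none>}', expected '$expected'" >&2
    return 1
}

# Poll the URL until Elasticsearch answers or the timeout (seconds) expires,
# instead of guessing how long start-up takes.
wait_for_es() {
    url="$1"; timeout="${2:-60}"; elapsed=0
    until curl -sf "$url" >/dev/null 2>&1; do
        elapsed=$((elapsed + 2))
        [ "$elapsed" -ge "$timeout" ] && { echo "Elasticsearch not up after ${timeout}s" >&2; return 1; }
        sleep 2
    done
    return 0
}

# Constructed sample response (ES 7.x layout; version/UUID values invented) so
# the parser can be exercised offline.
SAMPLE_ES_RESPONSE='{
  "name" : "graylog04-eve",
  "cluster_name" : "graylog",
  "cluster_uuid" : "EXAMPLE-UUID",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss"
  },
  "tagline" : "You Know, for Search"
}'

# Constructed stand-in for /etc/elasticsearch/elasticsearch.yml; on the host set
# ES_YML=/etc/elasticsearch/elasticsearch.yml and ES_URL=http://localhost:9200.
ES_YML="${ES_YML:-$(mktemp)}"
if [ ! -s "$ES_YML" ]; then
    printf 'cluster.name: graylog\nnetwork.host: 127.0.0.1\naction.auto_create_index: false\n' > "$ES_YML"
fi
es_yml_check "$ES_YML" && echo "elasticsearch.yml OK"

if [ -n "${ES_URL:-}" ]; then
    wait_for_es "$ES_URL" 60 && curl -s "$ES_URL" | es_cluster_is graylog
else
    printf '%s\n' "$SAMPLE_ES_RESPONSE" | es_cluster_is graylog
fi
```

Run it with `ES_URL=http://localhost:9200 ES_YML=/etc/elasticsearch/elasticsearch.yml sh es_check.sh` on the server to do the live check; without those variables it only exercises the parser on the constructed sample.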

Install MongoDB

MongoDB acts as the database for storing Graylog's configuration. Graylog requires MongoDB v3.6, 4.0 or 4.2.

Unfortunately, the official MongoDB repository doesn't provide the required MongoDB versions for Ubuntu 20.04, so we will install MongoDB v3.6 from the Ubuntu base repository.

💡
sudo apt update
sudo apt install -y mongodb-server

Let's start MongoDB and make sure the service starts on system start-up.

💡
sudo systemctl start mongodb
sudo systemctl enable mongodb

Install Graylog Server

Graylog Server reads data from Elasticsearch for search queries coming from users and then displays it for them through the Graylog web interface.

I'm going to install Graylog 4.2 in my lab.

Download the Graylog 4.2 repository configuration package.

💡
wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb

Install the Graylog repository package.

💡
sudo dpkg -i graylog-4.2-repository_latest.deb

Update the repository cache.

💡
sudo apt update

Install the Graylog server.

💡
sudo apt install -y graylog-server

Now we have to generate a secret that Graylog uses to secure the stored user passwords, using the pwgen command.

💡
pwgen -N 1 -s 96

Copy the output to your clipboard and use nano to edit the Graylog server.conf; look for "password_secret" and paste the text after the equals sign, leaving a space after it.

💡
sudo nano /etc/graylog/server/server.conf

Now we need to generate a SHA-256 hash of the password for the Graylog admin user; this will be used to log into the Graylog web UI. Note that the plain-text password will be recorded in your shell history by this command.

💡
echo -n yourpassword | sha256sum

Use nano to open server.conf again and add the hash to the "root_password_sha2" line, leaving a space after the equals sign.

Set up the Graylog Web-UI

For the last time (I promise) open the Graylog server.conf using nano and edit "http_bind_address" to use your server's IP address.

💡
sudo nano /etc/graylog/server/server.conf

While editing /etc/graylog/server/server.conf, also change the timezone setting to your correct timezone.

Now for the moment of truth: start and enable the Graylog service.

💡
sudo systemctl daemon-reload
sudo systemctl start graylog-server
sudo systemctl enable graylog-server

Check the Graylog server logs for any issues.

💡
sudo tail -f /var/log/graylog-server/server.log

Browse to the Graylog web interface (Graylog listens on port 9000 by default).

💡
http://x.x.x.x:9000

Log in with the username admin and the password you hashed into root_password_sha2 in the server.conf file.

And voilà! We have Graylog up and running. In my next Graylog article I will cover how to send syslog from Palo Alto Networks devices to the Graylog server.