
How to install Graylog on your Linux server

Looking for a better way to manage the logs on your Linux servers? Install Graylog. The Graylog system collects the logs from your machines into a searchable store and presents them in a full-featured web dashboard.

Graylog is built on several underlying technologies: Elasticsearch for log storage, MongoDB for its own configuration and state, and Java. This guide targets Graylog 2.4 together with Elasticsearch 5.x and MongoDB 3.6, the combination the 2.4 documentation calls for; newer Graylog releases need different versions of both, so check the compatibility matrix in the Graylog documentation before mixing releases. To follow along, you'll need a server running Ubuntu or CentOS/Red Hat Enterprise Linux, or a machine capable of hosting Oracle VirtualBox VM appliances.

Virtual Machine Instructions

If you're mostly using virtual machines, you'll be happy to know that the Graylog log management server is available as a virtual appliance (an OVA file) for VirtualBox. To get it working, launch a terminal and follow the step-by-step instructions below.

Step 1:  Before attempting to use the Graylog virtual machine, you must install VirtualBox on your VM host server (if you don’t already have it).

Ubuntu

sudo apt install virtualbox

Debian

sudo apt-get install virtualbox

Arch Linux

sudo pacman -S virtualbox

Fedora

sudo dnf install VirtualBox

OpenSUSE

sudo zypper install virtualbox

Generic Linux

Oracle's VirtualBox supports all major Linux distributions, and the latest version of the program can be downloaded from Oracle's VirtualBox website.

Step 2: Launch VirtualBox and keep the window open. Then, head over to the Graylog OVA download page and grab the latest version of it.

Step 3: Open up your file manager and click on “Downloads.” Locate the Graylog OVA file and right-click on it to open up the file manager’s context menu. Then, select “Open with VirtualBox.”

Step 4: Opening the OVA file in VirtualBox brings up the "Import Virtual Appliance" dialog. Review the settings it proposes, click "Import," and wait for the Graylog appliance to be imported into VirtualBox.

Step 5: After the VM is done importing, click "Settings" in VirtualBox and configure the network adapter for the machine. Then, launch the Graylog VM and log in with the user "ubuntu" (the password is also "ubuntu"). Those are well-known default credentials, so change them with passwd right away, and treat the appliance as a test system rather than something to expose to a production network. Then run the console commands below inside the VM:

sudo graylog-ctl set-email-config <smtp server> [--port=<smtp port> --user=<username> --password=<password>]
sudo graylog-ctl set-admin-password <password>
sudo graylog-ctl set-timezone <zone acronym>
sudo graylog-ctl reconfigure
sudo apt-get install -y open-vm-tools

The email settings are optional (they are only used for alert notifications), but the admin password is not: set a strong one, because it protects the web interface. The last line installs open-vm-tools, the guest tools for VMware hosts; it is only needed when the appliance runs on VMware rather than VirtualBox.

Step 6: Open the HTTP URL that the Graylog VM prints on its console in a web browser, and log in with the admin password you set, to finish up the process.

Install Graylog on Ubuntu server

Looking to use Graylog on your Ubuntu server setup? You’re in luck! Ubuntu is one of the primary operating systems supported by the developers.

Before attempting to set up the software on your Ubuntu server, it's imperative that you update Ubuntu and install the latest software patches. To update Ubuntu server, SSH in and run the update and upgrade commands in the terminal.

sudo apt update
sudo apt upgrade -y

Next, use the Apt command below to install the following packages. They are required to install the Graylog dependencies and the software itself (Graylog 2.4 needs Java 8, uuid-runtime and pwgen are used during configuration, and apt-transport-https lets Apt use the HTTPS repositories added below).

sudo apt install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

After setting up the base packages, install MongoDB, which Graylog uses to store its configuration and state. The commands import MongoDB's signing key and add the MongoDB 3.6 repository for Ubuntu 16.04 (xenial), the release the Graylog 2.4 documentation targets.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt update
sudo apt install -y mongodb-org

Following the MongoDB installation, enable and start the database. MongoDB 3.6 binds to 127.0.0.1 by default and ships with no authentication, so leave that binding in place: only Graylog on the same host needs to reach it.

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service

Following MongoDB, you must install Elasticsearch, which Graylog uses as its log storage backend. The repository below is pinned to the 5.x series that Graylog 2.4 supports.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
sudo apt update && sudo apt install elasticsearch

Modify the Elasticsearch YML file with the Nano text editor.

sudo nano /etc/elasticsearch/elasticsearch.yml

Press Ctrl + W, type "cluster.name:" in the search box, and press Enter. The stock line reads "#cluster.name: my-application"; remove the # symbol in front and replace the placeholder value with graylog, so it looks like:

cluster.name: graylog

Save with Ctrl + O, exit Nano, and start Elasticsearch. Like MongoDB, Elasticsearch 5.x listens on the loopback address by default and has no authentication of its own, so do not change network.host to a LAN address unless you also put a firewall or an authenticating proxy in front of it.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

Now that Elasticsearch and MongoDB are set up, we can download Graylog and install it on Ubuntu. To install, run the commands below. The .deb only adds Graylog's package repository and signing key; the second Apt command installs the server itself.

wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
sudo dpkg -i graylog-2.4-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

Using the pwgen tool, generate the password secret. Graylog uses this value to secure the stored user passwords, and it must be at least 64 characters long; every node in a Graylog cluster has to share the same value.

pwgen -N 1 -s 96

Copy the output to the clipboard. Then, open up the server.conf file in Nano and paste it after the equals sign on the "password_secret =" line, so the line reads password_secret = followed by the 96 characters.

sudo nano /etc/graylog/server/server.conf

After adding the password secret, save with Ctrl + O and exit Nano. Next, choose the password for Graylog's built-in root user (the username is "admin" unless you change root_username). Graylog stores only the SHA-256 hash of this password, which the command below computes from whatever you type at the prompt. Be sure to enter a secure password!

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Once again, copy the output to the clipboard and open the server.conf file in Nano. Paste the 64-character hash after the equals sign on the "root_password_sha2 =" line. Keep the plaintext password somewhere safe: it is what you will log in with.

The passwords are set for Graylog, but the configuration isn't done. You must now set the addresses Graylog listens on, because the defaults only accept connections from the server itself. Scroll down the server.conf file and locate "rest_listen_uri" and "web_listen_uri". Erase the defaults, and make them look like the examples below, with your server's LAN address in place of the placeholder:

rest_listen_uri = http://local-ip-address-of-server:12900/
web_listen_uri = http://local-ip-address-of-server:9000/

Two things to keep in mind here. First, your browser must be able to reach both ports (12900 for the REST API and 9000 for the web interface); Graylog 2.x can also serve both on port 9000 if rest_listen_uri ends in /api/, which is the layout in the stock configuration. Second, binding to a LAN address means the admin login travels over plain HTTP, so restrict these ports with a firewall or put Graylog behind a TLS-terminating reverse proxy before anyone else uses it. Then, save Nano with Ctrl + O, return to the terminal and restart Graylog so it picks up the new configuration.

sudo systemctl daemon-reload

sudo systemctl restart graylog-server

Access your new Graylog logging server at the following URL (the web interface runs on port 9000, the one you put in web_listen_uri).

http://local-ip-address-of-server:9000/

Note: log in on the web with the username admin and the password you hashed into root_password_sha2. If the login fails, check /var/log/graylog-server/server.log: a password_secret shorter than 64 characters or a malformed hash keeps the server from starting.

Install Graylog on CentOS/RHEL

CentOS and RHEL users! If you’re itching to try out Graylog, you’re in luck! The developers have excellent support for your operating system. To install it, you’ll need to be running CentOS 7 or the RHEL equivalent.

The first step in the installation is to get the required dependencies. Open up a terminal window and enter the Yum commands below. The EPEL repository is only needed for pwgen.

sudo yum install java-1.8.0-openjdk-headless.x86_64
sudo yum install epel-release
sudo yum install pwgen

Once you've got the base dependencies for Graylog, you must install the MongoDB database software. To install Mongo, add its repository to your system, then use Yum to install it. Create the repo file in Nano (Nano creates the file if it doesn't exist yet).

sudo nano /etc/yum.repos.d/mongodb-org-3.6.repo

Paste the code below inside. Leave gpgcheck=1 in place so Yum verifies the package signatures against MongoDB's key; $releasever is expanded by Yum, not the shell.

[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc

Save Nano with Ctrl + O and exit. Then install MongoDB from the new repository and start it with systemctl. (The chkconfig line comes from the Graylog documentation; systemd simply forwards it, and the systemctl enable line is what actually matters.) As on Ubuntu, MongoDB 3.6 binds to 127.0.0.1 by default with no authentication, so keep it that way.

sudo yum install -y mongodb-org
sudo chkconfig --add mongod
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl start mongod.service

Install Elasticsearch on your CentOS 7/Red Hat Enterprise Linux box, as Graylog needs it for log storage. First import Elastic's signing key (this needs root) and create the repository file in Nano.

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
sudo nano /etc/yum.repos.d/elasticsearch.repo

Paste the code below into Nano:

[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Save the file with Ctrl + O and exit Nano. Then, use the Yum package manager to install Elasticsearch from the repository (it is pinned to the 5.x series that Graylog 2.4 supports).

sudo yum install elasticsearch

Now that Elasticsearch is installed, we must modify its configuration file before starting it. Open up elasticsearch.yml in Nano.

sudo nano /etc/elasticsearch/elasticsearch.yml

Press Ctrl + W, type "cluster.name:" in the search box, and press Enter to jump to it in the config file. The stock line reads "#cluster.name: my-application"; delete the # symbol and replace the placeholder with graylog, so the line becomes "cluster.name: graylog". Leave network.host alone: Elasticsearch 5.x binds to loopback by default and has no authentication, so it should stay reachable only from this host.

Save the configuration file by pressing Ctrl + O on the keyboard, exit Nano, then start Elasticsearch on your CentOS/RHEL box with:

sudo chkconfig --add elasticsearch
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
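The two dependency hardening points above, that cluster.name really changed and that neither backend is listening on a LAN address, are worth checking rather than assuming. The script below is an added example written for this page; it is not part of the article or of the Graylog, Elastic or MongoDB projects. It parses the listening-socket list from ss -ltnH (assumed to be present, as it is on any iproute2-based distribution) and the elasticsearch.yml file; the sample socket lines used to exercise it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the article or from Graylog/Elastic/MongoDB. Elasticsearch 5.x
# and MongoDB 3.6 both bind to loopback by default and neither authenticates clients out
# of the box, so a stray network.host or bindIp change hands every stored log, and
# Graylog's own state, to anyone on the LAN. These checks catch that, plus a cluster.name
# edit that never reached the file. Assumption: `ss -ltnH` (iproute2) for the live check.
set -eu

# Ports that must stay private: Elasticsearch HTTP (9200), transport (9300), MongoDB (27017).
PRIVATE_PORTS="9200 9300 27017"

# cluster_name_of FILE: the active cluster.name in an elasticsearch.yml (commented lines ignored).
cluster_name_of() {
  sed -nE 's/^cluster\.name:[[:space:]]*//p' "$1" | head -n 1
}

# find_exposed LISTING: LISTING is `ss -ltnH` output, one listening TCP socket per line with
# the local address in column 4 (127.0.0.1:27017, [::]:9200, *:9300 ...). Prints each private
# port bound to anything other than loopback and returns 1 if there was at least one.
find_exposed() {
  _hits=$(printf '%s\n' "$1" | awk -v ports="$PRIVATE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      addr = $4
      if (!match(addr, /:[0-9]+$/)) next        # no port suffix: not a socket line
      port = substr(addr, RSTART + 1)
      host = substr(addr, 1, RSTART - 1)
      if (!(port in want)) next                  # only the backend ports matter here
      if (host == "127.0.0.1" || host == "[::1]") next
      print host ":" port
    }')
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits"
    return 1
  fi
  return 0
}

# check_live: run the listening-socket check against this host.
check_live() {
  find_exposed "$(ss -ltnH)"
}

# Stand-alone use: sh check-backends.sh /etc/elasticsearch/elasticsearch.yml
if [ -n "${1:-}" ]; then
  [ "$(cluster_name_of "$1")" = graylog ] || { echo "cluster.name is not graylog" >&2; exit 1; }
  check_live && echo "Elasticsearch and MongoDB listen on loopback only"
fi
```

Run it after both services are up; a non-zero exit with a printed address:port means that backend is reachable from the network and needs its bind address reverted or a firewall rule in front of it. The same check applies unchanged to the Ubuntu installation.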

All of the dependencies are up and running, and we have MongoDB and Elasticsearch working. The last piece of the puzzle in getting Graylog working on CentOS/RHEL is to install the Graylog software. Thankfully, the developers make it easy and provide their own package repository. The RPM below only adds that repository and its signing key to the system:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm

Then, install Graylog with the Yum package management tool.

sudo yum install graylog-server

With Graylog installed, the next step is to generate the password secret for the server. Graylog uses this value to secure the stored user passwords; it must be at least 64 characters long and must be identical on every node of a cluster. Generate it with pwgen.

pwgen -N 1 -s 96

Take the pwgen output and paste it after the equals sign on the "password_secret =" line in server.conf.

sudo nano /etc/graylog/server/server.conf

Save the edits to server.conf with Ctrl + O. Then, exit Nano and generate the hash of the root password with the command below. Type the password you want for the built-in "admin" user at the prompt; Graylog stores only this SHA-256 hash, so keep the plaintext somewhere safe.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Like last time, take the 64-character output, open up server.conf in Nano and paste it after the equals sign on the "root_password_sha2 =" line.

With the passwords set, scroll down the config file and find "rest_listen_uri" and "web_listen_uri". The defaults only accept connections from the server itself, so put your server's LAN address in place of the placeholder and make them look something like:

rest_listen_uri = http://local-ip-address-of-server:12900/
web_listen_uri = http://local-ip-address-of-server:9000/

Your browser has to reach both ports (12900 for the REST API, 9000 for the web interface), and because this is plain HTTP the admin login is sent in the clear: firewall the ports or front Graylog with a TLS-terminating reverse proxy before anyone else uses it. When done, save with Ctrl + O, exit Nano and return to the terminal. Then, use the following systemctl commands to load up the Graylog server on your CentOS/RHEL box.

sudo chkconfig --add graylog-server
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
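The server.conf edits in this section and in the Ubuntu section above (password_secret, root_password_sha2 and the two listen URIs) are the steps most often botched by hand: a secret pasted on the wrong line, a hash with a trailing newline, or the default password left in place. The script below is an added example written for this page, not code from the article or from the Graylog project. It applies the same edits non-interactively and then checks them. It assumes the stock "key = value" layout of server.conf, and it uses Graylog 2.x's single-port layout (REST API under /api/ on port 9000, which is the stock default) instead of the separate port 12900 shown above; the configuration snippet used to exercise it is constructed, not a real server.conf.

```shell
#!/bin/sh
# Added example, not from the article or from Graylog. Applies the server.conf edits
# described above without an editor and verifies the result, so a re-run or a typo does
# not leave the server on its defaults. Assumptions: stock "key = value" layout; the
# single-port layout (REST under /api/ on 9000) is used instead of the article's port 12900.
set -eu

# Hex SHA-256 of a password, the form root_password_sha2 expects (no newline is hashed).
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96 random alphanumeric characters, the same shape as `pwgen -N 1 -s 96`, without pwgen.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# get_conf FILE KEY: print the active (uncommented) value of KEY, if any.
get_conf() {
  sed -nE "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# set_conf FILE KEY VALUE: replace the first line for KEY, commented out or not, drop any
# duplicates, or append the line if there is none. The file is rewritten in place so its
# owner and mode (root:graylog, not world-readable) are kept. VALUE must not contain backslashes.
set_conf() {
  _tmp=$(mktemp)
  awk -v k="$2" -v v="$3" '
    BEGIN { re = "^[# ]*" k "[ \t]*=" }
    $0 ~ re { if (!done) { print k " = " v; done = 1 }; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$1" >"$_tmp" && cat "$_tmp" >"$1" && rm -f "$_tmp"
}

# check_conf FILE: fail if a secret is missing or malformed, or the root password is still "admin".
check_conf() {
  _s=$(get_conf "$1" password_secret)
  _h=$(get_conf "$1" root_password_sha2)
  [ "${#_s}" -ge 64 ] || { echo "password_secret must be at least 64 characters" >&2; return 1; }
  printf '%s' "$_h" | grep -Eq '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
  [ "$_h" != "$(sha256_hex admin)" ] || { echo "root password is still the default 'admin'" >&2; return 1; }
}

# configure_graylog FILE PASSWORD [BIND_IP]: apply every edit from the walkthrough, then verify.
configure_graylog() {
  _ip=${3:-127.0.0.1}
  set_conf "$1" password_secret "$(gen_secret)"
  set_conf "$1" root_password_sha2 "$(sha256_hex "$2")"
  set_conf "$1" rest_listen_uri "http://$_ip:9000/api/"
  set_conf "$1" web_listen_uri "http://$_ip:9000/"
  check_conf "$1"
}

# Stand-alone use; the password is read from stdin so it never lands in shell history or ps:
#   printf '%s' "$ADMIN_PW" | sudo sh graylog-conf.sh apply /etc/graylog/server/server.conf 10.0.0.5
case "${1:-}" in
  apply)
    IFS= read -r _pw
    configure_graylog "$2" "$_pw" "${3:-127.0.0.1}"
    ;;
esac
```

After it runs, restart graylog-server as shown above. The check at the end is the part worth keeping even if you edit the file by hand: Graylog refuses to start on a short password_secret or a malformed hash, and a root password of "admin" is the first thing anyone scanning for Graylog instances will try.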

If the systemd commands are successful, you'll be able to access your Graylog server on the web at the address below (port 9000, the one you put in web_listen_uri).

http://local-ip-address-of-server:9000/

Note: to log in to the web interface, use the username admin and the password you hashed into root_password_sha2. If the service fails to start, /var/log/graylog-server/server.log will say why; a password_secret shorter than 64 characters or a malformed hash are the usual causes.
