This tutorial will help the users to install and use Graylog on Ubuntu 20.04 LTS server to collect and analyze systems log data centrally in one place.
Graylog is an open-source tool that offers an integrated platform for collecting, indexing, and analyzing log data. The system essentially consists of the Graylog web interface, the Graylog servers, the Elasticsearch nodes, and a Mongo database.
The nodes can be scaled as required. A system in which everything is combined in one node is sufficient for testing. The Graylog server is the central element of the architecture, which takes care of the management of the Elasticsearch indices and forms an abstraction layer. Therefore, it would be possible to swap Elasticsearch for another system that is particularly suitable for analyzing the log data.
Graylog supports various input mechanisms. By default, four different formats or protocols are supported: Syslog, GELF, JSON / REST-URLs, and RAW. syslog is a standard for the transmission of log messages and is often used by system components.
Things we require to perform this tutorial:
There are few things required by the Graylog server to be installed on Ubuntu 20.04 LTS out of them are Java, password generator along with some common ones. Run the below commands to install all of them.
First, run the system update command
Then install the following packages…
Graylog uses MongoDB to store data, hence we need to install it on our server so that later the generated logs can be saved there for further analyses.
The packages we need to install MongoDB are already available on the official repository of Ubuntu, thus simply run the below command:
Enable and start the Database Server services:
To check whether it is running properly without any error you can run:
Elasticsearch is an open-source full-text search and analytics engine. It is also highly scalable and allows users to store, search, and analyze big volumes of data quickly and in near real-time which will be helpful in Graylog to deal & analyze with a large number of logs.
This system is not available in Ubuntu 20.04’s base repo, hence we manually need to add the official Elastic Search repository.
Add GPG Key:
Add Elastic Search repository:
Command to Install ElasticSearch open-source version on Ubuntu 20.04:
Modify the Elasticsearch configuration file to set cluster name to
graylog and add
For this simply copy-paste the below given whole command block and hit Enter key.
Enable and start Elastic search service:
Download the repository of Graylog that is available as a deb package.
Now, update your system, so that it could recognize the newly added repository to download the packages for Graylog:
Finally, install it
Extra: If you also want to install the Integrations Plugins or the Enterprise Plugins, then run:
There are two password values-
root_password_sha2, we need to configure them otherwise Graylog on Ubuntu 20.04 LTS will not start at all.
These two values are present in the Graylog configuration file and what we set for them will use to secure user passwords and log in to the admin user on its web interface. But we cannot set a plain text value for them instead we have to generate a hash. So, run:
Set password_secret key
The above command will generate a secret key to secure user passwords, so copy that and edit the configuration file using:
password_secret = in the file and paste the copied secret key in front of it. As shown in the below screenshot.
Save the file by pressing Ctrl + X, Y, and hit the Enter key.
Set root_password_sha2 hash
The default username to log in Graylog web interface is admin, whereas the password needs to be set, that’s what we are doing here. Generate a hash for the password you want to set using the below-given command:
Note: Change the MyPassword in the above command with the password you want to set to login Graylog web interface.
As you hit the Enter key after using the above command, a hash sum will be generated. Copy it.
Now, again edit the configuration file:
Find the line: root_password_sha2 and paste the hash sum in front of it, as shown in the below screenshot:
Also, by default, the Graylog is only accessible using localhost IP i.e 127.0.0.1 thus in case you are planning to access its web interface remotely, then change it with your server IP address in the configuration file.
Find the line:
http_bind_address, uncomment it and change 127.0.0.1 with the IP address of your system where you are installing graylog.
Save the file– Ctrl + X, Y and hit the Enter key.
We already have done all the essential configuration, now enable this log system service to start automatically.
Check whether it is running without any error or not:
If you are planning to access the Graylog web interface remotely then also open port 9000 in the Ubuntu firewall:
Open a browser on your local system or remote that can access the Ubuntu 20.04 server Ip-address. And type the
Replace your-server-ip-address with the actual IP address of your Server where Graylog has been installed.
The default username is admin whereas the password is what you have set in step 5 of this article for root_password. For example in the command, we have used MyPassword.
Create a config file under
/etc/rsyslog.d/ to tell the system where to send the logs.
Add the following line:
Replace the your-server-ip with the IP address of the system from where you are sending the logs. If it is a host system where you have installed the Graylog then use the IP address of that.
Save the file by typing Ctrl+X, Y, and hit the Enter key.
Now, add Input for Node in Graylog.
On the Dashboard of Graylog click on the System -> Inputs.
Select Syslog UDP and hit the Launch new input button.
Select the node from the drop-down box, given some title (whatever you want) to Input and then set the port number to 5140 after that scroll down and save the configuration.
Now, click on the “Start Input” button to start the server input.
Once the Input from the server started, click on the Search given in the Graylog menu and you will start getting metrics and logs in real-time from your server. Also, you can set the frequency of metrics update.
To know more about this log management tool and other configuration tasks refer to official documentation where you will also find the way to use Nginx/Apache as a reverse proxy and HTTPS in Graylog.
Debian, Linux, Ubuntu
document.getElementById( “ak_js_1” ).setAttribute( “value”, ( new Date() ).getTime() );
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Linux Shout crafted as a part of our main portal H2S Media to publish Linux related tutorials and open source Software.