Install & Configure Graylog on the Ubuntu Operating System
This documentation will be useful for the security operations center community and for students of cyber security analytics.
So let's start with what Graylog is.
Graylog has been successful in providing an LMS (log management system) because it was built for log management from the beginning. Software that stores and analyzes log data must have a specific architecture to do it efficiently.
Graylog cannot modify saved log data. It provides the core centralized log management functionality you need to aggregate, organize, and interpret data so that you can derive meaningful insights while maintaining data integrity.
Core Features!
- Streams operate as a form of tagging for incoming messages. Streams are used to route data for storage into an index. They are also used to control access to data, and route messages for parsing, enrichment, and other modification. Streams then determine which messages to archive.
- The Graylog Search page is the interface used to search logs directly. Searches may be saved or visualized as dashboard widgets that may be added directly to dashboards from within the search screen.
- Graylog Dashboards are visualizations or summaries of information contained in log events. Each dashboard is populated by one or more widgets. Widgets visualize or summarize event log data with data derived from field values such as counts, averages, or totals. Users can create indicators, charts, graphs, and maps to visualize the data.
- Alerts are created using Event Definitions that consist of Conditions. When a given condition is met it will be stored as an Event and can be used to trigger a notification.
- Graylog’s Processing Pipelines enable the user to run a rule, or a series of rules, against a specific type of event. Tied to streams, pipelines allow routing, modification, and enrichment of messages as they flow through Graylog.
Before you begin the installation of Graylog, it's crucial to install the necessary prerequisite packages. By following these commands you can ensure a smooth and successful installation process.
We are going to install Graylog on the Ubuntu operating system, so make sure that your system is up to date so that these commands work smoothly. The steps are:
- Install OpenJDK
- Install Elasticsearch
- Install MongoDB
- Install Graylog
- Access Graylog Web UI
Command:
sudo apt-get update && sudo apt-get -y upgrade

Install OpenJDK
Install OpenJDK required by Elasticsearch and other dependencies.
sudo apt -y install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless


Install Elasticsearch
Key components of Graylog’s architecture include:
OpenSearch/Elasticsearch: storing and indexing logs, enabling fast search operations.
After receiving data, Graylog proceeds to the indexing phase. It utilizes either Elasticsearch or OpenSearch (a fork of Elasticsearch with similar capabilities) for this purpose. Indexing efficiently organizes the data into optimal data structures, significantly enhancing retrieval speeds.
Import the Elasticsearch PGP signing key.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add the Elasticsearch repository.
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Remember to refresh the package index (sudo apt update) so that the newly added repository is picked up, then install Elasticsearch.
sudo apt -y install elasticsearch-oss

Edit the Elasticsearch configuration file, add these two lines to the end of the file, then save and exit.
sudo nano /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
action.auto_create_index: false
Reload the systemd units and restart the Elasticsearch service.
sudo systemctl daemon-reload
sudo systemctl restart elasticsearch
Enable Elasticsearch to run on system startup.
sudo systemctl enable elasticsearch

Install MongoDB
When log messages come in via a Graylog input, Graylog uses the settings it has stored in MongoDB to figure out how to handle the message (settings such as inputs, streams, extractors, pipelines, rules and alerts are all stored in MongoDB). Once it has finished processing the message (breaking out fields and other calculations), it sends it to the Elasticsearch database, which stores the message.
Let's install and start the MongoDB service.
Follow these steps to install MongoDB Community Edition using the apt package manager.
From a terminal, install gnupg and curl if they are not already available:
sudo apt-get install gnupg curl
To import the MongoDB public GPG key, run the following command:
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
--dearmor

Create a list file for MongoDB.
Create the /etc/apt/sources.list.d/mongodb-org-7.0.list file for Ubuntu 20.04 (Focal):
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list

Reload the local package database.
sudo apt-get update
Install the MongoDB packages.
Install the latest stable version of MongoDB:
sudo apt-get install -y mongodb-org

Start MongoDB.
You can start the mongod process by issuing the following command:
sudo systemctl start mongod
Verify that MongoDB has started successfully.
sudo systemctl status mongod

You can optionally ensure that MongoDB will start following a system reboot by issuing the following command:
sudo systemctl enable mongod

Install Graylog
Add the Graylog repository.
wget https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.deb

Install the Graylog repository package.
sudo dpkg -i graylog-4.1-repository_latest.deb

Remember to refresh the package index (sudo apt update) so that the newly added repository is picked up, then install Graylog.
sudo apt -y install graylog-server

Generate a 96-character random string for Graylog and save a copy to use in the Graylog server configuration file.
< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;

“BXG6u-MWHNRG687HbJK3KxeqkVP7YyM20uzzWi-s9Op4gw9sbzzsegpRFlpTzpJWPs2PnT3fStB4UJhQT-DZ5wGbHrfnS6Cn”
Choose a strong password for your admin account and generate its 64-character SHA-256 hash. For example, if you choose StrongPassword:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

“e86f78a8a3caf0b60d8e74e5942aa6d86dc150cd3c03338aef25b7d2d7e3acc7”
Edit the Graylog configuration file.
sudo nano /etc/graylog/server/server.conf

Set password_secret to the random string and root_password_sha2 to the password hash generated above, and update http_bind_address as shown:
http_bind_address = 127.0.0.1:9000
Save and close the file, reload the systemd units and restart the Graylog server.
sudo systemctl daemon-reload
sudo systemctl restart graylog-server
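The Elasticsearch and Graylog configuration edits above are the steps people most often get wrong (a key left commented out, a secret pasted twice, a hash with a trailing newline). Below is an added example, not part of the original guide, that writes those exact keys idempotently and verifies the result; it assumes the key names cluster.name and action.auto_create_index (elasticsearch.yml) and password_secret, root_password_sha2 and http_bind_address (server.conf), and its demo writes to constructed temporary files rather than to /etc.

```shell
set -u

# Same character class the guide's tr pipeline allows; length defaults to 96.
gen_secret() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-96}"; }

# SHA-256 hex digest of the admin password with no trailing newline, as root_password_sha2 expects.
hash_password() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# set_conf FILE KEY VALUE [SEP]: rewrite an existing KEY line (even a commented-out one)
# or append it. SEP is " = " for server.conf and ": " for elasticsearch.yml.
set_conf() {
  file=$1; key=$2; value=$3; sep=${4:-" = "}
  if grep -Eq "^#?[[:space:]]*$key[[:space:]]*[=:]" "$file"; then
    sed -i -E "s|^#?[[:space:]]*$key[[:space:]]*[=:].*|$key$sep$value|" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

# get_conf FILE KEY: value of the active (uncommented) KEY line, empty if absent.
get_conf() { sed -nE "s/^$2[[:space:]]*[=:][[:space:]]*(.*)$/\1/p" "$1" | tail -1; }

# configure_elasticsearch FILE: the two lines from the Elasticsearch step, then verify.
configure_elasticsearch() {
  set_conf "$1" cluster.name graylog ": "
  set_conf "$1" action.auto_create_index false ": "
  [ "$(get_conf "$1" cluster.name)" = graylog ] && [ "$(get_conf "$1" action.auto_create_index)" = false ]
}

# configure_graylog FILE PASSWORD [SECRET]: returns 0 only when the file ends up with a
# secret of at least 64 characters, a 64-hex-digit hash and the loopback bind address.
configure_graylog() {
  f=$1; secret=${3:-$(gen_secret 96)}
  set_conf "$f" password_secret "$secret"
  set_conf "$f" root_password_sha2 "$(hash_password "$2")"
  set_conf "$f" http_bind_address 127.0.0.1:9000
  s=$(get_conf "$f" password_secret); h=$(get_conf "$f" root_password_sha2)
  [ "${#s}" -ge 64 ] && printf '%s' "$h" | grep -Eq '^[0-9a-f]{64}$' \
    && [ "$(get_conf "$f" http_bind_address)" = 127.0.0.1:9000 ]
}

# Demo on constructed stand-ins for the real files under /etc (contents mimic the defaults).
ES=$(mktemp); GL=$(mktemp)
printf '#cluster.name: my-application\n' > "$ES"
printf 'password_secret =\nroot_password_sha2 =\n#http_bind_address = 127.0.0.1:9000\n' > "$GL"
configure_elasticsearch "$ES" && configure_graylog "$GL" StrongPassword && echo "configs OK"
```

Point the functions at /etc/elasticsearch/elasticsearch.yml and /etc/graylog/server/server.conf (as root) to apply them for real; the password is passed as an argument here only for the demo, so prefer reading it from a prompt in practice.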
Enable the Graylog service to run on system startup and verify the status of the Graylog server.
sudo systemctl enable graylog-server
sudo systemctl status graylog-server

Access Graylog Web UI
Open your web browser and navigate to your server's IP address at port 9000. Note that with http_bind_address set to 127.0.0.1:9000 the web interface listens only on the loopback interface, so it is reachable from the server itself (or through a reverse proxy placed in front of it); only change the bind address if you intend to expose the UI, and protect it accordingly. For example:
