Learn how to install the Graylog server on Ubuntu 20.04 and start analyzing a large amount of data seamlessly. Every system generates lots of logs that tell us about everything running inside the server, from security to the system’s health.
If we want to keep our servers healthy, we should give special attention to these logs. Every server contains multiple kinds of logs, such as:
- System
- Application
- Database
- Security
To read these log files, we need a system that gives a clear idea of what is going on inside the server. This is where the Graylog server steps in.
Graylog server is an open-source enterprise-level log management and aggregation system that collects and analyzes large amounts of data. It does this with the help of MongoDB and Elasticsearch.
For log collection, we need to install the Graylog server’s client on all the machines from which we want to collect data. The results can then be viewed in the web interface.
Graylog server has similar functionality to Splunk and LogStash.
In this article, we summarize the installation process and usage of the Graylog server on Ubuntu 20.04.
Pre-Requisites
Before starting the procedure, we must prepare these specific requirements to install and run the Graylog server on Ubuntu 20.04:
- A stable, fully operational Ubuntu 20.04 system
- Minimum 4 Cores of CPU alongside 8 GB of RAM
- SSD Hard Disk (it should feature High IOPS, especially for the concerned Elasticsearch Log Storage)
- Elasticsearch utility
- The MongoDB utility
- Oracle Java SE 8 (Must Be OpenJDK 8 or above)
Step 1: Getting the Ubuntu 20.04 Repository Updated
First, we need to update the Ubuntu 20.04 package index. You can do this with the following command. This helps avoid dependency issues later on.
$ sudo apt update
Once the Ubuntu 20.04 machine is updated, we move on to installing Java.
Step 2: Installing Java
One of the dependencies of the Graylog server is Elasticsearch, and for this we need to install Java (OpenJDK/Oracle Java) on the machine. We can use any version of Java (JDK 8 or above). Here is how you can install Java 11.
Input:

It installs JDK 11 on the system (it is recommended to go for the latest version to avoid any dependency issues). Once Java is installed, verify the version by typing the following command:
$ java -version
Step 3: Installing Elasticsearch
Once Java is installed, you can install Elasticsearch, which is where the Graylog server stores all the logs.
But before moving further, don’t forget to confirm the supported versions of Elasticsearch on the Graylog server’s official site.
Now download and install the GPG key with the following command:
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
After downloading the key, let’s set up Elasticsearch on the system.
Input:

To install Elasticsearch, invoke the following command:
$ sudo apt install -y elasticsearch-oss
The next step is editing the Elasticsearch configuration file in order to set the cluster name for the Graylog server.
Input:
$ sudo nano /etc/elasticsearch/elasticsearch.yml
Set the cluster name for Graylog (you can use any name) and turn off automatic index creation. Each setting goes on its own line:
cluster.name: myown_graylog
action.auto_create_index: false
Now we start the Elasticsearch service so that it picks up the new configuration:

Elasticsearch should be listening on port 9200 (the default) after some time. To confirm, run the curl command with the -X GET flag in the following manner:
$ curl -X GET http://localhost:9200
If everything goes right, the output displays the cluster name, and it should be the same as the one you set earlier.
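A check for the verification step above, as an added example that is not part of the original guide: it reads the two settings from elasticsearch.yml and compares cluster.name with the cluster_name in a saved curl response, which catches a node that is still running the old configuration. The file contents, node name and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. File contents below are constructed.

# yml_get FILE KEY: value of the last uncommented top-level "KEY: value" line.
yml_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # dots in the key are literal
    sed -n "s/^$key:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# json_cluster_name FILE: cluster_name from a saved `curl -X GET` response.
json_cluster_name() {
    sed -n 's/.*"cluster_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_es YML RESPONSE: print "ok", or the first mismatch and return non-zero.
check_es() {
    want=$(yml_get "$1" cluster.name)
    auto=$(yml_get "$1" action.auto_create_index)
    got=$(json_cluster_name "$2")
    [ -n "$want" ] || { echo "cluster.name not set"; return 1; }
    [ "$auto" = "false" ] || { echo "action.auto_create_index is '$auto', want false"; return 1; }
    [ "$got" = "$want" ] || { echo "node reports '$got', config says '$want'"; return 1; }
    echo "ok"
}

# Constructed stand-ins for /etc/elasticsearch/elasticsearch.yml and for the
# output of: curl -X GET http://localhost:9200 > response.json
YML=$(mktemp); RESP=$(mktemp)
cat > "$YML" <<'EOF'
#cluster.name: my-application
cluster.name: myown_graylog
action.auto_create_index: false
EOF
cat > "$RESP" <<'EOF'
{
  "name" : "node-1",
  "cluster_name" : "myown_graylog"
}
EOF
check_es "$YML" "$RESP"
```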
Step 4: Installing MongoDB
Once we are done with ElasticSearch, it’s time to install MongoDB, which stores the Graylog configuration files. We will install MongoDB from the Ubuntu base repository.
Input:
$ sudo apt update
$ sudo apt install -y mongodb-server
Once installed, you can start it by running the following commands:
$ sudo systemctl start mongodb
$ sudo systemctl enable mongodb
We can confirm the version of MongoDB by invoking the following command:
$ sudo mongod --version
Step 5: Installing Graylog Server
After installing all the essential services, it is time to install the Graylog server. It is responsible for fetching the logs from the targeted machines and displaying them in the web interface. To install it, we first have to download the package. Doing that is pretty straightforward, just use the following command:

Once done, update the repository.
Input:
$ sudo apt update
Finally, we will install the Graylog server via the following command:
$ sudo apt install -y graylog-server
It is essential and highly recommended to set a secret for securing the user passwords. We will do this with the help of the pwgen command as shown below.
$ pwgen -N 1 -s 96
Once the secret is generated, we will copy it and enter it into the server.conf file, which can be accessed via the command below:
$ sudo nano /etc/graylog/server/server.conf
After accessing the file, enter the following parameter:
password_secret = <copied secret>
Here, <copied secret> is the value of the secret which we generated earlier.
We will generate the sha256 hash of the password for the root user (Graylog admin) to access the web interface. Remember, we can’t change the Graylog server’s admin password with the help of the web interface, so we need to generate it with the following command:
$ echo -n password | sha256sum
Replace the word password with the password we require. Once its sha256 hash is generated, we copy it into the server.conf file the same way as earlier.
Input:
$ sudo nano /etc/graylog/server/server.conf
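The Step 5 procedure as one script, added here as an example that is not part of the original guide: it generates the secret, hashes the admin password read from stdin (so the password never sits on a command line as it does with echo -n), writes both values into the configuration file and checks the result. root_password_sha2 is the server.conf setting that holds the admin hash; the function names, the sample file and the passphrase are constructed, and the 64-character floor in the check is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original guide. It edits a constructed sample
# file; for real use, set CONF=/etc/graylog/server/server.conf and run as root.

# 96 random alphanumeric characters, the same shape as `pwgen -N 1 -s 96`.
make_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# Read one line from stdin and print its SHA-256 hex digest. The password is
# never a command-line argument, so it stays out of shell history.
hash_password() {
    head -n 1 | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# set_conf FILE KEY VALUE: replace the existing "KEY = ..." line, or append one.
set_conf() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        $0 ~ "^[ \t]*" k "[ \t]*=" { if (!done) print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# get_conf FILE KEY: value of the last uncommented "KEY = value" line.
get_conf() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_conf FILE: fail unless both values look like what Step 5 produces
# (the 64-character floor for the secret is this example's own choice).
audit_conf() {
    secret=$(get_conf "$1" password_secret)
    digest=$(get_conf "$1" root_password_sha2)
    [ "${#secret}" -ge 64 ] || { echo "password_secret missing or short"; return 1; }
    printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "root_password_sha2 is not a SHA-256 hex digest"; return 1; }
    echo "ok"
}

CONF=$(mktemp)   # constructed sample with both settings still empty
printf '%s\n' '# sample server.conf' 'password_secret =' 'root_password_sha2 =' > "$CONF"
set_conf "$CONF" password_secret "$(make_secret)"
# Interactively: stty -echo; digest=$(hash_password); stty echo
set_conf "$CONF" root_password_sha2 "$(printf '%s\n' 'constructed-passphrase' | hash_password)"
audit_conf "$CONF"
```

Because set_conf writes back through the existing file rather than replacing it, the file keeps its owner and permissions.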

Step 6: Setting Up the Graylog Web Interface
We will set up the Graylog web interface to access and analyze the log data at this stage.
Input:
$ sudo nano /etc/graylog/server/server.conf
Enter the system’s IP address from where we will access the web interface.
You can now reload systemd, then start and enable the Graylog service.
$ sudo systemctl daemon-reload
$ sudo systemctl start graylog-server
$ sudo systemctl enable graylog-server
And that’s basically how we install and run the Graylog server on Ubuntu 20.04. If everything goes fine, the Graylog server will be accessible on the given IP address on port 9000.
Now we need to log in using the credentials we set up. After a successful login, we can see the status of the Graylog server by going to the System > Overview menu.