We need to install following softwares:
- One Ubuntu 16.04 server with at least 2 GB of RAM, private networking enabled, and a non-root user. This can be set up by following the Initial Server Setup with Ubuntu 16.04.
- Oracle JDK 8 installed, which you can do by following the “Installing the Oracle JDK” section of this Java installation article.
- Elasticsearch 2.x, which you can install by following Steps 1 and 2 of the Elasticsearch installation tutorial. Certain versions of Graylog only work with certain versions of Elasticearch. For example, Graylog 2.x does not work with Elasticsearch 5.x. Refer to this Greylog-Elasticsearch version comparison table for the exact version. This tutorial uses Elasticsearch 2.4.4 and Graylog 2.2.
- MongoDB, which can be installed by following the MongoDB tutorial.
Step 1 — Configuring Elasticsearch
We need to modify the Elasticsearch configuration file so that the cluster name matches the one set in the Graylog configuration file. To keep things simple, we’ll set the Elasticsearch cluster name to the default Graylog name of graylog. You may set it to whatever you wish, but make sure you update the Graylog configuration file to reflect that change.
Open the Elasticsearch configuration file in your editor:
sudo vi /etc/elasticsearch/elasticsearch.yml
Find the following line:
cluster.name: <CURRENT CLUSTER NAME>
Change the cluster.name value to graylog:
Save the file and exit your editor.
Since we modified the configuration file, we have to restart the service for the changes to take effect.
sudo systemctl restart elasticsearch
Now that you have configured Elasticsearch, let’s move on to installing Graylog.
Step 2 — Installing Graylog
In this step, we we’ll install the Graylog server.
First, download the package file containing the Graylog repository configuration. Visit the Graylog download page to find the current version number. We’ll use version 2.2 for this tutorial.
Next, install the repository configuration from the .deb package file, again replacing 2.2 with the version you downloaded.
sudo dpkg -i graylog-2.2-repository_latest.deb
Now that the repository configuration has been updated, we have to fetch the new list of packages. Execute this command:
sudo apt-get update
Next, install the graylog-server package:
sudo apt-get install graylog-server
Lastly, start Graylog automatically on system boot with this command:
sudo systemctl enable graylog-server.service
Graylog is now successfully installed, but it’s not started yet. We have to configure it before it will start.
Step 3 — Configuring Graylog
Now that we have Elasticsearch configured and Graylog installed, we need to change a few settings in the default Graylog configuration file before we can use it. Graylog’s configuration file is located at /etc/graylog/server/server.conf by default.
First, we need to set the password_secret value. Graylog uses this value to secure the stored user passwords. We will use a randomly-generated 128-character value.
We will use pwgen to generate the password, so install it if it isn’t already installed:
sudo apt install pwgen
Generate the password and place it in the Graylog configuration file. We’ll use the sed program to inject the password_secret value into the Graylog configuration file. This way we don’t have to copy and paste any values. Execute this command to create the secret and store it in the file:
sudo -E sed -i -e "s/password_secret =.*/password_secret = $(pwgen -s 128 1)/" /etc/graylog/server/server.conf
For more information on using sed, see this DigitalOcean sed tutorial.
Next, we need to set the root_password_sha2 value. This is an SHA-256 hash of your desired password. Once again, we’ll use the sed command to modify the Graylog configuration file so we don’t have to manually generate the SHA-256 hash using shasum and paste it into the configuration file.
Execute this command, but replace password below with your desired default administrator password:
Note: There is a leading space in the command, which prevents your password from being stored as plain text in your Bash history.
sudo sed -i -e "s/root_password_sha2 =.*/root_password_sha2 = $(echo -n 'password' | shasum -a 256 | cut -d' ' -f1)/" /etc/graylog/server/server.conf
Now, we need to make a couple more changes to the configuration file. Open the Graylog configuration file with your editor:
sudo vi /etc/graylog/server/server.conf
Find and change the following lines, uncommenting them and replacing graylog_public_ip with the public IP of your server. This can be an IP address or a fully-qualified domain name.
root_timezone = Australia/Melbourne rest_listen_uri = http://192.168.10.112:12900 rest_transport_uri = http://192.168.10.112:12900 web_enable = true # Web interface listen URI. # If you want to use port 80, you need extra configuration, which will be mentioned later. web_listen_uri = http://your_server_ip_or_domain::9000/ elasticsearch_shards = 1 elasticsearch_replicas = 0 elasticsearch_index_prefix = graylog elasticsearch_cluster_name = graylog elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300 elasticsearch_http_enabled = false mongodb_uri = mongodb://localhost/graylog
Add following at the end of the configuration file:
Save the file and exit your editor.
Since we changed the configuration file, we have to restart (or start) the graylog-server service. The restart command will start the server even if it is currently stopped.
sudo systemctl restart graylog-server
Next, check the status of the server.
sudo systemctl status graylog-server
Bind the port 80 to Java:
Since running as graylog ( Java software) user can’t open ports < 1024, we have to solutions to this:
Allow java open ports < 1024:
First, we need to find the Java bin file:
sudo update-alternatives --config java
The output will look something like the following. In this case, this is what the output will look like with all Java versions installed.
There are 5 choices for the alternative java (providing /usr/bin/java). Selection Path Priority Status ------------------------------------------------------------ * 0 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 1081 auto mode 1 /usr/lib/jvm/java-6-oracle/jre/bin/java 1 manual mode 2 /usr/lib/jvm/java-7-oracle/jre/bin/java 2 manual mode 3 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 1081 manual mode 4 /usr/lib/jvm/java-8-oracle/jre/bin/java 3 manual mode 5 /usr/lib/jvm/java-9-oracle/bin/java 4 manual mode Press <enter> to keep the current choice[*], or type selection number:
Note down the Path with star mark * , issue the command:
sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
So the solution is:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
or for all interfaces
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000
How to install graylog 2 on Ubuntu 16.04 LTS : https://www.digitalocean.com/community/tutorials/how-to-manage-logs-with-graylog-2-on-ubuntu-16-04
Configure Web interface : http://docs.graylog.org/en/2.0/pages/configuration/web_interface.html