Manage Logs with Graylog server on Ubuntu 18.04

This is a complete guide on How to Install and Configure Graylog 3 Server on Ubuntu 18.04 for Centralized Log management. Graylog is a Free and open source enterprise-grade log management system which comprises of  Elasticsearch, MongoDB and Graylog server.

For CentOS 7 server, we have how to Install Graylog 3 with Elasticsearch 6.x on CentOS 7.

Similar article: How To Forward Logs to Grafana Loki using Promtail

Graylog Components / Architecture

The work of Elasticsearch is to store logs data and provide powerful search capabilities to Graylog Server. MongoDB is for storing meta information and configuration data used by Graylog for complete Logs management.

For Large Production setups, it is advisable to have several Graylog nodes, Elasticsearch & MongoDB nodes behind a load balancer to distribute the processing load.

Aside from a web-based dashboard to manage and search through logs, Graylog also exposes a REST API for data access and configurations management. Below is a basic architectural overview of Graylog architecture.

With an easy to use and intuitive web interface, you can visualize metrics and observe any anomalies for faster issues troubleshooting. In this guide, you’ll learn how to install and configure Graylog 3 on Ubuntu 18.04 Server.

Step 1: Update system

It is a rule of thumb to update your system before installing any packages. This is recommended to avoid any dependency issues:

sudo apt update
sudo apt -y upgrade
sudo reboot

Step 2: Install Java / OpenJDK 8

One main component/dependency of Graylog is Elasticsearch. Elasticsearch requires Java 8 installed for it to run. You can install Oracle Java or its open source alternative – OpenJDK. Here we will install OpenJDK.

sudo apt -y install vim bash-completion apt-transport-https uuid-runtime pwgen openjdk-8-jre-headless

Once installed, proceed to step 3.

Step 3: Install ElasticSearch 6.x

As of this writing, the latest release of Graylog 3 requires Elasticsearch 6.x to work. Install ElasticSearch with the commands below.

Add ElasticSearch repository:

sudo apt update
sudo apt -y install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Install ElasticSearch 6.x on Ubuntu 18.04:

sudo apt update
sudo apt -y install elasticsearch-oss

Once the installation of Elasticsearch 6.x  is complete, set cluster name for Graylog.

sudo vim /etc/elasticsearch/elasticsearch.yml

Set on line 17

cluster.name: graylog
action.auto_create_index: false

Restart the elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

Step 4: Install MongoDB

Use below guide to Install MongoDB on Ubuntu:

How To Install MongoDB 4 on Ubuntu

Step 5: Install Graylog on Ubuntu 18.04

Now that we have installed MongoDB and Elasticsearch, the last piece is the installation of Graylog server. Add Graylog repository and install graylog-server package using apt.

wget https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.deb
sudo dpkg -i graylog-3.1-repository_latest.deb
sudo apt update
sudo apt -y install graylog-server

Step 6: Configure Graylog 3 on Ubuntu 18.04

After installation, we need to do some configurations before you can start using Graylog.

Generate root password:

You need to generate a 256-bit hash for the for admin user password:

$ echo -n MyStrongPassword | sha256sum
7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d -

Add the given password to root_password_sha2= line under /etc/graylog/server/server.conf file.

$ sudo vim /etc/graylog/server/server.conf
root_password_sha2 = 7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d

Next is to generate and set password secret for securing stored user passwords.

$ sudo apt-get install pwgen
$ pwgen -N 1 -s 96
5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY
$ sudo vim /etc/graylog/server/server.conf
password_secret = 5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY

Please run the following commands if you want to start Graylog automatically on system boot:

sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

By default, REST API will listen on:

rest_listen_uri = http://127.0.0.1:9000/api/

and Web interface URI will be on

web_listen_uri = http://127.0.0.1:9000/

You can change it to server’s IP Address if you want to access from a network device.

Step 7: Access Graylog 3 Web Interface on Ubuntu 18.04

Access Graylog web interface using its IP Address and port 9000 – http://serverip_or_hostname:9000

Login with username admin and password set on step 6.

Step 8: Configure Nginx Proxy for Graylog

If you would like to access it using a domain, check the guide below to configure Nginx as a Graylog reverse proxy.

Configure Graylog Nginx reverse proxy with Letsencrypt SSL

A simple nginx configuration without https section is given below

$ cat /etc/nginx/conf.d/graylog.conf 
server
{
    server_name graylog.computingforgeeks.com;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL http://$server_name/api;
      proxy_pass       http://127.0.0.1:9000;
    }
}

Start nginx after making the change

sudo systemctl restart nginx

Access web UI on http://domain.com

Login with username admin and password set on step 6.

The next step is to ingest messages into your Graylog and extract the messages with extractors or use the Pipelines to work with the messages.

More guides on Graylog to follow.