Graylog Ubuntu Install

Hello all, I know it been a while (and I am aware I am mainly talking to myself here!) what with life and work, it’s been over 2 months since I posted. I also had a server die on me which meant quite a lengthy process of server replacement and data retrieval, but enough about that!

I’ve been trying to find a good logging solution to run along side Security Onion to give as much visibility as possible, and the two I chose were Splunk and Graylog, with Graylog install and setup being covered here.

All the official documentation for Graylog can be found here: Graylog Docs

Ubuntu is still my favourite flavour of Linux so we will be starting with the base install of Server version 16.04.

Let’s get started, as always we start by updating the repository

sudo apt-get update

And if required upgrade your install. (If you are starting with a fresh install  but didn’t tick “download updates from the internet” you will need to do this)

sudo apt-get upgrade

Now we are running up to date let’s start with installing the dependencies. First up are these 4 packages, make sure you do all these steps in order or it will not work.

sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

If you get no errors when installing we move on to installing mongodb from the official repository.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.6.list
sudo apt-get update
sudo apt-get install -y mongodb-org

If again you receive no errors, we move on to enabling it on start up.

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service

Graylog recommends using Elasticsearch version 5. You can find the installation guide here if you need to refer to it, but you can install using the following. (This is not the latest version)

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
sudo apt-get update && sudo apt-get install elasticsearch

Before we can configure and start Elasticsearch we need to edit the configuration file which is located at “/etc/elasticsearch/elasticsearch.xml”

We cd to the correct directory

cd /etc/elasticsearch

Then open the file

sudo nano elasticsearch.xml

then find the following line, remove the ‘#’ to uncomment the line and set the cluster.name property to “graylog” as shown below.

cluster.name: graylog

Now start Elasticsearch, and enable it at startup.

sudo systemctl daemon-reload 
sudo systemctl enable elasticsearch.service 
sudo systemctl restart elasticsearch.service

Now we are ready to install Graylog. First we install the repository.

wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb

Then we unpack and install graylog

sudo dpkg -i graylog-2.4-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

Now don’t get carried away, because there is still a bit of work to do before graylog will start.

All the instructions we are contained in the following file “/etc/graylog/server/server.conf”

we can open it directly using the following;

sudo nano /etc/graylog/server/server.conf

Take the time to read through the instructions, it will help you to understand a little of what you are doing. With that in mind, let’s continue. Close the server.conf file and run the following from the command line, copy them into a text file and then paste them once you have generated both hashes.

Firstly to create our “password_secret”

secret pwgen -N 1 -s 96

then we create our “root_password_sha2” (Remember this as you will need it to login to graylog later on)

echo -n yourpasswordhere | shasum -a 256

Copy and paste these into the server.conf file after the “password_secret” , and “root_password_sha2” entries.

OK, so now we will be connecting to graylog over http, to be able to use https we need to configure a proxy server which wont be covered here, so always connect over a vpn if in production and you are not using https. Don’t make the web interface externally available. To configure https have a look at the docs here

Also you should enable the host firewall to only allow ports 22, 9000, and 8514, however don’t enable it yet. Get it setup and confirmed as working, then enable your firewall.

To configure the web interface we need to set two further options in the server.conf file. These options are; “rest_listen_uri” and “web_listen_uri”

Get the IP of your server with the ifconfig cmd, then paste it into the two options as previously mentioned, and make sure the two lines don’t have a ‘#’ at the start of the line meaning they are commented out. If the ‘#’ is there remove it.

rest_listen_uri = http://yourIPaddress:9000/api

(text removed.....)

web_listen_uri =  http://yourIPaddress:9000/

Save and close the file. If you want more information on configuring the web interface see the documentation here

All that’s left to do is start and configure graylog to enable at startup

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

That’s it, give your server a restart with the following

sudo shutdown now -r

Browse to “yourIPaddress:9000/” and you should be greeted with the following login box. If not, try manually restarting all the services (mongobd, graylog and elasticsearch) using the steps through this guide and see if that resolves it. If not, you’ve done something else wrong!

 

The next blog will show how to configure your first input into graylog.