GrayLog is a powerful, free, open-source centralized log management solution for capturing, storing, and enabling real-time analysis.

It requires at least 4 GB of RAM on the server because it runs a NoSQL database (MongoDB) and a search and analytics engine (Elasticsearch) side-by-side.


SERVER-SIDE UBUNTU 20.04

Preparing the system:

sudo apt update && sudo apt upgrade -y
sudo apt install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless nano net-tools pwgen -y

Installing MongoDB:

sudo apt install mongodb-server -y
sudo systemctl enable mongodb && sudo systemctl start mongodb
sudo systemctl --type=service --state=active | grep mongod
sudo netstat -tulpn | grep 27017

Installing Elasticsearch:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch-oss -y

Configuring:

sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT

Applying and testing:

sudo systemctl enable elasticsearch && sudo systemctl restart elasticsearch
sudo systemctl --type=service --state=active | grep elasticsearch
sudo netstat -tulpn | grep 9200

Installing GrayLog:

wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb
sudo dpkg -i graylog-4.2-repository_latest.deb
sudo apt update && sudo apt install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y

Generate a hash for the Password Secret:

pwgen -N 1 -s 96

Generate the hash for the Admin Password:

echo -n "Enter a STRONG Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Then edit the configuration file:

sudo nano /etc/graylog/server/server.conf

Find the following variables and apply the hashes you created:

password_secret = 7Eh8mSFuIA2BWtjBdX6Jkh8m6fVSAhRbz0ONB8rAOVQH281wXuvNeBZBBjPQtU2I3qNuH2ALPK0kFat7djAUYGq6mYfXHIHv
root_password_sha2 = 2a5d3f2d632a9969faab939ef7889efd7afd4c193c49d40b9f9f7152faec75d3
http_bind_address = 0.0.0.0:9000
sudo systemctl enable graylog-server && sudo systemctl start graylog-server
sudo tail -f /var/log/graylog-server/server.log | grep "Graylog server up and running"
sudo systemctl --type=service --state=active | grep graylog
sudo netstat -tulpn | grep 9000
curl http://127.0.0.1:9000

Use a browser to navigate to the server’s IP address on port 9000 (e.g. http://10.10.10.10:9000) and log in with the password you created:

Navigate to System > Inputs > select Syslog UDP > click Launch New Input.

Give this Local Input a meaningful name and enter the port you want it to listen on:

Wait a few seconds until it shows the green indicator confirming it is Running.

Your log server is now ready to receive log messages.

Create as many inputs as needed to cover all the requirements of your infrastructure.

Consider using a Log Relay Server depending on your network topology or other constraints.


CLIENT-SIDE: ANY LINUX HOST

Configure rsyslog to forward logs to the new Log Server (or to the nearest Log Relay Server):

sudo nano /etc/rsyslog.conf

Append this line to the configuration:

*.* @10.10.10.10:1514;RSYSLOG_SyslogProtocol23Format

Note: Use @ for UDP and @@ for TCP. Replace 10.10.10.10 with the IP address of your destination server.

Apply the changes and send a test log entry:

sudo systemctl restart rsyslog
echo "Log Event Test" | logger

NAVIGATING LOG ENTRIES

Navigate to Search and click the green Search button.

You should see the test log entries forwarded by rsyslog right away.

Select an auto-refresh frequency if you want to monitor incoming traffic in real time.

GrayLog’s search supports wildcards and RegEx. Examples:

  • T??t
    • Each question mark matches any single character.
  • T*t
    • The asterisk matches one or more characters.
  • /[3-4]/
    • Matches any character in the specified range.

BONUS

Read the post RegEx CheatSheet at [Link].

Read the post Linux Log Management and Audit [Link].