{"id":2928,"date":"2022-05-28T00:08:28","date_gmt":"2022-05-28T00:08:28","guid":{"rendered":"https:\/\/dft.wiki\/?p=2928"},"modified":"2026-04-21T13:32:16","modified_gmt":"2026-04-21T17:32:16","slug":"setting-up-a-centralized-los-server-with-graylog-on-ubuntu","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2928","title":{"rendered":"Setting Up a Centralized Log Server with GrayLog on Ubuntu"},"content":{"rendered":"

GrayLog is a powerful free open source centralized log management solution for capturing, storing, and enabling real-time analysis.<\/p>\n

It is requires at least 4 GB of RAM on the server because it works with a NoSQL database program (MongoDB) plus a search and analytics solution (ElasticSearch) running all side-by-side.<\/p>\n

\n

SERVER-SIDE UBUNTU 20.04<\/strong><\/p>\n

Preparing the system:<\/p>\n

sudo apt update && sudo apt upgrade -y\r\nsudo apt install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless nano net-tools pwgen -y<\/pre>\n
Installing MongoDB<\/strong>:<\/p>\n
sudo apt install mongodb-server -y\r\nsudo systemctl enable mongodb && sudo systemctl start mongodb\r\nsudo systemctl --type=service --state=active | grep mongod\r\nsudo netstat -tulpn | grep 27017<\/pre>\n
Installing ElasticSearch<\/strong>:<\/p>\n
wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | sudo apt-key add -\r\necho \"deb https:\/\/artifacts.elastic.co\/packages\/oss-7.x\/apt stable main\" | sudo tee -a \/etc\/apt\/sources.list.d\/elastic-7.x.list\r\nsudo apt update && sudo apt install elasticsearch-oss -y<\/pre>\n
Configuring:<\/p>\n
sudo tee -a \/etc\/elasticsearch\/elasticsearch.yml > \/dev\/null <<EOT\r\ncluster.name: graylog\r\naction.auto_create_index: false\r\nEOT<\/pre>\n
Applying and testing:<\/p>\n
sudo systemctl enable elasticsearch && sudo systemctl restart elasticsearch\r\nsudo systemctl --type=service --state=active | grep elasticsearch\r\nsudo netstat -tulpn | grep 9200<\/pre>\n
Installing GrayLog<\/strong>:<\/p>\n
wget https:\/\/packages.graylog2.org\/repo\/packages\/graylog-4.2-repository_latest.deb\r\nsudo dpkg -i graylog-4.2-repository_latest.deb\r\nsudo apt update && sudo apt install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y<\/pre>\n
Generate a hash for the Password Secret:<\/p>\n
pwgen -N 1 -s 96<\/pre>\n
Generate the hash for the Admin Password:<\/p>\n
echo -n \"Enter a STRONG Password: \" && head -1 <\/dev\/stdin | tr -d '\\n' | sha256sum | cut -d\" \" -f1<\/pre>\n
Then edit the configuration file:<\/p>\n
sudo nano \/etc\/graylog\/server\/server.conf<\/pre>\n
Find the following variables and apply the hashed that you created:<\/p>\n
password_secret = 7Eh8mSFuIA2BWtjBdX6Jkh8m6fVSAhRbz0ONB8rAOVQH281wXuvNeBZBBjPQtU2I3qNuH2ALPK0kFat7djAUYGq6mYfXHIHv<\/strong>\r\nroot_password_sha2 = 2a5d3f2d632a9969faab939ef7889efd7afd4c193c49d40b9f9f7152faec75d3<\/strong>\r\nhttp_bind_address = 0.0.0.0<\/strong>:9000<\/pre>\n
sudo systemctl enable graylog-server && sudo systemctl start graylog-server\r\nsudo tail -f \/var\/log\/graylog-server\/server.log | grep \"Graylog server up and running\"\r\nsudo systemctl --type=service --state=active | grep graylog\r\nsudo netstat -tulpn | grep 9000\r\ncurl http:\/\/127.0.0.1:9000<\/pre>\n
\n
Use the browser to navigate to the IP address of the server on port 9000 (e.g. https:\/\/10.10.10.10:9000<\/strong>) and enter the password you created previously:<\/p>\n
\"\"<\/p>\n
Navigate to System<\/strong> > Inputs<\/strong> > select Syslog UDP<\/strong> > click on Lunch New Input<\/strong>.<\/p>\n
\"\"<\/p>\n
Gibe this Local Input a meaningful name and enter the port you want it to listen on:<\/p>\n
\"\"<\/p>\n
Wait few seconds until it shows the green alert saying it is Running<\/strong>.<\/p>\n
\"\"<\/p>\n
Now your log server is ready to receive log messages.<\/p>\n
Create as many inputs as needed to cover all the needs of your infrastructure.<\/p>\n
Consider using Log Relay Server depending on the topology of the network or other constrains.<\/p>\n
\n
CLIENT-SITE ANY LINUX HOST<\/strong><\/p>\n
Configure rsyslog to send the logs to the newly created Log Server (or to the closest Log Relay Server):<\/p>\n
sudo nano \/etc\/rsyslog.conf<\/pre>\n
Append this line to the configuration:<\/p>\n
*.* @10.10.10.10<\/strong>:1514;RSYSLOG_SyslogProtocol23Format<\/pre>\n
Note:<\/strong> use @ for UDP<\/strong> and @@ for TCP<\/strong>. Replace 10.10.10.10<\/strong> with the IP address of the destination server.<\/p>\n
Applying the changes and creating a test entry to the log:<\/p>\n
sudo systemctl restart rsyslog\r\necho \"Log Event Test\" | logger<\/pre>\n
\n
NAVIGATING THROUGH THE LOG ENTRIES<\/strong><\/p>\n
Navigate to Search<\/strong> > click on the green Search Button<\/strong>.<\/p>\n
\"\"<\/p>\n
You might be able to see the test log entries forwarded by rsyslog right away.<\/p>\n
Select a frequency for auto refresh the search, if you want to see the incoming traffic.<\/p>\n
GrayLog’s search works with Wildcards and RegEx. See emaples:<\/p>\n