Graylog Install

Installing Graylog

Step One: Install the OS. Selected Ubuntu 18.04 and installed it from ISO on a Hyper-V virtual machine.

Step Two: Install Prerequisites

sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

Install MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service

Install ElasticSearch

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss

Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml): set the cluster name to graylog and add action.auto_create_index: false.

cluster.name: graylog
action.auto_create_index: false

Change the system config to auto start Elasticsearch

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

Install Graylog

wget https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.deb
sudo dpkg -i graylog-3.1-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

Edit the Graylog config. Two parameters are mandatory:

password_secret and root_password_sha2

The password_secret is required for salting your passwords. You can generate one with the following command.

pwgen -N 1 -s 96

The root_password_sha2 value can also be generated. It is the SHA-256 hash of the root user's password. This user is only needed for the initial configuration, and its password can only be changed by editing the config.

echo -n yourpassword | shasum -a 256

Lastly, set the http_bind_address to your server's IP.

Configure Graylog to start at system startup

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

Log into the web-based interface and finish the configuration. Make sure to use port 9000, or whatever port you selected in the config.

Note: The default user is admin. I had assumed the root user was root, based on the hashed-password setting in the configuration file.

# Update firewall to allow port 9000
sudo ufw allow 9000/tcp

If you try to start an input on one of the privileged ports, it will only work for the "root" user. To use a privileged port, you can use authbind on Debian-based systems, or redirect the traffic with an iptables rule like this:

The input needs to be started on port 1514 in this case and will be made available on port 514 to the outside. The clients can then send data to port 514.

iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
# set time zone
sudo timedatectl set-timezone your_time_zone