Chirag's Technology Tutorial
*********************************************************************************
* How to Install Graylog on Ubuntu 24.04 LTS | Step-by-Step *
*********************************************************************************
YouTube Link:
What Is Graylog?
Graylog is a powerful Security Information and Event Management (SIEM) solution offering a robust log analytics platform that simplifies the collection, search, analysis, and alerting of all types of machine-generated data. It is specifically designed to capture data from diverse sources, allowing you to centralize, secure, and monitor your log data efficiently. Graylog can perform a wide range of cyber security functions, such as:
Data aggregation
Security data analytics (reports and dashboards)
Correlation and security event monitoring
Forensic analysis
Incident detection and response
Real-time event response or alerting console
Threat intelligence
User and entity behavior analytics (UEBA)
IT compliance management
Technology Tutorial 10 (in Hindi) - How to Install Graylog on Ubuntu 24.04 Step-by-Step
https://www.youtube.com/watch?v=Ysz6L7foOMU
Technology Tutorial 10 - How to Install Graylog on Ubuntu 24.04 Step-by-Step
Steps:
1. Install OpenJDK
2. Install Elasticsearch
3. Install MongoDB
4. Install Graylog
5. Configure Nginx as a reverse proxy
6. Access Graylog web interface
7. How to add an Ubuntu client to Graylog
8. How to add a Windows client to Graylog
Update the local package index
To start, log into your server and update the local package index.
sudo apt update
Step 1 - Install OpenJDK
First install the helper packages used later in this guide, then OpenJDK 11:
sudo apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y
sudo apt install openjdk-11-jre-headless -y
Once installed, you can confirm the version of Java installed as shown.
java -version
Step 2 - Install Elasticsearch
First we add the Elasticsearch public signing key to APT and the Elastic package source to sources.list.d.
To add the GPG key, execute the following command:
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
To add the Elastic source to sources.list.d, execute the following command:
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
Now update the package index and install Elasticsearch with the following commands:
sudo apt update -y
sudo apt install elasticsearch
Start and enable the elasticsearch service.
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
To check that the service is up and running, execute the following command:
sudo systemctl status elasticsearch
After starting the service, set the cluster name for our Graylog server and disable automatic index creation:
sudo nano /etc/elasticsearch/elasticsearch.yml
Add these lines:
cluster.name: graylog
action.auto_create_index: false
Save and close the file, then reload systemd and restart the Elasticsearch service:
sudo systemctl daemon-reload
sudo systemctl restart elasticsearch
You can send a GET request to your node using the curl command-line tool to view detailed information about Elasticsearch.
curl -X GET http://localhost:9200
Step 3 - Install MongoDB Server
In the Graylog server, the MongoDB database stores configuration information and user data. The latest version of Graylog requires a MongoDB 5.x or 6.x release. For this guide, we will install MongoDB 6.0 from the MongoDB repository.
First, add the MongoDB GPG signing key.
curl -fsSL https://pgp.mongodb.com/server-6.0.asc | \
sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg
Next, add the MongoDB repository to the sources.list.d directory on your system. The signed-by path must point at the key file written in the previous command, otherwise apt will refuse the repository.
echo "deb [ arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
With the repository added to your system, update the local APT cache.
sudo apt update
Then install the MongoDB database server.
sudo apt install mongodb-org -y
To verify the version installed, run the command:
mongod --version
MongoDB does not start automatically upon installation, so start it as shown.
sudo systemctl start mongod
Confirm that the MongoDB database service is running:
sudo systemctl status mongod
In addition, consider enabling the service to auto-start on boot.
sudo systemctl enable mongod
With the MongoDB database server installed, the next step is to install the Graylog server.
Step 4 - Install Graylog Server
We are now ready to install Graylog server on Ubuntu. By default, the Graylog server package is not available on Ubuntu repositories. Therefore, we are going to install Graylog from the official Graylog repository.
So, download the Graylog Debian package.
wget https://packages.graylog2.org/repo/packages/graylog-6.0-repository_latest.deb
Next, run dpkg to install the repository package.
sudo dpkg -i graylog-6.0-repository_latest.deb
Next, update the local APT cache.
sudo apt-get update
Finally, install the Graylog server as follows.
sudo apt install graylog-server -y
Once you have installed the Graylog server, you need to generate a secret (password_secret) that Graylog uses to protect stored user passwords, and the SHA-256 hash of the admin password (root_password_sha2).
To generate the secret, run the following command:
< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;
A random string of 96 alphanumeric characters is printed on the terminal.
Next, generate the hash of the Graylog admin login password.
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
When prompted, type in the password and hit ENTER. The SHA-256 hash is displayed on the screen.
Copy both values somewhere safe and open the Graylog configuration file.
nano /etc/graylog/server/server.conf
Set password_secret and root_password_sha2 to the values just generated.
password_secret = NeLy0lGbMUuD7X6NLvmj043iQAFg2DjhY9BK4vLgVPW6eS3AHwjGk0AZ10V64IzsYF2AGCoBV2Az0aXct59U-bYD037LiL9P
root_password_sha2 = 7676aaafb027c825bd9abab78b234070e702752f625b752e55e55b48e607e358
Next, specify the address on which the Graylog HTTP interface listens using http_bind_address. By default this is localhost (the loopback address); set it to the IP assigned to your network interface if clients must reach Graylog directly, and specify the port Graylog listens on (port 9000). Because step 5 places Nginx in front of Graylog on the same host, the loopback address is enough here and keeps port 9000 from being reachable from the network.
http_bind_address = 127.0.0.1:9000
Also confirm the Elasticsearch and MongoDB connection settings:
elasticsearch_hosts = http://localhost:9200
mongodb_uri = mongodb://localhost:27017/graylog
Save the changes and exit the configuration file. Next, reload systemd to notify the system of the changes made.
systemctl daemon-reload
Next, start the Graylog service.
systemctl start graylog-server
The Graylog daemon or service should now be running. You can confirm this as shown.
systemctl status graylog-server
Consider enabling the service to start on system startup.
systemctl enable graylog-server
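As an added example (not part of the tutorial), the script below generates both values from step 4 with the same tr and sha256sum pipelines and writes them into server.conf with sed, so the secrets never have to be pasted by hand; the helper names (gen_secret, hash_password, set_conf_value, get_conf_value) and the placeholder password are assumptions, and it works on a constructed temporary copy of the file.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): generate the two values that
# step 4 puts into /etc/graylog/server/server.conf and write them into a copy of
# the file with sed, instead of pasting secrets by hand.
set -eu

# Random password_secret from the same character set as the tutorial's tr pipeline.
gen_secret() {
    tr -dc 'A-Za-z0-9-' < /dev/urandom | head -c "${1:-96}"
}

# SHA-256 of the admin password in lower-case hex, the form root_password_sha2 expects.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f1
}

# Replace an uncommented "key = ..." line in a config file, or append it if absent.
set_conf_value() {
    local file="$1" key="$2" value="$3"
    if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read a key back so the result can be checked before restarting graylog-server.
get_conf_value() {
    grep -E "^[[:space:]]*${2}[[:space:]]*=" "$1" | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Demo on a constructed copy of server.conf; point "conf" at the real file to apply.
conf="$(mktemp)"
cat > "$conf" <<'EOF'
password_secret =
root_password_sha2 =
http_bind_address = 127.0.0.1:9000
EOF
set_conf_value "$conf" password_secret "$(gen_secret 96)"
set_conf_value "$conf" root_password_sha2 "$(hash_password 'CHANGE-ME')"   # placeholder admin password
set_conf_value "$conf" elasticsearch_hosts "http://localhost:9200"
set_conf_value "$conf" mongodb_uri "mongodb://localhost:27017/graylog"
cat "$conf"
```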
Step 5 - Configure Nginx as a reverse proxy
On its own, Graylog can act as a frontend and does not require a web server. However, you can configure a web server as a reverse proxy for port 80 to port 9000, on which Graylog listens. This also simplifies configuring an SSL certificate for Graylog.
In our case, we will use Nginx as our preferred option for a web server. To install Nginx, run the command:
apt install nginx
Once installed, create a virtual host file for Graylog.
nano /etc/nginx/sites-available/graylog.conf
Add these lines, and make sure proxy_pass points at the address and port you set in http_bind_address in step 4 (http://localhost:9000 here; use your server's IP instead if you bound Graylog to it).
server {
    listen 80;
    server_name graylog.example.org;
    location / {
        proxy_pass http://localhost:9000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
    }
}
Save the changes and exit the configuration file. Then, run the following command to verify that your webserver’s configuration syntax is okay.
nginx -t
Note:
If you get the error below when testing or starting Nginx:
"Sep 13 15:47:26 dept nginx[36217]: nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
Sep 13 15:47:26 dept nginx[36217]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 13 15:47:26 dept systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE"
Then:
Open /etc/nginx/sites-available/default
Disable IPv6
I just commented out the following line using # in front of the line.
listen [::]:80 default_server ipv6only=on;
Then try
nginx -t
If all looks good, enable the Nginx virtual host file.
ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/
Remember to remove the default virtual host symlink, as it would otherwise override the newly enabled virtual host configuration.
rm -rf /etc/nginx/sites-enabled/default
To apply the changes made, restart the Nginx web service
systemctl restart nginx
And ensure that it is running as expected.
systemctl status nginx
Step 6 - Access Graylog web interface
To access the Graylog web interface, visit the following URL on your web browser.
http://server-ip
You will see the web page shown. Log in using the username admin and the root user password you specified in plain text in step 4. Then click the Sign In button.
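A check worth running once steps 4 to 6 are done, added here and not part of the original tutorial: parse ss -ltn output and confirm that Graylog (9000), Elasticsearch (9200) and MongoDB (27017) are bound only to loopback addresses while Nginx on port 80 is the only service facing the network. The function names and the sample ss output are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: check which address each service
# from steps 2-5 is bound to, so that only Nginx (port 80) faces the network while
# Graylog (9000), Elasticsearch (9200) and MongoDB (27017) stay on loopback.
set -eu

# Turn "ss -ltn" output (stdin) into "port address" pairs, one per line.
# Handles IPv4 (127.0.0.1:9000), wildcard (0.0.0.0:80, *:80) and IPv6 ([::]:80).
listeners() {
    awk 'NR > 1 { n = split($4, a, ":"); port = a[n];
                  print port, substr($4, 1, length($4) - length(port) - 1) }'
}

# Succeed only if port $1 is listening and every listener on it is a loopback address.
# The "port address" list produced by listeners() is read from stdin.
loopback_only() {
    local port found
    port=$1; found=0
    while read -r p addr; do
        [ "$p" = "$port" ] || continue
        found=1
        case "$addr" in
            127.*|"[::1]"|"::1") ;;
            *) return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Audit the backend ports; prints a verdict per port and returns 1 if any is exposed.
audit_bindings() {
    local list port rc
    list=$1; rc=0
    for port in 9000 9200 27017; do
        if printf '%s\n' "$list" | loopback_only "$port"; then
            echo "OK   $port loopback only"
        else
            echo "WARN $port reachable from the network or not listening"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of "ss -ltn" output for a host set up as in this guide.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9000      0.0.0.0:*
LISTEN 0      4096   [::1]:9200          [::]:*
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*'
audit_bindings "$(printf '%s\n' "$SAMPLE" | listeners)"
```

On the live server replace the constructed SAMPLE with real output: audit_bindings "$(ss -ltn | listeners)".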
Step 7 - How to add an Ubuntu client to Graylog
Configure Input to Receive Logs
Now, you need to set up an input in Graylog to receive logs. This is where Graylog listens for log data from other servers or services.
Log in to the Graylog Web Interface and navigate to:
System > Inputs
Choose Input Type:
From the Inputs dropdown, select the type of log input you want to configure. For example, to receive logs via Syslog, choose Syslog UDP or Syslog TCP.
If using Filebeat or other beats, select Beats Input.
Configure the Input:
System -> Inputs -> Syslog UDP
Click Launch New Input.
Select the node you want to run the input on (usually the one you just set up).
For Syslog:
Set the Port (e.g., 514 for UDP/TCP).
Set the Bind address (0.0.0.0 to listen on all IPs).
Optional: Add additional parameters like setting the Global option if you want it to be available on all nodes.
Configure any other necessary parameters.
Click Save to create the input.
Start the Input:
After saving, the input should start automatically. If not, start it manually from the list of inputs.
Install rsyslog on the Ubuntu client machine:
sudo apt install rsyslog -y
Then create a forwarding rule in a new file under /etc/rsyslog.d:
sudo nano /etc/rsyslog.d/01-client.conf
# RFC 5424 layout expected by the Graylog Syslog input; <PRI> carries facility and severity
$template GRAYLOGRFC5424,"<%PRI%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
# A single @ sends over UDP (use @@ for TCP); replace the IP with your Graylog server's address
*.* @192.168.224.134:514;GRAYLOGRFC5424
Restart Syslog:
sudo systemctl restart rsyslog
To check that the logs arrive, open the Search menu in the Graylog web interface.
Step 8 - How to add a Windows client to Graylog
To send Windows Event Logs to Graylog, you'll typically follow these steps:
Prerequisites:
Graylog server running and reachable.
Graylog input configured for receiving logs (e.g., Syslog, GELF).
NXLog or Winlogbeat installed on your Windows system for log forwarding.
Using NXLog
Step 1: Install NXLog
Download and install NXLog Community Edition from the official site.
After installation, open the NXLog configuration file (nxlog.conf), typically located at:
C:\Program Files\nxlog\conf\nxlog.conf
Step 2: Configure NXLog to forward Windows Event Logs
Add or modify the following sections in the nxlog.conf file to capture and forward logs:
......................
......................
# Snare compatible example configuration
# Collecting event log
<Input in>
    Module im_msvistalog
</Input>
#
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module om_tcp
    Host 192.168.1.3
    Port 514
    Exec to_syslog_snare();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
    Path in => out
</Route>
Step 3: Restart NXLog service
After editing the configuration file, restart NXLog service:
net stop nxlog
net start nxlog
This will start sending Windows Event Logs to your Graylog instance.
Verify Graylog Input
Ensure that Graylog is listening on the correct IP and port (514 in your case) for Syslog TCP.
Go to the Graylog web interface.
Navigate to System → Inputs.
Check if a Syslog TCP input is created and running on port 514.
If it's not running, create or start the input:
Choose Syslog TCP as the input type.
Configure it to listen on port 514.
Set the bind address to 0.0.0.0 or the specific IP (192.168.1.3) if needed.
Note : Follow the process shown in the video.
Please subscribe and like for more videos:
https://www.youtube.com/@chiragstutorial
Don't forget to follow, like, share and comment.
Thanks & Regards,
Chitt Ranjan Mahto "Chirag"
inchirags@gmail.com
_________________________________________________________________________________
Note: All scripts used in this demo will be available in our website.
Link will be available in description.