How to Install Graylog on Ubuntu 24.04 LTS | Step-by-Step

1 Answer

answered by

Chirag's Technology Tutorial

*********************************************************************************

* How to Install Graylog on Ubuntu 24.04 LTS | Step-by-Step *

*********************************************************************************

What Is Graylog?

Graylog is a powerful Security Information and Event Management (SIEM) solution offering a robust log analytics platform that simplifies the collection, search, analysis, and alerting of all types of machine-generated data. It is specifically designed to capture data from diverse sources, allowing you to centralize, secure, and monitor your log data efficiently. Graylog can perform a wide range of cyber security functions, such as:

    Data aggregation

    Security data analytics (reports and dashboards)

    Correlation and security event monitoring

    Forensic analysis

    Incident detection and response

    Real-time event response or alerting console

    Threat intelligence

    User and entity behavior analytics (UEBA)

    IT compliance management

Technology Tutorial 10 (in Hindi) - How to Install Graylog on Ubuntu 24.04 Step-by-Step

https://www.youtube.com/watch?v=Ysz6L7foOMU

Technology Tutorial 10 - How to Install Graylog on Ubuntu 24.04 Step-by-Step

Steps:

1. Install OpenJDK

2. Install Elasticsearch

3. Install MongoDB

4. Install Graylog

5. Configure Nginx as a reverse proxy

6. Access Graylog web interface

7. How to add an Ubuntu client to Graylog

8. How to add a Windows client to Graylog

Update the local package index

To start, log into your server and update the local package index.

sudo apt update

Step : 1 - Install OpenJDK

To install OpenJDK 11, run the command:

apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y

apt install openjdk-11-jre-headless -y

Once installed, you can confirm the version of Java installed as shown.

java -version

Step : 2 - Install Elasticsearch

First, we add the Elasticsearch public key to APT and the Elastic repository to sources.list.d.

To add the GPG key, run the following command:

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg

To add the Elastic repository to sources.list.d, run the following command:

echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Now, update the package index and install Elasticsearch with the following commands:

sudo apt update -y

sudo apt install elasticsearch

Start and enable the elasticsearch service.

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

To check that the service is up and running, run the following command:

sudo systemctl status elasticsearch

After starting the service, we need to configure the cluster name for our Graylog server:

sudo nano /etc/elasticsearch/elasticsearch.yml

Enter these lines of code:

cluster.name: graylog
action.auto_create_index: false

Save the file, close it, then reload systemd and restart the Elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl restart elasticsearch

You can send a GET request to your node using the curl command-line tool to view detailed information about Elasticsearch.

curl -X GET http://localhost:9200

Step : 3 - Install MongoDB Server

In the Graylog server, the MongoDB database stores configuration information and user data. The latest version of Graylog requires a MongoDB 5.x or 6.x release. For this guide, we will install MongoDB 6.0 from the MongoDB repository.

So, add the MongoDB GPG signing key.

curl -fsSL https://pgp.mongodb.com/server-6.0.asc | \
  sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg

Next, add the MongoDB repository to the sources.list.d directory on your system.

echo "deb [ arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

With the repository added to your system, update the local APT cache.

sudo apt update

Then install the MongoDB database server.

sudo apt install mongodb-org -y

To verify the version installed, run the command:

mongod --version

MongoDB does not start automatically upon installation, so start it as shown.

sudo systemctl start mongod

Confirm that the MongoDB database service is running:

sudo systemctl status mongod

In addition, consider enabling the service to auto-start on boot.

sudo systemctl enable mongod

With the MongoDB database server installed, the next step is to install the Graylog server.

Step : 4 - Install Graylog Server

We are now ready to install Graylog server on Ubuntu. By default, the Graylog server package is not available on Ubuntu repositories. Therefore, we are going to install Graylog from the official Graylog repository.

So, download the Graylog Debian package.

wget https://packages.graylog2.org/repo/packages/graylog-6.0-repository_latest.deb

Next, run the dpkg command to install the repository package.

sudo dpkg -i graylog-6.0-repository_latest.deb

Next, update the local APT cache.

sudo apt-get update

Finally, install the Graylog server as follows.

sudo apt install graylog-server -y

Once you have installed the Graylog server, you need to generate a secret to secure the user passwords and an encrypted password for the admin user.

To generate a secret password for securing user passwords, run the following command:

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;

The encrypted password, composed of alphanumeric characters, will be displayed on the terminal.

Next, generate an encrypted password for the Graylog admin login user.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

When prompted, type in the password and hit ENTER. The encrypted password will be displayed on the screen.

Copy and paste the two encrypted passwords somewhere and open the Graylog configuration file.

nano /etc/graylog/server/server.conf

Update the password_secret and root_password_sha2 with the encrypted passwords generated.

password_secret = NeLy0lGbMUuD7X6NLvmj043iQAFg2DjhY9BK4vLgVPW6eS3AHwjGk0AZ10V64IzsYF2AGCoBV2Az0aXct59U-bYD037LiL9P

root_password_sha2 = 7676aaafb027c825bd9abab78b234070e702752f625b752e55e55b48e607e358

Next, specify the IP address on which the Graylog HTTP interface will listen using the http_bind_address. By default, this is set to localhost or the loopback address. Ensure you set it to the IP assigned to your network interface and specify the port Graylog listens on (port 9000).

http_bind_address = 127.0.0.1:9000

elasticsearch_hosts = http://localhost:9200

mongodb_uri = mongodb://localhost:27017/graylog

Save the changes and exit the configuration file. Next, reload systemd to notify the system of the changes made.

systemctl daemon-reload

Next, start the Graylog service.

systemctl start graylog-server

The Graylog daemon or service should now be running. You can confirm this as shown.

systemctl status graylog-server

Consider enabling the service to start on system startup.

systemctl enable graylog-server

Step : 5 - Configure Nginx as a reverse proxy

On its own, Graylog can act as a frontend and does not require a web server. However, you can configure a web server as a reverse proxy for port 80 to port 9000, on which Graylog listens. This also simplifies configuring an SSL certificate for Graylog.

In our case, we will use Nginx as our preferred option for a web server. To install Nginx, run the command:

apt install nginx

Once installed, create a virtual host file for Graylog.

nano /etc/nginx/sites-available/graylog.conf

Add these lines of code, and make sure to specify your server's IP for the proxy_pass attribute.

server {
    listen 80;
    server_name graylog.example.org;

    location / {
        proxy_pass http://localhost:9000;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
    }
}

Save the changes and exit the configuration file. Then, run the following command to verify that your webserver’s configuration syntax is okay.

nginx -t

Note:

If you get the error below:

Sep 13 15:47:26 dept nginx[36217]: nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
Sep 13 15:47:26 dept nginx[36217]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 13 15:47:26 dept systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE

then:

Go to /etc/nginx/sites-available/default

Disable IPv6

I just commented out the following line using # in front of the line.

listen [::]:80 default_server ipv6only=on;

Then try

nginx -t

If all looks good, enable the Nginx virtual host file.

ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/

Remember to delete the default virtual host file, as this will override the newly enabled virtual host configuration.

rm -rf /etc/nginx/sites-enabled/default

To apply the changes made, restart the Nginx web service

systemctl restart nginx

And ensure that it is running as expected.

systemctl status nginx

Step : 6 - Access Graylog web interface

To access the Graylog web interface, visit the following URL on your web browser.

http://server-ip

You will see the web page shown. Log in using the username admin and the root user password you specified in plain text in step 4. Then click the Sign In button.

Step : 7 - How to add an Ubuntu client to Graylog

Configure Input to Receive Logs

Now, you need to set up an input in Graylog to receive logs. This is where Graylog listens for log data from other servers or services.

    Log in to the Graylog Web Interface and navigate to:

        System > Inputs

    Choose Input Type:

        From the Inputs dropdown, select the type of log input you want to configure. For example, to receive logs via Syslog, choose Syslog UDP or Syslog TCP.

        If using Filebeat or other beats, select Beats Input.

    Configure the Input:

    System -> Inputs -> Syslog UDP

        Click Launch New Input.

        Select the node you want to run the input on (usually the one you just set up).

        For Syslog:

            Set the Port (e.g., 514 for UDP/TCP).

            Set the Bind address (0.0.0.0 to listen on all IPs).

            Optional: Add additional parameters like setting the Global option if you want it to be available on all nodes.

            Configure any other necessary parameters.

        Click Save to create the input.

    Start the Input:

        After saving, the input should start automatically. If not, start it manually from the list of inputs.

Install rsyslog on the Ubuntu client machine:

sudo apt install rsyslog -y

cd /etc/rsyslog.d

nano 01-client.conf

# RFC 5424 layout including the <PRI> header; "@" forwards over UDP ("@@" would be TCP)
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %MSG%\n"
*.* @192.168.224.134:514;GRAYLOGRFC5424

Restart Syslog:

sudo systemctl restart rsyslog

Now, to check the logs on the Graylog server, go to the Search menu.

Step : 8 - How to add a Windows client to Graylog

To send Windows Event Logs to Graylog, you'll typically follow these steps:

Prerequisites:

    Graylog server running and reachable.

    Graylog input configured for receiving logs (e.g., Syslog, GELF).

    NXLog or Winlogbeat installed on your Windows system for log forwarding.

Using NXLog

Step 1: Install NXLog

    Download and install NXLog Community Edition from the official site.

    After installation, open the NXLog configuration file (nxlog.conf), typically located at:

    C:\Program Files\nxlog\conf\nxlog.conf

Step 2: Configure NXLog to forward Windows Event Logs

    Add or modify the following sections in the nxlog.conf file to capture and forward logs:

......................

......................

# Snare compatible example configuration
# to_syslog_snare() is provided by the xm_syslog extension, so it has to be loaded
<Extension _syslog>
    Module      xm_syslog
</Extension>
#
# Collecting event log
<Input in>
    Module      im_msvistalog
</Input>
#
# Converting events to Snare format and sending them out over TCP syslog
<Output out>
    Module      om_tcp
    Host        192.168.1.3
    Port        514
    Exec        to_syslog_snare();
</Output>
#
# Connect input 'in' to output 'out'
<Route 1>
    Path        in => out
</Route>

Step 3: Restart NXLog service

After editing the configuration file, restart NXLog service:

net stop nxlog
net start nxlog

This will start sending Windows Event Logs to your Graylog instance.

Verify Graylog Input

Ensure that Graylog is listening on the correct IP and port (514 in your case) for Syslog TCP.

    Go to the Graylog web interface.

    Navigate to System → Inputs.

    Check if a Syslog TCP input is created and running on port 514.

If it's not running, create or start the input:

    Choose Syslog TCP as the input type.

    Configure it to listen on port 514.

    Set the bind address to 0.0.0.0 or the specific IP (192.168.1.3) if needed.

Note : Follow the process shown in the video.

Please, Subscribe and like for more videos:

https://www.youtube.com/@chiragstutorial

Don't forget to Follow, Like, Share & Comment

Tutorial Link :

https://www.chirags.in/tutorials/

Thanks & Regards,

Chitt Ranjan Mahto "Chirag"

inchirags@gmail.com

_________________________________________________________________________________

Note: All scripts used in this demo will be available in our website.

Link will be available in description.
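The step 4 secrets (password_secret and root_password_sha2) and the server.conf edits, worked as an added Python example. This is not code from the original answer or from Graylog: it reproduces what the shell one-liners in step 4 compute, patches the values into a constructed excerpt of server.conf, and audits the result for the mistakes a reviewer would catch (empty secret, non-hex digest, an admin password of "admin", a plain-HTTP listener exposed beyond loopback). SAMPLE_CONF, harden_conf and audit are this example's own names, and the file excerpt is constructed, not copied from a real install.

```python
# Added example (not from the original answer or from Graylog): generate
# password_secret and root_password_sha2 the way the shell commands in step 4 do,
# patch them into server.conf text, and audit the result before starting the service.
import hashlib
import re
import secrets
import string

# Same character set as `tr -dc A-Z-a-z-0-9`; Graylog requires at least 64 characters.
SECRET_ALPHABET = string.ascii_letters + string.digits + "-"

# Constructed excerpt of a fresh server.conf (package defaults), not a real file.
SAMPLE_CONF = """\
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret =
root_username = admin
root_password_sha2 =
#http_bind_address = 127.0.0.1:9000
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
mongodb_uri = mongodb://localhost/graylog
"""


def generate_password_secret(length: int = 96) -> str:
    """Random pepper for Graylog's stored password hashes (>= 64 chars required)."""
    if length < 64:
        raise ValueError("Graylog requires password_secret to be at least 64 characters")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def root_password_sha2(password: str) -> str:
    """Equivalent of: echo -n "$password" | sha256sum | cut -d" " -f1"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_option(conf: str, key: str, value: str) -> str:
    """Set `key = value`, replacing the first existing (possibly commented-out) line for key."""
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    new_line = f"{key} = {value}"
    if pattern.search(conf):
        return pattern.sub(lambda _m: new_line, conf, count=1)
    return conf.rstrip("\n") + "\n" + new_line + "\n"


def parse_options(conf: str) -> dict:
    """Active (uncommented) key = value pairs of a server.conf."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def harden_conf(conf: str, root_password: str, secret: str = "") -> str:
    """Apply the step 4 settings; the HTTP listener stays on loopback because Nginx
    on the same host proxies to it (hypothetical helper, not a Graylog API)."""
    conf = set_option(conf, "password_secret", secret or generate_password_secret())
    conf = set_option(conf, "root_password_sha2", root_password_sha2(root_password))
    conf = set_option(conf, "http_bind_address", "127.0.0.1:9000")
    conf = set_option(conf, "elasticsearch_hosts", "http://localhost:9200")
    conf = set_option(conf, "mongodb_uri", "mongodb://localhost:27017/graylog")
    return conf


def audit(conf: str) -> list:
    """Findings a reviewer would flag before running `systemctl start graylog-server`."""
    opts = parse_options(conf)
    findings = []
    if len(opts.get("password_secret", "")) < 64:
        findings.append("password_secret is unset or shorter than 64 characters")
    digest = opts.get("root_password_sha2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        findings.append("root_password_sha2 is not a hex SHA-256 digest")
    elif digest == root_password_sha2("admin"):
        findings.append("root password is the guessable value 'admin'")
    bind = opts.get("http_bind_address", "127.0.0.1:9000")
    tls = opts.get("http_enable_tls", "false").lower() == "true"
    if not bind.startswith("127.0.0.1") and not tls:
        findings.append(f"http_bind_address {bind} exposes the plain-HTTP API beyond loopback; "
                        "keep it behind the reverse proxy or enable http_enable_tls")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))                      # two findings on the untouched default
    hardened = harden_conf(SAMPLE_CONF, "correct horse battery staple")
    print(audit(hardened))                         # []
    print(hardened)
```

To use it on a real install, pass the contents of /etc/graylog/server/server.conf to harden_conf and write the result back as root. root_password_sha2 is an unsalted SHA-256 of the admin password, so choose a long passphrase, and the comment in server.conf itself warns that changing password_secret after installation invalidates sessions and encrypted values stored in the database.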

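The rsyslog forwarding in step 7, as an added Python example that is not part of the original answer, of rsyslog or of Graylog: it builds the RFC 5424 line that a GRAYLOGRFC5424-style template with a `<%PRI%>` header produces, parses it back the way a Syslog input must (a line that carries no `<PRI>` header, which is what a template without `<%PRI%>` emits, is rejected), and can send it over UDP to the input. The target 192.168.224.134:514 is the answer's value; the hostname, process and message text are constructed. One caveat from practice: port 514 is a privileged port, and graylog-server runs as the unprivileged graylog user, so an input is normally bound to a port above 1024 such as 1514, with the rsyslog target changed to match.

```python
# Added example (not from the original answer): build, parse and send the RFC 5424
# syslog line the GRAYLOGRFC5424 template emits. Sample values are constructed.
import re
import socket
from datetime import datetime, timezone

FACILITY_AUTH = 4     # facility/severity numbers as defined in RFC 5424 section 6.2.1
SEVERITY_INFO = 6

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$",
    re.DOTALL,
)


def build_rfc5424(facility, severity, hostname, appname, procid, msg,
                  timestamp=None, msgid="-", sd="-"):
    """Format one message exactly as the GRAYLOGRFC5424 template lays it out."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        timestamp = (datetime.now(timezone.utc)
                     .isoformat(timespec="milliseconds").replace("+00:00", "Z"))
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {appname} {procid} {msgid} {sd} {msg}"


def parse_rfc5424(line):
    """Header fields plus decoded facility/severity, or None if the line is not RFC 5424."""
    m = RFC5424_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    fields["facility"], fields["severity"] = divmod(pri, 8)
    fields["version"] = int(fields["version"])
    return fields


def send_udp(line, host="192.168.224.134", port=514):
    """Ship one message to a Graylog 'Syslog UDP' input (the '@' target in rsyslog)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # Constructed sshd event on the client host "dept" from the answer
    sample = build_rfc5424(FACILITY_AUTH, SEVERITY_INFO, "dept", "sshd", "1234",
                           "Accepted publickey for dept from 192.168.224.10 port 50122 ssh2")
    print(sample)
    print(parse_rfc5424(sample))
    # send_udp(sample)  # uncomment on a client that can reach the Graylog input
```

After sending, the message should show up in the Graylog Search view with source "dept", application_name "sshd" and level 6; if the input instead reports the line as unparsable, the header is the first thing to compare against parse_rfc5424.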