How to monitor log files with Graylog v3.1 on Debian 10
Graylog is a free, open-source log management tool built on Java, Elasticsearch and MongoDB. Graylog collects, indexes and analyzes server logs from a single centralized location or from distributed sources. With Graylog we can quickly spot abnormal activity in the logs and use it to debug applications. Graylog provides a powerful query language, alerting, processing pipelines for data transformation, and more, and its functionality can be extended through the REST API and add-ons.
Currently there is no official guide for Graylog v3.1 on Debian 10.
The process of installing Graylog v3.1 on Debian 10 is divided into 9 steps:
- Step 1: Update the system with Debian backports
- Step 2: Install the headless Java runtime v11.00
- Step 3: Install some helper tools
- Step 4: Install MongoDB v4.2, which stores Graylog's configuration and meta information
- Step 5: Install Elasticsearch-OSS 6.x, which stores all incoming messages and provides the search functions
- Step 6: Install Graylog v3.1, which receives log messages from its configured inputs and provides a web interface for analysis and monitoring
- Step 7: Configure Graylog
- Step 8: Test Graylog
- Step 9: Log in to Graylog
Prerequisites
- A minimal Debian 10 installation. We can refer to this tutorial.
- At least 4 GB of RAM, 2 CPU cores and a 20 GB disk
- Default password: KataLaluan
- Default secret: SecretRahsiaSecreta
- Use "su -": Debian recently changed the behaviour of the su command, and a plain "su" no longer resets PATH. Use "su -" instead.
Step 1: Update the system with Debian Backport
Configure the system to use the Debian backports repository:
cat > /etc/apt/sources.list << EOF
deb http://ftp.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://ftp.debian.org/debian/ buster-updates main contrib non-free
deb http://ftp.debian.org/debian buster-backports main contrib non-free
EOF
apt -y update
apt -y dist-upgrade
Step 2: Install the headless Java runtime v11.00
Graylog and Elasticsearch are Java-based applications, so Java must be installed on the system. The latest version of Java is available in the default Debian 10 repository and can be installed by running:
apt -y install apt-transport-https default-jdk
Step 3: Install some helper tools
During the installation we need two useful helper tools:
- GnuPG - an implementation of the OpenPGP standard, used here to manage the repository signing keys
- wget - a tool to retrieve files over HTTP, HTTPS and FTP, the most widely used Internet protocols
apt -y install gnupg wget
Step 4-Install MongoDB v4.2
By default, MongoDB is not available in the Debian 10 repository, so we need to add the MongoDB repository to the system:
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 4B7C549A058F8B6B
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/latest-mongodb.list
apt -y update
apt install -y mongodb-org
Enable and restart the MongoDB service:
systemctl enable mongod.service
systemctl start mongod.service
Step 5: Install Elasticsearch-OSS 6.x
Currently, Graylog v3.1 does not support Elasticsearch-OSS 7.x.
We add the Elasticsearch signing key and repository provided by elastic.co to Debian, then install Elasticsearch by running the following commands:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | tee -a /etc/apt/sources.list.d/latest-elastic-6.x.list
apt -y update
apt -y install elasticsearch-oss
Set the Elasticsearch cluster name:
sed -i "s/#cluster.name: my-application/cluster.name: graylog-application/g" /etc/elasticsearch/elasticsearch.yml
Enable and restart the Elasticsearch service:
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
Step 6: Install Graylog v3.1
We download the Graylog repository package, which adds the Graylog signing key and configures the Graylog repository:
cd /tmp/
wget https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.deb
dpkg -i graylog-3.1-repository_latest.deb
apt -y update
Install Graylog by running the following command:
apt -y install graylog-server
Step 7: Configure Graylog
Hash the password and copy the resulting hash. "KataLaluan" is the password chosen for this tutorial. The tr command strips the trailing newline that echo adds, so that only the password itself is hashed:
echo 'KataLaluan' | tr -d '\n' | sha256sum | cut -d" " -f1
Add the hashed password to the Graylog configuration file:
sed -i "s/^root_password_sha2 =$/root_password_sha2 = a25d2f6605c9e27f182d39b66a8b527eb7f2360e52b2ccc7614f8ac24e472bef/g" /etc/graylog/server/server.conf
Add a secret of at least 16 characters to the Graylog configuration file (Graylog refuses to start with a shorter one):
sed -i "s/^password_secret =$/password_secret = SecretRahsiaSecreta/g" /etc/graylog/server/server.conf
Allow external access to Graylog by binding the web interface and REST API to all interfaces:
sed -i "s/^#http_bind_address = 127.0.0.1:9000/http_bind_address = 0.0.0.0:9000/g" /etc/graylog/server/server.conf
Set the time zone to your location. The time zone name contains a slash, so the sed expression uses "|" as its delimiter instead of "/":
sed -i "s|#root_timezone = UTC|root_timezone = Asia/Kuala_Lumpur|g" /etc/graylog/server/server.conf
Enable and restart the Graylog service:
systemctl enable graylog-server.service
systemctl start graylog-server.service
If Graylog is behind a router, the router's WAN IP address (or a DNS A record pointing to that address) must be set as the publish URI in the Graylog configuration:
sed -i '/http_publish_uri =/chttp_publish_uri = http://graylog.howtoforge.com:9000/' /etc/graylog/server/server.conf
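The sed one-liners above work on a stock server.conf, but they silently do nothing if a key is already set, and a value containing "/" (such as Asia/Kuala_Lumpur) breaks the default sed delimiter. The following script is an added example, not part of the original tutorial: it wraps Step 7 in small helper functions that hash the password without a trailing newline, uncomment or replace a key whether it is currently commented out or not, and refuse a password_secret shorter than 16 characters. The sample configuration it edits is a constructed excerpt resembling server.conf, not the real file, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for Step 7 (not from the original tutorial): safe edits to
# /etc/graylog/server/server.conf. Function names are this example's own.

# SHA-256 of the bare password, without the newline that echo would add.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# set_conf KEY VALUE FILE: replace (or uncomment) "KEY = ..." in FILE.
# Uses "|" as the sed delimiter so values may contain "/", and escapes the
# characters that are special in a sed replacement. Missing keys are appended.
set_conf() {
    key=$1; value=$2; file=$3
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${esc}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf KEY FILE: print the active (uncommented) value of KEY.
get_conf() {
    sed -n -E "s|^${1}[[:space:]]*=[[:space:]]*||p" "$2" | head -n 1
}

# configure_graylog FILE PASSWORD SECRET TIMEZONE: apply the Step 7 settings.
# Returns 1 without touching FILE if SECRET is shorter than the 16 characters
# Graylog requires for password_secret.
configure_graylog() {
    file=$1; password=$2; secret=$3; tz=$4
    if [ "${#secret}" -lt 16 ]; then
        echo "password_secret must be at least 16 characters" >&2
        return 1
    fi
    set_conf root_password_sha2 "$(hash_password "$password")" "$file"
    set_conf password_secret "$secret" "$file"
    set_conf root_timezone "$tz" "$file"
    set_conf http_bind_address "0.0.0.0:9000" "$file"
}

# Constructed excerpt resembling the stock server.conf (not the real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
is_master = true
root_username = admin
root_password_sha2 =
password_secret =
#root_timezone = UTC
#http_bind_address = 127.0.0.1:9000
#http_publish_uri = http://127.0.0.1:9000/
EOF
}

# Demonstration on a temporary copy; point configure_graylog at the real
# /etc/graylog/server/server.conf to apply the same settings for real.
sample=$(mktemp)
make_sample_conf "$sample"
configure_graylog "$sample" KataLaluan SecretRahsiaSecreta Asia/Kuala_Lumpur
cat "$sample"
rm -f "$sample"
```

Running the script a second time against the same file gives the same result, so it can be re-run after a package upgrade replaces the configuration. Running it with a secret such as "short" prints the error and leaves the file unchanged.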
Step 8: Test Graylog
Let's test Graylog with a few basic commands. First install the tools we need:
apt -y install netcat curl
Here is an example command that sends a test message to Graylog over UDP (this assumes a UDP input listening on port 9099 has been created in Graylog, since Graylog has no inputs by default):
echo "Hello Graylog, let's be friends." | nc -w 1 -u 127.0.0.1 9099
Here are some example commands to check the Elasticsearch node and cluster health that Graylog depends on:
curl -X GET http://localhost:9200
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
Here is an example command to follow the Graylog server log:
tail -f /var/log/graylog-server/server.log
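The three checks above are easier to reuse as a single script. The following is an added example, not part of the original tutorial: it parses the Elasticsearch cluster health, the Graylog REST API root (http://localhost:9000/api/, which reports the server version) and the server log for the "Graylog server up and running" line, and combines them into one verdict. The parsers take their input as a string so they can be exercised offline against the constructed samples below; the live requests are issued only when the script is started with "--live". Function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example for Step 8 (not from the original tutorial): a scripted
# smoke check for the Graylog stack. Function names are this example's own.

# Extract the "status" value from an Elasticsearch _cluster/health response
# (works for both pretty-printed and single-line JSON).
es_cluster_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' | head -n 1
}

# Extract the "version" value from the Graylog REST API root document.
graylog_version() {
    printf '%s\n' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# True once server.log contains the line Graylog prints when startup is complete.
graylog_is_up() {
    printf '%s\n' "$1" | grep -q 'Graylog server up and running'
}

# smoke_check HEALTH_JSON API_JSON LOG_TEXT: 0 = healthy, 1 = not ready.
# "yellow" is accepted because a single-node cluster cannot place replicas;
# "red" means Elasticsearch cannot store messages, so that fails.
smoke_check() {
    status=$(es_cluster_status "$1")
    [ "$status" = "green" ] || [ "$status" = "yellow" ] || return 1
    [ -n "$(graylog_version "$2")" ] || return 1
    graylog_is_up "$3"
}

# Constructed samples shaped like the real responses (values are made up).
SAMPLE_HEALTH='{ "cluster_name" : "graylog-application", "status" : "green", "number_of_nodes" : 1 }'
SAMPLE_API='{"cluster_id":"00000000-0000-0000-0000-000000000000","node_id":"00000000-0000-0000-0000-000000000001","version":"3.1.0"}'
SAMPLE_LOG='2019-10-01T12:00:00.000+08:00 INFO  [ServerBootstrap] Graylog server up and running.'

# Issue the real requests against the local services.
run_live_checks() {
    health=$(curl -s http://localhost:9200/_cluster/health)
    api=$(curl -s http://localhost:9000/api/)
    log=$(tail -n 200 /var/log/graylog-server/server.log)
    if smoke_check "$health" "$api" "$log"; then
        echo "Graylog stack is up (Graylog $(graylog_version "$api"), Elasticsearch $(es_cluster_status "$health"))"
    else
        echo "Graylog stack is not ready yet" >&2
        return 1
    fi
}

if [ "$1" = "--live" ]; then
    run_live_checks
else
    smoke_check "$SAMPLE_HEALTH" "$SAMPLE_API" "$SAMPLE_LOG" && echo "offline sample: healthy"
fi
```

Graylog can take a minute or two after "systemctl start" before the log line appears, so a failing live check right after startup is expected; re-run it a little later before investigating the log.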
Step 9: Log in to Graylog
Let's use the web GUI. The URL has the form:
- http://<server IP address or hostname>:9000/
After entering the URL in the browser, we should see the following login page. The default username is admin and the password is the one chosen above, KataLaluan.
After logging in, we should see the following Graylog page:
Conclusion
We have now installed and configured a Graylog 3.1 server on Debian 10 and can view and analyze system logs from a central location. More information is available on the Graylog documentation page. If you have any questions, please leave a comment and feedback.
Happy logging!