How to monitor log files with Graylog v3.1 on Debian 10

Graylog is a free, open source log management tool based on Java, Elasticsearch and MongoDB. Graylog can collect, index and analyze logs from any server, whether the sources are centralized or distributed. We can use Graylog to spot abnormal activity and to debug applications from their logs. Graylog provides a powerful query language, alerting, processing pipelines for data transformation, and more. Its functionality can also be extended through REST APIs and add-ons.

Currently there is no official guide for Graylog v3.1 on Debian 10.

The process of installing Graylog v3.1 on Debian 10 is divided into 9 steps:

  • Step 1: Update the system with Debian backports
  • Step 2: Install the headless Java runtime v11
  • Step 3: Install some helper tools
  • Step 4: Install MongoDB v4.2, which stores configuration and meta information
  • Step 5: Install Elasticsearch-OSS 6.x, which stores all incoming messages and provides the search tools
  • Step 6: Install Graylog v3.1, which receives logs from the various inputs and provides a web interface for analysis and monitoring
  • Step 7: Configure Graylog
  • Step 8: Test Graylog
  • Step 9: Log in to Graylog

Prerequisites

  • A minimal Debian 10 installation; we can refer to this tutorial.
  • At least 4 GB of RAM, 2 CPU cores and a 20 GB disk
  • Password chosen for this guide: KataLaluan
  • Secret chosen for this guide: SecretRahsiaSecreta
  • Use "su -": Debian recently changed the behavior of the su command, and plain "su" no longer replaces PATH, so use "su -" instead.

Step 1: Update the system with Debian Backport

Configure the system to use the Debian backports repository, then update and upgrade:

cat > /etc/apt/sources.list << EOF
deb http://ftp.debian.org/debian/ buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb http://ftp.debian.org/debian/ buster-updates main contrib non-free
deb http://ftp.debian.org/debian buster-backports main contrib non-free
EOF
apt -y update
apt -y dist-upgrade

Step 2: Install the headless Java runtime v11

Graylog and Elasticsearch are Java-based applications, so we need to install Java on the system. Java is available in the default Debian 10 repository, and we can install it by running:

apt -y install apt-transport-https default-jdk

Step 3: Install some helper tools

During the process we need a few useful helper tools:

  • GnuPG: an implementation of the OpenPGP standard that handles key management (used here to import the repository signing keys)
  • wget: a tool to retrieve files over HTTP, HTTPS and FTP (the most widely used Internet protocols)

apt -y install gnupg wget

Step 4-Install MongoDB v4.2

By default, MongoDB is not available in the Debian 10 default repository. Therefore, we need to add the MongoDB repository to the system:

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 4B7C549A058F8B6B
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/latest-mongodb.list
apt -y update
apt install -y mongodb-org

Enable and start the MongoDB service:

systemctl enable mongod.service
systemctl start mongod.service

Step 5: Install Elasticsearch-OSS 6.x

Currently, Graylog v3.1 does not yet support Elasticsearch-OSS 7.x.

We will add the Elasticsearch signing key and repository to Debian. Using the repository provided by elastic.co, we can install Elasticsearch by running the following commands:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | tee -a /etc/apt/sources.list.d/latest-elastic-6.x.list
apt -y update
apt -y install elasticsearch-oss

Set the Elasticsearch cluster name:

sed -i "s/#cluster.name: my-application/cluster.name: graylog-application/g" /etc/elasticsearch/elasticsearch.yml

Enable and start the Elasticsearch service:

systemctl enable elasticsearch.service
systemctl start elasticsearch.service

Step 6: Install Graylog v3.1

We will download a small Graylog repository package that adds the Graylog signing key and configures the Graylog repository:

cd /tmp/
wget https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.deb
dpkg -i graylog-3.1-repository_latest.deb
apt -y update

Install Graylog by running the following command:

apt -y install graylog-server

Step 7: Configure Graylog

Hash the password, then copy the hash. "KataLaluan" is the password chosen for this guide. The tr step strips the trailing newline that echo adds, so only the password bytes are hashed:

echo 'KataLaluan' | tr -d '\n' | sha256sum | cut -d" " -f1

Add the hashed password to the Graylog configuration file:

sed -i "s/^root_password_sha2 =$/root_password_sha2 = a25d2f6605c9e27f182d39b66a8b527eb7f2360e52b2ccc7614f8ac24e472bef/g" /etc/graylog/server/server.conf

Add a secret of at least 16 characters to the Graylog configuration file:

sed -i "s/^password_secret =$/password_secret = SecretRahsiaSecreta/g" /etc/graylog/server/server.conf

Allow external access to Graylog by binding the HTTP interface to all addresses:

sed -i "s/^#http_bind_address = 127.0.0.1:9000/http_bind_address = 0.0.0.0:9000/g" /etc/graylog/server/server.conf

Set the time zone to your location. Because the zone name contains a slash, the sed substitution uses "|" as its delimiter instead of "/":

sed -i "s|#root_timezone = UTC|root_timezone = Asia/Kuala_Lumpur|g" /etc/graylog/server/server.conf

Enable and start the Graylog service:

systemctl enable graylog-server.service
systemctl start graylog-server.service

If Graylog sits behind a router, the router's WAN IP address must be set as the publish URI in the Graylog configuration; a DNS A record pointing to the same IP address also works:

sed -i '/http_publish_uri =/chttp_publish_uri = http://graylog.howtoforge.com:9000/' /etc/graylog/server/server.conf
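The configuration edits above are easy to get subtly wrong: a stray newline in the password hash, or a value containing "/" handed to a sed substitution that uses "/" as its delimiter. The script below is an added example, not part of the original guide or of Graylog itself. It applies the same settings (password hash, secret, bind address, time zone, optional publish URI) through one helper that escapes sed metacharacters in the value, and it works on a constructed sample of server.conf so it can be exercised before touching the real file. It assumes GNU sed as shipped on Debian 10; the --apply flag and the script file name are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original guide): configure server.conf with a helper
# that escapes sed special characters in values, so paths like Asia/Kuala_Lumpur
# and URLs do not break the substitution. Assumes GNU sed (-i, -E) as on Debian 10.

# Constructed sample containing only the keys this guide touches, in the same
# "key = value" / "#key = default" layout as Graylog's server.conf.
make_sample_conf() {
  cat > "$1" <<'EOF'
root_username = admin
root_password_sha2 =
password_secret =
#root_timezone = UTC
#http_bind_address = 127.0.0.1:9000
#http_publish_uri = http://$http_bind_address/
EOF
}

# SHA-256 of the password bytes only: printf '%s' adds no trailing newline,
# so there is nothing to strip and no risk of deleting real characters.
hash_password() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random hex secret of the requested length (default 64, well above the 16 minimum).
gen_secret() {
  head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-"${1:-64}"
}

# set_conf_key FILE KEY VALUE: uncomment and set an existing "#key =" or "key =" line,
# or append the key if the file has no such line. '/', '&' and '\' in VALUE are
# escaped for the sed replacement so the '/' delimiter stays safe.
set_conf_key() {
  file=$1; key=$2; value=$3
  escaped=$(printf '%s' "$value" | sed 's/[\/&\\]/\\&/g')
  if grep -qE "^#?${key} *=" "$file"; then
    sed -i -E "s/^#?${key} *=.*/${key} = ${escaped}/" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# get_conf_key FILE KEY: print the active (uncommented) value of KEY.
get_conf_key() {
  sed -n -E "s/^$2 *= *//p" "$1"
}

# Apply this guide's settings to a server.conf; PUBLISH_URI is optional.
configure_graylog() {
  conf=$1; password=$2; publish_uri=$3
  set_conf_key "$conf" root_password_sha2 "$(hash_password "$password")"
  set_conf_key "$conf" password_secret "$(gen_secret 64)"
  set_conf_key "$conf" http_bind_address "0.0.0.0:9000"
  set_conf_key "$conf" root_timezone "Asia/Kuala_Lumpur"
  if [ -n "$publish_uri" ]; then
    set_conf_key "$conf" http_publish_uri "$publish_uri"
  fi
}

# Usage on a real host (flag and file name are this example's own conventions):
#   sh configure-graylog.sh --apply 'KataLaluan' http://graylog.howtoforge.com:9000/
if [ "${1:-}" = "--apply" ]; then
  configure_graylog /etc/graylog/server/server.conf "$2" "${3:-}"
fi
```

Run it against a temporary copy first: create one with make_sample_conf, call configure_graylog on it, and inspect the result with get_conf_key before repeating the call on /etc/graylog/server/server.conf.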

Step 8: Test Graylog

Let's test Graylog with a few raw commands. First install netcat and curl:

apt -y install netcat curl

Here is an example command that sends a log message to a UDP input on port 9099 (an input listening on that port must first be created in the Graylog web interface, otherwise nothing receives it):

echo "Hello Graylog, let's be friends." | nc -w 1 -u 127.0.0.1 9099

Here are some example commands to check the status of the Elasticsearch backend used by the Graylog server:

curl -X GET http://localhost:9200
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Follow the Graylog server log with:

tail -f /var/log/graylog-server/server.log
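The commands above show raw output; a practitioner usually wants a check that can say pass or fail. The script below is an added example and not part of the original guide or of Graylog. It extracts the cluster status from the health JSON (yellow is normal on a single node, red means primary shards are missing and ingest will fail), looks for the startup marker in server.log, and wraps the service and test-message checks from this step. The sample JSON and log lines are constructed; the startup log wording is assumed from Graylog 3.x logs, and the --live flag is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original guide): post-install checks for the Graylog stack.
# es_status, es_status_ok and graylog_started run offline on captured text;
# the check_* functions and send_test_message need the live host.

# Constructed sample of what 'curl -XGET http://localhost:9200/_cluster/health?pretty=true'
# returns on a single node: "yellow" means replica shards are unassigned, which is
# expected with one node and still fine for ingest; "red" means primaries are missing.
SAMPLE_ES_HEALTH='{
  "cluster_name" : "graylog-application",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "active_primary_shards" : 4,
  "unassigned_shards" : 4
}'

# Constructed server.log excerpt; the last line is the marker Graylog writes once it
# is ready (assumption: wording taken from Graylog 3.x logs, may differ by version).
SAMPLE_SERVER_LOG='2019-10-01T10:00:01.000+08:00 INFO  [CmdLineTool] Graylog server 3.1.0 starting up
2019-10-01T10:00:20.000+08:00 INFO  [ServerBootstrap] Graylog server up and running.'

# Print the "status" value from cluster-health JSON read on stdin (first match only).
es_status() {
  sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p' | head -n 1
}

# 0 for green/yellow (usable), 1 for red or anything unexpected, including empty.
es_status_ok() {
  case "$1" in green|yellow) return 0 ;; *) return 1 ;; esac
}

# 0 when the log text on stdin contains the startup marker.
graylog_started() {
  grep -q 'Graylog server up and running'
}

# --- live checks (network/systemd; not exercised by the offline test) ---

# Cluster health of the local Elasticsearch, as queried in Step 8.
check_es() {
  status=$(curl -s http://localhost:9200/_cluster/health | es_status)
  echo "elasticsearch: ${status:-unreachable}"
  es_status_ok "$status"
}

# Each service must be enabled (survives a reboot) and currently active.
check_units() {
  for u in mongod elasticsearch graylog-server; do
    systemctl is-enabled --quiet "$u" && systemctl is-active --quiet "$u" \
      || { echo "$u: not enabled and active"; return 1; }
  done
  echo "units: ok"
}

# Graylog must have logged its startup marker before inputs accept messages.
check_graylog_log() {
  graylog_started < /var/log/graylog-server/server.log \
    || { echo "graylog-server: startup marker not found yet"; return 1; }
  echo "graylog-server: up"
}

# Send one test line to a UDP input; the input (port 9099 here, as in Step 8)
# must already exist in the web interface or nothing receives it.
send_test_message() {
  printf '%s\n' "${3:-Hello Graylog, test message from the check script}" \
    | nc -w 1 -u "${1:-127.0.0.1}" "${2:-9099}"
}

# Usage on the host: sh graylog-check.sh --live   (flag is this example's own convention)
if [ "${1:-}" = "--live" ]; then
  check_units && check_es && check_graylog_log && send_test_message && echo "test message sent"
fi
```

After sending the test message, confirm it arrived by searching for it in the web interface; a message that is sent but never shows up usually means the input on that port was not created or is bound to a different address.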

Step 9: Log in to Graylog

Let's use the web GUI. The URL is http://<address>:9000/, where the address can be:

  • the LAN IP address of the Graylog host
  • the WAN IP address of the router in front of it
  • a DNS name pointing to that address

URL samples

  • http://192.168.0.3:9000/
  • http://104.26.2.165:9000/
  • http://graylog.howtoforge.com:9000/

After entering the URL in the browser, we should see the login page. The default username is admin, and the password is the one chosen above, KataLaluan.

After logging in, we should see the Graylog overview page.

Conclusion

Upon completion, we have successfully installed and configured a Graylog 3.1 server on Debian 10. We can now easily view and analyze system logs in a central location. More information is available on the Graylog documentation page. If you have any questions, please leave a comment and feedback.

Happy logging.