Install Graylog server on Ubuntu 20.04 with Let’s Encrypt SSL
Graylog is an open source log aggregation and management tool that can be used to store and analyze collected logs and send alerts on them. Graylog can analyze structured and unstructured logs using Elasticsearch and MongoDB. The logs can come from a variety of systems, including Windows systems, Linux systems, different applications and microservices.
Graylog makes it easier to analyze and monitor these systems and applications from a single host.
Graylog has the following components:
- Graylog server
- MongoDB
- Elasticsearch
Let us get started with the Graylog server installation on the Ubuntu 20.04 host. Then, we will configure SSL using Let’s Encrypt.
For this, we need to install Nginx as a reverse proxy on the system.
Prerequisites
Before we install it on your box, please make sure that your host meets the following minimum requirements:
- 4 CPU cores
- 8 GB RAM
- SSD hard disk space with high IOPS for Elasticsearch log storage
- Ubuntu 20.04 LTS has been installed and updated.
- All packages have been upgraded
With the above conditions met, let us begin the installation process.
Step 1-Install Java on Ubuntu 20.04
Graylog installation requires Java version 8 or higher. In this article, we will use OpenJDK 11.
sudo apt update
sudo apt install -y apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen curl dirmngr
You can verify the Java version you just installed using the java -version command:
$ java -version
openjdk version "11.0.9" 2020-10-20
OpenJDK Runtime Environment (build 11.0.9+11-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.9+11-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
Step 2-Install Elasticsearch on Ubuntu 20.04
Elasticsearch is a tool for storing and analyzing incoming logs from external sources. It uses a web-based RESTful API.
Download and install the Elasticsearch GPG signing key.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Add the Elasticsearch repository to your source list:
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-6.x.list
Install Elasticsearch:
sudo apt update
sudo apt install -y elasticsearch-oss
Configure the cluster name of Graylog.
sudo vim /etc/elasticsearch/elasticsearch.yml
Edit the cluster name to graylog
cluster.name: graylog
Add the following information in the same file
action.auto_create_index: false
Reload the daemon to start the Elasticsearch service.
sudo systemctl daemon-reload
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
You can check the service status as follows:
$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-11-08 12:36:10 UTC; 14s ago
Docs: http://www.elastic.co
Main PID: 1352139 (java)
Tasks: 15 (limit: 4582)
Memory: 1.1G
CGroup: /system.slice/elasticsearch.service
└─1352139 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Des.>
Nov 08 12:36:10 graylog.computingforgeeks.com systemd[1]: Started Elasticsearch.
Elasticsearch runs on port 9200, which can be verified with the following curl command:
curl -X GET http://localhost:9200
You should see the cluster name in the output.
$ curl -X GET http://localhost:9200
{
"name" : "RQ7y68X",
"cluster_name" : "graylog",
"cluster_uuid" : "Dp948OGjT-uFz_LuOiW6ng",
"version" : {
"number" : "6.8.13",
"build_flavor" : "oss",
"build_type" : "deb",
"build_hash" : "be13c69",
"build_date" : "2020-10-16T09:09:46.555371Z",
"build_snapshot" : false,
"lucene_version" : "7.7.3",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
Step 3-Install MongoDB on Ubuntu 20.04
Download and install MongoDB from Ubuntu’s base repository.
sudo apt update
sudo apt install -y mongodb-server
Start MongoDB
sudo systemctl start mongodb
sudo systemctl enable mongodb
$ systemctl status mongodb
● mongodb.service - An object/document-oriented database
Loaded: loaded (/lib/systemd/system/mongodb.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-11-08 12:45:21 UTC; 1s ago
Docs: man:mongod(1)
Main PID: 1352931 (mongod)
Tasks: 3 (limit: 4582)
Memory: 27.9M
CGroup: /system.slice/mongodb.service
└─1352931 /usr/bin/mongod --unixSocketPrefix=/run/mongodb --config /etc/mongodb.conf
Nov 08 12:45:21 graylog.computingforgeeks.com systemd[1]: Started An object/document-oriented database.
Step 4-Install Graylog server on Ubuntu 20.04
Download and configure the Graylog repository.
wget https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.deb
sudo apt install ./graylog-3.3-repository_latest.deb
Install Graylog server:
sudo apt update
sudo apt install -y graylog-server
Generate a secret used to protect the user passwords with the pwgen command:
pwgen -N 1 -s 96
The output should look like this:
FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum
Edit the graylog configuration file to add the secret we just created:
sudo vim /etc/graylog/server/server.conf
Find password_secret = and add the secret created above.
password_secret= FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum
Also add the following lines to the /etc/graylog/server/server.conf file:
rest_listen_uri = http://127.0.0.1:9000/api/
web_listen_uri = http://127.0.0.1:9000/
The next step is to create a SHA-256 hash of the administrator password. This is the password required to log in to the web interface.
echo -n Str0ngPassw0rd | sha256sum
Replace “Str0ngPassw0rd” with a password of your choice.
You will get the following output:
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Edit the /etc/graylog/server/server.conf file and put the hashed password in root_password_sha2 =
sudo vi /etc/graylog/server/server.conf
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Graylog is now configured and ready to use.
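The two secrets from Step 4 are easy to get subtly wrong: a password typed on the command line stays in shell history, and the raw sha256sum output ends in "  -", which must not be pasted into the file. The following is an added example, not part of the original guide; the function names and the 64-character threshold are choices made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.

# Hash the first line of stdin without its trailing newline and print only
# the 64 hex digits (sha256sum itself appends "  -" after the hash).
sha256_hex() {
    head -n 1 | tr -d '\n' | sha256sum | cut -d ' ' -f 1
}

# Prompt without echo, so the password never appears in shell history.
prompt_hash() {
    printf 'Admin password: ' >&2
    stty -echo; IFS= read -r gl_pw; stty echo; echo >&2
    printf '%s' "$gl_pw" | sha256_hex; unset gl_pw
}

# Print the value of key $1 from properties file $2 (last assignment wins).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one finding per line for config file $1; print nothing if it passes.
audit_graylog_conf() {
    gl_secret=$(conf_get password_secret "$1")
    gl_hash=$(conf_get root_password_sha2 "$1")
    # 64 is a threshold chosen for this example; the guide's pwgen call gives 96.
    [ "${#gl_secret}" -ge 64 ] ||
        echo "password_secret: missing or shorter than 64 characters"
    printf '%s' "$gl_hash" | grep -Eq '^[0-9a-fA-F]{64}$' ||
        echo "root_password_sha2: not a bare 64-digit hex SHA-256"
    return 0
}

# Constructed sample: a short secret and a hash pasted with the "  -" suffix.
demo_bad_conf() {
    gl_tmp=$(mktemp)
    printf 'password_secret = tooshort\nroot_password_sha2 = %s  -\n' \
        "$(printf 'abc' | sha256_hex)" > "$gl_tmp"
    audit_graylog_conf "$gl_tmp"
    rm -f "$gl_tmp"
}

demo_bad_conf   # reports both settings of the constructed sample
```

On the server, run prompt_hash to produce the value for root_password_sha2, then audit_graylog_conf /etc/graylog/server/server.conf (with sudo if the file is not readable) before starting the service.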
Start the Graylog service:
sudo systemctl daemon-reload
sudo systemctl start graylog-server
sudo systemctl enable graylog-server
You can check whether the service has started successfully from the log:
sudo tail -f /var/log/graylog-server/server.log
Output:
2020-11-08T13:37:55.067Z INFO [ServerBootstrap] Graylog server up and running.
Step 5-Set up SSL using “Let’s Encrypt”
The next step is to configure SSL so that we can access the Graylog web interface via HTTPS.
For this, we will need the following:
- Fully Qualified Domain Name (FQDN)
- Nginx
- Let’s Encrypt certificate
Use the following steps to install and configure Nginx.
1. Update the system and install nginx
sudo apt-get update
sudo apt install nginx
2. Configure the firewall
sudo ufw allow 'Nginx Full'
3. Create a virtual host with your domain name
Create a file in /etc/nginx/sites-available/, e.g.:
sudo vim /etc/nginx/sites-available/graylog.yourdomain.com.conf
Add the following content to the file:
server {
    listen 80;
    server_name graylog.yourdomain.com;
    return 301 https://$host$request_uri;
    access_log /var/log/nginx/graylog.yourdomain.com.access.log combined;
    error_log /var/log/nginx/graylog.yourdomain.com.error.log;
}
Remember to substitute graylog.yourdomain.com with your FQDN.
4. Create a symbolic link from the file we just created in /etc/nginx/sites-available to /etc/nginx/sites-enabled
sudo ln -s /etc/nginx/sites-available/graylog.yourdomain.com.conf /etc/nginx/sites-enabled/
5. Check whether the nginx configuration is correct by running the nginx -t command.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
6. Install certbot for Let’s Encrypt.
sudo apt install certbot python3-certbot-nginx
7. Run certbot for nginx
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: graylog.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for graylog.computingforgeeks.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/graylog.computingforgeeks.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/graylog.computingforgeeks.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://graylog.computingforgeeks.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=graylog.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/graylog.computingforgeeks.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/graylog.computingforgeeks.com/privkey.pem
Your cert will expire on 2021-02-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
We have successfully obtained an SSL certificate for our domain.
The next step is to configure a reverse proxy on Nginx, which will be used to serve Graylog running on the same host on port 9000.
Edit the /etc/nginx/sites-available/graylog.yourdomain.com.conf file and add the following configuration under the location section.
location /
{
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
    proxy_pass http://127.0.0.1:9000;
}
The final configuration file should look like this:
server {
    listen 80;
    server_name graylog.computingforgeeks.com;
    return 301 https://$host$request_uri;
    access_log /var/log/nginx/graylog.computingforgeeks.com.access.log combined;
    error_log /var/log/nginx/graylog.computingforgeeks.com.error.log;
}
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name graylog.computingforgeeks.com;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/graylog.computingforgeeks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/graylog.computingforgeeks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_pass http://127.0.0.1:9000;
    }
}
Verify the nginx configuration with nginx -t to make sure it is valid.
Now restart the nginx service.
sudo systemctl restart nginx
With the above steps completed, you should be able to access the Graylog dashboard at https://graylog.yourdomain.com.
Remember to replace graylog.yourdomain.com with your FQDN.
The default username for Graylog is admin, and the password is the one we configured in Step 4 (Install Graylog server) above. In my case, this would be “Str0ngPassw0rd”.
Now you can start using the Graylog web dashboard with SSL configured.
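The reverse proxy only protects the dashboard if Graylog stays bound to 127.0.0.1:9000 as configured in Step 4, and the same goes for Elasticsearch and MongoDB, which are unencrypted in this setup. The following is an added example, not part of the original guide, that reads ss -tln output and reports any of these backends listening on a non-loopback address; the function names and the sample output are constructed for illustration, and 27017 is MongoDB's default port rather than a value from the guide.

```sh
#!/bin/sh
# Added example, not part of the original guide.

# Ports that should only be reachable through nginx or locally.
# 9000 (Graylog) and 9200 (Elasticsearch) come from the guide; 27017 is
# MongoDB's default port and is an assumption about this install.
BACKEND_PORTS="9000 9200 27017"

# Read `ss -tln` output on stdin; print every watched port that is bound to
# a non-loopback address.
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (!(port in watch)) next
            # IPv4 loopback, IPv6 loopback and IPv4-mapped loopback are fine.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port " listening on " addr
        }'
}

# Constructed sample of `ss -tln` output: Graylog bound to all interfaces.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN 0      511           0.0.0.0:80          0.0.0.0:*
LISTEN 0      511           0.0.0.0:443         0.0.0.0:*
LISTEN 0      4096        127.0.0.1:27017       0.0.0.0:*
LISTEN 0      4096 [::ffff:127.0.0.1]:9200            *:*
LISTEN 0      4096                *:9000              *:*
EOF
}

sample_ss_output | exposed_backends   # prints: 9000 listening on *
# On the server itself: ss -tln | exposed_backends
```

An empty result on the live host means only nginx on ports 80 and 443 is reachable from the network.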
Conclusion
We have successfully installed the Graylog server, configured SSL through an Nginx reverse proxy, and successfully logged in to the web interface.
Configuring SSL on the Graylog server is important to protect the system.
If you encounter any challenges during the setup process, please feel free to comment or ask any questions in the comments section.