Graylog2 is a centralized log management system. It is based on Elasticsearch and MongoDB, and is able to analyze and aggregate log messages from multiple sources. I don't think it would be wrong to say that Graylog2 is one of the big players when it comes to centralized log management systems. It won't take you long to understand how to use Graylog2, and once you do, you won't want to be without it!

I am using Graylog2 to pull log files from all my servers and a pfSense firewall, and my life has become much simpler since! It is so easy to create a stream of the exact log files you want to collect. Just to give you an example of what a stream is: I have created a stream that shows me accepted/failed SSH and OpenVPN login attempts, and another one for every time the root user is used.

Table of Content:
– Step 1. Pre-requisites
– Step 2. Install & configure Elasticsearch
– Step 3. Install MongoDB
– Step 4. Install & Configure Graylog2
– Step 5. Install Graylog web interface
– Step 6. Create a syslog input
– Step 7. Configure rsyslog (Client) to send to Graylog

Step 1. Pre-requisites
You have to be root! The first thing we are going to do is disable the CentOS firewall and SELinux as a start (we will enable the firewall again later).

Step 6. Create a syslog input
We are going to create a syslog UDP input now. Go to System - Inputs, choose Syslog UDP from the drop-down and click Launch new input. Choose your Graylog2 node, give the input a title and set your Graylog2 server IP as the bind address. If you have been looking at other guides and noticed they all run their syslog UDP input on port 514, then forget about that and set it to 1514. The reason is that ports below 1024 can only be bound by the root user, and in this case we don't want that! (I have been in touch with a Graylog2 dev about this.) Scroll down and click Launch.

Step 7. Configure rsyslog (Client) to send to Graylog
Now log in to the server you want to pull the log files from and make sure rsyslog is installed! For Ubuntu 14.04:
Squid is capable of sending each access log line as text data to a TCP or a UDP receiver. We can use it to send logs to Graylog. The following line in the Squid configuration file squid.conf will do the job: The above assumes that a graylog.example.com server has a GELF input listener on a UDP port 12201.
Introduction
Graylog is a powerful open-source log management platform. It aggregates and extracts important data from server logs, which are often sent using the Syslog protocol. It also allows you to search and visualize the logs in a web interface.

In this tutorial, you'll install and configure Graylog on Ubuntu 16.04, and set up a simple input that receives system logs.

Prerequisites
Before you begin this tutorial, you'll need:

– One Ubuntu 16.04 server with at least 2 GB of RAM, private networking enabled, and a non-root user. This can be set up by following the.
– Oracle JDK 8 installed, which you can do by following the 'Installing the Oracle JDK' section of.
– Elasticsearch 2.x, which you can install by following Steps 1 and 2 of. Certain versions of Graylog only work with certain versions of Elasticsearch. For example, Graylog 2.x does not work with Elasticsearch 5.x. Refer to for the exact version. This tutorial uses Elasticsearch 2.4.4 and Graylog 2.2.
– MongoDB, which can be installed by following the.

Step 1 — Configuring Elasticsearch
We need to modify the Elasticsearch configuration file so that the cluster name matches the one set in the Graylog configuration file. To keep things simple, we'll set the Elasticsearch cluster name to the default Graylog name of graylog. You may set it to whatever you wish, but make sure you update the Graylog configuration file to reflect that change.

Open the Elasticsearch configuration file in your editor:

sudo nano /etc/elasticsearch/elasticsearch.yml

Find the following line.
/etc/elasticsearch/elasticsearch.yml

cluster.name: graylog

Save the file and exit your editor. Since we modified the configuration file, we have to restart the service for the changes to take effect.

sudo systemctl restart elasticsearch

Now that you have configured Elasticsearch, let's move on to installing Graylog.
Step 2 — Installing Graylog
In this step, we'll install the Graylog server.

First, download the package file containing the Graylog repository configuration. Visit the to find the current version number. We'll use version 2.2 for this tutorial.

wget <repository URL from the Graylog download page>/graylog-2.2-repository_latest.deb

Next, install the repository configuration from the .deb package file, again replacing 2.2 with the version you downloaded.

sudo dpkg -i graylog-2.2-repository_latest.deb

Now that the repository configuration has been updated, we have to fetch the new list of packages. Execute this command:

sudo apt-get update

Next, install the graylog-server package:
sudo apt-get install graylog-server

Lastly, start Graylog automatically on system boot with this command:

sudo systemctl enable graylog-server.service

Graylog is now successfully installed, but it's not started yet. We have to configure it before it will start.

Step 3 — Configuring Graylog
Now that we have Elasticsearch configured and Graylog installed, we need to change a few settings in the default Graylog configuration file before we can use it. Graylog's configuration file is located at /etc/graylog/server/server.conf by default.

First, we need to set the password_secret value. Graylog uses this value to secure the stored user passwords. We will use a randomly-generated 128-character value. We will use pwgen to generate it, so install pwgen if it isn't already installed:
sudo apt install pwgen

Generate the secret and place it in the Graylog configuration file. We'll use the sed program to inject the password_secret value into the Graylog configuration file, so we don't have to copy and paste any values.
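As an added example (not the tutorial's own command), the same password_secret and root_password_sha2 setup scripted so it can be tested against a copy of server.conf first; it assumes sha256sum and /dev/urandom are available and uses pwgen only when it is installed.

```shell
# Added example: script the Step 3 secrets for a Graylog server.conf.
# Assumes sha256sum and /dev/urandom exist; pwgen is used when installed.

# 128-character random secret, as the tutorial's "pwgen -s 128 1" produces;
# falls back to /dev/urandom when pwgen is absent.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s 128 1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 128
        echo
    fi
}

# Hex SHA-256 of the admin password, which is what root_password_sha2 holds.
# printf (not echo) so no trailing newline ends up inside the hashed input.
hash_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Replace both keys in the given server.conf. The sed expressions are in
# double quotes so $secret and $pw_hash expand; in single quotes sed would
# write the literal text "$(pwgen -s 128 1)" into the config file instead.
configure_graylog_secrets() {
    conf="$1"
    secret=$(gen_secret)
    pw_hash=$(hash_password "$2")
    sed -i -e "s/^password_secret =.*/password_secret = $secret/" \
           -e "s/^root_password_sha2 =.*/root_password_sha2 = $pw_hash/" "$conf"
}

# Constructed stand-in for the relevant lines of /etc/graylog/server/server.conf.
make_sample_conf() {
    printf 'is_master = true\npassword_secret =\nroot_password_sha2 =\n' > "$1"
}

# Read one key back, e.g. to verify the rewrite before touching the real file.
conf_value() {
    sed -n "s/^$2 = //p" "$1"
}
```

Run it on a copy first (make_sample_conf, then configure_graylog_secrets copy.conf 'your password') and check both keys with conf_value before applying the same sed lines to the live file.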
Execute this command to create the secret and store it in the file:

sudo -E sed -i -e "s/password_secret =.*/password_secret = $(pwgen -s 128 1)/" /etc/graylog/server/server.conf

The sed expression must be in double quotes so that the shell expands $(pwgen -s 128 1) before sed sees it. For more information on using sed, see.

Next, we need to set the root_password_sha2 value. This is a SHA-256 hash of your desired password.

Then set the listen URIs in /etc/graylog/server/server.conf:

rest_listen_uri = http://your_server_ip_or_domain:9000/api/
web_listen_uri = http://your_server_ip_or_domain:9000/

Save the file and exit your editor. Since we changed the configuration file, we have to restart (or start) the graylog-server service.

On each server you want to send logs from, create /etc/rsyslog.d/60-graylog.conf with the following line:
*.* @your_server_private_ip:8514;RSYSLOG_SyslogProtocol23Format

Save and exit your editor. Restart the rsyslog service so the changes take effect.

sudo systemctl restart rsyslog

Repeat these steps for each server you want to send logs from.

You should now be able to view your logs in the web interface. Click the Sources tab in the navigation bar to view a graph of the sources. It should look something like this:

You can also click the Search tab in the navigation bar to view an overview of the most recent logs. You can learn more about searches in the.
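To see what the RSYSLOG_SyslogProtocol23Format line above actually ships to the Graylog input, here is an added example (not code from either tutorial) that parses such RFC 5424 lines into the fields Graylog indexes and picks out the accepted/failed SSH logins that the stream mentioned at the top of the page is built around; the sample lines are constructed.

```python
# Added example (not from the original tutorials): parse the RFC 5424 lines that
# rsyslog emits with RSYSLOG_SyslogProtocol23Format and pick out the SSH login
# events a Graylog stream would be built on. All sample lines are constructed.
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 9: "cron", 10: "authpriv"}

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (only a single structured-data element, or "-", is handled here)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")

SSH_EVENT = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

def parse_rfc5424(line):
    """Split one forwarded syslog line into the fields Graylog indexes."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    rec = m.groupdict()
    pri = int(rec["pri"])                      # PRI = facility * 8 + severity
    rec["facility"] = FACILITIES.get(pri // 8, str(pri // 8))
    rec["severity"] = SEVERITIES[pri % 8]
    rec["msg"] = rec["msg"].strip()            # rsyslog often keeps a leading space
    return rec

def ssh_login_events(lines):
    """(result, user, source) for sshd Accepted/Failed logins, i.e. the messages
    a stream rule on application_name sshd plus a message filter would match."""
    events = []
    for line in lines:
        rec = parse_rfc5424(line)
        if rec["app"] != "sshd":
            continue
        e = SSH_EVENT.match(rec["msg"])
        if e:
            events.append((e.group("result"), e.group("user"), e.group("src")))
    return events

SAMPLE_LINES = [  # constructed: what 60-graylog.conf would forward from a host
    "<86>1 2017-03-01T12:00:00.123456+00:00 web01 sshd 1234 - -  Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:constructed",
    "<86>1 2017-03-01T12:00:05.000000+00:00 web01 sshd 1250 - -  Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "<78>1 2017-03-01T12:00:06.000000+00:00 web01 CRON 900 - -  (root) CMD (run-parts /etc/cron.hourly)",
]
```

Calling ssh_login_events(SAMPLE_LINES) yields one Accepted and one Failed tuple; the CRON line is parsed (facility cron) but ignored because it is not from sshd.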
Conclusion
You now have a working Graylog server with an input source that can collect logs from other servers.

Next, you might want to look into setting up dashboards, alerts, and streams. Dashboards provide a quick overview of your logs.
Streams categorize messages, which you can monitor with alerts. To learn more about configuring the more advanced features of Graylog, you can find instructions in the.