Installing Graylog 5 on Debian: A Step-by-Step Guide
Graylog is a robust open-source log management solution designed to simplify the process of collecting, indexing, and analyzing log data. In this step-by-step guide, we will delve into the installation of Graylog 5 on a Debian system. By the end of this tutorial, you’ll have a fully operational Graylog instance ready to streamline your log management workflow.
Step 1: Before installing Graylog, make sure the system has the required dependencies. The command below installs the packages and tools needed for the subsequent steps.
sudo apt install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr gnupg wget
Step 2: Install MongoDB
Graylog relies on MongoDB as its backend database. The commands in this step download and install MongoDB version 5.0, configure the repository, and set up the MongoDB service.
wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | sudo apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/5.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list
sudo apt update
sudo apt install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl status mongod
Step 3: Install Elasticsearch
Elasticsearch serves as the storage and retrieval engine for Graylog. This step involves installing Elasticsearch version 7.x, configuring its settings, and ensuring it starts as a system service.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install elasticsearch-oss
sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null << EOT
cluster.name: graylog
action.auto_create_index: false
EOT
# OPTIONAL: Adjust JVM Memory Limits
sudo nano /etc/elasticsearch/jvm.options
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl status elasticsearch.service
Step 4: Test Elasticsearch (Optional)
Use the optional command below to verify that Elasticsearch is installed correctly, running, and accessible on the specified port.
sudo apt install curl
curl http://localhost:9200/
Step 5: Install Graylog
Download and install the Graylog repository, update the package list, and install the Graylog server. This step sets the foundation for the Graylog instance on your Debian system.
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
sudo apt update
sudo apt install graylog-server
Step 6: Configure Graylog
Generate a secure password for Graylog, configure its settings, and adjust JVM memory limits if needed. This step ensures that Graylog is properly configured and secured. It also involves editing the server configuration file to bind Graylog to the specified IP address.
Generate “password_secret”.
pwgen -N 1 -s 96
Generate “root_password_sha2”. This command produces the hashed value of your “admin” user password.
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Copy and paste the generated “password_secret” and the hashed admin password “root_password_sha2” into “server.conf”.
sudo nano /etc/graylog/server/server.conf
Add the line below to “server.conf” to allow access to Graylog from hosts other than localhost.
http_bind_address = 0.0.0.0
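The three edits above can also be scripted. The following is an added example, not part of the original guide or of Graylog's packaging: it reads the admin password without echoing it and writes “password_secret”, “root_password_sha2” and “http_bind_address” into the config file. The function names, the --apply switch and the script file name are this example's own, and it assumes GNU sed.

```shell
#!/bin/sh
# Added example: script the server.conf edits from Step 6 (needs GNU sed).
# Function names and the --apply switch are this example's own.

# 96-character random secret, same length as `pwgen -N 1 -s 96`.
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        # Fallback when pwgen is missing: alphanumerics from the kernel CSPRNG.
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
    fi
}

# SHA-256 hex digest of the first line on stdin, newline excluded.
hash_password() {
    head -n 1 | tr -d '\n' | sha256sum | cut -d' ' -f1
}

# set_conf_key FILE KEY VALUE
# Rewrites an uncommented "KEY = ..." line in place; appends one if none exists.
# VALUE must not contain '|' or '&' (true for the three values used here).
set_conf_key() {
    conf_file=$1 conf_key=$2 conf_value=$3
    if grep -Eq "^${conf_key}[[:space:]]*=" "$conf_file"; then
        sed -i -E "s|^${conf_key}[[:space:]]*=.*|${conf_key} = ${conf_value}|" "$conf_file"
    else
        printf '%s = %s\n' "$conf_key" "$conf_value" >> "$conf_file"
    fi
}

# Usage (as root, file name arbitrary): sh graylog-conf.sh --apply [path/to/server.conf]
if [ "${1:-}" = "--apply" ]; then
    conf=${2:-/etc/graylog/server/server.conf}
    printf 'Enter admin password: ' >&2
    stty -echo 2>/dev/null          # keep the password off the screen
    IFS= read -r admin_pw
    stty echo 2>/dev/null
    printf '\n' >&2
    [ -n "$admin_pw" ] || { echo 'empty password, nothing changed' >&2; exit 1; }
    set_conf_key "$conf" password_secret "$(gen_secret)"
    set_conf_key "$conf" root_password_sha2 "$(printf '%s' "$admin_pw" | hash_password)"
    set_conf_key "$conf" http_bind_address 0.0.0.0
    unset admin_pw
fi
```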
OPTIONALLY: Adjust JVM Memory Limits.
sudo nano /etc/default/graylog-server
Ensure Graylog is running and is set to start as a system service.
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl status graylog-server.service
Congratulations! You’ve successfully installed Graylog 5 on Debian. You can now access the Graylog web interface by navigating to http://<your-server-ip>:9000/ in your web browser. Replace <your-server-ip> with the actual IP address or hostname of your Graylog server.
Security Considerations: While Graylog is now accessible, it’s important to note that exposing services to all network interfaces may have security implications. To enhance security, it is strongly recommended to set up a reverse proxy with SSL/TLS for encrypted and secure connections.