Most systems and software nowadays generate logs, including web browsers, operating systems, firewalls, and intrusion detection systems. A log monitoring solution is important in such an environment: it acts as a watchtower over your network activity.
A log management solution offers services such as inspecting system events and storing user actions such as renaming, creating or deleting files. When consolidated, the logs generated at these different points are crucial not only for accountability but also for keeping your organization safe. They give insight into an attack while it is occurring and serve forensic purposes, such as knowing at what point an attack originated.
Graylog is a good open-source log management solution that offers robust features such as analyzing logs, visualizing logs, and customizing alerts and the actions they trigger.
- Ubuntu VPS or Dedicated Server running Ubuntu 18.04
- A non-root user configured with sudo privileges
- You need to be conversant with the Linux environment for this tutorial
Update your Linux system packages
$ sudo apt update && sudo apt upgrade
Install additional packages
Graylog is built using Java, so it can technically run anywhere; however, this requires you to install the Java Development Kit, which contains the Runtime Environment too. Along with this, you will need to install some other additional packages:
$ sudo apt install openjdk-8-jre pwgen uuid-runtime apt-transport-https
MongoDB, a NoSQL database, is used by Graylog to store user-specific configuration data, but not your log data. Here is how to install and enable it:
- Get the public key used by the package manager:
$ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
- Create a MongoDB list file
$ echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
- Reload system packages db and install MongoDB
$ sudo apt update
$ sudo apt install -y mongodb-org
- Start and enable MongoDB services during system start-up.
$ sudo systemctl start mongod
$ sudo systemctl enable mongod
Install and Configure Elasticsearch
In order to store the log data and perform data analytics using Graylog’s custom-written algorithms, install Elasticsearch and configure the cluster name afterwards:
- Get the public key for the package manager usage
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- Create a list file for Elasticsearch
$ echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
- Install the Elasticsearch package
$ sudo apt update && sudo apt install elasticsearch
- Start and enable the Elasticsearch service
$ sudo systemctl start elasticsearch
$ sudo systemctl enable elasticsearch
Open the configuration file at /etc/elasticsearch/elasticsearch.yml. Search for the cluster.name entry, uncomment the line and change the value my-application to Graylog.
Now, to finally install the Graylog repository and server package, use the following commands:
$ wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
$ sudo dpkg -i graylog-2.4-repository_latest.deb
$ sudo apt update && sudo apt install graylog-server
After successful completion, you now need to generate a secret key (password_secret) and a root_password_sha2 (the SHA-256 hash of the administrator account password).
To generate a root_password_sha2, use the following command while replacing the "password" with your own password.
$ echo -n password | sha256sum
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8  -
To generate the password_secret, you can use the pwgen command (80 secure characters, one password):
$ pwgen -s 80 1
Zb4NpK0im9I4FoWGp20o0E0EFWiGjXNZdM3miaF6bi1MqKD2zfjfiGILSlpraqYSVeoLZzXz9WcEpoE6
Open the server configuration file over at /etc/graylog/server/server.conf and make the following changes:
- Add the password_secret and root_password_sha2 values from the outputs of the commands above. Use only the hex digest for root_password_sha2; do not copy the trailing "-" that sha256sum prints after the hash.
- Add the web_listen_uri and the rest_listen_uri values accordingly.
The configuration file should look similar to the one below:
...
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
password_secret = Zb4NpK0im9I4FoWGp20o0E0EFWiGjXNZdM3miaF6bi1MqKD2zfjfiGILSlpraqYSVeoLZzXz9WcEpoE6

# The default root user is named 'admin'
#root_username = admin

# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
...
Start the Graylog server (the systemd unit is named graylog-server) and check its status to verify that it is running:
$ sudo systemctl start graylog-server
$ sudo systemctl status graylog-server
● graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-10-25 00:22:14 CDT; 54s ago
     Docs: http://docs.graylog.org/
 Main PID: 571 (graylog-server)
   CGroup: /system.slice/graylog-server.service
           ├─571 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─572 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThr
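The secret, hash and server.conf steps above can be scripted and checked before the service is started. The helper below is an added example, not part of the original tutorial or of Graylog itself; it assumes the Graylog 2.4 server.conf layout shown above ("key = value" lines, "#" comments) and replaces pwgen with /dev/urandom so that it needs no extra package.

```shell
#!/bin/sh
# Added example helper (not from the tutorial or Graylog): generate password_secret and
# root_password_sha2, write them into server.conf, and sanity-check the result.
# Assumes the Graylog 2.4 server.conf layout shown above ("key = value", '#' comments).

sha256_hex() {
  # Keep only the hex digest: sha256sum prints "<hex>  -", and pasting that trailing
  # " -" into server.conf is an easy mistake that makes the admin login fail.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | awk '{print $1}'
  else shasum -a 256 | awk '{print $1}'; fi
}

root_password_hash() {
  # printf '%s' (like echo -n) so the newline is not hashed as part of the password
  printf '%s' "$1" | sha256_hex
}

gen_password_secret() {
  # Graylog requires at least 64 characters; the shipped server.conf suggests 96.
  # /dev/urandom replaces pwgen here so the script needs no extra package.
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

set_conf_key() {
  # Usage: set_conf_key <file> <key> <value>
  # Replace an existing "key = ..." line (commented out or not), otherwise append one.
  _f=$1 _k=$2 _v=$3
  if grep -Eq "^#?$_k = " "$_f"; then
    awk -v k="$_k" -v v="$_v" '$0 ~ "^#?" k " = " { print k " = " v; next } { print }' \
      "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
  else
    printf '%s = %s\n' "$_k" "$_v" >> "$_f"
  fi
}

check_graylog_config() {
  # Reject the two mistakes that keep graylog-server or the admin login from working:
  # a short or missing secret, and a hash that is not a bare 64-character hex digest.
  _s=$(awk -F' = ' '$1 == "password_secret" { print $2 }' "$1")
  _h=$(awk -F' = ' '$1 == "root_password_sha2" { print $2 }' "$1")
  [ ${#_s} -ge 64 ] || { echo "password_secret must be at least 64 chars" >&2; return 1; }
  printf '%s' "$_h" | grep -Eq '^[0-9a-f]{64}$' ||
    { echo "root_password_sha2 must be 64 hex chars with no trailing ' -'" >&2; return 1; }
}

# Typical use on the Graylog host (as root):
#   set_conf_key /etc/graylog/server/server.conf password_secret "$(gen_password_secret)"
#   set_conf_key /etc/graylog/server/server.conf root_password_sha2 "$(root_password_hash 'yourpassword')"
#   check_graylog_config /etc/graylog/server/server.conf && systemctl restart graylog-server
```

check_graylog_config fails on exactly the copy-paste error shown in the uncorrected sample configuration (a hash with a trailing " -"), so run it before every restart.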
You have successfully installed Graylog server on your Ubuntu 18.04 VPS or dedicated server. Graylog can be configured according to the size of your operations.
This ranges from the most basic setup, where all three components (Elasticsearch, MongoDB and Graylog) reside on one host, to a multi-node environment where the components reside on different hosts.