How to install Graylog2 on Ubuntu 15.04 / 14.10
graylog2 systemd scripts

Graylog 1.3 prerequisites

Graylog 1.3 is not compatible with Elasticsearch 2.x, so checking the installed Elasticsearch version first is essential.

Ubuntu 15 ships Elasticsearch 2.2 by default, so Graylog 2.x must be installed there.

$ aptitude show elasticsearch
Package: elasticsearch              
State: installed
Automatically installed: no
Version: 2.2.0

Graylog 1.3 Installation

The Graylog server application has the following prerequisites:

  • Some modern Linux distribution (Debian Linux, Ubuntu Linux, or CentOS recommended)
  • Elasticsearch 1.7.3 or later (Elasticsearch 2.x is currently not supported)
  • MongoDB 2.0 or later (latest stable version is recommended)
  • Oracle Java SE 7 or later (Oracle Java SE 8 is supported, OpenJDK 7 and OpenJDK 8 also work; latest stable update is recommended)

Graylog 2.x Installation

Graylog 2.0 Installation

Graylog 2.x prerequisites

You will need to have the following services installed, either on the host you are running graylog-server on or on dedicated machines. The Graylog 2.x server application has the following prerequisites:

  • Some modern Linux distribution (Debian Linux, Ubuntu Linux, or CentOS recommended)
  • Elasticsearch 2.1.x or later
  • MongoDB 2.0 or later (latest stable version is recommended)
  • Oracle Java SE 8 or later (Oracle Java SE 7 is end of life and is no longer supported. OpenJDK 8 also works; latest stable update is recommended)
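As an added example (not part of the original post), the script below turns the two prerequisite lists above into a check: it reads the Elasticsearch version out of `aptitude show elasticsearch` output and decides which Graylog series that version supports (Graylog 1.3 needs Elasticsearch 1.7.3 or later but not 2.x; Graylog 2.x needs 2.1.x or later). It needs only POSIX sh and awk; the aptitude output embedded at the bottom is a constructed copy of the one shown earlier on this page.

```shell
#!/bin/sh
# Added example, not part of the original post: map the installed Elasticsearch
# version to the Graylog series it supports, per the prerequisites quoted above.

# n-th dotted component of a version string as a number (missing -> 0; a package
# suffix such as "0-1ubuntu1" collapses to its leading number).
vfield() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n + 0 }'
}

# Compare dotted versions a and b on major.minor.patch; prints -1, 0 or 1.
vercmp() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0
        elif [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0
        fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Is Elasticsearch version $2 acceptable for Graylog series $1 ("1" or "2")?
# Returns 0 when compatible, 1 when not, 2 for an unknown series.
es_compatible() {
    case $1 in
        1) [ "$(vercmp "$2" 1.7.3)" -ge 0 ] && [ "$(vercmp "$2" 2.0.0)" -lt 0 ] ;;
        2) [ "$(vercmp "$2" 2.1.0)" -ge 0 ] ;;
        *) return 2 ;;
    esac
}

# Name the Graylog series to install for a given Elasticsearch version.
recommend_series() {
    if es_compatible 2 "$1"; then echo "Graylog 2.x"
    elif es_compatible 1 "$1"; then echo "Graylog 1.3"
    else echo "unsupported Elasticsearch version $1"
    fi
}

# Pull the version out of `aptitude show elasticsearch` output read on stdin.
apt_version() {
    awk '/^Version:/ { print $2; exit }'
}

# Constructed copy of the aptitude output shown above. On a real host run:
#   aptitude show elasticsearch | apt_version
SAMPLE_APTITUDE='Package: elasticsearch
State: installed
Automatically installed: no
Version: 2.2.0'

es=$(printf '%s\n' "$SAMPLE_APTITUDE" | apt_version)
echo "Elasticsearch $es -> install $(recommend_series "$es")"
```

With the 2.2.0 sample the script prints that Graylog 2.x is the series to install, which is exactly the conclusion drawn above for Ubuntu 15.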

Graylog 2.x Manual Setup

Graylog 2.0 Manual Setup

Download Graylog 2.x

~$ tar xvfz graylog-2.VERSION.tgz
~$ sudo cp -r graylog-2.VERSION /usr/share/graylog2-server
~$ sudo mkdir -p /etc/graylog/server
~$ cd /usr/share/graylog2-server
/usr/share/graylog2-server$ sudo cp graylog.conf.example /etc/graylog/server/server.conf

Configure at least the following variables in /etc/graylog/server/server.conf:

$ sudo vim /etc/graylog/server/server.conf

is_master = true
> Set only one graylog-server node as the master. This node will perform periodical and maintenance actions that slave nodes won’t. Every slave node will accept messages just as the master nodes. Nodes will fall back to slave mode if there already is a master in the cluster.

password_secret
> You must set a secret that is used for password encryption and salting here. The server will refuse to start if it’s not set. Generate a secret with for example pwgen -N 1 -s 96. If you run multiple graylog-server nodes, make sure you use the same password_secret for all of them!

root_password_sha2
> A SHA2 hash of a password you will use for your initial login. Set this to a SHA2 hash generated with echo -n yourpassword | shasum -a 256 and you will be able to log in to the web interface with username admin and password yourpassword.

elasticsearch_max_docs_per_index = 20000000
> How many log messages to keep per index. This setting multiplied with elasticsearch_max_number_of_indices results in the maximum number of messages in your Graylog setup. It is always better to have several more smaller indices than just a few larger ones.

elasticsearch_max_number_of_indices = 20
> How many indices to have in total. If this number is reached, the oldest index will be deleted. Also take a look at the other retention strategies that allow you to automatically delete messages based on their age.

elasticsearch_shards = 4
> The number of shards for your indices. A good setting here highly depends on the number of nodes in your Elasticsearch cluster. If you have one node, set it to 1.

elasticsearch_replicas = 0
> The number of replicas for your indices. A good setting here highly depends on the number of nodes in your Elasticsearch cluster. If you have one node, set it to 0.

mongodb_uri = mongodb://localhost:27017/graylog2
> Enter your MongoDB connection and authentication information here.

rest_listen_uri = http://127.0.0.1:12900/
> REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.

elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

elasticsearch_index_prefix = graylog2
> Prefix for all Elasticsearch indices and index aliases managed by Graylog.

elasticsearch_cluster_name = graylog2
> Settings to be passed to Elasticsearch's client (overriding those in the provided elasticsearch_config_file). All of these must be the same as for your Elasticsearch cluster.

Configure elasticsearch.yml

$ sudo vim /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog2
node.master: true
node.data: true
network.host: 127.0.0.1
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
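The two files above have to agree with each other, and server.conf needs a generated password_secret and a SHA-256 root_password_sha2 before the server will start. The script below is an added example, not code from the original post or from the Graylog project: it fills in those two values the way the notes above describe (a pwgen-style 96-character secret and the SHA-256 of the admin password), then cross-checks the Elasticsearch cluster name, unicast hosts and multicast flag between server.conf and elasticsearch.yml. It assumes POSIX sh, awk, sha256sum and /dev/urandom, and runs against constructed copies of both files; point CONF and YAML at /etc/graylog/server/server.conf and /etc/elasticsearch/elasticsearch.yml (as root) to use it for real.

```shell
#!/bin/sh
# Added example, not part of the original post: populate the secrets in a Graylog
# server.conf and cross-check its Elasticsearch settings against elasticsearch.yml.

# SHA-256 hex digest of a password (same result as `echo -n pw | shasum -a 256`).
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character random secret, the same shape as `pwgen -N 1 -s 96`
# (48 random bytes rendered as 96 hex characters).
gen_secret() {
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Set "key = value" in a server.conf: replace the first existing assignment
# (even a commented-out one), or append when the key is absent.
set_conf() {
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        awk -v k="$2" -v v="$3" '
            !done && $0 ~ ("^#?[[:space:]]*" k "[[:space:]]*=") { print k " = " v; done = 1; next }
            { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Value of an active (uncommented) key in server.conf, or empty if unset.
get_conf() {
    awk -v k="$2" -F'=' '$1 ~ ("^" k "[[:space:]]*$") { sub(/^[[:space:]]+/, "", $2); print $2; exit }' "$1"
}

# Value of a top-level "key: value" in elasticsearch.yml with quotes, brackets
# and spaces stripped, so ["a:9300", "b:9300"] becomes a:9300,b:9300.
get_yaml() {
    awk -v k="$2" 'index($0, k ": ") == 1 { v = substr($0, length(k) + 3); gsub(/\[|\]|"| /, "", v); print v; exit }' "$1"
}

# Cross-check: cluster name and unicast hosts must match on both sides, and
# multicast discovery must be disabled on both. Returns 0 when everything agrees.
check_cluster_settings() {
    conf=$1; yaml=$2; rc=0
    if [ "$(get_conf "$conf" elasticsearch_cluster_name)" != "$(get_yaml "$yaml" cluster.name)" ]; then
        echo "MISMATCH: elasticsearch_cluster_name differs from cluster.name"; rc=1
    fi
    if [ "$(get_conf "$conf" elasticsearch_discovery_zen_ping_unicast_hosts)" != "$(get_yaml "$yaml" discovery.zen.ping.unicast.hosts)" ]; then
        echo "MISMATCH: unicast hosts differ"; rc=1
    fi
    if [ "$(get_conf "$conf" elasticsearch_discovery_zen_ping_multicast_enabled)" != false ] ||
       [ "$(get_yaml "$yaml" discovery.zen.ping.multicast.enabled)" != false ]; then
        echo "WARN: multicast discovery is not disabled on both sides"; rc=1
    fi
    return $rc
}

# Constructed copies of the two files, carrying the settings shown above.
CONF=$(mktemp); YAML=$(mktemp)
cat > "$CONF" <<'EOF'
is_master = true
password_secret =
#root_password_sha2 =
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
elasticsearch_cluster_name = graylog2
EOF
cat > "$YAML" <<'EOF'
cluster.name: graylog2
network.host: 127.0.0.1
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["127.0.0.1:9300"]
EOF

set_conf "$CONF" password_secret "$(gen_secret)"
set_conf "$CONF" root_password_sha2 "$(sha256_of yourpassword)"
check_cluster_settings "$CONF" "$YAML" && echo "server.conf and elasticsearch.yml agree"
rm -f "$CONF" "$YAML"
```

The secret and hash are written in place rather than printed, so they never land in the shell history; the cross-check is worth re-running whenever either file is edited, because a cluster-name or host mismatch only shows up later as an "Elasticsearch unavailable" error on the server.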

Graylog 2 systemd script

$ cd /lib/systemd/system
/lib/systemd/system$ sudo vim graylog2-server.service

[Unit]
Description=Graylog server daemon
# BindsTo (not BindTo) is the systemd directive name. Requires= alone does not
# order startup, so After= makes Graylog wait for Elasticsearch and MongoDB.
BindsTo=network.target
Requires=elasticsearch.service mongodb.service
After=network.target elasticsearch.service mongodb.service

[Service]
Type=simple
# root is used here because the syslog input below listens on the privileged
# port 514; with a port above 1024 a dedicated unprivileged user is preferable.
User=root
PIDFile=/tmp/graylog.pid
ExecStart=/usr/bin/java -Djava.library.path=/usr/share/graylog2-server/lib/sigar -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar /usr/share/graylog2-server/graylog.jar server -f /etc/graylog/server/server.conf -p /tmp/graylog.pid

[Install]
WantedBy=multi-user.target

sudo systemctl enable graylog2-server
sudo systemctl start graylog2-server
sudo systemctl status graylog2-server

http://localhost:9000

user: admin
password: yourpassword

The password is the one you chose when setting the ‘root_password_sha2’ field in /etc/graylog/server/server.conf.

Send log data to graylog2 server

Install syslog-ng for sending log data to graylog2 server

~$ sudo apt-get install syslog-ng

Send system log and Nginx server access log to Graylog2 server

sudo vim /etc/syslog-ng/conf.d/graylog.conf

# Define TCP syslog destination.
destination d_net {
    #syslog("graylog.example.org" port(514));
    syslog("127.0.0.1" port(514));
};
# Read the Nginx access log as raw lines (no syslog parsing of its contents).
source s_nginx_access {
    file("/var/log/nginx/access.log" flags(no-parse));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
    source(s_src); # Defined in the default syslog-ng configuration.
    source(s_nginx_access);
    destination(d_net);
};

Restarting syslog-ng

sudo systemctl restart syslog-ng

Launch Syslog TCP Input on Graylog2 server

Connect to the Graylog2 web interface:

http://localhost:9000

user: admin
password: yourpassword

Menu: System / Input

Select Syslog TCP from the select box and click the Launch new Input button.

Port: 514

Save, and you will then see log messages arriving on the Graylog2 server.
