Here is a tutorial for a Graylog and rsyslog log server

  • Source: http://wiki.kogite.fr/index.php/Rsyslog-Graylog-Elasticsearch
  • Source 2: http://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/how-to-install-graylog-on-ubuntu-16-04.html
  • Language: English
  • Status: Complete

How to install Graylog on Ubuntu 16.04

Graylog Logo

Graylog (formerly known as Graylog2) is an open-source log management tool that helps you collect, index and analyze any machine logs centrally. This guide focuses on installing Graylog on Ubuntu 16.04, as well as the other essential components that make Graylog a powerful log management tool.

Components:

1. MongoDB – Acts as the database; it stores the configuration and meta information.

2. Elasticsearch – Stores the log messages and offers the search facility. It is recommended to allocate more memory and use SAS or SAN disks for Elasticsearch nodes, since this is where all your searching happens.

3. Graylog server – The log parser; it collects the logs from various inputs and provides the built-in web interface for managing the logs.

Prerequisites:

As you know, Elasticsearch is a Java-based application. Install either OpenJDK or Oracle JDK on your machine to proceed further.

PS: I chose to install Oracle JDK.

Verify the Java version.

Install Elasticsearch:

Elasticsearch is one of the main components that Graylog requires to run. It acts as a search server, offering real-time distributed search and analytics through a RESTful web interface. Elasticsearch stores all the logs sent by the Graylog server and returns the messages whenever a user requests them over the built-in web interface.

This guide covers only the configuration settings that are required for Graylog; you can also take a look at Install Elasticsearch on CentOS 7 / Ubuntu 14.10 / Linux Mint 17.1 for detailed instructions.

Let's install Elasticsearch. First, download and install the GPG signing key.

Configure the Elasticsearch repository by running the command below.

Update the repository cache and install Elasticsearch.

Make Elasticsearch start automatically on system startup.

The only important thing is to set the cluster name to "graylog": edit the Elasticsearch configuration file and update it accordingly.

PS: cluster.name in elasticsearch.yml should match the value of elasticsearch_cluster_name in Graylog's server.conf.

Disable dynamic scripts to avoid remote execution by adding the following lines to the server.conf.

Restart the Elasticsearch service to read the new configurations.

Wait at least a minute to let Elasticsearch restart fully. Elasticsearch should now be listening on port 9200 for HTTP requests; use curl to check the response.

Ensure that the cluster name shows as "graylog".

Optional: Test the health of the Elasticsearch cluster and make sure the output reports the cluster status as "green".

Install MongoDB 3.2:

Download and install the latest MongoDB from the official website. Import the public key on the terminal to begin.

Add the MongoDB repository by creating the /etc/apt/sources.list.d/mongodb-org.list file using the following command.

Install MongoDB using the following command.

Start MongoDB and enable it on system start-up.

Install Graylog 2.0.3:

Graylog-server accepts and processes the log messages and displays them for requests that come from the Graylog web interface.

Download and install the Graylog 2.x repository.

Install HTTPS support and update the repository cache.

Install the Graylog server using the following command.

Edit the server.conf file to begin the Graylog configuration.

You must set a secret to secure the user passwords; use the pwgen command to generate one.

If you get an error like "pwgen: command not found", install pwgen using the following command.

Place the secret like below.

Next, set a SHA-256 hash of the password for the root user (not to be confused with the system root user; the root user of Graylog is admin). You will need this password to log in to the web interface. The admin password cannot be changed from the web interface; you must edit this variable to set it.

Replace "yourpassword" with a password of your choice.

Place the hashed password.

You can set up an email address for the admin user.

Set timezone of root (admin) user.

The Graylog server will try to find the Elasticsearch nodes automatically using multicast mode. On larger networks, however, it is recommended to use unicast mode, which is the best suited for production.

Add the following entry to the Graylog server.conf file, replacing ipaddress with your IP address. You can add multiple hosts separated by commas.

Set only one master node by defining the variable below; the default setting is true.

If you add a second Graylog node, set it to false to make that node a slave. The master node performs some periodic tasks that slave nodes do not.

Set the number of log messages to keep per index; it is recommended to have several smaller indices instead of larger ones.

The following parameter defines the total number of indices; when this number is reached, the oldest index is deleted.

The shard setting depends on the number of nodes in your Elasticsearch cluster; if you have only one node, set it to 1.

This is the number of replicas for your indices; if you have only one node in the Elasticsearch cluster, set it to 0.
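The secret and password-hash steps above, together with the server.conf edits that follow them, as an added POSIX shell example (not the tutorial's own commands). It assumes the Graylog 2.x key names password_secret, root_password_sha2, elasticsearch_cluster_name, elasticsearch_discovery_zen_ping_unicast_hosts, is_master, elasticsearch_shards and elasticsearch_replicas, and rewrites a key in place (including a commented-out default) instead of appending a duplicate.

```shell
#!/bin/sh
# Helpers for producing the Graylog server.conf values described above.

sha256_hex() {
  # printf '%s' avoids the trailing newline that a plain echo would hash too,
  # which is the usual cause of an admin login that "never works".
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1   # macOS/BSD
  fi
}

gen_secret() {
  # 96-character random secret: pwgen if present, otherwise /dev/urandom.
  if command -v pwgen >/dev/null 2>&1; then pwgen -N 1 -s 96
  else LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96; echo; fi
}

set_conf_key() {
  # usage: set_conf_key FILE KEY VALUE
  # Replaces the first "KEY = ..." line (even if commented out with '#'),
  # or appends "KEY = VALUE" when the key is absent. Values must not contain
  # backslashes (awk -v would interpret them).
  conf_file=$1; conf_key=$2; conf_val=$3
  awk -v k="$conf_key" -v v="$conf_val" '
    BEGIN { done = 0 }
    ($0 ~ ("^[# \t]*" k "[ \t]*=")) && !done { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$conf_file" > "$conf_file.tmp" && mv "$conf_file.tmp" "$conf_file"
}

configure_graylog() {
  # usage: configure_graylog SERVER_CONF ADMIN_PASSWORD [ES_UNICAST_HOSTS]
  # Single-node defaults: this node is master, 1 shard, 0 replicas.
  gl_conf=$1; gl_pw=$2; gl_es=${3:-127.0.0.1:9300}
  set_conf_key "$gl_conf" password_secret "$(gen_secret)"
  set_conf_key "$gl_conf" root_password_sha2 "$(sha256_hex "$gl_pw")"
  set_conf_key "$gl_conf" elasticsearch_cluster_name graylog
  set_conf_key "$gl_conf" elasticsearch_discovery_zen_ping_unicast_hosts "$gl_es"
  set_conf_key "$gl_conf" is_master true
  set_conf_key "$gl_conf" elasticsearch_shards 1
  set_conf_key "$gl_conf" elasticsearch_replicas 0
}
```

Run it as `configure_graylog /etc/graylog/server/server.conf 'yourpassword' 10.0.0.5:9300` and restart graylog-server afterwards; the plaintext password only ever exists in the shell's argument list, so pass it from a prompt rather than hard-coding it in a script.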

Install Graylog web interface:

Since version 2.x there is no longer a separate web interface component; the web interface is served directly by the Graylog server.

Configure the Graylog web interface by editing the server.conf file.

Modify the entries below to let the Graylog web interface connect to the Graylog server.

Restart the Graylog service.

Make the Graylog server start automatically on system startup.

You can check the server startup logs; they will be useful for troubleshooting Graylog in case of any issue.

On a successful start of graylog-server, you should see the following message in the log file.

Access Graylog web interface:

The web interface will now be listening on port 9000; point your browser to http://ip-add-ress:9000.

Log in with the username "admin" and the password you configured in root_password_sha2 in server.conf.

Install Graylog on Ubuntu 16.04 - Login Screen

Once you are logged in, you will see the getting started page.

Install Graylog on Ubuntu 16.04 - Getting Started

Click on System/Overview to see the status of the Graylog server.

Install Graylog on Ubuntu 16.04 - System Overview

Configure Graylog Inputs:

Graylog inputs need to be configured to receive logs from external sources, i.e., syslog or any other logging system.
Click System -> Inputs -> select Syslog UDP and then click Launch new input. Fill in the values as in the screen below.

Install Graylog on Ubuntu 16.04 - Creating Syslog Input

Once you have created the input, configure rsyslog (or any other system logger) to forward logs to your-ip-address:1514.
The following screenshot shows the logs received by Graylog (Graylog console -> Search).
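The client-side forwarding step above, as an added example that is not part of the tutorial: a shell helper that writes an rsyslog fragment pointing at the Syslog UDP input just created. The output path /etc/rsyslog.d/60-graylog.conf is a constructed default; the single "@" selects UDP (the page's input type), and RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 template, which Graylog's syslog input parses more reliably than the legacy BSD format.

```shell
#!/bin/sh
# write_rsyslog_forward GRAYLOG_HOST [PORT] [OUTFILE]
# Writes an rsyslog drop-in that forwards all facilities/priorities to the
# Graylog "Syslog UDP" input. Returns non-zero if the file cannot be written.
write_rsyslog_forward() {
  gl_host=$1
  gl_port=${2:-1514}                          # port chosen in the Graylog input
  gl_out=${3:-/etc/rsyslog.d/60-graylog.conf} # constructed default path
  [ -n "$gl_host" ] || { echo "usage: write_rsyslog_forward HOST [PORT] [FILE]" >&2; return 2; }
  cat > "$gl_out" <<EOF
# Forward everything to Graylog over UDP (one '@'; '@@' would mean TCP).
# RFC 5424 framing so Graylog extracts timestamp, host and app name cleanly.
*.* @${gl_host}:${gl_port};RSYSLOG_SyslogProtocol23Format
EOF
}

# Print the forwarding line that a given host/port produces (used for checks).
forward_line_for() {
  printf '*.* @%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$1" "${2:-1514}"
}
```

After writing the file, `rsyslogd -N1` validates the configuration and `systemctl restart rsyslog` applies it; note that UDP syslog is unauthenticated and unencrypted, so keep the 1514 input on a trusted management network or switch to the TCP/TLS inputs for anything that crosses untrusted links.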

Install Graylog on Ubuntu 16.04 - Syslog Messages