Installing Graylog on Ubuntu

Graylog is open-source software with a web interface for collecting and viewing logs; at the time of writing it is free of charge up to a limit of 5 GB of collected data per day.

For this test I will install Graylog on Ubuntu Server 18.04.
First, upgrade the system and install the necessary components:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen

Install the latest version of MongoDB by adding the official repository:

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl status mongod.service

Then install Elasticsearch:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt-get update
sudo apt-get install elasticsearch-oss
sudo nano /etc/elasticsearch/elasticsearch.yml

Set the following options in that file:

cluster.name: graylog
action.auto_create_index: false

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl status elasticsearch.service

Now install Graylog:

wget https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.deb
sudo dpkg -i graylog-3.0-repository_latest.deb
sudo apt-get update
sudo apt-get install graylog-server

Edit the configuration file:

sudo nano /etc/graylog/server/server.conf

Set at least the following options (password_secret is a random secret string, which the pwgen utility installed above can generate; root_password_sha2 is the SHA-256 hash of the admin password; http_bind_address is the address and port the web interface and REST API listen on):

password_secret = ...
root_password_sha2 = ...
http_bind_address = 192.168.24.12:9000

You can create the root_password_sha2 value with the following command (the password must contain at least 16 characters, otherwise Graylog would not start for me):

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
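The two secrets can also be generated and written into server.conf by a script instead of by hand. This is an added example, not code from the original post; it assumes coreutils (sha256sum, base64, tr) and GNU sed, and reuses the file path and bind address from the post:

```shell
#!/bin/sh
# Added example: generate password_secret and root_password_sha2 for Graylog
# and set them in server.conf. Assumes coreutils and GNU sed (for sed -i).
set -eu

# Hex SHA-256 of the raw bytes of $1; same result as the post's
# "head -1 | tr -d '\n' | sha256sum" pipeline.
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Value for root_password_sha2. Enforces the 16-character minimum the post
# reports (Graylog would not start otherwise); returns 1 if it is violated.
graylog_root_hash() {
  pw="$1"
  if [ "${#pw}" -lt 16 ]; then
    echo "admin password must be at least 16 characters" >&2
    return 1
  fi
  sha256_hex "$pw"
}

# Value for password_secret: 96 random alphanumeric characters, taken from
# /dev/urandom so that pwgen is not required.
graylog_gen_secret() {
  head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 96
}

# Set "key = value" in a Graylog-style config file: replace an existing
# (possibly commented-out) line for the key, otherwise append one.
# Values must not contain "|" or "&", which sed would interpret.
graylog_set_option() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Interactive use: GRAYLOG_WRITE_CONF=1 ./graylog-secrets.sh [server.conf]
# The guard keeps the functions side-effect free when the file is sourced.
if [ "${GRAYLOG_WRITE_CONF:-0}" = 1 ]; then
  conf="${1:-/etc/graylog/server/server.conf}"
  printf 'Enter Graylog admin password: '
  stty -echo 2>/dev/null || true; read -r pw; stty echo 2>/dev/null || true; echo
  graylog_set_option "$conf" password_secret "$(graylog_gen_secret)"
  graylog_set_option "$conf" root_password_sha2 "$(graylog_root_hash "$pw")"
  graylog_set_option "$conf" http_bind_address "192.168.24.12:9000"
fi
```

Run it as root (or with sudo) so it can write /etc/graylog/server/server.conf, then restart graylog-server as described below.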

Run Graylog:

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl status graylog-server.service

If there are problems, check the log at /var/log/graylog-server/server.log.

The web interface is available at the address specified in the configuration, 192.168.24.12:9000 in my case; the login is “admin” and the password is the one whose hash you put in the configuration file.
If you need HTTPS, set http_bind_address to 127.0.0.1:9000 and put an NGINX or Apache2 reverse proxy in front of Graylog.
