In this guide, we will walk through how to install Graylog server on Debian 12/11/10 with Let’s Encrypt SSL. But before we dive into the crux of this tool, let’s understand what it is all about. Graylog is a free and open-source log management and aggregation tool used to store, analyze and send alerts from collected logs. It can be used in the analysis of both structured and unstructured data. Graylog is based on the following components:
- Java / OpenJDK – used as a runtime environment for ElasticSearch.
- ElasticSearch – the log analysis tool for the Graylog Server.
- MongoDB – stores the data and configurations.
- Graylog Server – the server that passes logs for visualization using the built-in web interface.
Setup Requirements.
- Memory above 4 GB.
- Storage above 20 GB.
- 4 CPU cores
- Debian 10/11 installed and updated.
- All packages upgraded.
With all the above requirements met, let us dive into the installation process.
Update System
It is recommended to make sure your system is up to date.
sudo apt update && sudo apt upgrade -y
sudo apt install -y apt-transport-https uuid-runtime pwgen curl dirmngr
If a reboot is required, perform it.
[ -f /var/run/reboot-required ] && sudo reboot -f
Install OpenSearch
Here OpenSearch is used to store and offer real-time analysis of logs with a RESTful web interface.
It stores data sent from the Graylog server and displays messages when requested by the user in a web interface.
Let’s first add the OpenSearch GPG key.
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
Then add the OpenSearch repository
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
With the repository added, install OpenSearch as below.
sudo apt update && sudo apt install opensearch -y
Then do configurations to the YAML file and set the cluster name to graylog as below.
sudo apt install vim
sudo vim /etc/opensearch/opensearch.yml
Find the cluster name setting and set it as below:
cluster.name: graylog
Also update the following fields for a minimum unsecured running state (single node).
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true
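With `network.host: 0.0.0.0` and `plugins.security.disabled: true` together, port 9200 answers unauthenticated requests on every interface, while Graylog in this guide only needs it on 127.0.0.1. The script below is an added example (not part of the original guide or of OpenSearch) that classifies an `opensearch.yml`; the function names and the three result labels are this example's own, and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: classify how an opensearch.yml exposes the REST port (9200).
# Result labels (hypothetical, defined here): exposed | local-only | authenticated

# Read a flat "key: value" setting, skipping comments; the last occurrence wins.
yml_get() {  # yml_get <file> <key>
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)            # strip a trailing comment
      n = index(line, ":")
      if (n == 0) next
      key = substr(line, 1, n - 1); val = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)                 # drop surrounding double quotes
      if (key == k) found = val
    }
    END { print found }' "$1"
}

opensearch_exposure() {  # opensearch_exposure <path to opensearch.yml>
  local host sec
  host=$(yml_get "$1" network.host)
  sec=$(yml_get "$1" plugins.security.disabled)
  # An unset network.host means OpenSearch binds to loopback only.
  case "${host:-localhost}" in
    localhost|_local_|127.*|::1) echo "local-only"; return 0 ;;
  esac
  # Reachable from other hosts: only the security plugin stands in the way.
  if [ "$sec" = "true" ]; then echo "exposed"; else echo "authenticated"; fi
}

# Demo on a constructed file: the guide's settings, then a loopback variant.
demo=$(mktemp)
printf '%s\n' 'cluster.name: graylog' 'discovery.type: single-node' \
  'network.host: 0.0.0.0' 'plugins.security.disabled: true' > "$demo"
echo "guide settings:   $(opensearch_exposure "$demo")"
printf '%s\n' 'cluster.name: graylog' 'discovery.type: single-node' \
  'network.host: 127.0.0.1' 'plugins.security.disabled: true' > "$demo"
echo "loopback variant: $(opensearch_exposure "$demo")"
rm -f "$demo"
```

On a real host, run `opensearch_exposure /etc/opensearch/opensearch.yml`; an `exposed` result means the node should be bound to loopback or fenced off by a firewall.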
Edit JVM options and update the Xms & Xmx settings with half of the installed system memory.
$ sudo vim /etc/opensearch/jvm.options
-Xms1g
-Xmx1g
If you have small RAM you can adjust memory to 512MB.
-Xms512m
-Xmx512m
Also update kernel parameters at runtime.
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
Reload the daemon, then start the OpenSearch service.
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service
sudo systemctl status opensearch.service
By default, OpenSearch runs on port 9200, verify this using the below cURL command.
curl -X GET http://localhost:9200
Sample output from command execution.
{
"name" : "deb12",
"cluster_name" : "graylog",
"cluster_uuid" : "g-vdKJwiTACwiZNQT0MUHQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.0",
"build_type" : "deb",
"build_hash" : "4dcad6dd1fd45b6bd91f041a041829c8687278fa",
"build_date" : "2023-10-13T02:57:02.526977318Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Install MongoDB
We will install MongoDB by adding repositories as below.
curl -fsSL https://www.mongodb.org/static/pgp/server-6.0.asc|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.gpg
Add the MongoDB repositories as below.
echo "deb http://repo.mongodb.org/apt/debian $(lsb_release -cs)/mongodb-org/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org.list
On Debian 12 consider installing MongoDB 7.
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-7.gpg
echo "deb http://repo.mongodb.org/apt/debian $(lsb_release -cs)/mongodb-org/7.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org.list
Update and install MongoDB as below.
sudo apt update
sudo apt install -y mongodb-org mongodb-org-database mongodb-org-server mongodb-org-shell mongodb-org-mongos mongodb-org-tools
Then start and enable MongoDB service to run on boot.
sudo systemctl start mongod && sudo systemctl enable mongod
Verify that the service is running.
$ systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-11-18 09:46:27 UTC; 4s ago
Docs: https://docs.mongodb.org/manual
Main PID: 22633 (mongod)
Memory: 66.9M
CPU: 715ms
CGroup: /system.slice/mongod.service
└─22633 /usr/bin/mongod --config /etc/mongod.conf
Nov 18 09:46:27 deb12 systemd[1]: Started mongod.service - MongoDB Database Server.
Nov 18 09:46:27 deb12 mongod[7434]: {"t":{"$date":"2023-11-18T09:46:27.406Z"},"s":"I", "c":"CONTROL", "id":7484500, "ctx":"main","msg":"Environment variable MONGODB_CONFIG_OVERRIDE_NOFORK == 1, o>
Install Graylog Server
Graylog server accepts and processes the machine logs then displays them on a web interface on request.
Download and install Graylog repository package on Debian.
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
Update the cache repositories and install Graylog server.
sudo apt update
sudo apt install -y graylog-server
Then we will use the pwgen command below to generate a secret to secure user passwords.
pwgen -N 1 -s 96
Output:
98KM6k7W6CtfQPc0EFKS3EMsb3bgYK1qPwDZcNezkqx4usSOMZE1rbKtuHuRwllkzm37cAp5U07jD9Hv6hCybkk3vJdVlC38
Copy the secret code and use it below.
Edit the .conf file
sudo vim /etc/graylog/server/server.conf
In the file, paste the secret as below:
password_secret = 98KM6k7W6CtfQPc0EFKS3EMsb3bgYK1qPwDZcNezkqx4usSOMZE1rbKtuHuRwllkzm37cAp5U07jD9Hv6hCybkk3vJdVlC38
Save and exit, then proceed to create a SHA-256 hash of the administrator password. The password created will be used to log in to the web interface.
echo -n Str0ngPassw0rd | sha256sum
In the above command, replace “Str0ngPassw0rd” with your preferred password. Alternatively, you can set a password with the command below.
$ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: Str0ngPassw0rd
The output will be as the below:
ab38eadaeb746599f2c1ee90f8267f31f467347462764a24d71ac1843ee77fe3
Copy this output and use it in the below step.
Edit the /etc/graylog/server/server.conf file as below.
sudo vim /etc/graylog/server/server.conf
In the file, add root_password_sha2 = "the above output" as below.
root_password_sha2 = ab38eadaeb746599f2c1ee90f8267f31f467347462764a24d71ac1843ee77fe3
Update OpenSearch address as well.
elasticsearch_hosts = http://127.0.0.1:9200
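The secret and hash printed above are public sample values, and `sha256sum` without the `cut` step prints the hash followed by `  -`, which is not a valid `root_password_sha2`. The script below is an added example (not from the original guide or from Graylog) that checks a `server.conf` for both problems; the function names and the 64-character threshold are assumptions of this example, and the demo file is constructed.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the two secrets in a Graylog server.conf.
# Sample values printed in this guide; a real server must not reuse them.
GUIDE_SECRET='98KM6k7W6CtfQPc0EFKS3EMsb3bgYK1qPwDZcNezkqx4usSOMZE1rbKtuHuRwllkzm37cAp5U07jD9Hv6hCybkk3vJdVlC38'
GUIDE_HASH='ab38eadaeb746599f2c1ee90f8267f31f467347462764a24d71ac1843ee77fe3'
MIN_SECRET_LEN=64   # assumption: this example's threshold (the guide generates 96)

# Value of "key = value" in a properties-style file; the last occurrence wins.
conf_get() {  # conf_get <file> <key>
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one finding per line, or "ok" when nothing is wrong.
check_graylog_conf() {  # check_graylog_conf <path to server.conf>
  local secret hash n=0
  secret=$(conf_get "$1" password_secret)
  hash=$(conf_get "$1" root_password_sha2)
  if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
    echo "password_secret: shorter than $MIN_SECRET_LEN characters"; n=$((n + 1))
  fi
  if [ "$secret" = "$GUIDE_SECRET" ]; then
    echo "password_secret: copied from this guide"; n=$((n + 1))
  fi
  # Raw sha256sum output ("<hash>  -") or an empty value fails this test.
  if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2: not 64 lowercase hex characters"; n=$((n + 1))
  fi
  if [ "$hash" = "$GUIDE_HASH" ]; then
    echo "root_password_sha2: copied from this guide"; n=$((n + 1))
  fi
  [ "$n" -gt 0 ] || echo "ok"
}

# Demo on a constructed file holding the guide's sample values.
demo=$(mktemp)
printf 'password_secret = %s\nroot_password_sha2 = %s\n' \
  "$GUIDE_SECRET" "$GUIDE_HASH" > "$demo"
check_graylog_conf "$demo"
rm -f "$demo"
```

Run it as `sudo bash -c '. ./check.sh; check_graylog_conf /etc/graylog/server/server.conf'` (the file name `check.sh` is hypothetical) before starting the service.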
With this done, the Graylog server is now ready for use. Start and enable the service as below.
sudo systemctl daemon-reload
sudo systemctl restart graylog-server
sudo systemctl enable graylog-server
Check the log as below.
sudo tail -f /var/log/graylog-server/server.log
If the server is running successfully, you should see the output as below.
................
2023-11-24T16:19:54.983Z INFO [ServerBootstrap] Graylog server up and running.
....................
If you want to access the Graylog Web Interface with a server IP and port, then set http_bind_address to your public hostname or public IP address as below.
sudo vim /etc/graylog/server/server.conf
Then add the below line:
http_bind_address = 0.0.0.0:9000
Restart the service for the changes made to apply.
sudo systemctl restart graylog-server
With this done, you can access the Graylog server Web UI using the URL http://server_IP:9000 or http://hostname:9000
Secure Graylog with Let’s Encrypt (Optional)
This step is optional and you should only proceed after meeting the below requirements.
- Fully qualified domain name(FQDN)
- Nginx
- Let’s Encrypt certificate
Here we want to set SSL so that we can be able to access Graylog Web Interface using HTTPS. First, install and configure Nginx as below.
sudo apt install nginx
If you are using ufw, configure the firewall by running:
sudo ufw allow 'Nginx Full'
Next, we will create a VirtualHost with your domain name as below.
sudo vim /etc/nginx/sites-available/graylog.domain.com.conf
In the file, add the below content replacing appropriately.
server {
    listen 80;
    server_name logs.example.com;
    return 301 https://$host$request_uri;
    access_log /var/log/nginx/graylog_access.log combined;
    error_log /var/log/nginx/graylog_error.log;
}
In the file, replace logs.example.com with your own FQDN.
Create a symbolic link between /etc/nginx/sites-available/graylog.domain.com.conf and /etc/nginx/sites-enabled as below.
sudo ln -s /etc/nginx/sites-available/graylog.domain.com.conf /etc/nginx/sites-enabled/
Check the syntax of the created file.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Now, let’s install Let’s Encrypt with certbot on Debian.
sudo apt install certbot python3-certbot-nginx
Then run Certbot for Nginx as below.
sudo certbot --nginx
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): Enter Your Email Address
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: logs.techwizpro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for logs.techwizpro.com
Performing the following challenges:
http-01 challenge for logs.techwizpro.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/graylog.domain.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/graylog.domain.com.conf
...............
When this is successful, you should see congratulations as below.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://logs.techwizpro.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: [email protected]).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/logs.techwizpro.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/logs.techwizpro.com/privkey.pem
Your certificate will expire on 2021-11-24. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Next, configure reverse proxy on Nginx serving Graylog running on the same 9000 port. This is achieved by editing the .conf file created earlier as below
sudo vim /etc/nginx/sites-available/graylog.domain.com.conf
In the file add the location segment as below.
..................................
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_pass http://127.0.0.1:9000;
    }
}
Now ensure that your configuration file appears as below.
$ sudo vim /etc/nginx/sites-available/graylog.domain.com.conf
# Port 80: redirect everything to HTTPS.
server {
    listen 80;
    server_name logs.example.com;
    return 301 https://$host$request_uri;
    access_log /var/log/nginx/graylog_access.log combined;
    error_log /var/log/nginx/graylog_error.log;
}
# Port 443: terminate TLS and proxy to Graylog on the loopback interface.
server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name logs.example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/logs.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/logs.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    location /
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://$server_name/;
        proxy_pass http://127.0.0.1:9000;
    }
}
Check the syntax of the file.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Now restart the Nginx service.
sudo systemctl restart nginx
Access Graylog Web interface
We are now set to access the Graylog Web Interface using HTTPS. Use the URL https://logs.example.com, replacing logs.example.com with your FQDN.

The default username is admin and the password is what we configured earlier in step 4. In this case, my password is “Passw0rd”.

Now you are set to start using the Graylog Web dashboard, here you have a visual representation of the logs.
Conclusion
This is the end of this guide. We have gone through how to install Graylog server on Debian 11|10 with Let’s Encrypt SSL. Now you can collect, index, and analyze logs from a centralized location. This makes it easy to monitor unusual activities and debug applications. I hope you found this guide interesting.
great guide!
thanks a lot 😉