
Installing Graylog Open on Ubuntu 22.04

This article is a walkthrough for installing “Graylog Open 6” and leverages the documentation at “https://go2docs.graylog.org/current/downloading_and_installing_graylog/ubuntu_installation.html” and “https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/”. We’re using Ubuntu 22.04 because 24.04 is not supported using the documentation linked above.

We’re starting from a fresh “standard” Ubuntu 22.04 installation. Our resources are “4GB RAM, 8 CPU Cores, 25GB Disk space”. These resources are far too low for an enterprise installation, but fine for this walkthrough. Log into the Ubuntu server as root and issue these commands.

Update your system and install a few packages:

apt update && apt upgrade
apt install gnupg curl net-tools

Set the timezone and import the key for the additional packages (on Ubuntu 22.04 “apt-key” prints a deprecation warning, but it still imports the key):

timedatectl set-timezone UTC
wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | sudo apt-key add -

Install MongoDB:

curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
apt install mongodb-org
echo "mongodb-org hold" | sudo dpkg --set-selections
echo "mongodb-org-database hold" | sudo dpkg --set-selections
echo "mongodb-org-server hold" | sudo dpkg --set-selections
echo "mongodb-mongosh hold" | sudo dpkg --set-selections
echo "mongodb-org-mongos hold" | sudo dpkg --set-selections
echo "mongodb-org-tools hold" | sudo dpkg --set-selections
systemctl enable mongod
systemctl start mongod
apt-mark hold mongodb-org

Install OpenSearch:

curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
apt update
OPENSEARCH_INITIAL_ADMIN_PASSWORD=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32) apt install opensearch
apt-mark hold opensearch

Edit the “/etc/opensearch/opensearch.yml” file and set the following values:

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true

Note that “plugins.security.disabled: true” makes OpenSearch accept unauthenticated requests, and “network.host: 0.0.0.0” exposes port 9200 on every interface. On this single-node install Graylog only talks to OpenSearch on 127.0.0.1 (see the “elasticsearch_hosts” value in server.conf further down), so you can set “network.host: 127.0.0.1” instead, or block port 9200 from the outside with your firewall.

Set the following two settings in “/etc/opensearch/jvm.options” (replace the ‘4’ with half the installed memory in gigabytes; on the 4GB machine used in this walkthrough that is 2g):

-Xms4g
-Xmx4g

Set kernel settings and enable/start services:

sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf

systemctl daemon-reload
systemctl enable opensearch.service
systemctl start opensearch.service
systemctl status opensearch.service

Install Graylog:

wget https://packages.graylog2.org/repo/packages/graylog-6.0-repository_latest.deb
dpkg -i graylog-6.0-repository_latest.deb
apt update && apt install graylog-server
apt-mark hold graylog-server

Modify the Graylog settings in “/etc/graylog/server/server.conf” and set the passwords. Generate the two secrets first (note that the password you type at the prompt below is echoed on screen):

# For password_secret - used for system hashing and salting:
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
# For root_password_sha2 - the hash is stored in the config file, the password is used at admin's login time:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

So using the example above (and adding two more values), the values for the “/etc/graylog/server/server.conf” would be (but don’t copy my passwords, generate your own using the above methods):

password_secret = YnkGQJLBZxlxmjud3ReuYplcrm08ralBalH0tRoNXNeqjpsfzsEng415WwOx1GiWv095UU0Co0ONLeVljmvzmbkJfbnHxbtP
root_password_sha2 = cc04274f68adbc48d30b6e0d3c2035ac0d7f09a0806342c5d77570747ca65e0a
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200
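The same four values can be generated and written into server.conf with the small script below. This is an added example, not code from the walkthrough or from the Graylog project: it uses the walkthrough's generator for password_secret, hashes the admin password without echoing it to the terminal, and replaces or appends each key in the config file. The config path is the one used above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the walkthrough or the Graylog project): derive
# password_secret and root_password_sha2, then write them together with the
# bind address and the OpenSearch address into Graylog's server.conf.

# 96 random characters from [A-Za-z0-9], as the walkthrough's generator does.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# SHA-256 hex digest of the first argument; no trailing newline is hashed,
# which is what Graylog expects for root_password_sha2.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a Graylog-style config file: replace an existing
# uncommented line for the key, otherwise append one. Commented-out
# "#key = ..." lines are left alone. Values must not contain '&' or '|'
# (sed replacement syntax); the four values used here do not.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}[[:space:]]*=" "$file"; then
        sed -i "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read the admin password twice with terminal echo off and print its SHA-256.
prompt_admin_password_sha2() {
    stty -echo < /dev/tty
    printf 'Enter admin password: ' > /dev/tty
    read -r pw1 < /dev/tty
    printf '\nRepeat admin password: ' > /dev/tty
    read -r pw2 < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty
    [ -n "$pw1" ] || { echo "empty password" >&2; return 1; }
    [ "$pw1" = "$pw2" ] || { echo "passwords differ" >&2; return 1; }
    sha256_hex "$pw1"
}

# Apply all four values to the config file (default: the walkthrough's path).
configure_graylog() {
    conf=${1:-/etc/graylog/server/server.conf}
    secret=$(gen_password_secret)
    sha2=$(prompt_admin_password_sha2) || return 1
    set_conf_value "$conf" password_secret "$secret"
    set_conf_value "$conf" root_password_sha2 "$sha2"
    set_conf_value "$conf" http_bind_address "0.0.0.0:9000"
    set_conf_value "$conf" elasticsearch_hosts "http://127.0.0.1:9200"
    echo "updated $conf"
}

# Usage, as root, after graylog-server is installed:
#   . ./graylog-conf.sh && configure_graylog
```

The secret never appears in shell history or on screen this way, and because set_conf_value only touches uncommented lines you can rerun configure_graylog to rotate the admin password without disturbing the rest of the file.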

Finalisation:

systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog
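Before opening the web interface it is worth confirming the whole stack is healthy, not just that graylog-server is listed as active. The script below is an added example (not from the walkthrough or from the Graylog project) that checks the kernel setting, the three services, OpenSearch's cluster health on 127.0.0.1:9200 and Graylog's REST API on 127.0.0.1:9000. It assumes the admin password is supplied in an environment variable named GRAYLOG_ADMIN_PASSWORD, which is this example's convention and not a Graylog setting.

```shell
#!/bin/sh
# Added example (not from the walkthrough): post-install checks for the
# MongoDB + OpenSearch + Graylog stack installed above. Run as root.

# --- pure helpers (no network), kept separate so they are easy to test ---

# Extract the "status" field from OpenSearch's _cluster/health JSON.
health_status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# vm.max_map_count must be at least the value the walkthrough sets.
map_count_ok() {
    [ "$1" -ge 262144 ]
}

# A probe of the Graylog API is good on HTTP 200; 401 means the password does
# not match root_password_sha2; 000 means nothing is listening on 9000.
api_probe_ok() {
    [ "$1" = 200 ]
}

# --- live checks ---

check_kernel() {
    v=$(sysctl -n vm.max_map_count)
    if map_count_ok "$v"; then echo "ok   vm.max_map_count=$v"
    else echo "FAIL vm.max_map_count=$v (must be >= 262144)"; return 1; fi
}

check_services() {
    rc=0
    for svc in mongod opensearch graylog-server; do
        if systemctl is-active --quiet "$svc"; then
            echo "ok   $svc active"
        else
            echo "FAIL $svc not active (see: journalctl -u $svc)"; rc=1
        fi
    done
    return $rc
}

check_opensearch() {
    json=$(curl -s -m 5 http://127.0.0.1:9200/_cluster/health) \
        || { echo "FAIL opensearch not answering on 127.0.0.1:9200"; return 1; }
    status=$(health_status_from_json "$json")
    case $status in
        green|yellow) echo "ok   opensearch cluster status: $status" ;;
        *) echo "FAIL opensearch cluster status: ${status:-unknown}"; return 1 ;;
    esac
}

check_graylog_api() {
    code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' \
        -u "admin:${GRAYLOG_ADMIN_PASSWORD:-}" http://127.0.0.1:9000/api/system)
    if api_probe_ok "$code"; then echo "ok   graylog api answered 200"
    else echo "FAIL graylog api returned HTTP $code"; return 1; fi
}

# Run every check and report a single pass/fail exit status.
run_all_checks() {
    rc=0
    check_kernel || rc=1
    check_services || rc=1
    check_opensearch || rc=1
    check_graylog_api || rc=1
    return $rc
}

# Usage:
#   GRAYLOG_ADMIN_PASSWORD='the-admin-password' sh ./graylog-check.sh
# when executed directly, or source the file and call run_all_checks.
```

Graylog can take a minute after start to finish connecting to OpenSearch, so a yellow cluster status or a brief HTTP 000 right after systemctl start is normal; a persistent 401 means the hash in root_password_sha2 does not match the password you typed.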

Now visit the site:

  • Host: http://<ip-address>:9000/
  • Username: admin
  • Password: <admin password>

The <admin password> is the password you typed at the “Enter Password:” prompt earlier in this walkthrough; its SHA-256 is the root_password_sha2 value in server.conf. The password_secret is used internally by Graylog for hashing and salting and is not a login credential.

Finally we need to start ingesting logs. That’s where this walkthrough ends. But you can continue on with your first ingest here “https://graylog.org/post/how-to-use-graylog-as-a-syslog-server/”.
