Installing GrayLog2 on Ubuntu (quick setup)

“Graylog2 is an open source syslog implementation that stores your logs in MongoDB. It consists of a server written in Java that accepts your syslog messages via TCP or UDP and stores it in the database. The second part is a Ruby on Rails web interface that allows you to view the log messages. ” from the web site.

Here is a raw block of commands to fire for the setup of the Server and Web Interface (Ubuntu 10.10).

For details, all the step by step documentation is available here (server) and here (web interface)

1. Server


# Update requirements
apt-get install openjdk-6-jre
# Catch the software
wget --no-check-certificate$grayserver.tar.gz
tar xvfz $grayserver.tar.gz
mv $grayserver graylog2-server
cd graylog2-server
cp graylog2.conf.example /etc/graylog2.conf
echo "Edit the /etc/graylog2.conf"

Here is my /etc/graylog2.conf (changed)

# On which port (UDP) should we listen for Syslog messages? (Standard: 514)
    # Port 514 is by default used by syslogd, syslog-ng, or rsyslog (just to avoid conflict)
    # syslog_listen_port = 514
    # If you use OSSEC , don t use 1554
syslog_listen_port = 5514
syslog_protocol = udp

# MongoDB Configuration
    # mongodb_useauth = true
mongodb_useauth = false
mongodb_user = grayloguser
mongodb_password = 123
mongodb_host = localhost
#mongodb_replica_set = localhost:27017,localhost:27018,localhost:27019
mongodb_database = graylog2_production
mongodb_port = 27017
mongodb_max_connections = 500

# The (pre-allocated) size of the messages collection in bytes.. (All your syslog and GELF messages are stored here. Standard: 50000000 [~50MB])
messages_collection_size = 50000000

# Graylog Extended Log Format (GELF)
use_gelf = true
gelf_listen_port = 12201

2. Web Interface


# Update requirements
apt-get install ruby1.8 rubygems rake make libopenssl-ruby libmysqlclient-dev ruby-dev rrdtool build-essential mysql-server mongodb
# Ruby stuffs
gem install rubygems-update
ruby /var/lib/gems/1.8/bin/update_rubygems
gem install bundler
# MySQL config
mysql < GRANT ALL PRIVILEGES ON 'graylog2_production' TO 'dbadmin'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
# Catch the software
wget --no-check-certificate$grayweb.tar.gz
tar zxf $grayweb.tar.gz
mv $grayweb graylog2-web-interface
cd graylog2-web-interface
bundle install

# You need to edit the files
echo "Edit the config/*.yml"

Config files to check are :

  • ./config/database.yml
  • ./config/general.yml
  • ./config/mongodb.yml

The general.yml (not changed)

 external_hostname: "" # Used for example to generate permalinks. Don't add 'http://' or trailing slashes.
 date_format: "%d.%m.%Y - %H:%M:%S" # (strftime syntax)

# Settings for stream subscription emails.
  subject: "[graylog2] Subscription"

# Settings for stream alarm emails.
  subject: "[graylog2] Stream alarm!"

The database.yml (changed)

  adapter: mysql2
  encoding: utf8
  reconnect: false
  # must be the same than /etc/graylog2.conf
  database: graylog2_production
  pool: 5
  username: dbadmin
  password: password

The mongo.yml (changed)

 hostname: localhost
 # database: graylog2
 database: graylog2_production
 port: 27017
 authenticate: false

#  hostname: [["localhost", 27017], ["localhost", 27018], ["localhost", 27019]]
#  database: graylog2_production
#  authenticate: false


# Start the configuration
export RAILS_ENV=production
rake db:create
rake db:migrate

3. Some trouble ?

1) MongoDB too old

Install the last MongoDB release,

echo deb 10.10 10gen >> /etc/apt/sources.list
sudo apt-key adv --keyserver --recv 7F0CEB10
apt-get update
apt-get upgrade
sudo apt-get install mongodb-stable

More info here

2) Network status

Some network status check :

#check mongo
netstat -lnp | grep 27017
# check webserver
netstat -lnp | grep 3000
#check graylogserver (depends of your settings)
netstat -lnp | grep 5514

4. Some basics commands

1) Start

export RAILS_ENV=production
# Start the Server
cd ~/graylog2-server/bin
./graylog2ctl start
# Start the Web Interface
cd ~/graylog2-web-interface
./script/rails server -d

2) Stop

cd ~/graylog2-server
./graylog2ctl stop

3) Debug

java -jar graylog2-server.jar debug

4) Purge the Mongo Database

 mongo graylog2_production
MongoDB shell version: 1.6.5
connecting to: graylog2_production
> db.dropDatabase();
{ "dropped" : "graylog2_production", "ok" : 1 }
> exit

5. Misc

The TimeZone of the application is Berlin. Edit the line “config.time_zone = ‘Berlin'” in :~/graylog2-web-interface/config/application.rb
The server web interface is available on port http://server:3000

And happy with the Web interface.

Need to feed the server now (on the correct UDP port).

Be the first to comment

Leave a Reply

Your email address will not be published.