Introduction

GrayLog is a leading open source log management platform, it allows you to collect, index, and analyze logs from just about any source in a centralized location. In this guide, we will be installing all of the requirements (Graylog, Elasticsearch, MongoDB)  on the same server, but for larger production environment this may not be ideal.

Requirements

Graylog requires that you have the following packages installed.

Java ( >= 8 )

Elasticsearch (5.x or 6.x)

MongoDB (3.6 or 4.0)

CPU

If you’re running all components (Graylog, Elasticsearch, MongoDB) on a single machine, a reasonably modern multi core CPU

RAM

4 GB of main memory will do if you’re running all components (Graylog, Elasticsearch, MongoDB)

Installation

ssh [email protected]
Connect to your server as the admin user via SSH from Linux, or by using Putty from Windows.
sudo apt update && sudo apt upgrade -y
Update and Upgrade the server
sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
Installing prerequisite packages 

Installing MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt update
Adding MongoDB Repository
sudo apt install -y mongodb-org
Installing MongoDB package
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
Enable MongoDB Service

Installing Elasticsearch

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt update
Adding Elasticsearch Repository
sudo apt install elasticsearch-oss
Installing Elasticsearch package
sudo nano /etc/elasticsearch/elasticsearch.yml
Modify the Elasticsearch configuration file and set the cluster name to graylog , as well as adding action.auto_create_index: false to the configuration file
cluster.name: graylog
action.auto_create_index: false
should look like this, Ctrl + x to save in Nano
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
Enable and start Elasticsearch service

Installing GrayLog

wget https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.deb
sudo dpkg -i graylog-3.1-repository_latest.deb
sudo apt update
Adding GrayLog Repository
sudo apt install graylog-server
Installing GrayLog package
sudo nano /etc/elasticsearch/elasticsearch.yml
Modify the Elasticsearch configuration file and set the cluster name to graylog , as well as adding action.auto_create_index: false to the configuration file
cluster.name: graylog
action.auto_create_index: false
should look like this, Ctrl + x to save in Nano

Optional: Installing GrayLog Plugins

sudo apt install graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
Install all GrayLog plugins
 pwgen -N 1 -s 96
generate and copy this password and add this to "password_secret" in your /etc/graylog/server/server.conf
copy this password and add this to "password_secret" in your /etc/graylog/server/server.conf
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Generate Sha2 Password to add to the GrayLog config for your root credentials
copy this hash and add this to "root_password_sha2" in your /etc/graylog/server/server.conf
sudo nano /etc/graylog/server/server.conf
open your GrayLog config and add the password_secret and root_password_sha2 generated with the prior commands, we will also change the http_bind_address to our servers IP
add the password_secret and root_password_sha2 generated
change the http_bind_address to our servers IP, should look like this, Ctrl + x to save in Nano
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
Enable and start GrayLog Service

Access the web interface at the http_bind_address with the username admin, and the password used to generate the hash for root_password_sha2.

Your all set, I recommend that you visit the GrayLog Documentation for more information.