
Graylog

Graylog is an open source log management platform with Enterprise options.

Install

 $ sudo add-apt-repository universe
 $ sudo apt update && sudo apt upgrade
 $ sudo apt install -y apt-transport-https openjdk-<version_number>-jre-headless uuid-runtime pwgen
 # MongoDB
 $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
 $ echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
 $ sudo apt update
 $ sudo apt install -y mongodb-org
 $ sudo systemctl daemon-reload
 $ sudo systemctl enable mongod.service
 $ sudo systemctl restart mongod.service
 $ sudo systemctl --type=service --state=active | grep mongod
 # ElasticSearch
 $ wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
 $ sudo apt-key add myKey
 $ echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
 $ sudo apt-get update && sudo apt-get install elasticsearch-oss
 $ sudo tee -a /etc/elasticsearch/elasticsearch.yml <<'EOF'
 cluster.name: graylog
 action.auto_create_index: false
 EOF
 $ sudo systemctl daemon-reload
 $ sudo systemctl enable elasticsearch.service
 $ sudo systemctl restart elasticsearch.service
 $ sudo systemctl --type=service --state=active | grep elasticsearch
 # Graylog Install
 $ wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
 $ sudo dpkg -i graylog-4.3-repository_latest.deb
 $ sudo apt-get update && sudo apt-get install graylog-server

 # Notes:
 # Read the instructions within the configuration file and edit as needed; it is located at /etc/graylog/server/server.conf.
 # Additionally, add password_secret and root_password_sha2, as these are mandatory and Graylog will not start without them.
 # To create your root_password_sha2 run the following command:
 $ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
 # For public access, set http_bind_address to the public hostname.
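As an added example (not from the Graylog project or these notes), the following shell functions produce the two mandatory values described above, write them plus http_bind_address into a copy of server.conf, and check that both mandatory keys are set before the daemon is started. It assumes bash with GNU sed, sha256sum and /dev/urandom; the `admin` password and the /tmp path in the comments are constructed.

```bash
#!/usr/bin/env bash
# Added example, not Graylog project code. Assumes GNU sed (for -i),
# sha256sum and /dev/urandom.

# SHA-256 hex of a password, with no trailing newline hashed; this is
# the same result as the echo/tr/sha256sum pipeline in the notes.
root_password_sha2() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character random secret for password_secret. Uses /dev/urandom so
# it works even where pwgen is not installed.
gen_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Set "key = value" in a conf file: replace an existing line (even one
# that is commented out with '#') or append if the key is absent.
# The value must not contain '|' or '&' (used by the sed expression).
set_conf() {  # file key value
  local file=$1 key=$2 value=$3
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Read the active (uncommented) value of key; empty if unset.
get_conf() {  # file key
  sed -nE "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Preflight before systemctl start: succeed only if both mandatory
# keys have a non-empty value, the condition graylog-server requires.
check_mandatory() {  # file
  [ -n "$(get_conf "$1" password_secret)" ] &&
    [ -n "$(get_conf "$1" root_password_sha2)" ]
}

# Constructed usage on a copy of the real file, never the live one:
#   cp /etc/graylog/server/server.conf /tmp/server.conf
#   set_conf /tmp/server.conf password_secret "$(gen_password_secret)"
#   set_conf /tmp/server.conf root_password_sha2 "$(root_password_sha2 'admin')"
#   set_conf /tmp/server.conf http_bind_address graylog.example.com:9000
#   check_mandatory /tmp/server.conf && echo "mandatory keys present"
```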

Manage Daemons

 $ sudo systemctl daemon-reload
 $ sudo systemctl enable graylog-server.service
 $ sudo systemctl start graylog-server.service
 $ sudo systemctl --type=service --state=active | grep graylog

Server.conf

 https://docs.graylog.org/docs/server-conf

Syslog

 https://www.rsyslog.com/windows-agent/
 https://www.howtoforge.com/how-to-send-ubuntu-logs-to-graylog-server/

Sidecar Install

 https://docs.graylog.org/docs/sidecar

MongoDB Replica Set

 https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set/
 https://docs.graylog.org/docs/multinode-setup

Palo Alto + Fortigate

 https://docs.graylog.org/docs/palo-alto
 https://docs.graylog.org/docs/fortigate

Plugins

 https://community.graylog.org/t/active-directory-auditing-winlogbeats-graylog-3-0-2/22889
 https://community.graylog.org/search?context=category&context_id=31&q=Palo%20alto&skip_context=true

References

 https://www.graylog.org/
 https://docs.graylog.org/docs/ubuntu
 https://docs.graylog.org/docs/sidecar
 https://kelley.jodymaroni.com/windows-filebeat-configuration-and-graylog-sidecar-the-graylog-blog/
 https://www.graylog.org/features/fault-tolerance
 https://docs.graylog.org/docs/server-conf
 https://docs.graylog.org/docs/multinode-setup
 https://www.mongodb.com/docs/manual/tutorial/deploy-replica-set/