CCNP-PRO

Based on the IT journey of Michael Rickert

Install and setup graylog2 on Ubuntu 12.04

My notes on how to install graylog2 on Ubuntu 12.04 as a syslog server. Some basic knowledge of the install process and of Linux is recommended.


* First, install Ubuntu 12.04 server x64 and run as root:
apt-get update && apt-get upgrade

* install mongodb: add the 10gen repository to your apt sources (import the repository's signing key as well, otherwise apt will install these packages unauthenticated)
echo -e "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen\n" > /etc/apt/sources.list.d/mongodb-10gen.list

* update apt-get:
apt-get update

* install mongodb
apt-get install mongodb-10gen

* create the mongodb user (the user name and password must match mongodb_user and mongodb_password in /etc/graylog2.conf; grayloguser/123 are the defaults shipped in graylog2.conf.example, so if you pick your own password change it in both places):
mongo
use graylog2
db.addUser("grayloguser", "123")
exit

* install java:
apt-get install openjdk-6-jre

* wget the elasticsearch deb and install it with dpkg:
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.20.4.deb
dpkg -i elasticsearch-0.20.4.deb

* make the graylog2 folder under /opt
mkdir -p /opt/graylog2

* download graylog2-server
wget http://download.graylog2.org/graylog2-server/graylog2-server-0.11.0.tar.gz

* unpack it
tar -xzvf graylog2-server-0.11.0.tar.gz

* move the graylog2-server files to the graylog2 folder
cp -r graylog2-server-0.11.0 /opt/graylog2/

* hop into the /opt/graylog2 folder and softlink the copied files to a version-independent name:
cd /opt/graylog2
ln -sf graylog2-server-0.11.0 graylog2-server

* copy the graylog2 config file to the /etc folder
cp graylog2-server/graylog2.conf.example /etc/graylog2.conf

* download the graylog2 server upstart script:
wget https://raw.github.com/Graylog2/graylog2-server/master/misc/upstart/graylog2-server.conf

* and sed it so the path inside it points at our install location, writing the result into /etc/init:
sed 's#/opt/graylog2-server#/opt/graylog2/graylog2-server#' graylog2-server.conf > /etc/init/graylog2-server.conf

* start up graylog2-server
service graylog2-server start

* download the graylog2-web-interface
wget http://download.graylog2.org/graylog2-web-interface/graylog2-web-interface-0.11.0.tar.gz

* and extract it
tar -xzvf graylog2-web-interface-0.11.0.tar.gz

* copy the web interface to the /opt/graylog2/ folder
cp -r graylog2-web-interface-0.11.0 /opt/graylog2

* enter the /opt/graylog2 folder and softlink it the same way:
cd /opt/graylog2
ln -sf graylog2-web-interface-0.11.0 graylog2-web-interface

* download and compile ruby from source (oh god why; note the copy needs -r since it is a directory):
wget http://ftp.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p0.tar.gz
tar -xzvf ruby-2.0.0-p0.tar.gz
cp -r ruby-2.0.0-p0 /opt/graylog2/
cd /opt/graylog2/ruby-2.0.0-p0
./configure && make && make install

* softlink all of the ruby bin files into /usr/bin, example:
cd bin
ln -s /opt/graylog2/ruby/bin/ruby /usr/bin/ruby

* make sure ruby is working
ruby -v

* and install some extra dependencies (build-essential and the -dev headers are also what the ruby configure/make step above needs, so if that step failed install these and re-run it):
apt-get install build-essential libcurl4-openssl-dev libssl-dev zlib1g-dev

* install bundler
gem install bundler --no-rdoc --no-ri

* make json work: open the web interface's Gemfile
nano /opt/graylog2/graylog2-web-interface/Gemfile

* change the json version to 1.7.7, then go into the web interface folder and bundle the rubygems:
cd /opt/graylog2/graylog2-web-interface/
bundle install

* install apache2 services:
apt-get install apache2-mpm-prefork apache2-prefork-dev libapr1-dev libaprutil1-dev

* get passenger and make sure you pull the pre version (the --pre flag is what gives you the 4.0.0.rc4 release that the paths below refer to)
gem install passenger --no-rdoc --no-ri --pre

* install the passenger module
passenger-install-apache2-module

* modify apache2 so that it can run passenger, add the following to /etc/apache2/apache2.conf above the 'Include sites-enabled/' line:
LoadModule passenger_module /var/lib/gems/2.0.0/gems/passenger-4.0.0.rc4/libout/apache2/mod_passenger.so
PassengerRoot /var/lib/gems/2.0.0/gems/passenger-4.0.0.rc4
PassengerRuby /usr/bin/ruby

* add the graylog2 webserver by modifying the default site, /etc/apache2/sites-available/default:
<VirtualHost *:80>
    ServerAdmin you@example.com
    DocumentRoot /opt/graylog2/graylog2-web-interface/public

    <Directory /opt/graylog2/graylog2-web-interface/public>
        RailsEnv production
        Allow from all
        Options -MultiViews
    </Directory>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

* make sure the web-interface has correct permissions
chown -R www-data:www-data /opt/graylog2/graylog2-web-interface

* start up apache and make sure you can get to the server
service apache2 restart

* configure elasticsearch: edit /etc/elasticsearch/elasticsearch.yml and add the cluster and node settings below
cluster.name: graylog2
node.name: "graylog2-elasticserver"
node.master: true
node.data: true

* edit /etc/graylog2-elasticsearch.yml (the elasticsearch client config that graylog2-server uses) so the graylog2 node joins the same cluster on its own transport port:
cluster.name: graylog2
node.name: "graylog2-server"
transport.tcp.port: 9390

* restart all services and enjoy graylog2!
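Once everything is restarted, the one thing the notes above never do is confirm that the pieces actually talk to each other. The script below is an added example (not part of the original notes) that checks each daemon of this stack is listening where the configs above put it, then pushes one RFC 3164 syslog line into graylog2's UDP input so you can see a message arrive in the web interface before pointing real hosts at the server. The port list is an assumption drawn from the configs above and from the graylog2.conf.example defaults (mongod tcp/27017, elasticsearch tcp/9200 and tcp/9300, the graylog2 transport on tcp/9390, syslog input on udp/514, apache on tcp/80); adjust it if you changed any of them. `ss` comes with iproute on Ubuntu 12.04.

```shell
#!/bin/bash
# Post-install smoke test for the graylog2 stack described in the notes above.
# Added example, not part of the original notes. Assumed defaults of that setup:
#   mongod          tcp/27017
#   elasticsearch   tcp/9200 (http) and tcp/9300 (transport)
#   graylog2-server tcp/9390 (transport.tcp.port set above), udp/514 syslog input
#   apache/passenger tcp/80
# Run on the server as: ./smoketest.sh --run

# PRI value per RFC 3164: facility * 8 + severity (e.g. user.info = 1*8+6 = 14).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build one RFC 3164 line: "<PRI>Mmm dd hh:mm:ss host tag: msg".
# Args: facility severity host tag msg [timestamp]; the timestamp defaults to now.
syslog_line() {
    local ts="${6:-$(date '+%b %e %H:%M:%S')}"
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$ts" "$3" "$4" "$5"
}

# Send one line to the graylog2 UDP syslog input through bash's /dev/udp device.
# Args: host port line
send_syslog() {
    printf '%s\n' "$3" > "/dev/udp/$1/$2"
}

# Read "ss -ltn" / "ss -lun" style output on stdin and print the listening port
# numbers, one per line: the digits after the last ':' of the first field that
# looks like address:port (the header's "Address:Port" does not match).
parse_listen_ports() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break } }' \
        | sort -n | uniq
}

# Report every expected listener that is missing; returns 1 if any is.
check_listeners() {
    local missing=0 p
    for p in 27017 9200 9300 9390 80; do
        ss -ltn | parse_listen_ports | grep -qx "$p" || { echo "tcp/$p is not listening"; missing=1; }
    done
    ss -lun | parse_listen_ports | grep -qx 514 || { echo "udp/514 is not listening"; missing=1; }
    return $missing
}

# Only touch the network when explicitly asked, so the functions can be sourced
# and checked on their own.
if [ "${1:-}" = "--run" ]; then
    check_listeners || exit 1
    send_syslog 127.0.0.1 514 "$(syslog_line 1 6 "$(hostname)" smoketest "graylog2 smoke test $$")"
    echo "test message sent; search the web interface for 'smoketest'"
fi
```

The message-building and port-parsing functions are kept separate from the network calls so they can be exercised without a live server; a missing listener tells you which service to look at first (upstart for graylog2-server, the elasticsearch and mongodb init scripts, or apache) before you start chasing the syslog side.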
