Graylog2 on Debian Wheezy

Graylog2 is an open source log management tool; more info at http://graylog2.org.

Install the requirements, MongoDB and the Java 7 runtime environment:

 apt-get install mongodb-server openjdk-7-jre-headless uuid-runtime

Download and install the deb packages graylog2-server, graylog2-stream-dashboard and graylog2-web from http://finja.brachium-system.net/~jonas/packages/graylog2/, and Elasticsearch 0.9 from http://www.elasticsearch.org/downloads/

UPDATE: Find latest graylog deb packages at: http://docs.graylog.org/en/latest/pages/installation/operating_system_packages.html

Enable the graylog2 server and webserver in /etc/default/graylog2-server and /etc/default/graylog2-web by setting “RUN=yes”.

Edit /etc/graylog2/server/server.conf, set passwords and settings for the web interface/stream dashboard:

password_secret=<output of "mkpasswd -m sha-512 mypass">
root_password_sha2=<output of "echo -n mypass | shasum -a 256">
rest_listen_uri = http://<graylog2-server-ip>:12900/
rest_transport_uri = http://<graylog2-server-ip>:12900/
rest_enable_cors = true
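
Added example, not part of the original page: a shell helper that produces the bare digest for root_password_sha2 and checks the two credential settings in server.conf. It uses sha256sum from coreutils in place of "shasum -a 256", and the function names are made up for this example.

```shell
# Added example, not from the original page. sha256sum (coreutils) is used
# here as the equivalent of "shasum -a 256"; function names are hypothetical.

# Print only the hex digest of the string in $1. printf avoids hashing a
# trailing newline; awk drops the "  -" column that sha256sum appends.
sha256_hex() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Succeed only if $1 is exactly 64 lowercase hex characters.
is_sha256_hex() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Print the value of key $2 in config file $1 (last assignment wins),
# with surrounding whitespace removed. Commented-out lines are ignored.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Check the two credential settings in server.conf ($1). Prints one line
# per problem and returns the number of problems found (0 = OK).
check_server_conf() {
    problems=0
    if [ -z "$(conf_get "$1" password_secret)" ]; then
        echo "password_secret is empty"
        problems=$((problems + 1))
    fi
    if ! is_sha256_hex "$(conf_get "$1" root_password_sha2)"; then
        echo "root_password_sha2 is not a bare 64-character hex digest"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage (run by hand):
#   sha256_hex 'mypass'
#   check_server_conf /etc/graylog2/server/server.conf
```

Pasting the full shasum output, including its trailing "  -", into root_password_sha2 is the case the second check catches.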

Edit /etc/graylog2/web/graylog2-web-interface.conf:

graylog2-server.uris="http://<graylog2-server-ip>:12900/"
application.secret="<password_secret>"
elasticsearch_cluster_name = elasticsearch
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = <elastic-search-server-ip>:9300
elasticsearch_network_publish_host = <elastic-search-server-ip>

Start services:

service elasticsearch start
service graylog2-server start
service graylog2-web start

To forward logs from rsyslog, create /etc/rsyslog.d/graylog.conf with the following content and restart the rsyslog service:

# Forward all logs to Graylog2
*.*     @<graylog2-server-ip>:1514 #udp forwarding, using port >1000 instead of 514, otherwise we need root rights on graylog2

Launch the web interface at http://graylog2-server-ip:9000
Go to System -> Inputs -> Launch New Input “Syslog UDP”, port 1514 on your graylog2-server-ip. You should see messages flowing in …

The stream-dashboard sources at /usr/share/graylog2-stream-dashboard can be accessed directly (a modern browser like Chrome is recommended) or via an alias in your webserver. On the dashboard, connect to http://graylog2-server-ip:12900 with your username and password.

For debugging see /var/log/graylog2-server/console.log and /var/log/graylog2-web/console.log

Graylog2 Docs http://support.torch.sh/help/kb