@OndrejValenta
Last active October 19, 2022 07:34
All steps necessary to install Graylog on Ubuntu 18.04, specifically the Hetzner.com image of Ubuntu, which ships without Java and pwgen, so both had to be installed.

Based on this video and guidelines for Java, MongoDB, Elasticsearch and so on

(not yet completed, ended at Graylog running but not configured)

JAVA + other prerequisites

sudo apt-get update && sudo apt-get -y install zsh   -- so you don't drive yourself crazy with the plain console
chsh -s /bin/zsh -- to set Zsh as the default shell

sudo apt-get update
sudo apt install default-jre
sudo apt install pwgen

MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4

echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list

sudo apt-get update

sudo apt-get install -y mongodb-org

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service

To check that MongoDB is running

ps aux | grep mongo

ELASTIC SEARCH

At the moment Graylog supports only Elasticsearch version 6.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

sudo add-apt-repository "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" 

This part is apparently not really needed, but it belongs at the end of the previous line: | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

sudo apt-get update
sudo apt-get install elasticsearch-oss

Open elasticsearch.yml and update the following configuration options

sudo nano /etc/elasticsearch/elasticsearch.yml
  • set cluster.name to graylog
  • add action.auto_create_index: false as the last line
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl restart elasticsearch.service

To check if Elasticsearch is running

ps aux | grep elasticsearch
netstat -an | grep 9200
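Added example (not part of the original gist): the two elasticsearch.yml changes above done from a script, so they can be rehearsed on a scratch copy and verified before the real file is touched. cluster.name and action.auto_create_index are the real Elasticsearch option names; the sample file written by make_sample_es_yml is constructed to mimic the commented-out defaults of the packaged file, and the ES_YML variable, the script name and the --apply flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the gist): set cluster.name and
# action.auto_create_index in elasticsearch.yml from a script and verify the
# result. The helpers take the file as a parameter, so they can be rehearsed on
# a scratch copy before /etc/elasticsearch/elasticsearch.yml is touched.

# set_yaml_option FILE KEY VALUE
# Rewrites an existing "key: value" line, uncommenting it if the packaged file
# ships it commented out (e.g. "#cluster.name: my-application"); otherwise the
# line is appended. Running it twice still leaves exactly one active line.
set_yaml_option() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
    tmp=$(mktemp)
    if grep -q "^#\{0,1\}[[:space:]]*${esc}:" "$file"; then
        sed "s|^#\{0,1\}[[:space:]]*${esc}:.*|${key}: ${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s: %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # copy back, not mv: keeps the owner and mode of the /etc file
    rm -f "$tmp"
}

# get_yaml_option FILE KEY: print the active (uncommented) value, empty if unset
get_yaml_option() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^${esc}:[[:space:]]*||p" "$1" | tail -n 1
}

# verify_es_config FILE: both settings from the notes are in place
verify_es_config() {
    [ "$(get_yaml_option "$1" cluster.name)" = "graylog" ] &&
    [ "$(get_yaml_option "$1" action.auto_create_index)" = "false" ]
}

# configure_es FILE: apply both settings, then verify
configure_es() {
    set_yaml_option "$1" cluster.name graylog &&
    set_yaml_option "$1" action.auto_create_index false &&
    verify_es_config "$1"
}

# make_sample_es_yml FILE: constructed excerpt mimicking the packaged default file
make_sample_es_yml() {
    cat > "$1" <<'EOF'
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
EOF
}

# Usage: "sudo sh es-config.sh --apply" edits the real file (override with ES_YML);
# without --apply it only does a dry run on a constructed sample.
if [ "${1:-}" = "--apply" ]; then
    configure_es "${ES_YML:-/etc/elasticsearch/elasticsearch.yml}" && echo "elasticsearch.yml updated and verified"
else
    scratch=$(mktemp)
    make_sample_es_yml "$scratch"
    configure_es "$scratch" && echo "dry run OK: cluster.name=$(get_yaml_option "$scratch" cluster.name)"
    rm -f "$scratch"
fi
```

Run it without arguments for the dry run, or with --apply as root to edit the real file; restart Elasticsearch afterwards as in the steps above and confirm with the netstat check that port 9200 is listening.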

GRAYLOG

wget https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.deb
sudo dpkg -i graylog-3.0-repository_latest.deb
sudo apt-get update
sudo apt-get install graylog-server

Generate password_secret with

pwgen -N 1 -s 96

Create the SHA-256 hash of the admin password with

echo -n [PASSWORD] | shasum -a 256

Add these two values (the password_secret and the admin password hash) to the Graylog server.conf

sudo nano /etc/graylog/server/server.conf
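Added example (not code from the gist or from Graylog): the three steps above as one script, generating password_secret, hashing the admin password and writing both into server.conf. It assumes the packaged server.conf already contains empty `password_secret =` and `root_password_sha2 =` lines (those are the real Graylog option names; root_password_sha2 is where the shasum output goes); the sample file, the "admin" dry-run password, the CONF variable and the --apply flag are constructed for this example. The admin password is read from a no-echo prompt and piped to the hash function rather than typed on a command line, so it does not land in the shell history or in ps output the way `echo -n [PASSWORD] | shasum -a 256` does.

```shell
#!/bin/sh
# Added example: generate password_secret, hash the admin password and store
# both in Graylog's server.conf. Pass --apply (as root) to touch the real file.

# gen_password_secret: 96 random alphanumerics, as "pwgen -N 1 -s 96" produces.
# Falls back to /dev/urandom on hosts without pwgen (the Hetzner image lacked it).
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
        echo
    fi
}

# hash_admin_password: SHA-256 hex digest of stdin. Reading from stdin keeps the
# password out of argv and shell history; no newline is hashed, which matches
# the "echo -n PASSWORD | shasum -a 256" step.
hash_admin_password() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# set_conf_option FILE KEY VALUE: rewrite the "key = value" line of a Graylog
# server.conf. Refuses to add a key that is not already present: every option
# exists in the packaged file, so a missing key means the wrong file was given.
set_conf_option() {
    file=$1; key=$2; value=$3
    grep -q "^${key}[[:space:]]*=" "$file" || { echo "no '$key' in $file" >&2; return 1; }
    tmp=$(mktemp)
    sed "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
    cat "$tmp" > "$file"   # copy back, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# get_conf_option FILE KEY: print the current value (empty if unset)
get_conf_option() {
    sed -n "s|^${2}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# verify_graylog_secrets FILE: password_secret is at least 64 chars and
# root_password_sha2 is a 64-digit hex string
verify_graylog_secrets() {
    secret=$(get_conf_option "$1" password_secret)
    hash=$(get_conf_option "$1" root_password_sha2)
    [ "${#secret}" -ge 64 ] && printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'
}

# configure_graylog_secrets FILE HASH: write a fresh password_secret and the
# given root_password_sha2, then verify both
configure_graylog_secrets() {
    file=$1; hash=$2
    secret=$(gen_password_secret)
    set_conf_option "$file" password_secret "$secret" &&
    set_conf_option "$file" root_password_sha2 "$hash" &&
    verify_graylog_secrets "$file"
}

# make_sample_server_conf FILE: constructed fragment of the packaged server.conf
make_sample_server_conf() {
    cat > "$1" <<'EOF'
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret =
#root_username = admin
root_password_sha2 =
http_bind_address = 127.0.0.1:9000
EOF
}

# Usage: "sudo sh graylog-secrets.sh --apply" (override the path with CONF);
# without --apply it does a dry run on a constructed sample using the
# constructed password "admin".
if [ "${1:-}" = "--apply" ]; then
    CONF=${CONF:-/etc/graylog/server/server.conf}
    printf 'Admin password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2      # prompt without echoing
    hash=$(printf '%s' "$pw" | hash_admin_password)
    unset pw
    configure_graylog_secrets "$CONF" "$hash" && echo "server.conf updated; restart graylog-server"
else
    scratch=$(mktemp)
    make_sample_server_conf "$scratch"
    configure_graylog_secrets "$scratch" "$(printf '%s' admin | hash_admin_password)" &&
        echo "dry run OK: root_password_sha2=$(get_conf_option "$scratch" root_password_sha2)"
    rm -f "$scratch"
fi
```

The server.conf file is readable only by root and the graylog user for a reason: password_secret peppers every stored user password, so treat the file like a key and keep a copy of the secret somewhere safe before any reinstall, or existing user passwords stop working.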

Start Graylog service

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

To check if Graylog is running

tail -f /var/log/graylog-server/server.log

__ AT THIS POINT EVERYTHING SHOULD BE UP AND RUNNING __

Configure Graylog to receive syslog from the server (not necessary, but it is part of the video)

Get current IP address

ifconfig

Configure RSyslog to send logs to Graylog

Open rsyslog.conf

sudo nano /etc/rsyslog.conf

and add this line at the bottom

*.* @[YOUR PUBLIC(?) IP ADDRESS]:1514;RSYSLOG_SyslogProtocol23Format

Restart RSyslog

sudo systemctl restart rsyslog

Not sure why this needs to be done, for some security reason graylog has no access to 514(?), 514 is redirected to 1514. The code is run under su to be able to save iptables.rules

sudo su -

iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

iptables-save > /etc/iptables.rules

Check that your /etc/iptables.rules contains both lines for the 514 -> 1514 redirect with

nano /etc/iptables.rules

Create a file that is executed after every restart to set up the rules again, and change its permissions to "executable"

nano /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
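Added example (not from the gist): the rsyslog forwarding line, the check that /etc/iptables.rules really holds both redirect rules, and the contents of the if-pre-up.d hook, which the notes create but never show. The reason for the redirect is that graylog-server runs as the unprivileged graylog user and, like any non-root process on Linux, cannot bind ports below 1024, so the syslog input listens on 1514 and the NAT rule lets clients keep sending to the standard 514. The iptables-restore one-liner in the hook is the conventional content for that file and is my assumption, as are the 203.0.113.10 sample address, the script name and the --apply flag; iptables-save writes `--to 1514` back out as `--to-ports 1514`, which is the form the check looks for.

```shell
#!/bin/sh
# Added example: the rsyslog forwarding line, the check that the saved
# iptables rules contain both 514 -> 1514 redirects, and the if-pre-up.d hook
# that restores them at boot. Nothing here needs root until --apply.

# rsyslog_forward_line PROTO HOST PORT
# "@" forwards over UDP (what the gist uses), "@@" over TCP. TCP at least
# fails visibly when the collector is unreachable; UDP drops silently.
rsyslog_forward_line() {
    case $1 in
        udp) printf '*.* @%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$2" "$3" ;;
        tcp) printf '*.* @@%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$2" "$3" ;;
        *)   echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
}

# rules_have_redirect FILE
# iptables-save writes "REDIRECT --to 1514" back out as "--to-ports 1514";
# succeed only if both the tcp and the udp rule are present.
rules_have_redirect() {
    grep -q -- '-A PREROUTING -p tcp .*--dport 514 -j REDIRECT --to-ports 1514' "$1" &&
    grep -q -- '-A PREROUTING -p udp .*--dport 514 -j REDIRECT --to-ports 1514' "$1"
}

# write_restore_hook HOOK RULES
# The gist says to create /etc/network/if-pre-up.d/iptables and chmod +x it but
# does not show its contents; this is the usual one-liner that reloads the
# saved rules before the interface comes up (assumed, not from the gist).
write_restore_hook() {
    hook=$1; rules=$2
    printf '#!/bin/sh\n# restore the NAT redirect 514 -> 1514 saved by iptables-save\niptables-restore < %s\n' "$rules" > "$hook"
    chmod 755 "$hook"
}

# make_sample_rules FILE: constructed iptables-save output with both redirects
make_sample_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
EOF
}

# Usage: "sudo sh syslog-redirect.sh --apply [graylog-ip]" checks the saved
# rules, writes the hook and, if an address is given, appends the forward line;
# without --apply it does a dry run in a scratch directory.
if [ "${1:-}" = "--apply" ]; then
    rules=/etc/iptables.rules
    rules_have_redirect "$rules" || { echo "$rules lacks a redirect rule; run iptables-save first" >&2; exit 1; }
    write_restore_hook /etc/network/if-pre-up.d/iptables "$rules"
    if [ -n "${2:-}" ]; then
        rsyslog_forward_line udp "$2" 1514 >> /etc/rsyslog.conf && systemctl restart rsyslog
    fi
else
    scratch=$(mktemp -d)
    make_sample_rules "$scratch/iptables.rules"
    rules_have_redirect "$scratch/iptables.rules" && write_restore_hook "$scratch/iptables" "$scratch/iptables.rules" &&
        echo "dry run OK; hook written to $scratch/iptables"
    rsyslog_forward_line udp 203.0.113.10 1514    # constructed example address
    rm -rf "$scratch"
fi
```

A single `@` in the rsyslog line is plain UDP: nothing on the wire is encrypted and the sender never learns that the collector is down, so if the forward really goes to a public address, restrict 514 and 1514 to the sending hosts in the INPUT chain and prefer TCP (`@@`) or TLS. When rsyslog and Graylog share the host, as in these notes, forwarding to 127.0.0.1:1514 keeps the traffic local; note that the PREROUTING redirect does not apply to locally generated packets, so from the same machine the forward must target 1514 directly.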

Make Graylog publicly accessible (if you wish)

Open the Graylog server.conf and change http_bind_address to your public IP address

sudo nano /etc/graylog/server/server.conf