Based on this video and guidelines for Java, MongoDB, Elasticsearch and so on
(not yet completed, ended at Graylog running but not configured)
sudo apt-get update && sudo apt-get -y install zsh -- so you don't drive yourself crazy with the plain console
chsh -s /bin/zsh -- to set Zsh as a default console
sudo apt-get update
sudo apt install default-jre
sudo apt install pwgen
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
sudo apt-get update
sudo apt-get install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
ps aux | grep mongo
At the moment Graylog supports only Elasticsearch version 6.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo add-apt-repository "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main"
This step is apparently not really needed, but if used it belongs at the end of the previous line: | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
sudo apt-get update
sudo apt-get install elasticsearch-oss
Open elasticsearch.yml and update the following configuration options
sudo nano /etc/elasticsearch/elasticsearch.yml
- change the cluster name (cluster.name) to graylog
- add as the last line: action.auto_create_index: false
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl restart elasticsearch.service
ps aux | grep elasticsearch
netstat -an | grep 9200
wget https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.deb
sudo dpkg -i graylog-3.0-repository_latest.deb
sudo apt-get update
sudo apt-get install graylog-server
pwgen -N 1 -s 96
echo -n [PASSWORD] | shasum -a 256
nano /etc/graylog/server/server.conf
Start Graylog service
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
tail -f /var/log/graylog-server/server.log
__ AT THIS POINT EVERYTHING SHOULD BE UP AND RUNNING __
ifconfig
Open rsyslog.conf
sudo nano /etc/rsyslog.conf
and add at the bottom this line
*.* @[YOUR PUBLIC(?) IP ADDRESS]:1514;RSYSLOG_SyslogProtocol23Format
Restart RSyslog
sudo systemctl restart rsyslog
Not sure why this needs to be done; for some security reason Graylog has no access to 514(?), so 514 is redirected to 1514. The commands are run under su to be able to save iptables.rules
sudo su -
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
iptables-save > /etc/iptables.rules
nano /etc/iptables.rules
Create a file that is executed after every restart to set up the rules again, and change its permissions to "executable"
nano /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
Open Graylog server.conf and change http_bind_address to your public IP address
sudo nano /etc/graylog/server/server.conf
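The server.conf edits from the pwgen/shasum step above and this http_bind_address step, done as an added shell script rather than by hand (this is example code, not part of the original notes or of Graylog). It assumes a Linux box with coreutils sha256sum and /dev/urandom instead of shasum and pwgen, and takes the config file path as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: fill in the Graylog server.conf values the notes set by hand.
# Assumes coreutils (sha256sum, sed -E) and /dev/urandom; not Graylog's own tooling.

# 96-character random string for password_secret (same length as `pwgen -N 1 -s 96`)
gen_password_secret() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# SHA-256 hex digest of the admin password, which is what root_password_sha2 expects.
# printf '%s' avoids the trailing newline, like `echo -n` in the notes.
sha256_of() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Set "key = value" in a server.conf-style file: replaces an existing (possibly
# commented-out) line, otherwise appends. Values must not contain '|' or '&'.
set_conf_value() {
    file=$1; key=$2; value=$3
    if grep -q -E "^#?${key} *=" "$file"; then
        sed -E "s|^#?${key} *=.*|${key} = ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Read a value back, so the result can be checked before restarting graylog-server
get_conf_value() {
    sed -n -E "s|^$2 *= *||p" "$1"
}

# Apply the notes' settings to one file: $1 = path to server.conf (or a copy),
# $2 = admin password, $3 = public IP address for http_bind_address
configure_graylog() {
    set_conf_value "$1" password_secret "$(gen_password_secret)"
    set_conf_value "$1" root_password_sha2 "$(sha256_of "$2")"
    set_conf_value "$1" http_bind_address "$3:9000"
    set_conf_value "$1" elasticsearch_hosts "http://127.0.0.1:9200"
}
```

Run it as e.g. `configure_graylog /etc/graylog/server/server.conf 'adminpassword' 192.0.2.10` (the IP is a placeholder) and check with `get_conf_value` before starting the service.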