Graylog VM Setup – Start to Finish

Follow the guides here (appliance install, then the graylog-ctl reference):
http://docs.graylog.org/en/latest/pages/installation/virtual_machine_appliances.html

http://docs.graylog.org/en/1.1/pages/installation/graylog_ctl.html

Set the ubuntu user's password:
passwd

Set Static IP:
sudo nano /etc/network/interfaces

auto eth0
iface eth0 inet static
address 192.168.1.200
netmask 255.255.255.0
gateway 192.168.1.1

Add a dns-nameservers line too if the appliance has to resolve names (for the mail server, for instance), then apply with sudo ifdown eth0 && sudo ifup eth0, or reboot.

Update Ubuntu:
sudo aptitude update && sudo aptitude upgrade

sudo graylog-ctl set-email-config <smtp server> [--port= --user= --password=]
sudo graylog-ctl set-admin-password
sudo graylog-ctl set-timezone <zone>
example: sudo graylog-ctl set-timezone America/New_York
sudo graylog-ctl enforce-ssl

sudo graylog-ctl reconfigure (applies the settings above)

Log in to the web interface and add inputs, then point your log sources at Graylog. Install Graylog Collector or NXLog on the sending hosts as needed.
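Before pointing collectors at a new input it is worth proving the input receives anything at all. The script below is an added example, not from the original post or from Graylog: it builds a minimal GELF 1.1 message by hand and sends it over UDP with netcat. The Graylog address 192.168.1.200 (the static IP set above), the GELF UDP port 12201 (the input's default) and a netcat that accepts -u and -w are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): send a hand-built GELF message to a
# Graylog GELF UDP input so the input can be verified before any collector is set up.
# Assumptions: Graylog at 192.168.1.200 (the static IP set above), GELF UDP input on
# 12201 (the default port), and a netcat that accepts -u/-w (OpenBSD or GNU nc).

# gelf_message HOST SHORT_MESSAGE [LEVEL] [TIMESTAMP]: print a one-line GELF 1.1 document.
# Quotes and backslashes in SHORT_MESSAGE are escaped so the JSON stays valid.
gelf_message() {
    host="$1"
    msg="$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
    level="${3:-6}"                 # syslog severity; 6 = informational
    ts="${4:-$(date +%s)}"
    printf '{"version":"1.1","host":"%s","short_message":"%s","timestamp":%s,"level":%s}\n' \
        "$host" "$msg" "$ts" "$level"
}

# send_gelf_udp GRAYLOG_HOST PORT MESSAGE_JSON: fire the message at the input over UDP.
# UDP gives no acknowledgement, so confirm arrival on the input's page in the web interface.
send_gelf_udp() {
    printf '%s' "$3" | nc -u -w 1 "$1" "$2"
}

# Usage: sh gelf-test.sh --send   (override GRAYLOG_HOST / GELF_PORT in the environment)
if [ "${1:-}" = "--send" ]; then
    send_gelf_udp "${GRAYLOG_HOST:-192.168.1.200}" "${GELF_PORT:-12201}" \
        "$(gelf_message "$(hostname)" "gelf input test from $(hostname)")"
fi
```

If the message never shows up, check the input is actually running and that the VM's firewall lets 12201/udp through; a GELF TCP input behaves the same way apart from the transport.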

Grow VM disk (after attaching a second virtual disk, which shows up here as /dev/sdb):
df -h (size before)
fdisk -l (confirm the new, empty disk is /dev/sdb)
pvcreate /dev/sdb
lvdisplay
vgextend graylog-vg /dev/sdb
lvextend -l +100%FREE /dev/graylog-vg/root
resize2fs /dev/graylog-vg/root
df -h (size after)
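The same disk-growing procedure as a checked script, added here and not part of the original post. It assumes the layout the post shows (new disk /dev/sdb, volume group graylog-vg, logical volume root on ext4) and refuses to hand pvcreate a disk that already carries a filesystem, partition table or LVM signature, which is the easy mistake to make with the bare command list.

```shell
#!/bin/sh
# Added example (not from the original post): the LVM grow procedure above, wrapped
# with the checks worth doing first. Assumes the post's layout: new virtual disk
# /dev/sdb, volume group graylog-vg, logical volume root, ext4 root filesystem.
# DRY_RUN=1 prints the plan instead of touching anything.

# run_cmd CMD...: run the command, or only print it when DRY_RUN=1
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# device_is_blank DEV: true when DEV exists and blkid finds no filesystem, partition
# table or LVM signature on it, i.e. it is safe to hand to pvcreate
device_is_blank() {
    [ -b "$1" ] || return 1
    ! blkid "$1" >/dev/null 2>&1
}

# grow_root VG LV DEV: add DEV to VG, give every free extent to LV, grow ext4 in place
grow_root() {
    vg="$1"; lv="$2"; dev="$3"
    lvpath="/dev/$vg/$lv"
    if [ "${DRY_RUN:-0}" != "1" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
        device_is_blank "$dev" || { echo "$dev missing or already in use, refusing pvcreate" >&2; return 1; }
        vgs "$vg" >/dev/null 2>&1 || { echo "volume group $vg not found" >&2; return 1; }
        df -h "$lvpath"                        # size before
    fi
    run_cmd pvcreate "$dev" &&
    run_cmd vgextend "$vg" "$dev" &&
    run_cmd lvextend -l +100%FREE "$lvpath" &&
    run_cmd resize2fs "$lvpath" || return 1
    [ "${DRY_RUN:-0}" = "1" ] || df -h "$lvpath"   # size after
}

# Usage: sudo sh grow-root.sh graylog-vg root /dev/sdb   (prefix DRY_RUN=1 to preview)
if [ "$#" -eq 3 ]; then
    grow_root "$@"
fi
```

lvextend -l +100%FREE hands all free extents in the group to the root LV, and resize2fs grows a mounted ext4 filesystem online, so no reboot is needed; a DRY_RUN=1 pass shows the exact commands before anything touches the volume group.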

Set retention policy (1 GB per index, keep 100 indices):
sudo graylog-ctl set-retention --size=1 --indices=100
sudo graylog-ctl reconfigure

That is 100 GB of index space (1 GB x 100 indices). Keep it well below the free space on the root volume so Elasticsearch has headroom for index merges and the rest of the appliance still has room to run.

useful paths:
/opt/graylog/conf/

Since I have only 1 server, I'm configuring it for 1 shard and 0 replicas.
/opt/graylog/conf/graylog.conf
elasticsearch_shards = 1
elasticsearch_replicas = 0
then: sudo graylog-ctl restart

With a single node, replicas = 0 is what lets the cluster go green (a replica can never be allocated to the node that already holds the primary), but it also means the index data has no second copy, so back the VM up accordingly.
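After the restart, confirm the cluster really is green rather than yellow. This is an added example, not from the post or from Graylog; it assumes the appliance's embedded Elasticsearch answers on http://127.0.0.1:9200 (override with ES_URL) and reads the _cluster/health document with nothing more than sed, since the appliance has no jq.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the Elasticsearch cluster
# behind Graylog is green with no unassigned shards after the shard/replica change.
# Assumption: the appliance's embedded Elasticsearch listens on 127.0.0.1:9200.
ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# json_field JSON KEY: pull the bare value of KEY out of a flat JSON document
# (pretty-printed or one-line). Quotes and newlines are stripped first, and the key
# must be preceded by '{', ',' or a space so "unassigned_shards" does not match
# inside "delayed_unassigned_shards".
json_field() {
    flat="$(printf '%s' "$1" | tr -d '"\n')"
    printf ' %s\n' "$flat" | sed -n "s/.*[{, ]$2 *: *\([A-Za-z0-9_]*\).*/\1/p"
}

# es_health_ok JSON: 0 when status is green and every shard is assigned
es_health_ok() {
    status="$(json_field "$1" status)"
    unassigned="$(json_field "$1" unassigned_shards)"
    [ "$status" = "green" ] && [ "${unassigned:-1}" -eq 0 ]
}

# check_es: fetch health from ES_URL and report; exit 1 on yellow/red, 2 if unreachable
check_es() {
    health="$(curl -sf "$ES_URL/_cluster/health?pretty")" || { echo "cannot reach $ES_URL" >&2; return 2; }
    if es_health_ok "$health"; then
        echo "ok: cluster is green"
    else
        echo "NOT ok: status=$(json_field "$health" status) unassigned_shards=$(json_field "$health" unassigned_shards)" >&2
        return 1
    fi
}

# Usage: sh es-health.sh --check
if [ "${1:-}" = "--check" ]; then
    check_es
fi
```

A yellow status with unassigned_shards equal to the number of primaries is the signature of replicas still set to 1 on a single node; if that is what you see, the graylog.conf change has not taken effect yet.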

To be continued…

troubleshooting:
sudo graylog-ctl tail
This streams the logs of all the appliance services; watch the messages and look for errors.

If an index gets corrupted you can manually cycle the deflector.
cron job to email status report from graylog
sudo apt-get install python-pip
