tested on debian/buster
enough RAM for the Java services, Elasticsearch and Graylog (say at least 4 GB), to prevent the OOM killer from kicking in against graylog-server
and a few packages
apt update && apt dist-upgrade
apt install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr gnupg wget
grab the latest repository – whoops you might prefer 4.2 not 5.0 to avoid the need for the AVX cpu flag
ver=4.2
wget -qO - https://www.mongodb.org/static/pgp/server-$ver.asc | apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/$ver main" \
  > /etc/apt/sources.list.d/mongodb-org.list
apt update && apt install mongodb-org

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" \
  > /etc/apt/sources.list.d/elastic-7.x.list
apt update && apt install elasticsearch-oss
mv -i /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.dist
grep -vE '^#|^$' /etc/elasticsearch/elasticsearch.yml.dist > /etc/elasticsearch/elasticsearch.yml
vi /etc/elasticsearch/elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
cluster.name: graylog
action.auto_create_index: false
grab the latest release
wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb
dpkg -i graylog-4.2-repository_latest.deb && apt update
CE
apt-get install graylog-server
EE (with Integration and Enterprise plug-ins)
apt install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
# cluster secret
pwgen -N 1 -s 96

# graylog root password hash
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

mv /etc/graylog/server/server.conf /etc/graylog/server/server.conf.dist
grep -vE '^#|^$' /etc/graylog/server/server.conf.dist > /etc/graylog/server/server.conf
vi /etc/graylog/server/server.conf

password_secret = ...
root_password_sha2 = ...
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://buster:9000/
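The two secrets above can also be written into server.conf by a script, so the password is not echoed on the terminal and nothing is pasted by hand. This is an added example, not part of the original notes; the function names are made up here, and it assumes pwgen is installed and the conf path is passed as the only argument.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes. Function names are made up here.

# SHA-256 hex digest of stdin with newlines stripped (same pipeline as the notes).
hash_password() {
    tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a server.conf-style file, appending the key if absent.
# Only shell builtins touch the value, so it never shows up in another
# process's argument list. The file is rewritten in place (cat, not mv) so its
# owner and mode are kept.
set_conf_key() {
    local file="$1" key="$2" value="$3" found=0 line tmp
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key ="*|"$key="*) printf '%s = %s\n' "$key" "$value"; found=1 ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    [ "$found" -eq 1 ] || printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Prompt without echo, refuse an empty password, then write both settings.
configure_secrets() {
    local conf="$1" pw
    printf 'Enter Password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    [ -n "$pw" ] || { echo 'empty password refused' >&2; return 1; }
    set_conf_key "$conf" password_secret "$(pwgen -N 1 -s 96)"
    set_conf_key "$conf" root_password_sha2 "$(printf '%s' "$pw" | hash_password)"
}

# Run only when a conf path is given, e.g. /etc/graylog/server/server.conf
if [ "$#" -eq 1 ]; then
    configure_secrets "$1"
fi
```

Run it after the mv/grep step, so the stripped server.conf already exists.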
systemctl daemon-reload
systemctl enable mongod.service
systemctl enable elasticsearch.service
systemctl enable graylog-server.service
systemctl restart mongod.service
systemctl restart elasticsearch.service
systemctl restart graylog-server.service
systemctl status mongod.service
systemctl status elasticsearch.service
systemctl status graylog-server.service
systemctl list-unit-files | grep mongo
systemctl list-unit-files | grep elastic
systemctl list-unit-files | grep gray
create an input method
System / Beats
Beats > Launch new input
Global
name beats
bind 0.0.0.0
port 5044

also create a Sidecar configuration to collect the log files with; change the log location and target listener as needed

System / Sidecars
New Collector Configuration
name filebeat-linux
collector filebeat on Linux

fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
filebeat.inputs:
- input_type: log
  paths:
    - /var/log/*log
    - /var/log/*/*log
  type: log
output.logstash:
  hosts: ["buster:5044"]
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log
now go create a token for some collectors to reach the server
http://buster:9000/
admin / THE PASSWORD YOU HASHED
System / Sidecars
create token
token name: sidecar-token

[ 1971.055116] traps: mongod[5894] trap invalid opcode ip:563d57433dfa sp:7ffef60befe0 error:0 in mongod[563d5345e000+5111000]
[ 2020.756627] traps: mongod[5902] trap invalid opcode ip:5557272e8dfa sp:7ffee02b83f0 error:0 in mongod[555723313000+5111000]
==> your cpu is too old? revert back to mongodb v4.2
DEBIAN INSTALLATION https://docs.graylog.org/v1/docs/debian
INITIAL CONFIGURATION https://docs.graylog.org/v1/docs/configure
CONFIGURING GRAYLOG https://docs.graylog.org/docs/configuring-graylog
SENDING IN LOG DATA https://docs.graylog.org/v1/docs/sending-data
INGEST SYSLOG https://docs.graylog.org/v1/docs/syslog
EXTRACTORS https://docs.graylog.org/v1/docs/extractors
PROCESSING PIPELINES https://docs.graylog.org/v1/docs/processing-pipelines
https://packages.graylog2.org/packages
https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610
https://stackoverflow.com/questions/3758301/trap-invalid-opcode-rip-rsp