graylog server | sidecar | filebeat | syslog udp
tested on Debian 10 and 11
you need some RAM for the Java processes (Elasticsearch and Graylog), say at least 4 GB, and should keep the OOM killer from going after graylog-server
and a few packages:
apt update && apt dist-upgrade
apt install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr gnupg wget
grab the latest MongoDB repository – but you might prefer 4.2 rather than 5.0 to avoid the need for the AVX CPU flag (see the invalid opcode trap below)
ver=4.2
wget -qO - https://www.mongodb.org/static/pgp/server-$ver.asc | apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/$ver main" \
  > /etc/apt/sources.list.d/mongodb-org.list
apt update && apt install mongodb-org
then Elasticsearch (OSS 7.x):
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" \
  > /etc/apt/sources.list.d/elastic-7.x.list
apt update && apt install elasticsearch-oss
mv -i /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.dist
grep -vE '^#|^$' /etc/elasticsearch/elasticsearch.yml.dist > /etc/elasticsearch/elasticsearch.yml
vi /etc/elasticsearch/elasticsearch.yml
  cluster.name: graylog-cluster
  action.auto_create_index: false
grab the latest Graylog release repository
wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb
dpkg -i graylog-4.2-repository_latest.deb && apt update
CE
apt-get install graylog-server
EE (with Integration and Enterprise plug-ins)
apt install graylog-server \
  graylog-enterprise-plugins \
  graylog-integrations-plugins \
  graylog-enterprise-integrations-plugins
# cluster secret
pwgen -N 1 -s 96
# graylog root password hash
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
mv /etc/graylog/server/server.conf /etc/graylog/server/server.conf.dist
grep -vE '^#|^$' /etc/graylog/server/server.conf.dist > /etc/graylog/server/server.conf
vi /etc/graylog/server/server.conf
  password_secret = ...
  root_password_sha2 = ...
  http_bind_address = 0.0.0.0:9000
  http_publish_uri = http://graylog-server:9000/
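The same server.conf step done non-interactively, as an added example that is not part of the original notes. It assumes Debian (GNU sed and coreutils) and pwgen as installed above; the function names, the GRAYLOG_CONF variable and the chmod are this example's own choices. The notable difference from the one-liner above is that the password is hashed with printf rather than "echo -n", since dash's builtin echo has no -n and would silently hash the wrong string.

```shell
#!/bin/sh
# Added example, not part of the original notes: produce the two secrets that
# server.conf needs and set the keys from the notes without hand-editing in vi.
# Assumes Debian (GNU sed/coreutils) and pwgen, which the notes install; the
# config path variable and the function names are this example's own.
set -eu

GRAYLOG_CONF=${GRAYLOG_CONF:-/etc/graylog/server/server.conf}

# SHA-256 hex digest of the root password given as $1, non-interactively.
# printf is used rather than "echo -n": dash's builtin echo has no -n and
# would hash the literal string "-n <password>\n", giving a hash that never
# matches what you later type into the login form.
hash_root_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character cluster secret (password_secret), same call the notes use,
# with a /dev/urandom fallback for machines without pwgen.
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
    fi
}

# Set "key = value" in a graylog-style config: rewrite the key's line if it is
# present (commented out or not), otherwise append it. $1=file $2=key $3=value.
# Uses | as the sed delimiter so URL values containing / are fine; values
# containing | or & are not handled.
set_conf_key() {
    if grep -qE "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^#?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Print the current value of key $2 in file $1 (empty if unset).
get_conf_key() {
    sed -nE "s|^$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | head -n 1
}

# Apply the four settings from the notes to config file $1, hashing the root
# password given as $2. Prints nothing; the secrets end up only in the file.
configure_graylog_server() {
    set_conf_key "$1" password_secret "$(gen_password_secret)"
    set_conf_key "$1" root_password_sha2 "$(hash_root_password "$2")"
    set_conf_key "$1" http_bind_address "0.0.0.0:9000"
    set_conf_key "$1" http_publish_uri "http://graylog-server:9000/"
    chmod 640 "$1"   # the file now holds the cluster secret and password hash
}

# Stand-alone use (prompts once, then writes the real config):
#   printf 'Enter Password: '; read -r pw
#   configure_graylog_server "$GRAYLOG_CONF" "$pw"
```

Run it against a copy of server.conf first and diff the result; the keys are rewritten in place when they exist (including commented-out defaults) and appended otherwise, so it works on both the stripped file produced by the grep above and the untouched server.conf.dist.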
and check the server's node id
cat /etc/graylog/server/node-id
systemctl daemon-reload
systemctl enable mongod.service
systemctl enable elasticsearch.service
systemctl enable graylog-server.service
systemctl restart mongod.service
systemctl restart elasticsearch.service
systemctl restart graylog-server.service
systemctl status mongod.service
systemctl status elasticsearch.service
systemctl status graylog-server.service
systemctl list-unit-files | grep mongo
systemctl list-unit-files | grep elastic
systemctl list-unit-files | grep gray
you can now connect to the Web UI
http://graylog-server:9000/
http://graylog-server:9000/search
admin / THE PASSWORD YOU HASHED
if mongod keeps dying and dmesg shows this:
[ 1971.055116] traps: mongod[5894] trap invalid opcode ip:563d57433dfa sp:7ffef60befe0 error:0 in mongod[563d5345e000+5111000]
[ 2020.756627] traps: mongod[5902] trap invalid opcode ip:5557272e8dfa sp:7ffee02b83f0 error:0 in mongod[555723313000+5111000]
==> your CPU is too old (no AVX flag)? revert to MongoDB 4.2
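Two small checks for the AVX question raised with the MongoDB repository choice above and diagnosed by the trap lines here, as an added example that is not part of the original notes: pick the repo version from /proc/cpuinfo before installing, and pull the name of whichever process hit "trap invalid opcode" out of dmesg output. It assumes a Linux /proc/cpuinfo layout; the function names are this example's own, and "ver" is the variable the notes use.

```shell
#!/bin/sh
# Added example, not part of the original notes: decide whether this CPU can
# run MongoDB 5.0 (which needs AVX) before adding the repo, and extract the
# process name from "trap invalid opcode" lines in kernel log output.
# Assumes a Linux /proc/cpuinfo layout; function names are this example's own.
set -eu

# Print 1 if the flags line of a cpuinfo file lists avx, else 0.
# $1 = cpuinfo file (defaults to /proc/cpuinfo); taking a file keeps it testable.
cpu_has_avx() {
    if grep -E '^flags[[:space:]]*:' "${1:-/proc/cpuinfo}" | grep -qw avx; then
        echo 1
    else
        echo 0
    fi
}

# Pick the MongoDB repo version to put in $ver: 5.0 only when AVX is present,
# otherwise the 4.2 the notes fall back to.
mongodb_version_for_cpu() {
    if [ "$(cpu_has_avx "${1:-/proc/cpuinfo}")" -eq 1 ]; then
        echo 5.0
    else
        echo 4.2
    fi
}

# Given kernel log text on stdin (e.g. from "dmesg"), print the distinct
# process names that died with "trap invalid opcode", one per line.
invalid_opcode_processes() {
    sed -nE 's/.*traps: ([^[]+)\[[0-9]+\] trap invalid opcode.*/\1/p' | sort -u
}

# Stand-alone use on the live machine:
#   ver=$(mongodb_version_for_cpu)
#   dmesg | invalid_opcode_processes
```

If invalid_opcode_processes prints mongod and cpu_has_avx prints 0, the fix is the one the notes give: remove the 5.0 repo entry, set ver=4.2 and reinstall mongodb-org.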
DEBIAN INSTALLATION https://docs.graylog.org/v1/docs/debian
INITIAL CONFIGURATION https://docs.graylog.org/v1/docs/configure
CONFIGURING GRAYLOG https://docs.graylog.org/docs/configuring-graylog
SENDING IN LOG DATA https://docs.graylog.org/v1/docs/sending-data
INGEST SYSLOG https://docs.graylog.org/v1/docs/syslog
EXTRACTORS https://docs.graylog.org/v1/docs/extractors
PROCESSING PIPELINES https://docs.graylog.org/v1/docs/processing-pipelines
https://packages.graylog2.org/packages
https://www.mongodb.com/community/forums/t/mongodb-5-0-cpu-intel-g4650-compatibility/116610
https://stackoverflow.com/questions/3758301/trap-invalid-opcode-rip-rsp