Ubuntu 14.04 Graylog2 Virtual Appliance

I have put together a prebuilt Graylog2 virtual appliance to share with the community. It is built on a fresh Ubuntu 14.04 LTS x64 Server install and runs the latest Graylog2, v0.20.1. I hope you find it useful; please feel free to leave comments. You can grab the .ova torrent from here or download it directly from here (thanks @_lennart).

Below are the details of the appliance. Thanks to all who helped in seeding this for me, much appreciated.

FYI: SSH is not running on the appliance. If you want the SSH server, log in to the console and run the following:

sudo apt-get -y install openssh-server

If you would rather install Graylog2 yourself, you can still use the auto-install script here and watch the video here.

Enjoy!

Details

This is a fully functional Graylog2 syslog server ready for use. It is built on a fresh Ubuntu 14.04 LTS x64 server and runs Graylog2 v0.20.1, the latest at this time.

To log in to the console of this appliance use the following details.
login: administrator
password: graylog2

To log in to the Graylog2 web UI use the following details. (They are also shown on the console screen when the appliance boots.) Both sets of credentials are the same published defaults on every copy of this appliance, so change them before the appliance is reachable from anything other than your own workstation: run passwd for the console account, and set a new web UI admin password (the upgrade script further down prompts for one). The web UI is plain HTTP, so keep port 9000 restricted to the admin network.

http://applianceIP:9000

user: admin
password: password123

Provided by @mrlesmithjr

http://everythingshouldbevirtual.com

mrlesmithjr@everythingshouldbevirtual.com

 

****UPGRADING APPLIANCE****

If you want to upgrade the Graylog2 version running on the appliance, do the following to move to the latest version.

From a console session logged in as administrator run the following commands. Snapshot the appliance first: the script replaces /etc/graylog2.conf (a copy is kept at /etc/graylog2.conf.pre-upgrade) and prompts for a new web UI admin password, so any LDAP or other settings in the old file have to be re-applied afterwards.

cd ~
cd graylog2
git pull https://github.com/mrlesmithjr/graylog2
chmod +x Upgrade_Scripts/Graylog2_Appliance_Upgrade.sh
cd ~
sudo ./graylog2/Upgrade_Scripts/Graylog2_Appliance_Upgrade.sh

After this completes you should be up and running with the latest Graylog2 version; log in to the web UI with the admin password you entered during the upgrade.
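As an added example (not the appliance's own upgrade script and not code from the post), here is a small POSIX shell wrapper around the upgrade steps above. It fetches upstream without merging so the diff of the upgrade script can be read before anything runs as root, records the script's SHA-256 at review time and refuses to run it if the working copy differs, and saves a copy of /etc/graylog2.conf (which the upgrade replaces) under the administrator's home before calling the script with sudo. The repo path ~/graylog2, the backup directory, the SUDO/REPO_DIR/CONF/BACKUP_DIR variable names and the use of sudo to read the config are assumptions; the repo URL and script path are the ones given above.

```shell
#!/bin/sh
# Added example, not the appliance's own upgrade script: wraps the upgrade
# steps from the post so that the script pulled from GitHub is reviewed and
# hash-pinned before it runs under sudo, and a copy of the config the
# upgrade replaces is kept in the administrator's home directory.
# Assumptions: the checkout lives at ~/graylog2, the script path is the one
# from the post, and /etc/graylog2.conf is the file the upgrade overwrites.
set -eu

REPO_DIR="${REPO_DIR:-$HOME/graylog2}"
REPO_URL="https://github.com/mrlesmithjr/graylog2"
UPGRADE_SCRIPT="Upgrade_Scripts/Graylog2_Appliance_Upgrade.sh"
CONF="${CONF:-/etc/graylog2.conf}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/graylog2-backups}"

# SHA-256 of a file; sha256sum is in coreutils on Ubuntu, shasum is a fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy file $1 into directory $2 under a timestamped name and print the
# backup path. Uses sudo by default because /etc/graylog2.conf may be
# root-only; set SUDO= (empty) when the caller can read the file itself.
backup_conf() {
    src="$1"; dir="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$dir"
    dest="$dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    ${SUDO-sudo} cp -p "$src" "$dest"
    ${SUDO-sudo} chown "$(id -u):$(id -g)" "$dest"
    chmod 600 "$dest"   # the config carries the admin password hash
    printf '%s\n' "$dest"
}

# Succeed only if the file's digest matches the one recorded at review time.
verify_pinned() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Step 1: fetch upstream without merging, show what changes in the script
# that is about to run as root, and print the digest of the reviewed copy.
review_upstream() {
    cd "$REPO_DIR"
    git fetch "$REPO_URL"
    git diff HEAD FETCH_HEAD -- "$UPGRADE_SCRIPT"
    tmp="$(mktemp)"
    git show "FETCH_HEAD:$UPGRADE_SCRIPT" > "$tmp"
    echo "reviewed sha256: $(sha256_of "$tmp")"
    rm -f "$tmp"
}

# Step 2: fast-forward to the reviewed revision (fails, before anything runs,
# if the checkout has local edits), refuse to continue if the script differs
# from the reviewed copy, save the config, then run the upgrade as root.
run_upgrade() {
    expected="$1"
    cd "$REPO_DIR"
    git merge --ff-only FETCH_HEAD
    verify_pinned "$UPGRADE_SCRIPT" "$expected" || {
        echo "$UPGRADE_SCRIPT does not match the reviewed digest; aborting" >&2
        return 1
    }
    chmod +x "$UPGRADE_SCRIPT"
    bak="$(backup_conf "$CONF" "$BACKUP_DIR")"
    echo "config saved to $bak"
    cd "$HOME"
    sudo "$REPO_DIR/$UPGRADE_SCRIPT"
}

# Usage: sh upgrade_wrapper.sh review     (read the diff, note the digest)
#        sh upgrade_wrapper.sh run <sha256-printed-by-review>
case "${1:-}" in
    review) review_upstream ;;
    run)    run_upgrade "${2:?sha256 of the reviewed script}" ;;
esac
```

Run the review step, read the diff, then run the upgrade step with the digest it printed. If the checkout has local edits (the "Your local changes ... would be overwritten" error that appears in the comments), git merge --ff-only stops before the script is executed; stash those edits first.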

38 thoughts on "Ubuntu 14.04 Graylog2 Virtual Appliance"

  1. Great idea to use a torrent. I just downloaded the ova @ around ~2.2MB/s, which isn't bad. Thanks and I'll continue to seed as well!

  2. Appliance works excellently, thanks. I had to put the VM on a subnet that has DHCP first to do all the self-configuration magic and then give it a static IP afterwards (no big deal). I enabled the firewall on mine to lock it down:

    sudo ufw enable
    sudo ufw default deny outgoing
    sudo ufw allow in 514/udp
    sudo ufw allow in 9000/tcp

    Thinking of installing nxlog on this same VM appliance to receive Windows Event Logs, convert them to GELF and forward them to Graylog2 on 127.0.0.1. What do you think?

    I know you said the default but what is the retention default for this new version?

  3. Great! Thank you so much for the vm. And thank you for the script as well. I have learned so much over time using your script.

  4. Hi. Great work doing this, it's a quick deploy! Emails, however, don't seem to work for me. I've set it up according to one of your other posts. Is there any way I can see what part of it is failing? It just resets the web interface every time I attempt to send a test

  5. How do we upgrade to a newer version of Graylog2 on this appliance? There are some good bug fixes in Graylog2 0.20.2 that I need in my environment.

    • @donavon I am working on an upgrade script to use with the appliance. I will let you know when it is ready for testing.

    • @Donovan – The steps to upgrade the appliance are now attached to this post. Make sure to snapshot the appliance before running the upgrade script just to be safe.

  6. Thanks for the script. It did upgrade the appliance but since it overwrites the graylog.conf file the passwords for the admin user and LDAP configuration didn't work off the bat. I reconfigured my admin account and re-did LDAP and all was fine after that. Would it be appropriate to back up the graylog.conf file and copy it back for a smooth upgrade?

  7. Hello, I tried to update the appliance but when the script asks to set the password I'm getting the following error message:

    Creating SymLink Graylog2-server

    Installing graylog2-server

    Enter a password to use for the admin account to login to the Graylog2 webUI: XXXXXXX

    You entered XXXXXXX (MAKE SURE TO NOT FORGET THIS PASSWORD!)

    ./graylog2/Upgrade_Scripts/Graylog2_Appliance_Upgrade.sh: line 59: pause: command not found

    How do I solve it?

    Thanks

    • @Gino – Good catch. I have fixed the issue. You will need to refresh your git repo to get the updated script.

  8. Thanks mrlesmithjr, I upgraded without the error, but now I'm not able to log into the Graylog2 web interface. The error message:

    sorry, those credentials are invalid

    What to do?

    Thanks

    • Hopefully you took a snapshot before running the upgrade script? :) If not you should still be good to go. If you follow the upgrade instructions again and run the upgrade script after downloading the updated script you should be good to go. FYI….The script is replacing your current /etc/graylog2.conf file but it will be copied to /etc/graylog2.conf.pre-upgrade in case you need anything from it.

  9. Thanks mrlesmithjr.

    No need for mucking about with snapshots/backups, this is a test server :)

    The update worked for me, but I do note that git complains about the script and won't pull unless I delete it – a trifle.

    Now all I have to do is figure out some whizzy dashboards of streams of whatever – oh yeah, I do need to figure out how to fix my sources list – the reason for me upgrading in the first place!

    Here's a snippet of the sources list:

    vfcount 6
    e1000e 6
    pkp 6
    disabling 6
    10.0.10.212 6
    10.0.10.111 4
    on 4
    n 4
    10.0.10.112 3
    ial 2
    ed 2
    initial 2
    timed 2
    nitial 2
    imed 2
    out 2

    Previous
    1
    Next

    Showing 35 of 35 records

  10. What's everybody using for monitoring their graylog2 server? I've come in a few times to have the server instance not running and not collecting logs. I'm suspecting I didn't give it enough RAM so I bumped it from 1GB to 4GB.

    I'm doing basic Linux server monitoring using Nagios but beyond monitoring the Graylog2 java processes, is there anything else that might indicate a failure?

  11. Pingback: Ubuntu 12.04 Graylog2 Installation | Everything Should Be Virtual

  12. Hi Larry, first of all many thanks for your time making this VM. I spent many hours without luck. Now it is working in version 0.20.1. I tried your upgrade instructions/procedure without luck. If it's possible, could you suggest what it is I am doing wrong?

    administrator@graylog2:~/graylog2$ git pull https://github.com/mrlesmithjr/graylog2
    remote: Counting objects: 156, done.
    remote: Compressing objects: 100% (72/72), done.
    remote: Total 156 (delta 89), reused 149 (delta 84)
    Receiving objects: 100% (156/156), 44.28 KiB | 0 bytes/s, done.
    Resolving deltas: 100% (89/89), done.
    From https://github.com/mrlesmithjr/graylog2
    * branch HEAD -> FETCH_HEAD
    Updating 31f1069..ea8d62e
    error: Your local changes to the following files would be overwritten by merge:
    install_graylog2_20_ubuntu.sh
    Please, commit your changes or stash them before you can merge.
    Aborting

    Best regards, and thanks again.

      • Hi mrlesmithjr, first of all thanks. It worked fine without errors. It seems the scripts are probably outdated, since when it finished the process the actual version is 0.20.3 and according to my research it is 0.20.6. In /opt/ I found this: graylog2-server-0.20.3 graylog2-web-interface-0.20.3. If you have an idea what I am doing wrong, great. If not, thanks again!!!!! Regards, Gregorio M.

  13. I tried to run patches on the appliance and effectively broke at least Graylog2. I took a snapshot before I did this so recovery was not a problem. My question in all of this is: what is the suggested method for applying security patches and other package updates?

    • @Scott – You should be able to do normal system updates without having any issues. Do you have some examples or anything in regards to what may have broken? I will try to duplicate the same issue myself as soon as I can however.

      • I will freely admit that I am not very familiar with Ubuntu Server; I'm used to RHEL and CentOS. I ran sudo apt-get update followed by sudo apt-get upgrade. I did receive a couple of prompts about overwriting configurations, which I did not do.

        The graylog2 services were down after the update and would not restart, I'm not sure how much else. I only poked around for a few minutes before I aborted and rolled back the snapshot.

        If you cannot reproduce it I can attempt this again and provide you with any information you need.. I am trying to minimize downtime as I'm getting about 30-million messages a week.

        • Although I did not have problems on my pre-production server, the production server is still having issues. The web UI is not listening on 9000. MongoDB is running as well as the other services.

          sjenkins@graylog2:/$ netstat -ltn
          Active Internet connections (only servers)
          Proto Recv-Q Send-Q Local Address Foreign Address State
          tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
          tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN
          tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
          tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
          tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
          tcp6 0 0 :::9200 :::* LISTEN
          tcp6 0 0 :::9300 :::* LISTEN
          tcp6 0 0 :::22 :::* LISTEN
          tcp6 0 0 :::514 :::* LISTEN
          tcp6 0 0 :::9350 :::* LISTEN
          tcp6 0 0 :::9000 :::* LISTEN
          sjenkins@graylog2:/$ sudo service mongodb status
          mongodb start/running, process 3737

          • Embarrassed to say that, as usual, it was a "me" issue. For reasons unknown my good friend ufw did not load as intended, or iptables-persistent did not load the rules at boot. Regardless it's working normally.
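The netstat listing in the thread above shows Elasticsearch (9200/9300) and MongoDB (27017/28017) bound to every interface, although on a single-VM appliance only SSH, the syslog input and the web UI need to be reachable from other hosts. As an added example (not from the post or its comments), the POSIX shell script below audits `netstat -ltn` output for wildcard-bound listeners outside that allow-list; the listener list pasted in the comment above is embedded as the built-in sample input, and the PUBLIC_PORTS list (the same three ports the ufw rules in comment 2 open, plus SSH) is an assumption.

```shell
#!/bin/sh
# Added example, not from the post or its comments: audit `netstat -ltn`
# output for services bound to every interface (0.0.0.0 or ::) that do not
# need to be reachable from other hosts on a single-VM Graylog2 appliance.
# SAMPLE is the listener list pasted in the comment above.
set -eu

# Ports other hosts legitimately talk to: SSH, the syslog input and the
# web UI. Assumption; adjust if more inputs are added.
PUBLIC_PORTS="${PUBLIC_PORTS:-22 514 9000}"

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
tcp6 0 0 :::9200 :::* LISTEN
tcp6 0 0 :::9300 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::514 :::* LISTEN
tcp6 0 0 :::9350 :::* LISTEN
tcp6 0 0 :::9000 :::* LISTEN'

# Read netstat -ltn lines on stdin; print "EXPOSED <port> <address>" for each
# wildcard-bound listener whose port is not in PUBLIC_PORTS, sorted by port.
# Loopback-bound listeners (127.0.0.1, ::1) are never reported.
audit_listeners() {
    awk -v pub="$PUBLIC_PORTS" '
        BEGIN { n = split(pub, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]          # works for 0.0.0.0:9200 and :::9200
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "::") && !(port in ok))
                print "EXPOSED", port, addr
        }' | sort -n -k2,2
}

# Number of exposed listeners on stdin; prints 0 (not an error) when clean.
count_exposed() {
    audit_listeners | grep -c '^EXPOSED' || true
}

# `sh audit_listeners.sh` audits the sample from the comment;
# `netstat -ltn | sh audit_listeners.sh live` audits this host.
if [ "${1:-}" = "live" ]; then
    audit_listeners
else
    printf '%s\n' "$SAMPLE" | audit_listeners
fi
```

For each port reported, either bind the service to loopback (network.host for Elasticsearch, bind_ip for MongoDB) or leave the ufw default of denying incoming traffic in place, as comment 2 does. Note that comment 2's ruleset also defaults to denying outgoing traffic, which blocks apt-get and the git pull the upgrade procedure relies on unless outbound rules are added.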

  14. Great post, good sir, and much appreciated. I'm only left curious about one thing, log storage. What's the straightforward approach to managing where logs are stored? I'd like to have Graylog2 store the logs on a separate HDD attached to the VM.

  15. Has anyone had any issue with all logs coming in from "localhost" rather than being classified by their actual source? The OVA template works great and classifies sources correctly, but using the .sh install script for 2_9_ubuntu doesn't. Could it be a difference in the /etc/rsyslog.d/32-graylog2.conf file? Any ideas would be appreciated.
