Introduction
In this tutorial, we will cover the installation of Graylog2 (v0.20.2), and configure it to gather the syslogs of our systems in a centralized location. Graylog2 is a powerful log management and analysis tool that has many use cases, from monitoring SSH logins and unusual activity to debugging applications. It is based on Elasticsearch, Java, MongoDB, and Scala.
It is possible to use Graylog2 to gather and monitor a large variety of logs, but we will limit the scope of this tutorial to syslog gathering. Also, because we are demonstrating the basics of Graylog2, we will be installing all of the components on a single server.
About Graylog2 Components
Graylog2 has four main components:
- Graylog2 Server nodes: Serve as workers that receive and process messages, and communicate with all other non-server components. Their performance is CPU-dependent.
- Elasticsearch nodes: Store all of the logs/messages. Their performance is RAM- and disk-I/O-dependent.
- MongoDB: Stores metadata and does not experience much load.
- Web Interface: The user interface.
Here is a diagram of the Graylog2 components (note that the messages are sent from your other servers):
For a very basic setup, all of the components can be installed on the same server. For a larger, production setup, it would be wise to set up some high-availability features, because if the server, Elasticsearch, or MongoDB components experience an outage, Graylog2 will not gather the messages generated during the outage.