
Create the Graylog server using Debian 10. Replace the placeholder address in the commands below with your Graylog server IP, and pay attention to the echo output:

# graylog server on deb10
# Installs MongoDB 4.2, Elasticsearch OSS 6.x and the Graylog 3.1 repository
# package plus graylog-server on a single Debian 10 host.
# NOTE(review): several URLs (keyserver host, repository lines, signing-key
# download) are missing from this copy of the page; restore them from the
# vendors' install documentation before running anything.

# Bring the base system up to date, then install the prerequisites.
apt-get update && apt-get upgrade -y
apt-get install apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen dirmngr curl
# Import a repository signing key by key ID (presumably the MongoDB 4.2 key,
# given the repository added next). The keyserver host is missing here.
# A key fetched by ID from a keyserver should be checked against the full
# fingerprint published by the vendor before it is trusted.
apt-key adv --keyserver hkp:// --recv 4B7C549A058F8B6B
# Register the MongoDB 4.2 apt source (repository URL missing in this copy).
echo "deb buster/mongodb-org/4.2 main" | tee /etc/apt/sources.list.d/mongodb-org-4.2.list
apt-get update && apt-get install mongodb-org -y
systemctl daemon-reload
systemctl enable mongod.service
systemctl restart mongod.service
# Add the Elasticsearch repository signing key (download URL missing).
# Piping a download straight into apt-key trusts whatever the server returns:
# fetch the key over HTTPS and compare its fingerprint first.
wget -qO - | apt-key add -
# "tee -a" appends, so re-running this line duplicates the source entry.
echo "deb stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list
apt-get update && apt-get install elasticsearch-oss -y
# NOTE(review): the setting name in front of "graylog" is missing in this
# copy - presumably cluster.name; confirm before appending to the file.
echo " graylog" >> /etc/elasticsearch/elasticsearch.yml
# Stop Elasticsearch from creating indices automatically.
echo "action.auto_create_index: false" >> /etc/elasticsearch/elasticsearch.yml
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
# NOTE(review): the step that downloads this .deb is not shown on the page.
dpkg -i graylog-3.1-repository_latest.deb
apt-get update && apt-get install graylog-server -y
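# Print the server.conf settings that must be filled in before Graylog starts.
# Both secrets are per-install values: a password_secret or admin password
# hash copied from a public page is known to every reader of that page, so
# each installation generates its own.
#   password_secret    - random string, generated here with pwgen
#   root_password_sha2 - SHA-256 hex digest of the admin password you choose, e.g.
#                        head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d' ' -f1
#                        (reads the password from stdin, keeping it out of argv
#                        and shell history)
graylog_password_secret="$(pwgen -N 1 -s 96)" \
  || echo "pwgen failed; generate password_secret by other means" >&2
echo "edit /etc/graylog/server/server.conf and set..."
echo "password_secret = ${graylog_password_secret}"
echo "root_password_sha2 = <sha256 hex digest of your own admin password>"
# The bind/publish values are blank in this copy of the page; use the
# Graylog server's own address.
echo "http_bind_address ="
echo "http_publish_uri ="
# NOTE(review): edit server.conf as printed above before the start command;
# Graylog is expected to refuse to start while the two secrets are unset.
systemctl enable graylog-server.service
systemctl start graylog-server.service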

The Graylog web UI should now be up. Create a GELF UDP input using the default port 12201.

# add fluentd on graylog server
# Sets up td-agent (Fluentd) next to Graylog and adds the GELF output gem.
apt-get install sudo ntp ntpdate ntpstat ruby-gelf
# NOTE(review): the installer URL (and anything that followed it on this
# line) is missing in this copy. If it was a script piped to a shell,
# download it to a file and read it before running it as root.
curl -L
systemctl daemon-reload
systemctl enable td-agent
# Install the gelf gem with td-agent's own gem command.
td-agent-gem install gelf
# NOTE(review): presumably a plugin file was downloaded between these two
# cd commands; that step is not shown here.
cd /etc/td-agent/plugin
cd ../

Append to /etc/td-agent/td-agent.conf ...

type syslog
tag hostname_goes_here
<match *.*>
type copy
type gelf
port 12201
flush_interval 5s
type stdout

# Restart td-agent so it loads the configuration appended above.
systemctl restart td-agent

# Start td-agent at boot (repeats the earlier enable; harmless).
systemctl enable td-agent

The next steps are to be executed on the sipXcom or Uniteme server(s). Replace the server address placeholder with your sipXcom or Uniteme server IP, and the address in the last output section with your Graylog server IP.

# fluentbit on sipx/uniteme centos7
# Create a yum repository definition for Fluent Bit.
# NOTE(review): the stanza shown on this page has only name and baseurl;
# confirm it also carries gpgcheck=1 and a gpgkey entry so that packages
# from this repository are signature-checked.
cd /etc/yum.repos.d/
nano fluentbit.repo

name = fluentbit
baseurl =

# NOTE(review): a bare "yum update" upgrades every package on the host and
# prompts for confirmation; on a production PBX consider scheduling it.
yum update
yum install td-agent-bit -y
# Keep the packaged configuration as a backup in the home directory, then
# write a new one with the sections listed below.
mv /etc/td-agent-bit/td-agent-bit.conf ~/td-agent-bit.conf.orig
nano /etc/td-agent-bit/td-agent-bit.conf

Flush 5
Parsers_File parsers.conf
Plugins_File plugins.conf

Name cpu
Tag cpu.local
Interval_Sec 1

Name mem
Tag memory

Name disk
Tag disk.local
Interval_Sec 1

Name netif
Tag netif.eth0
Interval_Sec 1
Interface eth0

Name tail
Path /var/log/sipxpbx/proxy_stats.json
Refresh_Interval 1
Parser json

Name tail
Path /var/log/sipxpbx/sipXproxy.log
Refresh_Interval 1
Skip_Long_Lines off
Multiline On
Multiline_Flush 25
Parser_Firstline syslog-rfc5424
Buffer_Chunk_Size 1M
Buffer_Max_Size 1G

Name forward
Match *
Port 24224

# Restart Fluent Bit so it loads the new configuration.
# NOTE(review): the forward output above shows no tls or Shared_Key
# settings, so records would cross the network unauthenticated and in clear
# text; restrict port 24224 on the receiver to the sending hosts.
service td-agent-bit restart

# Start Fluent Bit at boot.
systemctl enable td-agent-bit

Grafana on deb10

# Register the Grafana apt source (repository URL missing in this copy).
echo "deb stable main" > /etc/apt/sources.list.d/grafana.list
apt-get install apt-transport-https gnupg2 -y
# Add the Grafana repository signing key (download URL missing).
# Fetch it over HTTPS and compare the fingerprint with the one the vendor
# publishes before trusting it.
wget -q -O - | apt-key add -
apt-get update
# No -y here, so apt prompts before installing.
apt-get install grafana

You may need to edit /etc/grafana/grafana.ini to set the address to bind to. Grafana can use the Elasticsearch input to connect to the Graylog server.

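The Graylog server's /etc/elasticsearch/elasticsearch.yml will need to be adjusted to listen on the server IP and port 9200, and Elasticsearch restarted, before this will work. The elasticsearch-oss package installed above has no built-in authentication, so once it listens on a non-loopback address, restrict port 9200 with a firewall to the Grafana and Graylog hosts only.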

root@graylog2:/etc/elasticsearch# grep -v "#" elasticsearch.yml /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200 ["", ""] graylog
action.auto_create_index: false

Also edit /etc/graylog/server/server.conf and point to the elasticsearch ip instead of the localhost ip, then restart graylog

root@graylog2:/etc/graylog/server# grep "" server.conf
elasticsearch_hosts =
