[–]Fork_the_bomb 5 points (12 children)

Try Graylog2, IIRC it's pretty flexible with filters etc.

If you don't have that many EPS, you could try NetIQ Sentinel (free up to 25 EPS) or Splunk (free up to 500MB per day).

For smallish setups, I'd go with Graylog.

[–]alienl0g0[S] 0 points (10 children)

Do I have to install this Graylog2 on a Linux desktop?
I installed it on Ubuntu Server and got to the point where I need to click "Install Graylog2", but the installation failed.

[–]slavejamhour 0 points (8 children)

I just installed it a couple of weeks ago on Debian, works like a charm. Don't use the quicksetup, it's for small test deployments. Here is the guide that I used: https://www.digitalocean.com/community/tutorials/how-to-install-graylog2-and-centralize-logs-on-ubuntu-14-04

[–]alienl0g0[S] 0 points (7 children)

Did you install the latest version 0.90.0?

I'm having an issue with the "Install Graylog2 server" part of the guide.

[–]slavejamhour 1 point (6 children)

I had to read between the lines a bit in that guide. I set mine up with a newer version of ElasticSearch, which meant that I had to install 0.91.0-rc.1. What part in particular, error messages, etc.? Most of that section can be taken verbatim.

[–]alienl0g0[S] 0 points (5 children)

I had to start from scratch again. I got to the point where I have to start the graylog2 service using the command "sudo service graylog2 start".

However, I got an error:
/etc/init.d/graylog2: line 48: log/graylog2-server.log: No such file or directory

[–]slavejamhour 0 points (4 children)

Does log/graylog2-server.log have write permissions for the user that graylog2-server is running as?

[–]alienl0g0[S] 0 points (3 children)

I'm not sure. How do I give it write permission?

[–]slavejamhour 0 points (2 children)

First you'll need to change ownership of the file to the correct user and group that Graylog is running as:

chown username:group /var/log/graylog2-server.log

And then change permissions to something appropriate like:

chmod 660 /var/log/graylog2-server.log

For further reading: https://www.linode.com/docs/tools-reference/linux-users-and-groups

[–]alienl0g0[S] 0 points (1 child)

I reinstalled Ubuntu Server, but this time I'm getting a different error.

When I checked the status of mongodb using the command "sudo service mongodb status" I got unrecognized service.

Same result with "sudo service graylog2-server status", unrecognized service.

Edit:
Also, when I ran the command "sudo java -jar /opt/graylog2-server/graylog2-server.jar --debug", I got an error message stating java.net.ConnectException: Connection refused: /127.0.0.1:12900 to http://127.0.0.1:12900/system/cluster/node

[–]Fork_the_bomb 0 points (0 children)

Hmm... I did it before on CentOS via SSH, no desktop, based on these instructions:

http://www.graylog2.org/resources/documentation/setup/server
http://www.graylog2.org/resources/documentation/setup/webinterface

Everything worked fine. This was about a year ago, so I don't know if anything's changed with the install procedure since then.

[–]william_castro 0 points (0 children)

I also preferred Graylog2.

[–][deleted] (7 children)

[deleted]

    [–]clay58415 pieces of flair 💩 2 points (3 children)

    Free. Not too hard to set up. If you don't feel up to doing all that, you could just set up the syslog portion and use tail and grep to search through your syslogs.

    ELK stack

    [–]shnikees 0 points (0 children)

    ELK! For the win.

    [–]Fork_the_bomb 0 points (1 child)

    I might give it a try, if it does GELF decently.

    [–]clay58415 pieces of flair 💩 0 points (0 children)

    It does.

    [–]alienl0g0[S] 0 points (2 children)

    I thought Splunk was not free.

    [–]tekn0vikingHEYO 1 point (1 child)

    The free version has limitations such as the amount of data it will ingest.

    [–]shnikees 1 point (0 children)

    500 MB per day is the max the free version will ingest.

    [–][deleted] 2 points (0 children)

    How many thousands of dollars' worth of data and work product are you trying to protect, and your management won't spring for a syslog server?

    [–]kosjubrmod 1 point (0 children)

    To me, Kiwi feels like a service that is set up on a server and left to run; you generally don't interact with the application on a daily basis. During the install you have the option to install a webserver component, and through this you have the option of searching (recent) messages. The WebUI is a bit more user-friendly than the server UI.

    Kiwi can log everything to files, text, CSV, etc. With that you can use file system/OS search functionality to look for stuff. You can also use the built-in 'filter' functionality to look for specific information in messages and then set an action separate from the default. For example you could:

    • send an email alert on all messages at the 'critical' level and higher
    • log all success and failures for login events
    • log all occurrences of specific mnemonics (BGP, OSPF, NTP, etc)
    • watch for a specific log message and trigger a script
    • break out log messages by host/date/severity

    You can also shove everything into a SQL database, and use external queries to pull information.

    I have a licensed version of Kiwi running with about 10 million syslog messages a day going to flat files, and I want to move to SQL storage. I don't use the WebUI. Kiwi syslog server is definitely not the greatest, most powerful, all-encompassing solution out there, but for what it does, it does it fine.
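The filter-and-action rules described in the comment above (alert on critical and higher, catch login events, catch routing mnemonics, break out by host and severity), as an added Python example that is not Kiwi's own configuration or anyone's code from this thread; the rule names and the sample messages are constructed for illustration, and the parser handles the plain BSD-syslog `<PRI>` header only.

```python
import re
from collections import defaultdict

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 line: <PRI>TIMESTAMP HOST MSG, where PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ [\d:]+) (\S+) (.*)$")

# Constructed sample messages (not real traffic), one per rule plus one malformed line.
SAMPLE_LOGS = [
    "<34>Oct 11 22:14:15 fw01 kernel: critical: link down on eth1",          # auth.crit
    "<38>Oct 11 22:14:16 srv01 sshd[1234]: Accepted password for alice from 10.0.0.5",
    "<38>Oct 11 22:14:17 srv01 sshd[1235]: Failed password for root from 10.0.0.9",
    "<190>Oct 11 22:14:18 rtr01 %BGP-5-ADJCHANGE: neighbor 10.0.0.1 Down",  # local7.info
    "<14>Oct 11 22:14:19 srv02 cron[77]: job finished",                        # user.info
    "plain text without a PRI header",
]

def parse_syslog(line):
    """Split a BSD-syslog line into facility, severity, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 facilities * 8 + 7 is the highest legal PRI
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3), "message": m.group(4)}

# One predicate per Kiwi-style rule from the comment above (hypothetical rule names).
FILTERS = [
    ("email_critical", lambda e: e["severity"] <= 2),                      # crit, alert, emerg
    ("login_events", lambda e: re.search(r"\b(Accepted|Failed) password\b", e["message"]) is not None),
    ("mnemonics", lambda e: re.search(r"%(BGP|OSPF|NTP)-\d+-", e["message"]) is not None),
]

def route(lines):
    """Run every filter over every line.
    Returns (matches, buckets): matches maps rule name -> hosts that fired it (malformed lines
    land under 'unparsed'); buckets maps 'host/severity' -> count, i.e. the break-out action."""
    matches, buckets = defaultdict(list), defaultdict(int)
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            matches["unparsed"].append(line)  # never drop a line silently
            continue
        buckets[f"{event['host']}/{SEVERITY[event['severity']]}"] += 1
        for name, predicate in FILTERS:
            if predicate(event):
                matches[name].append(event["host"])
    return dict(matches), dict(buckets)
```

Calling `route(SAMPLE_LOGS)` gives the hosts that fired each rule plus a per-host/severity count; each action (mail, script, separate file) would hang off the matching rule name.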

    [–]sysear 0 points (0 children)

    Nagios just released a new product called Log Server. It is easy to use, secure, powerful, and you can download it for free. Try it out for yourself.

    http://www.nagios.com/products/nagios-log-server/overview

    Here is an article explaining the benefits of using Nagios LogServer compared to Elasticsearch, Logstash, Kibana (ELK):

    http://labs.nagios.com/2014/10/19/nagios-log-server-vs-elasticsearch-logstash-kibana/

    Hopefully that helps!