Installation - JCSC-JE/Graylog-IR GitHub Wiki

  1. Install Ubuntu 22.04 Server LTS
  2. Enable SSH access and log in
  3. Fetch the Graylog installation script. This installs the latest release of the 5.2 branch:
wget -O graylog-5.2-install.sh https://raw.githubusercontent.com/JCSC-JE/Graylog-IR/main/installation/graylog-5.2-install.sh?token=GHSAT0AAAAAACTA22ZMSBQS4EFX2EQCKBZ2ZSZYTRQ
     The token= query string is a time-limited token that GitHub appends to raw links generated from a private repository; it is not a secret of yours, but it will expire, so if the download fails fetch the file from the main branch of the repository without it. Read the script before running it as root: it configures services system-wide.
  4. Set the Graylog and OpenSearch JVM heap sizes in the following files:
  • /etc/default/graylog-server
  • /opt/graylog/opensearch/config/jvm.options

For a virtual machine with the minimum of 8 GB of memory, set the heaps as below.

Graylog - 1.5GB

# Default Java options for heap and garbage collection.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1500m -Xmx1500m -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow"

Opensearch - 2.5GB

################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 2.5 GB, set:
##
## -Xms2500m
## -Xmx2500m
##
## See https://opensearch.org/docs/opensearch/install/important-settings/
## for more information
##
################################################################

Keep the two heaps together at no more than half of the machine's memory (on the 8 GB example above, 1.5 GB + 2.5 GB leaves 4 GB). OpenSearch keeps many index files open and relies on the operating system's file cache for them, so the memory you do not hand to the JVMs is what makes searches fast; giving OpenSearch a bigger heap instead starves that cache.

Restart both services (graylog-server and OpenSearch) for the changes to take effect, and confirm from the logs or ps that each JVM came up with the -Xmx you set.
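The heap-sizing and restart steps above, as an added shell example (this is not the Graylog-IR project's own script). It derives both heaps from total RAM, rewrites the two files this page names with Xms equal to Xmx, refuses to restart if the files do not agree with themselves, and only touches the live system when run as root with --apply. The RAM ratios (3/16 of RAM for Graylog, 5/16 for OpenSearch, which gives 1536m and 2560m on 8 GiB against the page's rounded 1500m/2500m), the 31 GiB OpenSearch cap, and the systemd unit names are this example's assumptions, not the page's.

```shell
#!/bin/sh
# Added example; not part of the Graylog-IR repository. Sizes the two JVM
# heaps from total RAM, writes them into the files named on this page, and
# restarts the services. The file paths are the page's; the unit names and
# the RAM ratios are assumptions made here.
set -eu

GRAYLOG_DEFAULTS=${GRAYLOG_DEFAULTS:-/etc/default/graylog-server}
OPENSEARCH_JVM=${OPENSEARCH_JVM:-/opt/graylog/opensearch/config/jvm.options}

# Graylog heap in MiB for a machine with $1 MiB of RAM (3/16 of RAM, assumed).
graylog_heap_mb() {
  echo $(( $1 * 3 / 16 ))
}

# OpenSearch heap in MiB (5/16 of RAM, assumed), capped at 31 GiB so the JVM
# keeps compressed object pointers; a larger heap past that point is a loss.
opensearch_heap_mb() {
  mb=$(( $1 * 5 / 16 ))
  if [ "$mb" -gt 31744 ]; then mb=31744; fi
  echo "$mb"
}

# Rewrite GRAYLOG_SERVER_JAVA_OPTS in the defaults file, keeping every other
# line (the line moves to the end). Xms equals Xmx so the heap never resizes.
write_graylog_opts() {
  file=$1; mb=$2
  opts="GRAYLOG_SERVER_JAVA_OPTS=\"-Xms${mb}m -Xmx${mb}m -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow\""
  { grep -v '^GRAYLOG_SERVER_JAVA_OPTS=' "$file" 2>/dev/null || true; echo "$opts"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Replace the active -Xms/-Xmx lines in jvm.options; the commented "##"
# examples in the file header are left alone.
write_opensearch_jvm() {
  file=$1; mb=$2
  { grep -v '^-Xm[sx]' "$file" 2>/dev/null || true; echo "-Xms${mb}m"; echo "-Xmx${mb}m"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Read back the configured -Xmx in MiB from either file, ignoring comment lines.
configured_xmx() {
  sed -n '/^#/d; s/.*-Xmx\([0-9][0-9]*\)m.*/\1/p' "$1" | head -n 1
}

# True when the file sets -Xms and -Xmx to the same value.
heap_consistent() {
  xms=$(sed -n '/^#/d; s/.*-Xms\([0-9][0-9]*\)m.*/\1/p' "$1" | head -n 1)
  xmx=$(configured_xmx "$1")
  [ -n "$xms" ] && [ "$xms" = "$xmx" ]
}

# Apply to the live system: run as root with "--apply".
apply_heap_settings() {
  total_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
  write_graylog_opts "$GRAYLOG_DEFAULTS" "$(graylog_heap_mb "$total_mb")"
  write_opensearch_jvm "$OPENSEARCH_JVM" "$(opensearch_heap_mb "$total_mb")"
  for f in "$GRAYLOG_DEFAULTS" "$OPENSEARCH_JVM"; do
    heap_consistent "$f" || { echo "heap not set consistently in $f" >&2; exit 1; }
  done
  # Unit names are assumed; check "systemctl list-units" on your install.
  systemctl restart opensearch graylog-server
}

if [ "${1:-}" = "--apply" ]; then
  apply_heap_settings
fi
```

Set GRAYLOG_DEFAULTS and OPENSEARCH_JVM in the environment to point the script at copies of the files first if you want to inspect the result before touching the live configuration.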

POST Installation

Message Processing Order

Log in to your new Graylog instance on the configured IP address on port 9000, e.g. http://192.168.1.20:9000, and navigate to System > Configurations > Message Processors. Set the processor order to that shown below. Note that this first login is over plain HTTP; restrict who can reach port 9000 until TLS is in place.

Install CSV files

Copy the files from the CSV files directory of the repository into the /etc/graylog/lookup-tables directory as shown below. They must be readable by the account graylog-server runs as, or the lookup tables will fail to load.

Setup Geo-IP

Head over to MaxMind and sign up for an account to get access to their GeoIP databases.

Copy the database files to the lookup tables directory and adjust their permissions as shown below.

Now go to System > Configurations > Plugins > Geo IP Processor and configure it as shown below.
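The two copy-and-set-permissions steps above (the CSV lookup tables and the MaxMind database files) as an added shell example; it is not part of the Graylog-IR repository. It stages a file into the lookup-tables directory with a mode that only the owner and group can read, and rejects a CSV whose rows do not all have the same number of columns as its header, which is the failure a lookup adapter reports only after you have wired it up in the UI. The service account name graylog, the 0640 mode, and the plain comma-split (quoted commas are not handled) are this example's assumptions.

```shell
#!/bin/sh
# Added example; not part of the Graylog-IR repository. Stages CSV lookup
# tables and MaxMind .mmdb files into the lookup-tables directory named on
# this page, checks CSV shape first, and sets owner/mode. The service account
# name and the mode are assumptions made here.
set -eu

LOOKUP_DIR=${LOOKUP_DIR:-/etc/graylog/lookup-tables}   # directory from this page
GRAYLOG_USER=${GRAYLOG_USER:-graylog}                    # assumed service account

# True when the header has at least two columns (key and value) and every
# non-blank row has exactly as many fields as the header. Empty files fail.
# Simple comma split: fields containing quoted commas are not handled.
csv_shape_ok() {
  awk -F',' '
    NR == 1 { cols = NF; if (cols < 2) exit 1; next }
    NF == 0 { next }
    NF != cols { exit 1 }
    END { if (NR == 0) exit 1 }
  ' "$1"
}

# Copy one file into the lookup directory ($2, default LOOKUP_DIR), owned by
# the service account ($3, default GRAYLOG_USER) when run as root, mode 0640.
# Prints the destination path; returns non-zero and copies nothing on a bad file.
stage_lookup_file() {
  src=$1; dir=${2:-$LOOKUP_DIR}; owner=${3:-$GRAYLOG_USER}
  [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
  case "$src" in
    *.csv)  csv_shape_ok "$src" || { echo "malformed CSV: $src" >&2; return 1; } ;;
    *.mmdb) ;;   # MaxMind binary databases are copied as-is
    *)      echo "unexpected file type: $src" >&2; return 1 ;;
  esac
  mkdir -p "$dir"
  dest="$dir/$(basename "$src")"
  cp "$src" "$dest"
  chmod 0640 "$dest"
  # Ownership can only be changed by root; as an ordinary user the file
  # keeps the caller's ownership, which is fine for a dry run.
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner:$owner" "$dest"
  fi
  echo "$dest"
}

# Usage: sh stage.sh file.csv [file2.mmdb ...]
if [ "$#" -gt 0 ]; then
  for f in "$@"; do
    stage_lookup_file "$f"
  done
fi
```

Run it as root against the repository's CSV files and the downloaded .mmdb files; a non-zero exit with "malformed CSV" means the file needs fixing before Graylog will load it.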

Enable Content Pack

Now go to System > Content Packs in the Graylog interface and enable all the default content packs as shown below.

Upload Content pack

In the same place, select "Upload a content pack" and use the one in the content pack directory of the repository.

Congratulations

Now go to either the Ingestion or the Architecture page to learn more.