Grafana Installation Guide
For server administrators opting for standalone binary instances instead of automated setups, execute the following secure hardening steps to deploy Grafana version 13.0.1+security-01.
1. Download & Extract
Acquire the hardened Linux 64-bit package and expand it to the server file system:
# Retrieve package from official distribution portal
wget https://dl.grafana.com/grafana/release/13.0.1+security-01/grafana_13.0.1+security-01_25720641773_linux_amd64.tar.gz
# Untar the binary payload
tar -zxvf grafana_13.0.1+security-01_25720641773_linux_amd64.tar.gz
2. System Security Group & User
Isolate the Grafana runtime by provisioning a dedicated system user configured without login capabilities:
sudo useradd -r -s /bin/false grafana
3. Installation & Core Permissions
Migrate the binary hierarchy into safe execution pathways (/usr/local) and institute fundamental recursive ownership constraints:
# Move extracted directory into system binaries space
# Replace '<DOWNLOAD_PATH>' with the exact directory name extracted (e.g., grafana-13.0.1)
sudo mv <DOWNLOAD_PATH> /usr/local/grafana
# Align base directory permissions
sudo chown -R grafana:users /usr/local/grafana
4. Systemd Service Unit Definition
To authorize daemon oversight, process supervision, and startup perseverance, register the service via systemd:
sudo touch /etc/systemd/system/grafana-server.service
Add the following unit descriptor definitions to the service file:
[Unit]
Description=Grafana Server
After=network.target
[Service]
Type=simple
User=grafana
Group=users
ExecStart=/usr/local/grafana/bin/grafana server --config=/usr/local/grafana/conf/grafana.ini --homepath=/usr/local/grafana
Restart=on-failure
[Install]
WantedBy=multi-user.target
5. Initialization & Lifecycle Activation
Grafana generates critical run-time directory architectures (e.g., /usr/local/grafana/data) during its initial runtime. Run the process manually once, stop it, ensure permissions are reapplied, and then fully activate the daemon:
# Step A: Run binary inline once to invoke directory scaffolding
/usr/local/grafana/bin/grafana server --homepath /usr/local/grafana
[!IMPORTANT] Observe terminal log stream output confirming successful bootstrapping, then terminate the task using
CTRL + C.
Once directory generation resolves, finalize system controls:
# Step B: Finalize file permissions across generated directories
sudo chown -R grafana:users /usr/local/grafana
# Step C: Reload and arm the systemd daemon
sudo systemctl daemon-reload
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
Verification
Verify active service operational status and bind ports:
sudo systemctl status grafana-server
The Grafana Administrative Suite can now be queried over standard HTTP mapping. Default credentials can be changed upon your initial sign-on routing.
Prometheus Installation Guide
For server administrators opting for standalone binary instances instead of automated setups, execute the following steps to deploy Prometheus version 3.11.3.
1. Create System User & Group
Isolate the Prometheus runtime by provisioning a dedicated system user without login capabilities:
sudo useradd --no-create-home --shell /bin/false prometheus
2. Directory Scaffolding
Create the required directories for configuration and data storage:
sudo mkdir /etc/prometheus
sudo mkdir /var/lib/prometheus
sudo chown prometheus:prometheus /etc/prometheus
sudo chown prometheus:prometheus /var/lib/prometheus
3. Download & Extract Binary
Acquire the official Linux 64-bit package and expand it:
# Retrieve package
wget https://github.com/prometheus/prometheus/releases/download/v3.11.3/prometheus-3.11.3.linux-amd64.tar.gz
# Untar the payload
tar -zxvf prometheus-3.11.3.linux-amd64.tar.gz
4. Install Binary & Supporting Files
Migrate the binaries to their designated locations:
cd prometheus-3.11.3.linux-amd64
# Move binaries
sudo cp prometheus /usr/local/bin/
sudo cp promtool /usr/local/bin/
# Align base ownership for binaries
sudo chown prometheus:prometheus /usr/local/bin/prometheus
sudo chown prometheus:prometheus /usr/local/bin/promtool
5. Create Configuration File
Create the primary configuration file at /etc/prometheus/prometheus.yml:
sudo tee /etc/prometheus/prometheus.yml <<EOF
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'prometheus'
scrape_interval: 5s
static_configs:
- targets: ['localhost:9090']
EOF
Ensure correct permissions are applied:
sudo chown prometheus:prometheus /etc/prometheus/prometheus.yml
5.1. Configure HTTP Basic Authentication
To natively secure the Prometheus web console and endpoints, create an HTTP Basic Authentication file at /etc/prometheus/web.yml.
Generate a bcrypt hash of your password (requires apache2-utils or python):
# Install utils if needed
sudo apt-get update && sudo apt-get install -y apache2-utils
# Generate the bcrypt hash for user 'admin'
htpasswd -B -n admin
# Example Output: admin:$2b$12$XYZ123abc...
Create the web.yml file containing your user/hash mapping (ensure $ escapes if inside scripts):
sudo tee /etc/prometheus/web.yml <<EOF
basic_auth_users:
admin: "\$2b\$12\$Phdubp1E6jqZTIa0Mw/qXecSxy5AQr2RazJceZkh7UDWbiPbipdnG"
EOF
Ensure appropriate restricted permissions are enforced:
sudo chown prometheus:prometheus /etc/prometheus/web.yml
sudo chmod 600 /etc/prometheus/web.yml
6. Systemd Service Unit Definition
Register the service with systemd, enforcing the native web-authentication configuration:
sudo tee /etc/systemd/system/prometheus.service <<EOF
[Unit]
Description=Prometheus Monitoring System
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \\
--config.file /etc/prometheus/prometheus.yml \\
--web.config.file /etc/prometheus/web.yml \\
--storage.tsdb.path /var/lib/prometheus/ \\
--web.listen-address=0.0.0.0:9090
[Install]
WantedBy=multi-user.target
EOF
7. Start & Enable Service
Activate the service via systemd:
sudo systemctl daemon-reload
sudo systemctl start prometheus
sudo systemctl enable prometheus
Verification
Verify that Prometheus is active, and verify credentials by querying the metrics endpoint with authorization:
sudo systemctl status prometheus
# Query with Basic Auth credentials
curl -u admin:btech@monitoring123 -I http://localhost:9090/metrics
Grafana Loki Installation Guide
For centralizing log aggregation, execute the following steps to install Grafana Loki version 3.7.2 as a standalone binary.
1. Create System User
Provision an isolated user for the Loki process:
sudo useradd --no-create-home --shell /bin/false loki
2. Download & Install Binary
Download and extract the Loki binary payload:
# Install unzip if not present
sudo apt-get update && sudo apt-get install -y unzip
# Retrieve and unzip
wget https://github.com/grafana/loki/releases/download/v3.7.2/loki-linux-amd64.zip
unzip loki-linux-amd64.zip
# Move to system binaries pathway
sudo mv loki-linux-amd64 /usr/local/bin/loki
sudo chown loki:loki /usr/local/bin/loki
3. Configuration & Data Folders
Create structures for configurations and persistent TSDB indexing:
sudo mkdir -p /etc/loki
sudo mkdir -p /var/lib/loki
sudo chown loki:loki /etc/loki
sudo chown loki:loki /var/lib/loki
4. Create Loki Configuration File
Create the local configuration pointing to an internal daemon port (3101):
sudo tee /etc/loki/loki-config.yaml <<EOF
auth_enabled: false
server:
http_listen_port: 3101
grpc_listen_port: 9096
common:
instance_addr: 127.0.0.1
path_prefix: /var/lib/loki
storage:
filesystem:
chunks_directory: /var/lib/loki/chunks
rules_directory: /var/lib/loki/rules
replication_factor: 1
ring:
kvstore:
store: inmemory
query_range:
results_cache:
cache:
embedded_cache:
enabled: true
max_size_mb: 100
schema_config:
configs:
- from: 2020-10-24
store: tsdb
object_store: filesystem
schema: v13
index:
prefix: index_
period: 24h
ruler:
alertmanager_url: http://localhost:9093
EOF
Apply proper file permissions:
sudo chown loki:loki /etc/loki/loki-config.yaml
4.1. Install & Configure Nginx Front-End for Basic Auth
Since Loki does not natively support Basic Auth, we deploy Nginx to listen on public Port 3100 and proxy securely to Loki's internal interface on Port 3101.
A. Install Dependencies & Generate Password
# Install Nginx and utility packages
sudo apt-get update && sudo apt-get install -y nginx apache2-utils
# Generate htpasswd file for user 'admin'
sudo htpasswd -c /etc/loki/.htpasswd admin
B. Configure Nginx Proxy Site
Create the virtualhost configuration:
sudo tee /etc/nginx/sites-available/loki <<EOF
upstream loki_backend {
server 127.0.0.1:3101;
}
server {
listen 3100;
server_name localhost; # Replace with your active domain_name
location / {
auth_basic "Grafana Loki Aggregation Hub";
auth_basic_user_file /etc/loki/.htpasswd;
proxy_pass http://loki_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host \$http_host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
# Performance buffer limit expansions
client_max_body_size 100m;
}
}
EOF
C. Activate Proxy & Restart Nginx
# Link and enable virtualhost
sudo ln -s /etc/nginx/sites-available/loki /etc/nginx/sites-enabled/loki
# Remove default site to avoid port conflicts
sudo rm -f /etc/nginx/sites-enabled/default
# Test configuration and restart
sudo nginx -t
sudo systemctl restart nginx
sudo systemctl enable nginx
5. Systemd Service Unit Definition
Register Loki as a background service:
sudo tee /etc/systemd/system/loki.service <<EOF
[Unit]
Description=Grafana Loki Service
Wants=network-online.target
After=network-online.target
[Service]
Type=simple
User=loki
Group=loki
ExecStart=/usr/local/bin/loki -config.file /etc/loki/loki-config.yaml
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
6. Start & Enable Daemon
Start up the aggregator:
sudo systemctl daemon-reload
sudo systemctl start loki
sudo systemctl enable loki
Verification
Verify operational connectivity through the authenticating front-end gateway:
# Query with basic auth credentials (replace with password created in htpasswd)
curl -u admin:password -G http://localhost:3100/ready