In this tutorial, we are going to show you how to install the Graylog server on Ubuntu 22.04 OS.
Graylog is an open-source log management system that collects, analyzes, and sends alerts from large log data. Graylog uses the Elasticsearch search engine and MongoDB database service, which are required for analyzing structured and unstructured logs. In this tutorial, except for the Graylog server, elasticsearch, and MongoDB, we will install Java and Nginx and will configure reverse proxy so you can access Graylog via domain name.
Installing the Graylog server and setting up all requirements is a very easy process and may take up to 20 minutes. Let’s get started!
Prerequisites
- A server with Ubuntu 22.04 as OS and a Minimum 4GB of RAM
- Valid domain pointed to the servers IP address
- User privileges: root or non-root user with sudo privileges
Step 1. Update the System
Before we start with the installation of this software we will update the system packages to their latest versions available.
sudo apt-get update -y && sudo apt-get upgrade -y
Step 2. Install Nginx
To install the Nginx web server execute the following command:
sudo apt-get install nginx -y
After successful installation, the Nginx service will be automatically started. To check the status of Nginx, execute the following command:
sudo systemctl status nginx
You should get the following output:
root@vps:~# sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-18 03:28:11 CST; 14min ago
Docs: man:nginx(8)
Process: 3778 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 3779 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 3874 (nginx)
Tasks: 4 (limit: 4575)
Memory: 6.0M
CPU: 53ms
CGroup: /system.slice/nginx.service
├─3874 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
Step 3. Install MongoDB Database Server
First, add the GPG keys:
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
Then, we need to add the MongoDB repository:
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list
Once done, update the system and install the MongoDB database server.
sudo apt update -y sudo apt upgrade -y sudo apt-get install gnupg libssl1.1 -y sudo apt-get install mongodb-org=4.4.8 mongodb-org-server=4.4.8 mongodb-org-shell=4.4.8 mongodb-org-mongos=4.4.8 mongodb-org-tools=4.4.8 -y
After this start and enable the MongoDB service:
sudo systemctl start mongod && sudo systemctl enable mongod
To check the status of MongoDB execute the command below:
sudo systemctl status mongod
You should receive the following output:
root@vps:~# systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2022-11-18 03:59:25 CST; 5s ago
Docs: https://docs.mongodb.org/manual
Main PID: 8635 (mongod)
Memory: 59.9M
CPU: 1.036s
CGroup: /system.slice/mongod.service
└─8635 /usr/bin/mongod --config /etc/mongod.conf
Nov 18 03:59:25 host.test.vps systemd[1]: Started MongoDB Database Server.
Step 4. Install Java
To install the latest Java version, we need to install first some Java dependencies:
apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y
Once these dependencies are installed, we can install Java with the following command:
apt install openjdk-11-jre-headless -y
After successfull installation, check the installed Java version:
java --version
You should receive output similar to this:
root@host:~# java --version openjdk 11.0.17 2022-10-18 OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04) OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu222.04, mixed mode, sharing)
Step 5. Install Elasticsearch
First we are going to add the elasticsearch public key to the APT, and the elastic source to the sources.list.d.
To add the GPG-KEY execute the following command:
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
To add the elastic source in the sources.list.d execute the following command:
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
Now, update the system and install the elastic search with the following commands:
sudo apt update -y sudo apt install elasticsearch
Start and enable the elasticsearch service.
sudo systemctl start elasticsearch && sudo systemctl enable elasticsearch
To check the status of the service if is up and running execute the following command:
sudo systemctl status elasticsearch
You should receive the following output:
root@host:~# sudo systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-11-22 16:59:52 CST; 2min 8s ago
Docs: https://www.elastic.co
Main PID: 11001 (java)
Tasks: 68 (limit: 4575)
Memory: 2.3G
CPU: 2min 36.261s
CGroup: /system.slice/elasticsearch.service
├─11001 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch >
└─11191 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller
Nov 22 16:58:50 host.test.vps systemd[1]: Starting Elasticsearch...
After starting the service we need to configure the cluster name for our Graylog server:
sudo nano /etc/elasticsearch/elasticsearch.yml
Enter these lines of code:
cluster.name: graylog action.auto_create_index: false
Save the file, close it and restart the daemon along with elasticsearch service:
sudo systemctl daemon-reload && sudo systemctl restart elasticsearch
Step 6. Install Graylog Server
First, we need to download the Graylog package:
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
After that, we need to install it:
dpkg -i graylog-4.3-repository_latest.deb sudo apt update -y sudo apt install graylog-server -y
Start and Enable the graylog-server service:
systemctl enable graylog-server.service && systemctl start graylog-server.service
To check the status of the Graylog server execute the following command:
systemctl status graylog-server
You should get output similar to this:
● graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-11-22 18:03:17 CST; 199ms ago
Docs: http://docs.graylog.org/
Main PID: 13451 (graylog-server)
Tasks: 9 (limit: 4575)
Memory: 5.5M
CPU: 268ms
CGroup: /system.slice/graylog-server.service
├─13451 /bin/sh /usr/share/graylog-server/bin/graylog-server
├─13470 /usr/bin/java -XX:+PrintFlagsFinal
└─13471 grep -q UseConcMarkSweepGC
Nov 22 18:03:17 host.test.vps systemd[1]: Started Graylog server.
Step 7. Configure Graylog User
In this step we will secure the user passwords using the password generator command pwgen.
pwgen -N 1 -s 96
You will get output similar to this:
hG1gMQmadHjwU31q3jqQk6Mfe85HW1go7nEfUjIvGvUVfMdqrcGlqOFPAtQilK8uujHR9uRZ2sA0fZ6RSPmpPESviRztoTGc
Then we will create an admin password:
echo -n YourStrongPasswordHere | shasum -a 256
You will receive output similar to this:
root@host:~# echo -n YourStrongPasswordHere | shasum -a 256 ddea588114d8e836dcc38e6a172dc03e6e256eca7788dab45be849dfe60b24f2 -
Open the /etc/graylog/server/server.conf file and find the part password_secret and root_password_sha2 fields. Paste the previously generated passwords.
password_secret = hG1gMQmadHjwU31q3jqQk6Mfe85HW1go7nEfUjIvGvUVfMdqrcGlqOFPAtQilK8uujHR9uRZ2sA0fZ6RSPmpPESviRztoTGc root_password_sha2 = ddea588114d8e836dcc38e6a172dc03e6e256eca7788dab45be849dfe60b24f2
Save the file, close it and restart the graylog server.
systemctl daemon-reload systemctl restart graylog-server
Step 8. Create Nginx Virtual Host
Create the Nginx virtual host file.
touch /etc/nginx/sites-available/graylog.conf
Open the file and paste the following lines of code:
server {
listen 80;
server_name <strong>YourDomainHere</strong>;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL http://$server_name/;
proxy_pass <strong>http://YourServerIPHere:9000</strong>;
}
}
Enable the Nginx configuration with a symbolic link.
ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/
Check the Nginx syntax:
nginx -t
If you get the following output, restart the Nginx service:
root@host:~# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl restart nginx
Now, you can access your Graylog server at http://YourDomainHere.com using the credentials you created above.
Once logged in, you will get the following screen:
Hopefully, our guide on how to install Graylog on Ubuntu 22.04 was of help to you.
We would love to hear from you now:
Did we skip something essential, or do you need a more detailed explanation about any of the steps?
What are some other topics or tutorials you would want us to delve into?
Please, feel free to share your thoughts in the comment section.
Hi
Thanks for your tutorial
I’m having trouble logging into the graylog web page
The graylog .conf file is a bit confusing, maybe you can add an example?
BTW, some of the lines you use “sudo”, but other you don’t , so I had to add it
Thanks anyway
The graylog .conf file must be specific to your monitoring objective.
HI I great document thank you I am facing some issues in 8th step
added the script as above but getting error in line 3 and line 12
Hello, Dileep
In this case you have to replace the “YourDomainHere” with your domain name and “http://YourServerIPHere:9000” with the IP address of your server.
Thanks.
syntax check will fail if you copy/paste your code.
the does not belong:
server {
listen 80;
server_name YourDomainHere;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL http://$server_name/;
proxy_pass http://YourServerIPHere:9000;
}
}
Hello,
In this case you have to replace the “YourDomainHere” with your domain name and “http://YourServerIPHere:9000” with the IP address of your server.
Thanks.
Some items need to be updated: Mongo should install v6, OpenSearch should be used as Elasticsearch v7.10 is end of life and graylog will remove support soon. Graylog is now on 5.2 and that version should be used. Graylog now bundles java/jdk and is no longer required to install separately. For a quick reference for updated commands for all these items check out https://github.com/Graylog2/se-poc-docs/tree/main/src/On%20Prem%20POC
Thanks!