Install Graylog
  • 25 Jul 2024

Graylog is an open-source log management and analysis tool designed for collecting, indexing, and analyzing log data in real-time. It centralizes logs from various sources, including servers, applications, and network devices, offering a unified platform for monitoring and troubleshooting. With its scalable architecture, Graylog enables users to store large volumes of log data, perform searches, create alerts based on specific conditions, and visualize data through dashboards. It supports plugins for extending functionality and integrates with other tools in the DevOps and IT operations ecosystem. Graylog is valued for its ease of use, powerful querying capabilities, and robust features that aid in maintaining system reliability and security through comprehensive log analysis.

Install Graylog

To install Graylog (Version 6.0.0) on Ubuntu, perform the following steps:

  1.  Update your local package index to ensure you have the latest version of available packages.
    sudo apt update

  2.  Install the following set of dependencies needed during the installation of the Graylog server.
    sudo apt install curl wget apt-transport-https

Install OpenJDK

Before installing Graylog, Java needs to be installed. Install OpenJDK, a free and open-source implementation of Java currently maintained by Oracle. The latest version of Graylog - Graylog 5.2 - requires at least OpenJDK 17.

  1. To install OpenJDK 17, run the command.
    sudo apt install openjdk-17-jre-headless -y

  2. After installing Java, to confirm the version of Java, run the command.
    java -version
    Figure: Java version

Install Elasticsearch

Elasticsearch is another critical component in the Graylog installation. It’s a distributed search and analytics engine widely used for full-text search, log analysis, business analytics, and analyzing security events.

In Graylog, Elasticsearch stores, searches, and analyzes logs and messages from external sources.

  1. Elasticsearch is not hosted on official Ubuntu repositories. Hence, the Elasticsearch repository needs to be installed. First, download and add the Elasticsearch GPG Key.
    curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

  2. Switch to the Root User.
    sudo su - 

  3. Add the Elasticsearch repository to the system.
    echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

  4. Update the local cache to notify the system of the newly added repository.
    apt update

  5. Use the APT package manager to install Elasticsearch from the repository after the local cache has been updated.
    apt install elasticsearch -y
    Figure: Install APT package

  6. After the installation is finished, the primary Elasticsearch configuration file needs to be adjusted a little. Open the file in your preferred text editor. The command-line editor nano is being used here.
    nano /etc/elasticsearch/elasticsearch.yml

  7. Set your preferred cluster name and add the action.auto_create_index: false line below it.
    cluster.name: graylog
    action.auto_create_index: false


  8. Save the changes and exit. Reload systemd for the change to apply and start Elasticsearch.
    systemctl daemon-reload
    systemctl start elasticsearch


  9. Verify the status of Elasticsearch as shown.
    sudo systemctl status elasticsearch
    Figure: Status of elasticsearch

  10. Enable the Elasticsearch service to start on boot.
    systemctl enable elasticsearch 

  11. Send a GET request to your node using the curl command-line tool to view detailed information about Elasticsearch.
    curl -X GET http://localhost:9200
    Figure: Detailed information of Elasticsearch

Install MongoDB server

User and configuration data are stored in the MongoDB database of the Graylog server. The latest Graylog version requires a MongoDB 5.x or 6.x release. Install MongoDB 6.0 from the MongoDB repository using the following instructions.

  1. Add the MongoDB GPG signing key.
    curl -fsSL https://pgp.mongodb.com/server-6.0.asc | \
    sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg


  2. Next, add the MongoDB repository to the sources.list.d directory on your system.
    echo "deb [ arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

  3. With the repository added to your system, update the local APT cache.
    sudo apt update

  4. Then install the MongoDB database server.
    sudo apt install mongodb-org -y
    Figure: Install MongoDB server

  5. To verify the version installed, run the command:
    mongod --version
    Figure: MongoDB version

  6. MongoDB does not start automatically upon installation, so start it as shown.
    sudo systemctl start mongod

  7. Confirm that the MongoDB database service is running:
    sudo systemctl status mongod
    Figure: MongoDB service

  8. Enable the service to auto-start on boot.
    sudo systemctl enable mongod

With the MongoDB database server installed, the next step is to install the Graylog server.

Install Graylog Server

With the prerequisites installed, the Graylog server itself can now be installed. The Graylog server package is not available in the default Ubuntu repositories, so install Graylog from the official repository.

  1. Download the Graylog Debian package.
    wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb

  2. Next, use the dpkg command to install the package.
    sudo dpkg -i graylog-5.2-repository_latest.deb

  3. Next, update the local APT cache.
    sudo apt-get update

  4. Finally, install the Graylog server as follows.
    sudo apt install graylog-server -y
    Figure: Graylog server

  5. After installing the Graylog server, you must create a hashed password for the admin user and a secret to protect the user passwords.

  6. To generate the secret used for securing user passwords, run the following command:
    < /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;

  7. The generated secret, composed of alphanumeric characters and hyphens, will be displayed on the terminal.

  8. Generate the SHA-256 hash of the password for the Graylog admin login user.
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

  9. When prompted, type in the password and hit Enter. The hashed password will be displayed on the screen.
    Figure: Generate encrypted passwords

  10. Copy the two generated values somewhere and open the Graylog configuration file.
    nano /etc/graylog/server/server.conf

  11. Update password_secret and root_password_sha2 with the values you generated.
    password_secret = hTRdp0JxNLeuxKXFeTjNYzOMpM-6zdBPalK4eKbsEhxSlxkIFgTcUBzPmhj21Hc89OmyW1NqitmROHXtgqJqwGte4t7PBwi0
    root_password_sha2 = bfe4814665ab5c23359f7114d289110e7c725a1528fa2cd68c601a0a5d6c05108


  12. Next, specify the IP address on which the Graylog HTTP interface will listen using the http_bind_address. By default, this is set to localhost or the loopback address. Ensure you set it to the IP assigned to your network interface and specify the port Graylog listens on (port 9000).
    http_bind_address = 208.117.84.72:9000

  13. Save the changes and exit the configuration file. Next, reload systemd to notify the system of the changes made.
    systemctl daemon-reload

  14. Next, start the Graylog service.
    systemctl start graylog-server

  15. The Graylog daemon or service should now be running. You can confirm this as shown.
    systemctl status graylog-server
    Figure: Check graylog server status

  16. Consider enabling the service to start on system startup.
    systemctl enable graylog-server
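
A check for the values produced in steps 6 to 11, added here as an example and not part of the original page or of Graylog: it reads a server.conf-style file and reports a short password_secret, a root_password_sha2 that is not 64 hex characters, or one that is the hash of a common password. The function names, MIN_SECRET_LEN and WEAK_PASSWORDS are assumptions of this example, and the demo input is constructed.

```bash
#!/bin/sh
# Added example: sanity-check the two secrets in a Graylog server.conf.
# MIN_SECRET_LEN and WEAK_PASSWORDS are assumptions of this example.
MIN_SECRET_LEN=64
WEAK_PASSWORDS="admin password graylog changeme"

# Print the value of "key = value" from a conf file (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# SHA-256 hex digest of a string, the same digest step 8 produces.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Print one finding per line; return 0 only when there are none.
check_graylog_secrets() {
    cgs_secret=$(conf_get password_secret "$1")
    cgs_hash=$(conf_get root_password_sha2 "$1")
    cgs_findings=0
    if [ "${#cgs_secret}" -lt "$MIN_SECRET_LEN" ]; then
        echo "password_secret: ${#cgs_secret} chars, want at least $MIN_SECRET_LEN"
        cgs_findings=$((cgs_findings + 1))
    fi
    if ! printf '%s' "$cgs_hash" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2: ${#cgs_hash} chars, want 64 lowercase hex"
        cgs_findings=$((cgs_findings + 1))
    fi
    for cgs_pw in $WEAK_PASSWORDS; do
        if [ "$(sha256_hex "$cgs_pw")" = "$cgs_hash" ]; then
            echo "root_password_sha2: hash of common password '$cgs_pw'"
            cgs_findings=$((cgs_findings + 1))
        fi
    done
    [ "$cgs_findings" -eq 0 ]
}

# Demo on a constructed file: 96-char secret, hash with one stray pasted char.
demo_conf=$(mktemp)
{
    echo "password_secret = $(head -c 96 /dev/zero | tr '\0' 'k')"
    echo "root_password_sha2 = $(sha256_hex 'constructed passphrase')0"
} > "$demo_conf"
check_graylog_secrets "$demo_conf" || echo "fix the findings before starting graylog-server"
rm -f "$demo_conf"
```

To check a real installation, call check_graylog_secrets /etc/graylog/server/server.conf as a user who can read that file, before step 14.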

Access Graylog web interface

  1. To access the Graylog web interface, visit the following URL on your web browser.
    http://server-ip:9000

  2. On the web page, log in using the username admin and the root user password you specified in plain text in step 5. Click Sign In.
    Figure: Graylog web login

  3. Once logged in, you will see the Graylog web UI. From here, you can add data sources for real-time data analysis.
    Figure: Graylog server dashboard
