How to Install Graylog Server on Ubuntu 22.04

In this tutorial, we are going to show you how to install the Graylog server on Ubuntu 22.04 OS.

Graylog is an open-source log management system that collects and analyzes large volumes of log data and sends alerts based on it. Graylog uses the Elasticsearch search engine and the MongoDB database service, which are required for analyzing structured and unstructured logs. In this tutorial, in addition to the Graylog server, Elasticsearch, and MongoDB, we will install Java and Nginx and configure a reverse proxy so you can access Graylog via a domain name.

Installing the Graylog server and setting up all requirements is a very easy process and may take up to 20 minutes. Let’s get started!

Prerequisites

  • A server running Ubuntu 22.04 with a minimum of 4GB of RAM
  • A valid domain pointed to the server's IP address
  • User privileges: root or non-root user with sudo privileges

Step 1. Update the System

Before we start with the installation of this software we will update the system packages to their latest versions available.

sudo apt-get update -y && sudo apt-get upgrade -y

Step 2. Install Nginx

To install the Nginx web server execute the following command:

sudo apt-get install nginx -y

After successful installation, the Nginx service will be automatically started. To check the status of Nginx, execute the following command:

sudo systemctl status nginx

You should get the following output:

root@vps:~# sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-11-18 03:28:11 CST; 14min ago
       Docs: man:nginx(8)
    Process: 3778 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 3779 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 3874 (nginx)
      Tasks: 4 (limit: 4575)
     Memory: 6.0M
        CPU: 53ms
     CGroup: /system.slice/nginx.service
             ├─3874 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"

Step 3. Install MongoDB Database Server

First, add the GPG keys (apt-key is deprecated on Ubuntu 22.04 and prints a warning, but the command still works):

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

Then, we need to add the MongoDB repository:

echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list

echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list

Once done, update the system and install the MongoDB database server.

sudo apt update -y
sudo apt upgrade -y
sudo apt-get install gnupg libssl1.1 -y

sudo apt-get install mongodb-org=4.4.8 mongodb-org-server=4.4.8 mongodb-org-shell=4.4.8 mongodb-org-mongos=4.4.8 mongodb-org-tools=4.4.8 -y

After this, start and enable the MongoDB service:

sudo systemctl start mongod && sudo systemctl enable mongod

To check the status of MongoDB execute the command below:

sudo systemctl status mongod

You should receive the following output:

root@vps:~# systemctl status mongod
● mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-11-18 03:59:25 CST; 5s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 8635 (mongod)
     Memory: 59.9M
        CPU: 1.036s
     CGroup: /system.slice/mongod.service
             └─8635 /usr/bin/mongod --config /etc/mongod.conf

Nov 18 03:59:25 host.test.vps systemd[1]: Started MongoDB Database Server.

Step 4. Install Java

Before installing Java, we first need to install some dependencies:

sudo apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y

Once these dependencies are installed, we can install Java with the following command:

sudo apt install openjdk-11-jre-headless -y

After successful installation, check the installed Java version:

java --version

You should receive output similar to this:

root@host:~# java --version
openjdk 11.0.17 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu222.04)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu222.04, mixed mode, sharing)

Step 5. Install Elasticsearch

First, we are going to add the Elasticsearch public key to APT and the Elastic source to sources.list.d.

To add the GPG-KEY execute the following command:

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg

To add the elastic source in the sources.list.d execute the following command:

echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Now, update the system and install Elasticsearch with the following commands:

sudo apt update -y

sudo apt install elasticsearch

Start and enable the Elasticsearch service.

sudo systemctl start elasticsearch && sudo systemctl enable elasticsearch

To check that the service is up and running, execute the following command:

sudo systemctl status elasticsearch

You should receive the following output:

root@host:~# sudo systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-11-22 16:59:52 CST; 2min 8s ago
       Docs: https://www.elastic.co
   Main PID: 11001 (java)
      Tasks: 68 (limit: 4575)
     Memory: 2.3G
        CPU: 2min 36.261s
     CGroup: /system.slice/elasticsearch.service
             ├─11001 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch >
             └─11191 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Nov 22 16:58:50 host.test.vps systemd[1]: Starting Elasticsearch...

After starting the service we need to configure the cluster name for our Graylog server:

sudo nano /etc/elasticsearch/elasticsearch.yml

Enter these lines of code:

cluster.name: graylog
action.auto_create_index: false

Save the file, close it, then reload the systemd daemon and restart the Elasticsearch service:

sudo systemctl daemon-reload && sudo systemctl restart elasticsearch

Step 6. Install Graylog Server

First, we need to download the Graylog package:

wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb

After that, we need to install it:

sudo dpkg -i graylog-4.3-repository_latest.deb

sudo apt update -y

sudo apt install graylog-server -y

Start and enable the graylog-server service:

sudo systemctl enable graylog-server.service && sudo systemctl start graylog-server.service

To check the status of the Graylog server execute the following command:

sudo systemctl status graylog-server

You should get output similar to this:

● graylog-server.service - Graylog server
     Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-11-22 18:03:17 CST; 199ms ago
       Docs: http://docs.graylog.org/
   Main PID: 13451 (graylog-server)
      Tasks: 9 (limit: 4575)
     Memory: 5.5M
        CPU: 268ms
     CGroup: /system.slice/graylog-server.service
             ├─13451 /bin/sh /usr/share/graylog-server/bin/graylog-server
             ├─13470 /usr/bin/java -XX:+PrintFlagsFinal
             └─13471 grep -q UseConcMarkSweepGC

Nov 22 18:03:17 host.test.vps systemd[1]: Started Graylog server.

Step 7. Configure Graylog User

In this step we will generate the secret that Graylog uses to secure user passwords (password_secret) with the password generator command pwgen.

pwgen -N 1 -s 96

You will get output similar to this:

hG1gMQmadHjwU31q3jqQk6Mfe85HW1go7nEfUjIvGvUVfMdqrcGlqOFPAtQilK8uujHR9uRZ2sA0fZ6RSPmpPESviRztoTGc

Then we will create the SHA-256 hash of the admin password:

echo -n YourStrongPasswordHere | shasum -a 256

You will receive output similar to this:

root@host:~# echo -n YourStrongPasswordHere | shasum -a 256
ddea588114d8e836dcc38e6a172dc03e6e256eca7788dab45be849dfe60b24f2  -

Open the /etc/graylog/server/server.conf file and find the password_secret and root_password_sha2 fields. Paste the previously generated secret and password hash:

password_secret = hG1gMQmadHjwU31q3jqQk6Mfe85HW1go7nEfUjIvGvUVfMdqrcGlqOFPAtQilK8uujHR9uRZ2sA0fZ6RSPmpPESviRztoTGc

root_password_sha2 = ddea588114d8e836dcc38e6a172dc03e6e256eca7788dab45be849dfe60b24f2

Save the file, close it and restart the Graylog server.

sudo systemctl daemon-reload

sudo systemctl restart graylog-server
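The Step 7 procedure as one script, added here as an example and not part of the original tutorial: it reads the admin password from stdin so it never appears in the shell history or process list, then writes both fields into the config file. The function names are hypothetical, sha256sum stands in for shasum -a 256, and the od fallback for a missing pwgen is an assumption.

```shell
#!/bin/sh
# Added example (not from the tutorial): fill in password_secret and
# root_password_sha2 while keeping the admin password off the command line.

# 96-character secret: pwgen as in Step 7, or /dev/urandom via od (assumed fallback).
gen_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        od -An -tx1 -N48 /dev/urandom | tr -d ' \n'   # 48 bytes -> 96 hex chars
    fi
}

# Read one line from stdin and print its SHA-256 hex digest; reject an empty password.
hash_password() {
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    printf '%s' "$pw" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a config file: replace the existing line or append one.
set_conf_key() {
    if grep -q "^$2[[:space:]]*=" "$1"; then
        sed -i "s|^$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Usage: configure_graylog_secrets CONF_FILE   (password is read from stdin)
configure_graylog_secrets() {
    conf=$1
    hash=$(hash_password) || return 1       # fail before touching the file
    secret=$(gen_secret)
    cp -p "$conf" "$conf.bak"               # keep a backup of the previous config
    set_conf_key "$conf" password_secret "$secret"
    set_conf_key "$conf" root_password_sha2 "$hash"
}

# Interactive use as root (stty hides the typed password):
#   stty -echo; configure_graylog_secrets /etc/graylog/server/server.conf; stty echo
```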

Step 8. Create Nginx Virtual Host

Create the Nginx virtual host file.

sudo touch /etc/nginx/sites-available/graylog.conf

Open the file and paste the following lines of code:

server {
    listen 80;
    server_name YourDomainHere;

    location / {
        # Pass the original request details on to Graylog
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Graylog the external URL the web interface is served from
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        # Must match the address Graylog listens on (http_bind_address in server.conf, default 127.0.0.1:9000)
        proxy_pass       http://YourServerIPHere:9000;
    }
}

Enable the Nginx configuration with a symbolic link.

sudo ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/

Check the Nginx syntax:

sudo nginx -t

If you get the following output, restart the Nginx service:

root@host:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

sudo systemctl restart nginx

Now you can access your Graylog server at http://YourDomainHere.com with the username admin (Graylog's default root_username) and the admin password you hashed in Step 7.
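A check to run once the reverse proxy is in place, added here as an example and not part of the original tutorial: it reads `ss -H -ltn` output and reports backend ports that listen on an address other than loopback, which means they can be reached without going through Nginx unless a firewall blocks them. Port 9000 is the Graylog port from Step 8; 27017 (MongoDB) and 9200/9300 (Elasticsearch) are those services' default ports and are assumed unchanged. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): list backend ports of this stack that
# listen on a non-loopback address. Input is `ss -H -ltn` output on stdin.
exposed_backends() {
    awk '
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (port !~ /^(9000|9200|9300|27017)$/) next
        # Skip IPv4 loopback, IPv6 loopback and IPv4-mapped loopback
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
        print port " " addr
    }'
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      511              0.0.0.0:80         0.0.0.0:*
LISTEN 0      4096           127.0.0.1:27017      0.0.0.0:*
LISTEN 0      4096  [::ffff:127.0.0.1]:9200             *:*
LISTEN 0      4096               [::1]:9300          [::]:*
LISTEN 0      4096                   *:9000             *:*
EOF
}

# On a live host: ss -H -ltn | exposed_backends
```

An empty result means every backend port is bound to loopback only; each output line is a port followed by the address it listens on.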

Once logged in, you will get the following screen:

Hopefully, our guide on how to install Graylog on Ubuntu 22.04 was of help to you.


9 thoughts on “How to Install Graylog Server on Ubuntu 22.04”

  1. Hi
    Thanks for your tutorial
    I’m having trouble logging into the graylog web page
    The graylog .conf file is a bit confusing, maybe you can add an example?
    BTW, in some of the lines you use “sudo”, but in others you don’t, so I had to add it

    Thanks anyway

  2. Hi, great document, thank you. I am facing some issues in the 8th step

    I added the script as above but am getting an error in line 3 and line 12

    • Hello, Dileep

      In this case you have to replace the “YourDomainHere” with your domain name and “http://YourServerIPHere:9000” with the IP address of your server.

      Thanks.

      • syntax check will fail if you copy/paste your code.

        the does not belong:

        server {
        listen 80;
        server_name YourDomainHere;

        location /
        {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass http://YourServerIPHere:9000;
        }

        }

        • Hello,

          In this case you have to replace the “YourDomainHere” with your domain name and “http://YourServerIPHere:9000” with the IP address of your server.

          Thanks.

  3. Some items need to be updated: Mongo should install v6, OpenSearch should be used as Elasticsearch v7.10 is end of life and Graylog will remove support soon. Graylog is now on 5.2 and that version should be used. Graylog now bundles Java/JDK, so it is no longer required to install it separately. For a quick reference for updated commands for all these items check out https://github.com/Graylog2/se-poc-docs/tree/main/src/On%20Prem%20POC

    Thanks!

  4. How do I connect another normal machine that contains Filebeat with the Graylog machine? I wanted the Graylog machine to save the logs of the other machine, not of the Graylog machine itself. What changes do I have to make?
    Thanks!

    • Unfortunately, this blog post is only about the installation. You would want to consider checking our sister company at https://rosehosting.com and since it’s a managed hosting company, they will help you with connecting a machine to your graylog server hosted with them.
