Graylog is an open-source log aggregation and management tool that stores and analyses collected logs and sends alerts based on them. It handles both structured and unstructured logs, using OpenSearch and MongoDB, from a wide range of sources: Windows and Linux systems, applications, micro-services and so on.
Graylog makes it easy to analyse and monitor all of these systems and applications from a single host.
Graylog has the following components:
- Graylog server
- MongoDB
- OpenSearch
Let us jump straight into installing Graylog server on an Ubuntu host. We shall then configure SSL using Let’s Encrypt.
To achieve this, we will install Nginx as a reverse proxy in front of Graylog.
Setup Pre-requisites
Before installing, make sure your host meets these minimum requirements:
- 4 CPU Cores
- 8 GB RAM
- SSD Hard Disk Space with High IOPS for OpenSearch Log Storage
- Ubuntu LTS installed and updated.
- All packages upgraded
With the above conditions met, let us begin the installation process.
Step 1 – Update system
Ensure your system is up to date.
sudo apt update && sudo apt -y full-upgrade
We highly recommend you perform a system reboot after the upgrade:
[ -f /var/run/reboot-required ] && sudo reboot -f
Install other dependencies.
sudo apt update
sudo apt install vim apt-transport-https uuid-runtime pwgen curl dirmngr
Step 2 – Install OpenSearch
OpenSearch stores and indexes the logs that arrive from external sources; Graylog talks to it over its web-based RESTful API.
Download and install OpenSearch GPG signing key.
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
Add OpenSearch repository to your sources list:
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
Install OpenSearch on Ubuntu system.
sudo apt update && sudo apt install opensearch -y
Configure cluster name for Graylog.
sudo vim /etc/opensearch/opensearch.yml
Set the cluster name to graylog:
cluster.name: graylog
Also update the following fields to get a minimal, unsecured single-node instance running:
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true
Edit the JVM options and set Xms and Xmx to half of the installed system memory (the example below uses 1 GB):
$ sudo vim /etc/opensearch/jvm.options
-Xms1g
-Xmx1g
Also raise the vm.max_map_count kernel parameter at runtime and persist it across reboots:
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
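The opensearch.yml and jvm.options edits above, applied from a script and then audited, as an added example that is not part of the original article. It writes the same keys the guide lists, but defaults network.host to 127.0.0.1: with plugins.security.disabled: true the node answers unauthenticated requests, and since Graylog on the same host reaches it at http://127.0.0.1:9200 there is no need to listen on every interface (pass 0.0.0.0 as the second argument to reproduce the guide's value exactly). The audit_opensearch function flags the combination of a disabled security plugin and a non-loopback bind, and jvm_heap_gb turns MemTotal from /proc/meminfo into the "half of installed memory" heap size. The script name, function names and the sample file in the test are assumptions of this example; it assumes GNU sed and grep as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original article: apply the single-node OpenSearch
# settings from the guide and audit the result. Assumes GNU sed/grep (Ubuntu).
# Usage: sh opensearch-setup.sh /etc/opensearch/opensearch.yml [network.host]
#        (run as root; opensearch-setup.sh is a hypothetical file name)

# set_yaml_key FILE KEY VALUE: drop every existing "KEY: ..." line, active or
# commented out as in the stock opensearch.yml, and append one active line.
set_yaml_key() {
    file=$1; key=$2; value=$3
    sed -i "/^[#[:space:]]*${key}:/d" "$file"
    printf '%s: %s\n' "$key" "$value" >> "$file"
}

# configure_opensearch FILE [HOST]: the guide's settings; HOST defaults to loopback.
configure_opensearch() {
    file=$1; host=${2:-127.0.0.1}
    set_yaml_key "$file" cluster.name graylog
    set_yaml_key "$file" node.name '${HOSTNAME}'
    set_yaml_key "$file" path.data /var/lib/opensearch
    set_yaml_key "$file" path.logs /var/log/opensearch
    set_yaml_key "$file" discovery.type single-node
    set_yaml_key "$file" network.host "$host"
    set_yaml_key "$file" action.auto_create_index false
    set_yaml_key "$file" plugins.security.disabled true
}

# audit_opensearch FILE: return 1 when the security plugin is disabled AND the
# node listens on a non-loopback address, i.e. unauthenticated port 9200 is
# reachable from the network. Anything else is accepted.
audit_opensearch() {
    file=$1
    sec=$(sed -n 's/^plugins\.security\.disabled:[[:space:]]*//p' "$file" | tail -n 1)
    host=$(sed -n 's/^network\.host:[[:space:]]*//p' "$file" | tail -n 1)
    [ "$sec" = "true" ] || return 0
    case "$host" in
        ""|127.0.0.1|localhost|::1|_local_) return 0 ;;  # empty = OpenSearch default (loopback)
        *) echo "WARN: security plugin disabled and network.host=$host is not loopback" >&2
           return 1 ;;
    esac
}

# jvm_heap_gb MEMTOTAL_KB: half of installed RAM rounded to whole GiB, at least 1.
jvm_heap_gb() {
    half=$(( ($1 + 1048576) / 2097152 ))
    if [ "$half" -lt 1 ]; then half=1; fi
    echo "$half"
}

# set_jvm_heap FILE GB: rewrite the -Xms/-Xmx lines of jvm.options.
set_jvm_heap() {
    sed -i "s/^-Xms.*/-Xms${2}g/; s/^-Xmx.*/-Xmx${2}g/" "$1"
}

if [ -n "${1:-}" ]; then
    configure_opensearch "$1" "${2:-}"
    heap=$(jvm_heap_gb "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)")
    echo "suggested heap for /etc/opensearch/jvm.options: -Xms${heap}g -Xmx${heap}g"
    audit_opensearch "$1"
fi
```

Run it once against a copy of opensearch.yml first; the audit exits non-zero on the risky combination, so it can also gate a deployment pipeline.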
Reload systemd, then enable and start the OpenSearch service:
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service
sudo systemctl status opensearch.service
You can check the status of the service with:
$ systemctl status opensearch
● opensearch.service - OpenSearch
Loaded: loaded (/lib/systemd/system/opensearch.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-11-24 11:33:45 UTC; 20s ago
Docs: https://opensearch.org/
Main PID: 13489 (java)
Tasks: 66 (limit: 4524)
Memory: 1.2G
CPU: 32.999s
CGroup: /system.slice/opensearch.service
└─13489 /usr/share/opensearch/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt>
Nov 24 11:33:31 jammy systemd[1]: Starting OpenSearch...
Nov 24 11:33:45 jammy systemd[1]: Started OpenSearch.
OpenSearch listens on port 9200, which can be verified with the curl command:
curl -X GET http://localhost:9200
You should see your cluster name in the output.
$ curl -X GET http://localhost:9200
{
"name" : "jammy",
"cluster_name" : "graylog",
"cluster_uuid" : "FFlndxWCQcii1uirhxQkeQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.11.0",
"build_type" : "deb",
"build_hash" : "4dcad6dd1fd45b6bd91f041a041829c8687278fa",
"build_date" : "2023-10-13T02:57:02.526977318Z",
"build_snapshot" : false,
"lucene_version" : "9.7.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
Step 3 – Install MongoDB
Start by importing the MongoDB 6.0 GPG key to your system:
curl -fsSL https://www.mongodb.org/static/pgp/server-6.0.asc|sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-6.gpg
Add the MongoDB 6.0 repo on the system:
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
Download and install MongoDB from the repository just added:
sudo apt update && sudo apt install mongodb-org -y
Start and enable MongoDB, then check its status:
sudo systemctl start mongod
sudo systemctl enable mongod
$ systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2023-11-17 00:23:04 UTC; 1 day 7h ago
Docs: https://docs.mongodb.org/manual
Main PID: 2652 (mongod)
Memory: 172.9M
CPU: 23min 2.591s
CGroup: /system.slice/mongod.service
└─2652 /usr/bin/mongod --config /etc/mongod.conf
Nov 17 00:23:04 jammy systemd[1]: Started MongoDB Database Server.
Step 4 – Install Graylog Server
Download and install the Graylog repository package:
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
Install Graylog server:
sudo apt update
sudo apt install graylog-server
Generate a secret that Graylog uses to secure user passwords, using the pwgen command:
pwgen -N 1 -s 96
The output should look like:
FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum
Edit the graylog config file to add the secret we just created:
sudo vim /etc/graylog/server/server.conf
Locate the password_secret = line and add the secret generated above after it:
password_secret = FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum
If you want to reach the Graylog interface directly by server IP address and port, set http_bind_address to a public host name or public IP address of the machine that you can connect to:
$ sudo vim /etc/graylog/server/server.conf
http_bind_address = 0.0.0.0:9000
Next, create a SHA-256 hash of the administrator password. This is the password you will use to log in to the web interface.
$ echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: password
You will get an output of this kind:
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Edit the /etc/graylog/server/server.conf file and put the hash after root_password_sha2 =:
$ sudo vim /etc/graylog/server/server.conf
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
Also point Graylog at the OpenSearch node (the setting keeps its elasticsearch_hosts name):
elasticsearch_hosts = http://127.0.0.1:9200
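The four server.conf edits above as one non-interactive script, added here as an example that is not part of the original article. It generates password_secret from /dev/urandom (standing in for pwgen -N 1 -s 96), reads the admin password from standard input rather than from the command line so it never lands in shell history or ps output, hashes it with sha256sum exactly as the guide's pipeline does, and writes root_password_sha2, http_bind_address and elasticsearch_hosts. The bind address defaults to the guide's 0.0.0.0:9000; once Nginx fronts Graylog (Step 6), rerunning the script with 127.0.0.1:9000 keeps the plain-HTTP port off the network. The script name and function names are assumptions; it assumes GNU coreutils and sed as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original article: configure Graylog's server.conf
# without an editor. Assumes GNU coreutils (sha256sum) and sed on Ubuntu.
# Usage: sh graylog-conf.sh /etc/graylog/server/server.conf [bind_addr] [opensearch_url]
#        (hypothetical script name; the admin password is read from stdin)

# gen_secret [LEN]: random alphanumeric string, 96 chars by default, the same
# shape as the guide's "pwgen -N 1 -s 96" output.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-96}"
}

# sha256_hex STRING: hex SHA-256 of STRING with no trailing newline, which is
# what root_password_sha2 must contain.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# set_conf_key FILE KEY VALUE: drop every "KEY = ..." line (commented or not)
# and append one active line, so exactly one definition remains.
set_conf_key() {
    file=$1; key=$2; value=$3
    sed -i "/^[#[:space:]]*${key}[[:space:]]*=/d" "$file"
    printf '%s = %s\n' "$key" "$value" >> "$file"
}

# conf_value FILE KEY: read back the active value of KEY.
conf_value() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# read_password: prompt without echo on a terminal, otherwise take one line of stdin.
read_password() {
    if [ -t 0 ]; then
        printf 'Enter admin password: ' >&2
        stty -echo; IFS= read -r pw; stty echo; echo >&2
    else
        IFS= read -r pw
    fi
    printf '%s' "$pw"
}

# configure_graylog FILE [BIND_ADDR] [OPENSEARCH_URL]: write the four settings.
configure_graylog() {
    file=$1; bind=${2:-0.0.0.0:9000}; os=${3:-http://127.0.0.1:9200}
    password=$(read_password)
    [ -n "$password" ] || { echo "empty password refused" >&2; return 1; }
    set_conf_key "$file" password_secret "$(gen_secret 96)"
    set_conf_key "$file" root_password_sha2 "$(sha256_hex "$password")"
    set_conf_key "$file" http_bind_address "$bind"
    set_conf_key "$file" elasticsearch_hosts "$os"
}

if [ -n "${1:-}" ]; then
    configure_graylog "$@"
fi
```

Because password_secret is regenerated on every run, rerun the script only before the first start or accept that stored credentials encrypted with the old secret become unreadable.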
Graylog is now configured and ready for use.
Start Graylog service:
sudo systemctl daemon-reload
sudo systemctl restart mongod graylog-server
sudo systemctl enable mongod graylog-server
You can check if the service has started successfully from the logs:
sudo tail -f /var/log/graylog-server/server.log
Output:
========================================================================================================
It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.
Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'btcCPSxboD'.
========================================================================================================
You can then access the Graylog web dashboard at:
http://<serverip_hostname>:9000
Step 5 – Using Nginx with Let’s Encrypt SSL (Optional)
The next step is to configure SSL so that we can access Graylog web interface via HTTPS.
To achieve this, we will need the following:
- Fully qualified domain name(FQDN)
- Nginx
- Let’sEncrypt certificate
The steps are summarised below for easy reference.
1. Update the system and install Nginx
sudo apt update && sudo apt install nginx
2. Configure firewall
sudo ufw allow 'Nginx Full'
3. Create a virtual host for your domain name
Create a file in /etc/nginx/sites-available/, e.g.:
sudo vim /etc/nginx/sites-available/graylog.conf
Add the following in the file:
server {
listen 80;
server_name graylog.yourdomain.com;
return 301 https://$host$request_uri;
access_log /var/log/nginx/graylog.yourdomain.com.access.log combined;
error_log /var/log/nginx/graylog.yourdomain.com.error.log;
}
Remember to substitute graylog.yourdomain.com with your FQDN.
4. Create a symlink of the file we just created from /etc/nginx/sites-available to /etc/nginx/sites-enabled
sudo ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/
5. Check that the Nginx configuration is valid by running the nginx -t command.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
6. Install the Let’s Encrypt certbot client with its Nginx plugin.
sudo apt install certbot python3-certbot-nginx
7. Run certbot for Nginx
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: graylog.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for graylog.computingforgeeks.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/graylog.computingforgeeks.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/graylog.computingforgeeks.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://graylog.computingforgeeks.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=graylog.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/graylog.computingforgeeks.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/graylog.computingforgeeks.com/privkey.pem
Your cert will expire on 2021-02-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You have now obtained an SSL certificate for your domain.
Step 6 – Access Graylog dashboard
The next step is to configure Nginx as a reverse proxy for Graylog, which runs on the same host on port 9000. Once done, the dashboard is reachable at:
- IP or domain without SSL: http://serverip_or_hostname:9000
- With Nginx, a domain and SSL: https://domain
Edit the /etc/nginx/sites-available/graylog.conf file:
sudo vim /etc/nginx/sites-available/graylog.conf
and add the following location block inside the server section that certbot created for port 443:
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$server_name/;
proxy_pass http://127.0.0.1:9000;
}
The final config file should look like:
server {
listen 80;
server_name graylog.example.com;
return 301 https://$host$request_uri;
access_log /var/log/nginx/graylog_access.log combined;
error_log /var/log/nginx/graylog_error.log;
}
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name graylog.example.com;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/graylog.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/graylog.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$server_name/;
proxy_pass http://127.0.0.1:9000;
}
}
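A check that the proxy layout above actually closes the plain-HTTP path, added here as an example that is not part of the original article. TLS on Nginx only helps if browsers cannot reach Graylog on port 9000 directly, and the guide's http_bind_address = 0.0.0.0:9000 leaves that port listening on every interface. The function reads the Nginx site file and server.conf, confirms that Nginx terminates TLS and redirects port 80, that proxy_pass points at the port Graylog binds, that X-Graylog-Server-URL is an https:// URL (the web UI uses it for its API calls), and flags a non-loopback bind. It returns the number of findings, so 0 means clean. The script name and function names are assumptions; it assumes GNU sed and grep and the two configuration files described in the guide.

```shell
#!/bin/sh
# Added example, not from the original article: audit the Nginx -> Graylog
# reverse-proxy layout. Assumes GNU sed/grep (Ubuntu) and the two config files
# described in the guide.
# Usage: sh proxy-audit.sh /etc/nginx/sites-available/graylog.conf /etc/graylog/server/server.conf
#        (hypothetical script name)

# nginx_directive FILE DIRECTIVE: value of the last matching directive, without
# the trailing ';' or any "# managed by Certbot" comment. DIRECTIVE may include
# a first argument, e.g. "proxy_set_header X-Graylog-Server-URL".
nginx_directive() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | tail -n 1
}

# audit_graylog_proxy NGINX_SITE SERVER_CONF: print findings, return their count.
audit_graylog_proxy() {
    site=$1; conf=$2; findings=0

    upstream=$(nginx_directive "$site" proxy_pass)   # e.g. http://127.0.0.1:9000
    server_url=$(nginx_directive "$site" 'proxy_set_header X-Graylog-Server-URL')
    bind=$(sed -n 's/^http_bind_address[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$bind" ] || bind=127.0.0.1:9000            # Graylog's built-in default
    bind_host=${bind%:*}; bind_port=${bind##*:}
    up_port=${upstream##*:}; up_port=${up_port%/}

    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+.*443[[:space:]]+ssl' "$site"; then
        echo "FINDING: $site has no 'listen 443 ssl'; Nginx is not terminating TLS"
        findings=$((findings + 1))
    fi
    if ! grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$site"; then
        echo "FINDING: $site does not redirect plain HTTP to HTTPS"
        findings=$((findings + 1))
    fi
    if [ "$up_port" != "$bind_port" ]; then
        echo "FINDING: proxy_pass port '$up_port' differs from http_bind_address port '$bind_port'"
        findings=$((findings + 1))
    fi
    case "$server_url" in
        https://*) : ;;
        *) echo "FINDING: X-Graylog-Server-URL is '$server_url', expected an https:// URL"
           findings=$((findings + 1)) ;;
    esac
    case "$bind_host" in
        127.0.0.1|localhost|"[::1]") : ;;
        *) echo "FINDING: Graylog binds $bind in clear text; clients can bypass Nginx TLS." \
                "Set http_bind_address = 127.0.0.1:${bind_port} or firewall the port."
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

if [ "$#" -eq 2 ]; then
    audit_graylog_proxy "$1" "$2"
fi
```

Run with the guide's files as they stand and the only finding is the 0.0.0.0 bind; after switching http_bind_address to 127.0.0.1:9000 and restarting graylog-server the audit returns 0.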
Verify the configuration again with the nginx -t command to make sure it is still valid.
Now restart nginx service.
sudo systemctl restart nginx
With all of the above running, you should be able to reach your Graylog dashboard at https://graylog.yourdomain.com. Remember to replace graylog.yourdomain.com with your FQDN.

The default username for Graylog is admin, and the password is the one we configured in Step 4 (Install Graylog Server) above. In my case this is “Str0ngPassw0rd”.
You can now start using your Graylog web dashboard configured with SSL.

Conclusion
We have successfully installed Graylog server, configured SSL through Nginx as a reverse proxy and logged in to the web interface.
Configuring SSL on Graylog server is important for securing your system.
Should you face any challenge during the setup process, feel free to comment or ask any question in the comments section.
Thanks for the hard work on this article. I was working with Apache 2.4, but most of the article worked just fine for me, and saved me some head scratching and Googling 🙂
You are welcome! Feel free to check more articles on the site.
This was absolutely perfect. I tried two other articles that just didn’t work for me.
Thank you!
Great welcome!
In the instructions:
sudo systemctl daemon-reload
sudo systemctl restart mongod graylog-server
sudo systemctl enable mongod graylog-server
there is a typo. It should be:
sudo systemctl daemon-reload
sudo systemctl restart mongodb graylog-server
sudo systemctl enable mongodb graylog-server
This has been updated. Thanks
Has this been tested on 22.04?
I can’t install MongoDB – “Package ‘mongodb-server’ has no installation candidate”
Thanks Luke for the comment.
The guide has been updated!
Nice! But how can we configure SSL on an IP address using Nginx?
You can generate and use self signed certificates if you do not have an FQDN.
I have got the message:
sudo systemctl restart mongodb graylog-server
Failed to restart mongodb.service: Unit mongodb.service not found.
After installing the graylog-server, opensearch, mongod and all the services are working.
but on the web interface there is an error I am getting
{
"type": "ApiError",
"message": ""
}
when I start the web browser. This is the error I got when I run this line on the command line:
sudo tail -f /var/log/graylog-server/server.log
2023-11-22T07:25:14.425-05:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
java.util.NoSuchElementException: null
at java.util.StringTokenizer.nextToken(Unknown Source) ~[?:?]
at org.graylog2.bootstrap.preflight.web.BasicAuthFilter.filter(BasicAuthFilter.java:67) ~[graylog.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108) ~[graylog.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44) ~[graylog.jar:?]
at org.glassfish.jersey.process.internal.Stages.process(Stages.java:173) ~[graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:247) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Please try with the updated guide