This is a complete guide on how to install and configure Graylog Server on Ubuntu 18.04 for centralized log management. Graylog is a free and open source enterprise-grade log management system comprising Elasticsearch, MongoDB and the Graylog server.
For a CentOS 7 server, see How to Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7.
Graylog Components / Architecture
Elasticsearch stores log data and provides powerful search capabilities to the Graylog server. MongoDB stores meta information and configuration data used by Graylog for log management.
For large production setups, it is advisable to run several Graylog, Elasticsearch and MongoDB nodes behind a load balancer to distribute the processing load.
Aside from a web-based dashboard to manage and search through logs, Graylog also exposes a REST API for data access and configuration management. Below is a basic overview of the Graylog architecture. With an easy to use and intuitive web interface, you can visualize metrics and spot anomalies for faster troubleshooting. In this guide, you'll learn how to install and configure Graylog server on Ubuntu 18.04 Server.
Step 1: Update system
It is a rule of thumb to update your system before installing any packages. This is recommended to avoid any dependency issues:
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo reboot
Step 2: Install Java / OpenJDK 8
One main component/dependency of Graylog is Elasticsearch. Elasticsearch requires Java 8 installed for it to run. You can install Oracle Java or its open source alternative – OpenJDK. Here we will install OpenJDK.
$ sudo apt install apt-transport-https uuid-runtime pwgen openjdk-8-jre-headless
Once installed, proceed to step 3.
Step 3: Install Elasticsearch 5.x
As of this writing, the latest release of Graylog (2.4) requires Elasticsearch 5.x to work. I’ll update once compatible with Elasticsearch 6.x. Install Elasticsearch 5.x on Ubuntu 18.04 using the guide: How to Install Elasticsearch 5.x on Ubuntu 18.04 LTS (Bionic Beaver) Linux
Once the installation of Elasticsearch 5.x is complete, set cluster name for Graylog.
$ sudo vim /etc/elasticsearch/elasticsearch.yml
Set on line 17
Restart elasticsearch service:
$ sudo systemctl restart elasticsearch
$ sudo systemctl status elasticsearch
Step 4: Install MongoDB
Follow the guide How to install Latest MongoDB on Ubuntu 18.04 / Ubuntu 16.04 for installation of MongoDB on Ubuntu 18.04.
Step 5: Install Graylog on Ubuntu 18.04
Now that we have installed MongoDB and Elasticsearch, the last piece is the installation of the Graylog server. Add the Graylog repository and install the graylog-server package using apt.
$ wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
$ sudo dpkg -i graylog-2.4-repository_latest.deb
Selecting previously unselected package graylog-2.4-repository.
(Reading database ... 102444 files and directories currently installed.)
Preparing to unpack graylog-2.4-repository_latest.deb ...
Unpacking graylog-2.4-repository (1-6) ...
Setting up graylog-2.4-repository (1-6) ...
$ sudo apt-get update && sudo apt-get install graylog-server
Step 6: Configure Graylog
After installation, some configuration is needed before you can start using Graylog.
Generate root password:
You need to generate a 256-bit (SHA-256) hash of the admin user password:
$ echo -n MyStrongPassword | sha256sum
7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d -
Add the generated hash to the root_password_sha2 = line in /etc/graylog/server/server.conf:
$ sudo vim /etc/graylog/server/server.conf
root_password_sha2 = 7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d
Next, generate and set the password secret used to secure stored user passwords.
$ sudo apt-get install pwgen
$ pwgen -N 1 -s 96
5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY
$ sudo vim /etc/graylog/server/server.conf
password_secret = 5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY
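The two Step 6 settings as a script, added here as an example and not part of the original guide: it reads the admin password from stdin, so it never appears on an echo command line or in shell history, and writes both keys into server.conf. The function names are this example's own, and /dev/urandom filtered through tr is swapped in for pwgen.

```sh
#!/bin/sh
# Added example (not from the original guide). Function names are this
# example's own; the default path is the server.conf edited in Step 6.

# Hash one line read from stdin, so the password never appears in argv
# or in shell history. Refuses an empty password.
hash_password() (
    IFS= read -r pw || [ -n "$pw" ] || exit 1
    printf '%s' "$pw" | sha256sum | cut -d' ' -f1
)

# 96 alphanumeric characters from the kernel CSPRNG. Assumption: this
# stands in for `pwgen -N 1 -s 96`, which may not be installed yet.
gen_secret() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 96
}

# Set "key = value" in a config file: rewrite the live (uncommented) line
# if present, append otherwise. Writing back with cat keeps the file's
# owner and mode unchanged.
set_conf_key() (
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*" k "[ \t]*=" { print k " = " v; seen = 1; next }
        { print }
        END { if (!seen) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
)

# Read the admin password from stdin (echo off on a terminal) and write
# both Step 6 settings into the config file given as $1.
configure_graylog() (
    conf=${1:-/etc/graylog/server/server.conf}
    if [ -t 0 ]; then
        printf 'Graylog admin password: ' >&2
        trap 'stty echo; echo >&2' EXIT
        stty -echo
    fi
    hash=$(hash_password) || exit 1
    set_conf_key "$conf" root_password_sha2 "$hash" &&
        set_conf_key "$conf" password_secret "$(gen_secret)"
)
```

Source the file in a root shell and call configure_graylog /etc/graylog/server/server.conf; it prompts for the password with echo disabled.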
Please run the following commands if you want to start Graylog automatically on system boot:
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
By default, the REST API listens on:
rest_listen_uri = http://127.0.0.1:9000/api/
and the web interface URI is:
web_listen_uri = http://127.0.0.1:9000/
You can change these to the server's IP address if you want.
Step 7: Access Graylog Web Interface
Access the Graylog web interface using the server's IP address and port 9000. If you would like to access it using a domain, see Configure Graylog Nginx reverse proxy with Letsencrypt SSL to configure Nginx as a Graylog reverse proxy.
A simple nginx configuration without https section is given below
Start nginx after making the change
$ sudo systemctl restart nginx
Access the web UI at http://domain.com
Log in with username admin and the password set in step 6.