(Last Updated On: July 2, 2018)

This is a complete guide on How to Install and Configure Graylog Server on Ubuntu 18.04 for Centralized Log management. Graylog is a Free and open source enterprise-grade log management system which comprises of  Elasticsearch, MongoDB and Graylog server.

For CentOS 7 server, we have how to Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7.

Graylog Components / Architecture

The work of Elasticsearch is to store logs data and provide powerful search capabilities to Graylog Server. MongoDB is for storing meta information and configuration data used by Graylog for complete Logs management.

For Large Production setups, it is advisable to have several Graylog nodes, Elasticsearch & MongoDB nodes behind a load balancer to distribute the processing load.

Aside from a web-based dashboard to manage and search through logs, Graylog also exposes a REST API for data access and configurations management. Below is a basic architectural overview of Graylog architecture. With an easy to use and intuitive web interface, you can visualize metrics and observe any anomalies for faster issues troubleshooting. In this guide, you’ll learn how to install and configure Graylog serve on Ubuntu 18.04 Server.

Step 1: Update system

It is a rule of thumb to update your system before installing any packages. This is recommended to avoid any dependency issues:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo reboot

Step 2: Install Java / OpenJDK 8

One main component/dependency of Graylog is Elasticsearch. Elasticsearch requires Java 8 installed for it to run. You can install Oracle Java or its open source alternative – OpenJDK. Here we will install OpenJDK.

$ sudo apt install apt-transport-https uuid-runtime pwgen openjdk-8-jre-headless

Once installed, proceed to step 3.

Step 3: Install Elasticsearch 5.x

As of this writing, the latest release of Graylog (2.4) requires Elasticsearch 5.x to work. I’ll update once compatible with Elasticsearch 6.x. Install Elasticsearch 5.x on Ubuntu 18.04 using the guide: How to Install Elasticsearch 5.x on Ubuntu 18.04 LTS (Bionic Beaver) Linux

Once the installation of Elasticsearch 5.x  is complete, set cluster name for Graylog.

$ sudo vim /etc/elasticsearch/elasticsearch.yml

Set on line 17

cluster.name: graylog

Restart elasticsearch service:

$ sudo systemctl restart elasticsearch
$ sudo systemctl status elasticsearch

Step 4: Install MongoDB

Follow the guide How to install Latest MongoDB on Ubuntu 18.04 / Ubuntu 16.04 for installation of MongoDB on Ubuntu 18.04.

Step 5: Install Graylog on Ubuntu 18.04

Now that we have installed MongoDB and Elasticsearch, the last piece is the installation of Graylog server. Add Graylog repository and install graylog-server package using apt.

$ wget https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.deb
$ sudo dpkg -i graylog-2.4-repository_latest.deb
Selecting previously unselected package graylog-2.4-repository.
(Reading database ... 102444 files and directories currently installed.)
Preparing to unpack graylog-2.4-repository_latest.deb ...
Unpacking graylog-2.4-repository (1-6) ...
Setting up graylog-2.4-repository (1-6) ...
$ sudo apt-get update && sudo apt-get install graylog-server

Step 6: Configure Graylog

After installation, we need to do some configurations before you can start using Graylog.

Generate root password:

You need to generate a 256-bit hash for the for admin user password:

$ echo -n MyStrongPassword | sha256sum
7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d -

Add the given password to root_password_sha2= line under /etc/graylog/server/server.conf file.

$ sudo vim /etc/graylog/server/server.conf
root_password_sha2 = 7a96004f5149811c069f40146b08cf45f45087d4530d35f7d4d88d058db9612d

Next is to generate and set password secret for securing stored user passwords.

$ sudo apt-get install pwgen
$ pwgen -N 1 -s 96
5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY
$ sudo vim /etc/graylog/server/server.conf
password_secret = 5JdTcmGgqBUNw2oip7YZEqbZxc4UV5X8461xukUHdq9PjBYiSu1wxSeiRCk0z73tVZc9FGluZ2k0c9YXdxg5Z0buzNx58tmY

Please run the following commands if you want to start Graylog automatically on system boot:

sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

By default, REST API will listen on:

rest_listen_uri = http://127.0.0.1:9000/api/

and Web interface URI will be on

web_listen_uri = http://127.0.0.1:9000/

You can change it to server’s IP Address if you want

Step 7: Access Graylog Web Interface

Access Graylog web interface using its IP Address and port 9000. If you would like to access it using a domain, check Configure Graylog Nginx reverse proxy with Letsencrypt SSL to Configure Nginx as a Graylog reverse proxy.

A simple nginx configuration without https section is given below

# cat /etc/nginx/conf.d/graylog.conf 
server
{
    server_name graylog.computingforgeeks.com;

    location / {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL http://$server_name/api;
      proxy_pass       http://127.0.0.1:9000;
    }
}

Start nginx after making the change

$ sudo systemctl restart nginx

Access web UI on http://domain.com

Login with username admin and password set on step 6.

The next step is to ingest messages into your Graylog and extract the messages with extractors or use the Pipelines to work with the messages.