How To Install Graylog on Manjaro

Centralized log management is essential for modern system administration and DevOps workflows. Graylog stands out as a powerful open-source solution that transforms how administrators collect, analyze, and monitor logs across their infrastructure. This comprehensive guide walks through the complete installation and configuration of Graylog on Manjaro Linux, an Arch-based distribution known for its user-friendliness and rolling release model.

Manjaro users benefit from access to the extensive Arch User Repository (AUR) and pacman package manager, making Graylog deployment straightforward. Whether managing a single server or an entire network, Graylog provides real-time search capabilities, customizable dashboards, and robust alerting mechanisms that elevate log analysis from reactive troubleshooting to proactive system monitoring.

This tutorial covers everything from initial system preparation through post-installation configuration. Readers will learn to install all required dependencies, configure the complete Graylog stack, and troubleshoot common issues. By the end, a fully functional log management system will be operational and ready to collect data from multiple sources.

What is Graylog?

Graylog is an enterprise-grade log management platform that centralizes log data from diverse sources into a single, searchable repository. Built on a robust three-component architecture, it combines MongoDB for configuration storage, Elasticsearch for log indexing and search, and the Graylog server itself for processing and presentation.

The platform excels at collecting logs from applications, servers, network devices, and cloud services simultaneously. Real-time search and analysis capabilities allow administrators to query millions of log entries within seconds, identifying patterns and anomalies that might otherwise go unnoticed. Custom dashboards provide at-a-glance visibility into system health, while the stream processing engine routes specific logs to designated outputs based on customizable rules.

Alert functionality transforms Graylog from a passive repository into an active monitoring system. Administrators configure conditions that trigger notifications via email, Slack, or webhooks when specific events occur. This proactive approach catches issues before they escalate into critical failures.

System administrators leverage Graylog for security monitoring, application debugging, compliance reporting, and performance optimization. Its open-source nature and extensibility through plugins make it adaptable to virtually any logging scenario.

System Requirements and Prerequisites

Proper resource allocation ensures optimal Graylog performance. Hardware requirements vary based on expected log volume, but a baseline configuration provides a solid foundation.

Minimum specifications include 4GB RAM, though 8GB or more is strongly recommended for production environments. Multi-core processors handle concurrent log processing more efficiently. Allocate at least 20GB of free disk space for the base installation, with additional storage scaled according to log retention policies and expected daily volume.

Software prerequisites are equally important. Manjaro Linux should be fully updated to the latest stable release. Java OpenJDK 17 or higher is mandatory, as Graylog 5.x requires this version for operation. MongoDB 5.x or 6.x provides the configuration backend, while Elasticsearch handles the heavy lifting of log indexing and search.

Network configuration requires attention to several ports. Graylog’s web interface operates on port 9000 by default. Elasticsearch communicates internally on port 9200, and MongoDB uses port 27017. Ensure these ports remain available and configure firewall rules accordingly.

Administrative access via sudo or root privileges is non-negotiable throughout the installation process. Basic command-line proficiency helps navigate configuration files and troubleshoot issues efficiently. A static IP address or properly configured hostname simplifies access and prevents connection problems after reboots.

Step 1: Update System and Install Dependencies

Beginning with a fully updated system prevents compatibility issues and ensures access to the latest security patches. Manjaro’s rolling release model delivers continuous updates, making this step particularly important.

Execute the system update command:

sudo pacman -Syu

This command synchronizes package databases and upgrades all installed packages to their newest versions. The process may take several minutes depending on how recently the system was last updated. Review the package list carefully and confirm the upgrade when prompted.

Essential utilities facilitate the remaining installation steps. Install necessary tools:

sudo pacman -S curl wget pwgen

These packages provide download capabilities and password generation functionality needed during configuration. The pacman package manager resolves dependencies automatically, ensuring all required libraries install correctly.

Reboot if kernel updates were applied:

sudo reboot

System updates occasionally include kernel changes that require a restart to take effect. Check the update output for kernel-related packages before deciding whether to reboot immediately or continue.

Step 2: Install Java OpenJDK

Graylog’s core functionality depends on Java runtime environments. Modern Graylog versions specifically require OpenJDK 17 or newer, a requirement that became standard with Graylog 5.x releases.

First, verify whether Java is already present:

java -version

If Java is installed, the command displays version information. If not installed or running an older version, proceed with OpenJDK 17 installation.

Install OpenJDK 17 on Manjaro:

sudo pacman -S jdk17-openjdk

Manjaro’s repositories include OpenJDK packages maintained specifically for Arch-based distributions. The installation automatically configures system paths, eliminating manual JAVA_HOME configuration in most cases.

Confirm successful installation:

java -version

The output should indicate OpenJDK 17 or higher. Version mismatches can cause Graylog to fail during startup, so verify this carefully.

If multiple Java versions exist on the system, use the archlinux-java tool to set the correct default:

sudo archlinux-java set java-17-openjdk

This ensures Graylog uses the appropriate Java runtime regardless of other installed versions.

Step 3: Install and Configure MongoDB

MongoDB serves as Graylog’s configuration database, storing user accounts, stream definitions, dashboards, and system settings. While it doesn’t handle log data itself, MongoDB remains critical for Graylog operation.

Install MongoDB from Manjaro repositories:

sudo pacman -S mongodb

Alternatively, if MongoDB isn’t available in the standard repositories, install from the AUR:

yay -S mongodb-bin

The installation creates necessary system users and directory structures automatically. Once installed, start the MongoDB service:

sudo systemctl start mongodb

Enable MongoDB to launch automatically at system boot:

sudo systemctl enable mongodb

Verify MongoDB is running correctly:

sudo systemctl status mongodb

A properly functioning service displays “active (running)” in green text. If the service fails to start, check system logs for specific error messages:

sudo journalctl -u mongodb -n 50

Test MongoDB connectivity directly:

mongosh

This opens the MongoDB shell interface. If connection succeeds, the database is accepting connections. Exit with exit or Ctrl+C.

MongoDB version compatibility matters—Graylog supports MongoDB 5.x and 6.x. Verify the installed version:

mongosh --version

For security-conscious deployments, consider creating a dedicated MongoDB user for Graylog rather than using default credentials. This step is optional for single-user development systems but recommended for production environments.

Step 4: Install and Configure Elasticsearch

Elasticsearch provides the search engine foundation that makes Graylog powerful. It indexes incoming logs and executes complex queries across millions of entries in milliseconds.

Install Elasticsearch on Manjaro:

sudo pacman -S elasticsearch

If unavailable in standard repositories, the AUR provides alternative packages:

yay -S elasticsearch

Configuration adjustments optimize Elasticsearch for Graylog’s specific needs. Edit the Elasticsearch configuration file:

sudo nano /etc/elasticsearch/elasticsearch.yml

Set the cluster name to identify this Elasticsearch instance:

cluster.name: graylog

Configure network binding for localhost access:

network.host: 127.0.0.1

Elasticsearch requires increased virtual memory mapping. Set this critical system parameter:

sudo sysctl -w vm.max_map_count=262144

Make this change permanent by editing the sysctl configuration:

echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf

This setting prevents Elasticsearch from failing with out-of-memory errors.

Configure JVM heap size based on available system memory. Edit the jvm.options file:

sudo nano /etc/elasticsearch/jvm.options

Set heap size to approximately 50% of available RAM, never exceeding 32GB. For a system with 8GB total RAM:

-Xms2g
-Xmx2g

Start the Elasticsearch service:

sudo systemctl start elasticsearch

Enable automatic startup:

sudo systemctl enable elasticsearch

Verify service status:

sudo systemctl status elasticsearch

Elasticsearch takes 15-30 seconds to fully initialize. Test connectivity:

curl -X GET http://localhost:9200

A successful response returns JSON data including cluster name and version information. If this fails, Graylog cannot function properly.

Check Elasticsearch logs if issues arise:

sudo journalctl -u elasticsearch -n 100

Version compatibility between Elasticsearch and Graylog is crucial. Consult Graylog’s official compatibility matrix to ensure versions align correctly.

Step 5: Install Graylog Server

With dependencies configured, install the Graylog server itself. Manjaro offers several installation methods depending on repository availability.

Install from standard repositories if available:

sudo pacman -S graylog

The AUR provides maintained Graylog packages when standard repositories lack them:

yay -S graylog

For manual installation, download the latest Graylog package directly from the official repository and install using pacman:

wget https://packages.graylog2.org/repo/packages/graylog-5.x-repository_latest.rpm
sudo pacman -U graylog-5.x-repository_latest.rpm

Installation creates the graylog-server service and places configuration files in /etc/graylog/server/. Log files will accumulate in /var/log/graylog-server/ once the service starts.

Verify installation by checking for the configuration file:

ls -la /etc/graylog/server/server.conf

The presence of server.conf confirms successful installation. This file requires extensive configuration before Graylog can start.

Step 6: Configure Graylog Server

Graylog’s main configuration file contains dozens of parameters, but several are absolutely essential. Open the configuration file:

sudo nano /etc/graylog/server/server.conf

Generate a password secret for internal encryption. This secret protects sensitive data:

pwgen -N 1 -s 96

Alternatively, generate it manually:

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c96; echo

Copy the output and add it to server.conf:

password_secret = [your_generated_secret]

Never share this secret or commit it to version control.

Create the root administrator password by generating a SHA256 hash:

echo -n "yourpassword" | sha256sum | cut -d" " -f1

Replace “yourpassword” with a strong, unique password. Add the hash to server.conf:

root_password_sha2 = [your_generated_hash]

Configure Graylog as the cluster leader for single-node deployments:

is_leader = true

Set the node ID file location:

node_id_file = /etc/graylog/server/node-id

Configure web interface binding to allow external access:

http_bind_address = 0.0.0.0:9000

Set the external URI that browsers will use to access Graylog:

http_external_uri = http://your_server_ip:9000/

Replace “your_server_ip” with the actual server IP address or hostname. Incorrect configuration here causes login redirects to fail.

Configure MongoDB connection:

mongodb_uri = mongodb://localhost:27017/graylog

Configure Elasticsearch connection:

elasticsearch_hosts = http://127.0.0.1:9200

Optional but useful configurations include timezone settings:

root_timezone = Asia/Jakarta

Email server configuration enables alert notifications:

transport_email_enabled = true
transport_email_hostname = smtp.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = your_email@example.com
transport_email_auth_password = your_email_password
transport_email_from_email = graylog@example.com

Save and close the configuration file. Back up this file immediately:

sudo cp /etc/graylog/server/server.conf /etc/graylog/server/server.conf.backup

Configuration mistakes can prevent Graylog from starting. The backup allows quick recovery.

Step 7: Start and Enable Graylog Services

With configuration complete, launch all services in the correct order. Dependencies must start before Graylog itself.

Ensure MongoDB is running:

sudo systemctl status mongodb

Verify Elasticsearch is operational:

sudo systemctl status elasticsearch

Both services must show “active (running)” status. If either service is stopped, start it before proceeding.

Reload systemd to recognize configuration changes:

sudo systemctl daemon-reload

Start the Graylog server:

sudo systemctl start graylog-server

Enable automatic startup at boot:

sudo systemctl enable graylog-server

Check Graylog service status:

sudo systemctl status graylog-server

Graylog requires 2-3 minutes for complete initialization. Monitor the startup process in real-time:

sudo tail -f /var/log/graylog-server/server.log

Watch for the message “Graylog server up and running.” This confirms successful startup. Press Ctrl+C to stop following the log.

If Graylog fails to start, the log file contains specific error messages explaining why. Common issues include configuration syntax errors, failed database connections, or port conflicts.

Verify all three services are running simultaneously:

sudo systemctl status mongodb elasticsearch graylog-server

All three must show active status for proper operation.

Step 8: Access Graylog Web Interface

With services running, access the web interface through a browser. Navigate to:

http://your_server_ip:9000

Replace “your_server_ip” with the actual IP address or hostname configured in http_external_uri. The Graylog login page appears after initial loading completes.

First-time access may take 30-60 seconds as Graylog initializes its web components. Be patient during this process.

Login using default credentials:

• Username: admin
• Password: The plaintext password used to generate the SHA256 hash

Successful authentication displays the Graylog dashboard. The interface presents several main sections:

The search bar dominates the top, enabling log queries using Graylog’s powerful search syntax. Streams appear in the left sidebar, organizing logs into logical categories. Dashboards provide customizable visualization, while the System menu accesses configuration options.

If the browser cannot connect, verify firewall rules allow traffic on port 9000. Check that http_bind_address and http_external_uri are configured correctly in server.conf.

Connection timeouts often indicate Graylog hasn’t fully started yet. Wait another minute and refresh the browser. Persistent issues require log file investigation.

Step 9: Post-Installation Configuration

Initial login completes installation, but additional configuration maximizes Graylog’s capabilities. Start by creating an input to receive logs.

Navigate to System → Inputs from the top menu. Click “Select input” and choose an input type. Syslog UDP provides universal compatibility with most systems:

1. Select “Syslog UDP” from the dropdown
2. Click “Launch new input”
3. Configure the input:
   • Title: “Syslog Input”
   • Bind address: 0.0.0.0
   • Port: 514
4. Click “Save”

The input starts immediately, listening for incoming syslog messages. Configure systems and applications to send logs to this server’s IP address on port 514.

Create data streams to organize incoming logs. Navigate to Streams and click “Create Stream”:

1. Title: “System Logs”
2. Description: “Operating system logs”
3. Remove matches from default stream: Optional
4. Click “Save”

Add rules to direct specific logs into this stream based on source, message content, or other criteria.

Build dashboards for visual monitoring. Navigate to Dashboards → Create dashboard:

1. Title: “System Overview”
2. Description: “Real-time system metrics”
3. Click “Create”

Add widgets displaying log volume, error rates, or specific search results. Dashboards update in real-time as new logs arrive.

Configure user accounts for team access. Navigate to System → Authentication → Users:

1. Click “Create User”
2. Set username, password, and email
3. Assign appropriate roles (Admin, Reader, etc.)
4. Click “Create”

Role-based access control restricts sensitive log data to authorized personnel.

Set up alerts to receive notifications about critical events. Navigate to Alerts → Event Definitions:

1. Click “Create Event Definition”
2. Configure alert conditions based on log patterns
3. Add notification channels (email, webhook)
4. Set notification frequency
5. Save and activate

Adjust timezone settings in System → Configuration to ensure log timestamps display correctly.

Configure index retention policies to manage disk space. Navigate to System → Indices:

1. Edit the default index set
2. Set rotation strategy (time-based, size-based)
3. Configure retention (how many indices to keep)
4. Save changes

This prevents unbounded storage growth as log volume increases.

Implement a backup strategy immediately. Critical components include:

• /etc/graylog/server/server.conf (configuration)
• MongoDB database (use mongodump)
• Elasticsearch indices (use snapshot API)

Regular backups protect against data loss from hardware failures or misconfigurations.

Change the default admin password immediately as a security best practice. Navigate to System → Users, edit the admin user, and set a new strong password.

Common Issues and Troubleshooting

Even careful installations encounter occasional problems. Understanding common issues accelerates resolution.

Graylog service won’t start is frequently caused by configuration errors. Check the server log:

sudo journalctl -u graylog-server -n 100

Configuration syntax errors appear clearly in log output. Verify server.conf contains no typos in parameter names or values. Ensure MongoDB and Elasticsearch are running before Graylog starts.

Port conflicts occur when another service uses port 9000. Identify the conflicting process:

sudo netstat -tulpn | grep 9000

Either stop the conflicting service or configure Graylog to use an alternative port.

Java version mismatches prevent startup. Verify OpenJDK 17 or higher is active:

java -version
archlinux-java status

Cannot access web interface despite a running service has several causes. First, verify the service truly runs:

sudo systemctl status graylog-server

Check firewall rules allow port 9000. On systems using firewalld:

sudo firewall-cmd --permanent --add-port=9000/tcp
sudo firewall-cmd --reload

For ufw:

sudo ufw allow 9000/tcp
sudo ufw reload

Incorrect http_external_uri configuration causes redirect loops. Double-check this parameter matches the URL used in the browser.

Browser cache sometimes displays old error pages. Try accessing from an incognito window or different browser.

Elasticsearch connection failures block log processing. Test Elasticsearch directly:

curl http://localhost:9200

No response indicates Elasticsearch isn’t running or not listening on the expected port. Check elasticsearch_hosts in server.conf matches the actual Elasticsearch address.

Version incompatibilities between Graylog and Elasticsearch cause connection rejection. Consult compatibility documentation to ensure versions align.

MongoDB connection issues prevent configuration loading. Verify MongoDB responds:

mongosh

Check mongodb_uri syntax carefully—typos in the connection string cause failures. The default mongodb://localhost:27017/graylog works for standard installations.

Authentication failures occur when MongoDB requires credentials but server.conf doesn’t provide them.

Login authentication failures typically stem from password hash mismatches. Regenerate the SHA256 hash:

echo -n "yourpassword" | sha256sum | cut -d" " -f1

Update root_password_sha2 in server.conf with the new hash. Restart Graylog after changes:

sudo systemctl restart graylog-server

Performance issues manifest as slow searches or high memory usage. OutOfMemoryError messages indicate insufficient heap allocation. Increase Elasticsearch JVM heap size or add more physical RAM.

High log volume overwhelms undersized systems. Monitor resource usage:

htop

Scale hardware resources or reduce log ingestion rates accordingly.

Search results limitations include the notorious page 66 limit. Elasticsearch restricts result windows by default. Increase index.max_result_window:

curl -X PUT "localhost:9200/_all/_settings" -H 'Content-Type: application/json' -d'
{
  "index.max_result_window": 100000
}
'

Field names containing dots cause parsing problems. Avoid periods in custom field definitions.

Service dependencies and startup order matter significantly. Always start MongoDB first, then Elasticsearch, finally Graylog. Creating systemd unit dependencies automates this sequence.

The Graylog community forums provide extensive troubleshooting assistance. Search existing threads before posting new questions—many issues have documented solutions.

Best Practices and Optimization Tips

Implementing proven practices ensures long-term reliability and performance. Regular system updates prevent security vulnerabilities:

sudo pacman -Syu

Schedule updates during maintenance windows to minimize disruption.

Monitor resource usage continuously. Track CPU, RAM, and disk utilization:

htop
df -h

Set up alerts when resources approach capacity limits. Proactive monitoring prevents unexpected outages.

Configure appropriate retention policies to manage disk space. Balance log retention requirements against available storage. Short retention periods (7-30 days) suffice for most operational logs, while compliance requirements may mandate longer retention.

Implement log rotation strategies beyond Graylog’s built-in capabilities. Rotate Graylog’s own log files:

sudo nano /etc/logrotate.d/graylog-server

Schedule regular backups of critical components. Automate MongoDB backups:

mongodump --db graylog --out /backup/mongodb-$(date +%Y%m%d)

Back up Elasticsearch indices using snapshot repositories. Store backups on separate physical disks or remote storage.

Performance tuning optimizes responsiveness. Adjust Elasticsearch JVM heap based on actual memory usage patterns. Monitor garbage collection statistics and tune accordingly.

MongoDB query optimization improves dashboard loading times. Create appropriate indices for frequently accessed collections.

Graylog processing buffers control log throughput. Adjust processbuffer_processors and outputbuffer_processors in server.conf based on CPU core count and log volume.

Security hardening protects sensitive log data. Rotate passwords regularly, especially for administrative accounts. Keep all components updated with latest security patches.

Implement SSL/TLS for the web interface in production environments. Use reverse proxies like nginx to handle HTTPS termination:

sudo pacman -S nginx

Configure nginx to proxy requests to Graylog while providing SSL encryption.

Network segmentation isolates log traffic from production networks. Route logs through dedicated VLANs or network interfaces.

Scaling considerations become important as deployments grow. Graylog supports multi-node clusters for high availability and increased capacity. Plan scaling strategy early to simplify future expansion.

Document all configurations and customizations. Maintain runbooks for common tasks and troubleshooting procedures. Team members benefit from clear documentation during incidents.

Test input configurations in development environments before production deployment. Verify log parsing extracts fields correctly and streams route messages appropriately.

Monitor Graylog’s own logs for issues. The server log reveals performance bottlenecks, configuration problems, and potential failures before they impact operations.

Congratulations! You have successfully installed Graylog. Thanks for using this tutorial for installing Graylog log management and security analytics on your Manjaro Linux system. For additional help or useful information, we recommend you check the official Graylog website.