How To Install Graylog on Ubuntu 24.04 LTS
In today’s complex IT environments, effective log management is crucial for maintaining system health, security, and compliance. Graylog stands out as a powerful, open-source log management platform that offers real-time analysis, robust search capabilities, and scalable architecture. This guide will walk you through the process of installing Graylog on Ubuntu 24.04, providing you with a centralized solution for collecting, indexing, and analyzing log data from various sources across your infrastructure.
Ubuntu 24.04, the latest long-term support release, offers an ideal foundation for deploying Graylog. Its stability, security features, and compatibility with modern software stacks make it an excellent choice for hosting log management solutions. By the end of this tutorial, you’ll have a fully functional Graylog instance ready to streamline your log management workflows.
Prerequisites
Before diving into the installation process, ensure that your system meets the following requirements:
- A server running Ubuntu 24.04 LTS with at least 4 GB of RAM (8 GB or more recommended for production environments)
- Sufficient disk space for storing logs (the amount depends on your retention policies and log volume)
- A non-root user account with sudo privileges
- Basic familiarity with the Linux command line interface
Graylog relies on several key components to function properly. We’ll be installing the following software as part of this guide:
- OpenJDK (Java Runtime Environment)
- MongoDB (version 5.x–7.x) for storing Graylog’s configuration data
- Elasticsearch (version 7.x) for indexing and searching log data
Step 1: Update System Packages
Begin by ensuring your Ubuntu system is up-to-date. This step is crucial for maintaining system security and ensuring compatibility with the software we’ll be installing.
sudo apt update && sudo apt upgrade -y
This command updates the package lists and upgrades all installed packages to their latest versions. The -y flag automatically answers “yes” to any prompts, streamlining the update process.
Step 2: Install OpenJDK
Graylog is built on Java, so we need to install a Java Runtime Environment. We’ll use OpenJDK 17, which is well-supported and compatible with Graylog.
sudo apt install openjdk-17-jdk -y
After the installation completes, verify that Java is correctly installed by checking its version:
java -version
You should see output indicating the installed Java version, confirming a successful installation.
Step 3: Install MongoDB
MongoDB serves as the database for storing Graylog’s configuration data. Follow these steps to install MongoDB:
- Import the MongoDB GPG key:
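curl -fsSL https://pgp.mongodb.com/server-6.0.asc | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-server-6.0.gpg
- Add the MongoDB repository to your system. MongoDB publishes no 6.0 packages for Ubuntu 24.04, so use the 22.04 (jammy) repository rather than focal, whose packages need libssl1.1:
echo "deb [ arch=amd64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list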
- Update the package list and install MongoDB:
sudo apt update && sudo apt install mongodb-org -y
- Enable and start the MongoDB service:
sudo systemctl enable mongod --now
Verify that MongoDB is running correctly by checking its status:
sudo systemctl status mongod
Look for “active (running)” in the output to confirm that MongoDB is operational.
Step 4: Install Elasticsearch
Elasticsearch is the search engine that powers Graylog’s log indexing and searching capabilities. Here’s how to install and configure it:
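- Import the Elasticsearch GPG key into its own keyring (apt-key is deprecated):
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
- Add the Elasticsearch repository, pinned to that keyring:
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list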
- Update package lists and install Elasticsearch:
sudo apt update && sudo apt install elasticsearch -y
- Configure Elasticsearch by editing its configuration file:
sudo nano /etc/elasticsearch/elasticsearch.yml
Find the line containing “network.host” and uncomment it (remove the # at the beginning). Change its value to:
network.host: localhost
Save the file and exit the editor.
- Enable and start the Elasticsearch service:
sudo systemctl enable elasticsearch --now
Verify that Elasticsearch is running by sending a request to its API:
curl -X GET "localhost:9200"
You should receive a JSON response with information about your Elasticsearch instance.
Step 5: Install Graylog
Now that we have all the dependencies in place, let’s proceed with installing Graylog itself:
- Download and install the Graylog repository package:
wget https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.deb
sudo dpkg -i graylog-6.1-repository_latest.deb
sudo apt update && sudo apt install graylog-server -y
- Generate a secret key for password encryption:
sudo apt install pwgen -y
pwgen -N 1 -s 96
Copy the generated key; you’ll need it in the next step.
- Create a SHA-256 hash of your desired admin password:
echo -n "YourPassword" | sha256sum | awk '{print $1}'
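Replace “YourPassword” with your chosen password. Copy the resulting hash. Because the password is typed on the command line, it is saved in your shell history; remove that entry afterwards.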
- Configure Graylog by editing its main configuration file:
sudo nano /etc/graylog/server/server.conf
Find and modify the following lines:
password_secret = <paste_your_generated_secret_here>
root_password_sha2 = <paste_your_password_hash_here>
http_bind_address = <your_server_ip>:9000
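Replace <your_server_ip> with your server’s public IP address or 0.0.0.0 to bind to all interfaces. If you plan to use the Nginx reverse proxy from Step 6, use 127.0.0.1:9000 instead: Nginx forwards to the loopback address, which a public-IP binding does not listen on, and a loopback binding keeps port 9000 reachable only through the proxy.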
- Start and enable the Graylog service:
sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server
Check the status of the Graylog service to ensure it’s running:
sudo systemctl status graylog-server
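A check for the three values edited above, written for this guide as an added example (it is not part of the original tutorial or of Graylog). It assumes Graylog is reached through the Step 6 proxy, so any non-loopback http_bind_address is reported; the 64-character minimum, the short guessable-password list and the function names are assumptions, and both sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the three server.conf values set in Step 5.
MIN_SECRET_LEN=64   # assumed policy threshold; the guide generates 96 characters
sha256_of() { printf '%s' "$1" | sha256sum | awk '{print $1}'; }

# Print the value of "key = value" from a config file (last occurrence wins).
conf_get() {
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding per line; print nothing when every check passes.
audit_graylog_conf() {
  local f="$1" secret hash bind weak
  secret=$(conf_get "$f" password_secret)
  hash=$(conf_get "$f" root_password_sha2)
  bind=$(conf_get "$f" http_bind_address)
  if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
    echo "password_secret: ${#secret} chars, want >= $MIN_SECRET_LEN"
  fi
  if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2: not a 64-digit lowercase hex SHA-256"
  fi
  # Guessable passwords, including the guide's own placeholder.
  for weak in YourPassword admin password graylog; do
    if [ "$hash" = "$(sha256_of "$weak")" ]; then
      echo "root_password_sha2: hash of guessable password '$weak'"
    fi
  done
  case ${bind%:*} in
    ""|127.0.0.1|localhost) ;;  # unset defaults to 127.0.0.1:9000
    *) echo "http_bind_address: '$bind' exposes port 9000 without the proxy" ;;
  esac
}

# Constructed sample files (not from a real server).
weak_conf=$(mktemp); good_conf=$(mktemp)
cat > "$weak_conf" <<EOF
password_secret = changeme
root_password_sha2 = $(sha256_of YourPassword)
http_bind_address = 0.0.0.0:9000
EOF
cat > "$good_conf" <<EOF
password_secret = $(head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n')
root_password_sha2 = $(sha256_of 'constructed long passphrase 7421')
http_bind_address = 127.0.0.1:9000
EOF
echo "--- weak sample";     audit_graylog_conf "$weak_conf"
echo "--- hardened sample"; audit_graylog_conf "$good_conf"
```

To check a live install, call audit_graylog_conf on /etc/graylog/server/server.conf from an account that can read the file.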
Step 6: Configure Nginx as a Reverse Proxy (Optional)
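Setting up Nginx as a reverse proxy can enhance security and provide SSL/TLS encryption for accessing the Graylog web interface. The configuration below listens on port 80 only, so traffic between the browser and Nginx stays unencrypted until you add a certificate and an HTTPS listener. Here’s how to do it:
- Install Nginx: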
sudo apt install nginx -y
- Create a new Nginx configuration file for Graylog:
sudo nano /etc/nginx/sites-available/graylog
Add the following configuration:
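server {
    listen 80;
    server_name your_domain_or_IP;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell Graylog its external URL so the web interface builds correct API links
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
    }
}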
Replace “your_domain_or_IP” with your server’s domain name or IP address.
- Enable the new configuration:
sudo ln -s /etc/nginx/sites-available/graylog /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
Step 7: Access the Graylog Web Interface
With all components installed and configured, you can now access the Graylog web interface:
- Open a web browser and navigate to http://<your_server_ip>:9000 (or http://your_domain if you set up Nginx).
- Log in using the username “admin” and the password you set earlier.
- You’ll be greeted by the Graylog dashboard, where you can start configuring inputs, streams, and dashboards for your log data.
Common Troubleshooting Tips
Even with careful installation, you might encounter some issues. Here are solutions to common problems:
Graylog Server Not Starting
If Graylog fails to start, check the logs for error messages:
sudo tail -f /var/log/graylog-server/server.log
Look for specific error messages that might indicate configuration problems or conflicts with other services.
Elasticsearch or MongoDB Not Running
Ensure both services are active:
sudo systemctl status elasticsearch
sudo systemctl status mongod
If either service is not running, try starting it manually:
sudo systemctl start elasticsearch
sudo systemctl start mongod
Unable to Access Web Interface
If you can’t access the Graylog web interface, check your firewall settings:
sudo ufw status
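Ensure that port 9000 (or 80/443 if using Nginx) is open. When Nginx fronts Graylog, open 80/443 and leave 9000 closed. If necessary, allow traffic on the required port; for direct access on port 9000 that is: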
sudo ufw allow 9000/tcp
Congratulations! You have successfully installed Graylog. Thanks for using this tutorial for installing Graylog on an Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official Graylog website.