HowtoForge

How to Install Graylog 4 on Ubuntu 22.04

Graylog is a free and open-source log management tool for capturing, storing, and analyzing terabytes of machine data in real time. It is designed for modern log analytics, letting users quickly find meaning in their data and act on it. It also provides alerting and log history search, using Elasticsearch as its main index database and MongoDB for storing metadata. It helps you monitor, search, and analyze large amounts of data in a simple, readable format.

In this tutorial, we will show you how to install Graylog on Ubuntu 22.04 server.

Prerequisites

Getting Started

First, you will need to update your system packages to the latest version. You can update them all with the following command:

apt update -y
apt upgrade

After updating all the packages, you will also need to install some dependencies on your server. You can install all of them with the following command:

apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y

Once all the required dependencies are installed, you can proceed to the next step.

Install Java JDK

Graylog requires Java to be installed on your server. If it is not already installed, you can install it with the following command:

apt install openjdk-11-jre-headless -y

Once Java is installed, you can verify the installed version by running the following command:

java -version

You should get the following output:

openjdk version "11.0.16" 2022-07-19
OpenJDK Runtime Environment (build 11.0.16+8-post-Ubuntu-0ubuntu122.04)
OpenJDK 64-Bit Server VM (build 11.0.16+8-post-Ubuntu-0ubuntu122.04, mixed mode, sharing)

Once you are finished, you can proceed to the next step.

Install and Configure Elasticsearch

Graylog uses Elasticsearch to store logs coming from external resources. So you will need to install Elasticsearch in your system.

By default, the Elasticsearch package is not available in the Ubuntu default repository. So you will need to add the Elasticsearch repository to your system.

First, download and add the Elasticsearch GPG key with the following command:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -

Next, add the Elasticsearch repository with the following command:

echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Next, update the repository and install Elasticsearch with the following command:

apt update -y
apt install elasticsearch-oss -y

After installing Elasticsearch, you will need to edit the Elasticsearch configuration file and define the cluster name. You can do it with the following command:

nano /etc/elasticsearch/elasticsearch.yml

Set the cluster name to graylog and add the auto_create_index line as shown below:

cluster.name: graylog
action.auto_create_index: false

Save and close the file when you are finished. Then, start the Elasticsearch service and enable it to start at boot with the following command:

systemctl daemon-reload
systemctl start elasticsearch
systemctl enable elasticsearch

You can also verify the status of the Elasticsearch service with the following command:

systemctl status elasticsearch

You should get the following output:

● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-09-25 07:05:27 UTC; 21s ago
       Docs: https://www.elastic.co
   Main PID: 74226 (java)
      Tasks: 48 (limit: 4579)
     Memory: 1.2G
        CPU: 22.739s
     CGroup: /system.slice/elasticsearch.service
             └─74226 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.t>

Sep 25 07:05:11 ubuntu2204 systemd[1]: Starting Elasticsearch...
Sep 25 07:05:27 ubuntu2204 systemd[1]: Started Elasticsearch.

Now, verify the Elasticsearch response with the following command:

curl -X GET http://localhost:9200

You should get the following output:

{
  "name" : "ubuntu2204",
  "cluster_name" : "graylog",
  "cluster_uuid" : "6IWBEBx_THa2Gzqb7a1LTQ",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Install MongoDB Server

Graylog uses MongoDB as its database, so you will need to install MongoDB on your server. By default, the MongoDB package is not included in the Ubuntu default repository, so you will need to add the official MongoDB repository to your system.

You can add it with the following command:

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list

Once the repository is added, update the repository cache and install MongoDB with the following command:

apt update -y
apt install -y mongodb-org

Once MongoDB is installed, start the MongoDB service and enable it to start at system reboot with the following command:

systemctl enable --now mongod

You can also check the MongoDB status with the following command:

systemctl status mongod

You should see the MongoDB status in the following output:

● mongod.service - MongoDB Database Server
     Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-09-25 07:20:35 UTC; 8s ago
       Docs: https://docs.mongodb.org/manual
   Main PID: 77018 (mongod)
     Memory: 60.0M
        CPU: 936ms
     CGroup: /system.slice/mongod.service
             └─77018 /usr/bin/mongod --config /etc/mongod.conf

Sep 25 07:20:35 ubuntu2204 systemd[1]: Started MongoDB Database Server.

Once you are finished, you can proceed to the next step.

Install and Configure Graylog

By default, the Graylog package is not available in the Ubuntu default repository. So you will need to add the Graylog repository to your server.

You can download the Graylog repository package with the following command:

wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb

Once the download is completed, install the downloaded package with the following command:

dpkg -i graylog-4.3-repository_latest.deb

Next, update the repository and install the Graylog server with the following command:

apt update -y
apt install graylog-server -y

After installing the Graylog server, you will need to generate a secret to secure the user passwords. You can generate it with the following command:

pwgen -N 1 -s 96

You should see the following output:

d1fDH1NEOMgb3nxbFYY3eVpqzjOprwgPgFuGh2F0flDdZglJP2CxENV4WEeW8iqZXsjDEZgMob3oBvQYm62RXxoc33hKTPJa

Next, you will also need to generate the SHA-256 hash of the password for the Graylog admin user. You will need this password to log in to the Graylog web interface. Run the following command and type the password when prompted; it prints the hash of the password with the trailing newline stripped, which is the form Graylog expects:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

You should see the following output:

Enter Password: yourpassword
e472e1436cbe87774c1bc75d0a646d67e506bea1dff8701fd41f34bca33e1419

Now, edit the Graylog main configuration file and define both passwords:

nano /etc/graylog/server/server.conf

Paste both passwords that you have generated above, as shown below:

password_secret = Wv4VQWCAA9sRbL7pxPeY7tb9lSo50esEWgNXxXHypx0Og3CezMmQLdF2QzQdRSIXmNXKINjRvZpPTrvZv4k4NlJrFYTfOc3c
root_password_sha2 = e472e1436cbe87774c1bc75d0a646d67e506bea1dff8701fd41f34bca33e1419

Next, set the bind address of the Graylog web interface. Binding to the loopback address keeps port 9000 reachable only through the Nginx reverse proxy set up later in this tutorial:

http_bind_address = 127.0.0.1:9000
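As an added example that is not part of the tutorial, the following POSIX shell script hashes the admin password the way Graylog expects for root_password_sha2 and checks the three settings edited above (password_secret length, hash format, loopback bind address) against a constructed sample server.conf; the sample values are placeholders, not real secrets.

```shell
#!/bin/sh
# Added example, not part of the tutorial: hash the admin password the way
# Graylog expects and sanity-check server.conf before starting graylog-server.

# SHA-256 over the bare password. printf '%s' adds no trailing newline; hashing
# "password\n" instead would silently produce a hash that never matches a login.
graylog_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Read the last "key = value" assignment of a key from a Graylog config file.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Check the three settings edited above. Returns 0 on pass, 1 on any finding.
check_graylog_conf() {
    rc=0
    secret=$(conf_get "$1" password_secret)
    hash=$(conf_get "$1" root_password_sha2)
    bind=$(conf_get "$1" http_bind_address)
    # Graylog refuses to start with a password_secret shorter than 64 characters.
    [ "${#secret}" -ge 64 ] || { echo "FAIL: password_secret has ${#secret} chars, need >= 64"; rc=1; }
    # A SHA-256 digest is exactly 64 lowercase hex characters.
    case "$hash" in
        *[!0-9a-f]*|"") echo "FAIL: root_password_sha2 is not lowercase hex"; rc=1 ;;
    esac
    [ "${#hash}" -eq 64 ] || { echo "FAIL: root_password_sha2 has ${#hash} chars, need 64"; rc=1; }
    # Behind the Nginx reverse proxy, Graylog should listen on loopback only.
    case "$bind" in
        127.0.0.1:*|localhost:*|\[::1\]:*) ;;
        *) echo "FAIL: http_bind_address '$bind' is reachable beyond loopback"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample config in the format the tutorial edits (no real secrets).
write_sample_conf() {
    # $1 = path, $2 = admin password to hash, $3 = bind address
    secret=$(printf '%096d' 0 | tr 0 x)   # 96-char stand-in for the pwgen output
    printf 'password_secret = %s\nroot_password_sha2 = %s\nhttp_bind_address = %s\n' \
        "$secret" "$(graylog_sha256 "$2")" "$3" > "$1"
}

conf=$(mktemp)
write_sample_conf "$conf" 'yourpassword' '127.0.0.1:9000'
check_graylog_conf "$conf" && echo "OK: $conf passes all checks"
```

Point check_graylog_conf at /etc/graylog/server/server.conf to run the same checks against the real file.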

Save and close the file when you are finished, then start the Graylog service and enable it to start at system reboot with the following command:

systemctl daemon-reload
systemctl start graylog-server
systemctl enable graylog-server

Next, you can verify the status of the Graylog server using the following command:

systemctl status graylog-server

You should see the following output:

● graylog-server.service - Graylog server
     Loaded: loaded (/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-09-25 07:25:13 UTC; 10s ago
       Docs: http://docs.graylog.org/
   Main PID: 78082 (graylog-server)
      Tasks: 44 (limit: 4579)
     Memory: 539.4M
        CPU: 18.488s
     CGroup: /system.slice/graylog-server.service
             ├─78082 /bin/sh /usr/share/graylog-server/bin/graylog-server
             └─78119 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeC>

Sep 25 07:25:13 ubuntu2204 systemd[1]: Started Graylog server.
Sep 25 07:25:13 ubuntu2204 graylog-server[78119]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 a>
Sep 25 07:25:14 ubuntu2204 graylog-server[78119]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performan>
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: An illegal reflective access operation has occurred
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-server/gr>
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access >
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: All illegal access operations will be denied in a future release

You can also verify the Graylog server log with the following command:

tail -f /var/log/graylog-server/server.log

Once the Graylog server has been started successfully, you should get the following output:

2022-09-25T07:25:40.117Z INFO  [ServerBootstrap] Services started, startup times in ms: {FailureHandlingService [RUNNING]=73, GeoIpDbFileChangeMonitorService [RUNNING]=88, PrometheusExporter [RUNNING]=88, OutputSetupService [RUNNING]=89, JobSchedulerService [RUNNING]=89, InputSetupService [RUNNING]=90, BufferSynchronizerService [RUNNING]=91, LocalKafkaMessageQueueReader [RUNNING]=92, LocalKafkaMessageQueueWriter [RUNNING]=92, GracefulShutdownService [RUNNING]=93, MongoDBProcessingStatusRecorderService [RUNNING]=93, UserSessionTerminationService [RUNNING]=101, StreamCacheService [RUNNING]=133, LocalKafkaJournal [RUNNING]=134, UrlWhitelistService [RUNNING]=134, ConfigurationEtagService [RUNNING]=137, EtagService [RUNNING]=139, PeriodicalsService [RUNNING]=174, LookupTableService [RUNNING]=203, JerseyService [RUNNING]=4076}
2022-09-25T07:25:40.133Z INFO  [ServerBootstrap] Graylog server up and running.

At this point, the Graylog server is started and listening on port 9000. You can check it with the following command:

ss -antpl | grep 9000

You should get the following output:

LISTEN            0                 4096                         [::ffff:127.0.0.1]:9000                                    *:*                users:(("java",pid=78119,fd=56))

Configure Nginx as a Reverse Proxy for Graylog

Next, you will need to install and configure Nginx as a reverse proxy to access the Graylog server on port 80.

First, install the Nginx server with the following command:

apt install nginx -y

After installing the Nginx server, create a new Nginx virtual host configuration file with the following command:

nano /etc/nginx/sites-available/graylog.conf

Add the following lines, replacing graylog.example.com with your own domain name:

server {
    listen 80;
    server_name graylog.example.com;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        # Must match http_bind_address in /etc/graylog/server/server.conf
        proxy_pass       http://127.0.0.1:9000;
    }
}

Save and close the file when you are finished. Then, check the Nginx configuration for syntax errors with the following command:

nginx -t

You should get the following output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, enable the Nginx virtual host configuration file with the following command:

ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/

Next, remove the Nginx default virtual host file:

rm -rf /etc/nginx/sites-enabled/default

Finally, restart the Nginx service to apply the changes:

systemctl restart nginx

Next, verify the status of Nginx with the following command:

systemctl status nginx

You should get the following output:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-09-25 07:30:45 UTC; 8s ago
       Docs: man:nginx(8)
    Process: 78980 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
    Process: 78981 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
   Main PID: 78982 (nginx)
      Tasks: 3 (limit: 4579)
     Memory: 3.3M
        CPU: 49ms
     CGroup: /system.slice/nginx.service
             ├─78982 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─78983 "nginx: worker process"
             └─78984 "nginx: worker process"

Sep 25 07:30:45 ubuntu2204 systemd[1]: Starting A high performance web server and a reverse proxy server...
Sep 25 07:30:45 ubuntu2204 systemd[1]: Started A high performance web server and a reverse proxy server.

Access Graylog Web Interface

Now, open your web browser and type the URL http://graylog.example.com. You will be redirected to the Graylog login page.

Provide your admin username and password (admin and the password you hashed above) and click on the Login button. You should then see the Graylog dashboard.

Conclusion

Congratulations! You have successfully installed and configured the Graylog server with Nginx as a reverse proxy on Ubuntu 22.04. You can now explore Graylog and create an input to receive Rsyslog logs from external sources. Feel free to ask me if you have any questions.
