How to Install Graylog on Ubuntu 24.04

Graylog is a free and open-source log-management platform for capturing, storing, and enabling real-time analysis of your data and logs. It's written in Java and built on top of other open-source software like MongoDB and Elasticsearch.

Graylog provides one of the most efficient, fast, and flexible centralized log management platforms. With Graylog, you can send and analyze both structured and unstructured data from almost any data source.

In this tutorial, you'll learn how to install the Graylog server on Ubuntu 24.04. You'll be installing Graylog with MongoDB and Elasticsearch.

Prerequisites

To complete this tutorial, make sure you have the following:

  • An Ubuntu 24.04 server with at least 4 or 8 GB of memory
  • A non-root user with administrator privileges

Installing MongoDB

To install Graylog, you must first install MongoDB. At this time, Graylog only supports MongoDB v5.x-7.x; in this section, you'll install MongoDB 7.x on your Ubuntu server.

First, run the command below to install some dependencies.

sudo apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y

Now add the MongoDB GPG key and repository with the following command. In this example, you'll be using the MongoDB 7.0 repository for the previous Ubuntu release (jammy, 22.04).

curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg \
--dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | \
sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list

Once the repository is added, run the 'apt' command below to update your Ubuntu package index and install MongoDB to your system.

sudo apt update && sudo apt install mongodb-org

Enter 'Y' to confirm the installation.

After the installation is complete, start and enable the 'mongod' service with the command below.

sudo systemctl enable --now mongod

Lastly, verify the 'mongod' service to ensure that the service is running. You should see MongoDB is running on your system.

sudo systemctl status mongod

Installing Elasticsearch

After you've installed MongoDB, you need to install Elasticsearch. Elasticsearch requires Java, so you'll install Java OpenJDK first and then Elasticsearch. For now, the Graylog server only supports Elasticsearch v7.x.

To install Java OpenJDK, run the 'apt' command below. Enter 'Y' to proceed with the installation.

sudo apt install openjdk-11-jre-headless

Now check the Java version with the following. You should see that Java OpenJDK 11 has been installed.

java --version

After Java is installed, you're ready to install Elasticsearch.

Run the command below to add the GPG key and repository for Elasticsearch. In this example, you'll be installing Elasticsearch 7.x.

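wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | \
sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | \
sudo tee /etc/apt/sources.list.d/elastic-7.x.list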

Now run the command below to update your Ubuntu repository and install the 'elasticsearch' package. Input 'Y' to confirm.

sudo apt update && sudo apt install elasticsearch

After the installation, open the Elasticsearch config file '/etc/elasticsearch/elasticsearch.yml' with the 'nano' editor.

sudo nano /etc/elasticsearch/elasticsearch.yml

Change the default 'cluster.name' and set the 'action.auto_create_index' to 'false' like the following:

cluster.name: graylog
action.auto_create_index: false

Save the file and exit the editor.

Now run the 'systemctl' command below to reload the systemd manager, start, and enable the Elasticsearch service.

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch

With Elasticsearch running, you can verify it with the command below.

sudo systemctl status elasticsearch

The output should show the service as active (running), which confirms that Elasticsearch is running.

You can also check Elasticsearch with the 'curl' command below.

curl -X GET http://localhost:9200

If Elasticsearch is running, the response shows its version number and the cluster name.

Installing Graylog

Now that you've installed MongoDB and Elasticsearch, you're ready to install Graylog on your server. In this section, you'll install Graylog and set up password authentication for your installation.

Download the Graylog repository package using the 'wget' command and install it with the 'dpkg' command like the following:

wget https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.deb
sudo dpkg -i graylog-6.1-repository_latest.deb

Now run the 'apt' command below to update your Ubuntu package index and install the 'graylog-server' package. Enter 'Y' to confirm the installation.

sudo apt update && sudo apt install graylog-server

After the installation, you need to generate two passwords, 'password_secret' and 'root_password_sha2', for Graylog.

To generate the 'password_secret', run the command below. Make sure to copy the generated password.

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;

For the 'root_password_sha2' value, run the following command. Enter your password when prompted and copy the generated SHA-256 hash.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Now that you've generated the Graylog passwords, you'll modify the Graylog configuration file.

Open the file '/etc/graylog/server/server.conf' with the 'nano' editor.

sudo nano /etc/graylog/server/server.conf

Paste your generated values into 'password_secret' and 'root_password_sha2', then change the default 'http_bind_address' to your local IP address. The values below are examples; use the ones you generated yourself.

password_secret = PoMVlAiuJLA89rNAtLWz0PF7TLwX3JEQD7zp1kfOGAwdr0P-oQ0HKoebpevpPK2Q2quvjmqHQreP1yQYTX0jDjIe3JcBU5J
root_password_sha2 = a7fdfe53e2a13cb602def10146388c65051c67e60ee55c051668a1c709449111
http_bind_address = 192.168.10.60:9000

Save the file and exit the editor.
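
The script below is an added example, not part of the original tutorial or of Graylog's own tooling. It generates the two values without echoing the password to the terminal and checks a saved 'server.conf' for values copied from this page or derived from an empty or trivial password. The function names and the 64-character minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: create and check Graylog credentials.
# Sample values printed in this tutorial. They are public, so never deploy them.
TUTORIAL_SECRET="PoMVlAiuJLA89rNAtLWz0PF7TLwX3JEQD7zp1kfOGAwdr0P-oQ0HKoebpevpPK2Q2quvjmqHQreP1yQYTX0jDjIe3JcBU5J"
TUTORIAL_SHA2="a7fdfe53e2a13cb602def10146388c65051c67e60ee55c051668a1c709449111"
# SHA-256 of the empty string and of "admin": an empty or trivial password.
WEAK_SHA2="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
MIN_SECRET_LEN=64   # assumption: threshold chosen for this example

# 96 random characters from [A-Za-z0-9]; cut reads all input, so no SIGPIPE.
gen_password_secret() {
  head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-96
}

# Read one line from stdin (echo off on a terminal), hash it without the newline.
hash_root_password() {
  if [ -t 0 ]; then stty -echo; fi
  IFS= read -r pw || true
  if [ -t 0 ]; then stty echo; echo >&2; fi
  printf '%s' "$pw" | sha256sum | cut -d' ' -f1
  unset pw
}

# Last value assigned to key $2 in config file $1.
conf_value() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one finding per problem; return 0 only if every check passes.
check_graylog_conf() {
  rc=0
  secret=$(conf_value "$1" password_secret)
  sha2=$(conf_value "$1" root_password_sha2)
  if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
    echo "password_secret: missing or shorter than $MIN_SECRET_LEN characters"; rc=1
  fi
  if [ "$secret" = "$TUTORIAL_SECRET" ]; then
    echo "password_secret: value copied from the tutorial"; rc=1
  fi
  if ! printf '%s' "$sha2" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2: not a 64-character hex SHA-256 digest"; rc=1
  elif [ "$sha2" = "$TUTORIAL_SHA2" ]; then
    echo "root_password_sha2: value copied from the tutorial"; rc=1
  elif printf '%s\n' "$WEAK_SHA2" | grep -qx "$sha2"; then
    echo "root_password_sha2: hash of an empty or trivial password"; rc=1
  fi
  return "$rc"
}
```

After sourcing the script, run 'check_graylog_conf /etc/graylog/server/server.conf' with root privileges; no output and exit status 0 mean both values passed.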

Next, run the following 'systemctl' command to reload the systemd manager, start and enable the 'graylog-server' service.

sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server

Lastly, check the 'graylog-server' status using the command below. If your installation is successful, you'll see Graylog is running on your Ubuntu server.

sudo systemctl status graylog-server

Configuring Graylog

At this point, Graylog is running on your Ubuntu server. Now you'll configure Graylog through a web browser.

Before accessing Graylog, check the log file '/var/log/graylog-server/server.log' with the command below. Copy the link for configuring your Graylog installation and paste it into your browser.

cat /var/log/graylog-server/server.log

Now you'll see the Graylog initial setup page. Here, you'll configure SSL certificates for Graylog data-node like the following:

  • Enter your organization's name
  • Enter certificate expiration days
  • Skip the certificate data-node provision

Once finished, click 'Resume startup' to continue.

Now you'll be redirected to the Graylog login page. Enter the default user 'admin' and the password you hashed for the 'root_password_sha2' option (the plain-text password, not the hash).

If you have the correct username and password, you'll see the Graylog dashboard.

Conclusion

Congratulations! You've completed the installation of Graylog on the Ubuntu 24.04 server. You now have Graylog up and running with MongoDB 7.x and Elasticsearch 7.x. From here, you can create new Graylog inputs so you can send logs to your Graylog server.
