Graylog is a free and open-source log monitoring tool used for capturing, storing, and enabling real-time analysis of terabytes of machine data. It is designed for modern log analytics that allows users to quickly and easily find meaning in data and take action faster. It also provides alerts and logs history search systems using ElasticSearch as the main index database and MongoDB for storing meta information. It helps you to monitor, search and analyze a large amount of data in a simple, readable format.
In this tutorial, we will show you how to install Graylog on Ubuntu 22.04 server.
Prerequisites
- A server running Ubuntu 22.04 with a minimum 4GB of RAM
- A root password is configured on the server.
Getting Started
First, you will need to update your system packages to the latest version. You can update them all with the following command:
apt update -y
apt upgrade
After updating all the packages, you will also need to install some dependencies on your server. You can install all of them with the following command:
apt install apt-transport-https gnupg2 uuid-runtime pwgen curl dirmngr -y
Once all the required dependencies are installed, you can proceed to the next step.
Install Java JDK
Graylog requires Java to be installed on your server. If not installed, you can install it with the following command:
apt install openjdk-11-jre-headless -y
Once the Java is installed, you can verify the installed version of Java by running the following command:
java -version
You should get the following output:
openjdk version "11.0.16" 2022-07-19 OpenJDK Runtime Environment (build 11.0.16 8-post-Ubuntu-0ubuntu122.04) OpenJDK 64-Bit Server VM (build 11.0.16 8-post-Ubuntu-0ubuntu122.04, mixed mode, sharing)
Once you are finished, you can proceed to the next step.
Install and Configure Elasticsearch
Graylog uses Elasticsearch to store logs coming from external resources. So you will need to install Elasticsearch in your system.
By default, the Elasticsearch package is not available in the Ubuntu default repository. So you will need to add the Elasticsearch repository to your system.
First, download and add the Elasticsearch GPG key with the following command:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Next, add the Elasticsearch repository with the following command:
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
Next, update the repository and install the Elasticsearch with the following command:
apt update -y
apt install elasticsearch-oss -y
After installing Elasticsearch, you will need to edit the Elasticsearch configuration file and define the cluster name. You can do it with the following command:
nano /etc/elasticsearch/elasticsearch.yml
Define your cluster name to Graylog and add another line as shown below:
cluster.name: graylog action.auto_create_index: false
Save and close the file when you are finished. Then, start the Elasticsearch service and enable it to start at boot with the following command:
systemctl daemon-reload
systemctl start elasticsearch
systemctl enable elasticsearch
You can also verify the status of the Elasticsearch service with the following command:
systemctl status elasticsearch
You should get the following output:
? elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2022-09-25 07:05:27 UTC; 21s ago
Docs: https://www.elastic.co
Main PID: 74226 (java)
Tasks: 48 (limit: 4579)
Memory: 1.2G
CPU: 22.739s
CGroup: /system.slice/elasticsearch.service
??74226 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.t>
Sep 25 07:05:11 ubuntu2204 systemd[1]: Starting Elasticsearch...
Sep 25 07:05:27 ubuntu2204 systemd[1]: Started Elasticsearch.
Now, verify the Elasticcsearch response with the following command:
curl -X GET http://localhost:9200
You should get the following output:
{
"name" : "ubuntu2204",
"cluster_name" : "graylog",
"cluster_uuid" : "6IWBEBx_THa2Gzqb7a1LTQ",
"version" : {
"number" : "7.10.2",
"build_flavor" : "oss",
"build_type" : "deb",
"build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
"build_date" : "2021-01-13T00:42:12.435326Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Install MongoDB Server
Graylog uses MongoDB as a database. So you will need to install the MongoDB database to your server. By default, the MongoDB package is not included in the Ubuntu default repository. So you will need to add the MongoDB official repo to your system:
You can add it with the following command:
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list
Once the repository is added, update the repository cache and install the Graylog with the following command:
apt update -y
apt install -y mongodb-org
Once the MongoDB is installed, start the MongoDB service and enable it to start at system reboot with the following command:
systemctl enable --now mongod
You can also check the MongoDB status with the following command:
systemctl status mongod
You should see the MongoDB status in the following output:
? mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-09-25 07:20:35 UTC; 8s ago
Docs: https://docs.mongodb.org/manual
Main PID: 77018 (mongod)
Memory: 60.0M
CPU: 936ms
CGroup: /system.slice/mongod.service
??77018 /usr/bin/mongod --config /etc/mongod.conf
Sep 25 07:20:35 ubuntu2204 systemd[1]: Started MongoDB Database Server.
Once you are finished, you can proceed to the next step.
Install and Configure Graylog
By default, the Graylog package is not available in the Ubuntu default repository. So you will need to install the Graylog repository to your server.
You can download the Graylog repository package with the following command:
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
Once the download is completed, install the downloaded package with the following command:
dpkg -i graylog-4.3-repository_latest.deb
Next, update the repository and install the Graylog server with the following command:
apt update -y
apt install graylog-server -y
After installing the Graylog server, you will need to generate a secret to secure the user passwords. You can generate it with the following command:
pwgen -N 1 -s 96
You should see the following output:
d1fDH1NEOMgb3nxbFYY3eVpqzjOprwgPgFuGh2F0flDdZglJP2CxENV4WEeW8iqZXsjDEZgMob3oBvQYm62RXxoc33hKTPJa
Next, you will also need to generate a secure password for the Graylog admin user. You will need this password to log in to the Graylog web interface. You can generate it with the following command:
echo -n "Enter Password: " && head -1
You should see the following output:
Enter Password: yourpassword e472e1436cbe87774c1bc75d0a646d67e506bea1dff8701fd41f34bca33e1419
Now, edit the Graylog main configuration file and define both passwords:
nano /etc/graylog/server/server.conf
Paste both passwords that you have generated above, as shown below:
password_secret = Wv4VQWCAA9sRbL7pxPeY7tb9lSo50esEWgNXxXHypx0Og3CezMmQLdF2QzQdRSIXmNXKINjRvZpPTrvZv4k4NlJrFYTfOc3c root_password_sha2 = e472e1436cbe87774c1bc75d0a646d67e506bea1dff8701fd41f34bca33e1419
Next, you will also need to define your server a bind address as shown below:
http_bind_address = 127.0.0.1:9000
Save and close the file when you are finished, then start the Graylog service and enable it to start at system reboot with the following command:
systemctl daemon-reload
systemctl start graylog-server
systemctl enable graylog-server
Next, you can verify the status of the Graylog server using the following command:
systemctl status graylog-server
You should see the following output:
? graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
Active: active (running) since Sun 2022-09-25 07:25:13 UTC; 10s ago
Docs: http://docs.graylog.org/
Main PID: 78082 (graylog-server)
Tasks: 44 (limit: 4579)
Memory: 539.4M
CPU: 18.488s
CGroup: /system.slice/graylog-server.service
??78082 /bin/sh /usr/share/graylog-server/bin/graylog-server
??78119 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX: ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeC>
Sep 25 07:25:13 ubuntu2204 systemd[1]: Started Graylog server.
Sep 25 07:25:13 ubuntu2204 graylog-server[78119]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 a>
Sep 25 07:25:14 ubuntu2204 graylog-server[78119]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performan>
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: An illegal reflective access operation has occurred
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Illegal reflective access by retrofit2.Platform (file:/usr/share/graylog-server/gr>
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Please consider reporting this to the maintainers of retrofit2.Platform
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access >
Sep 25 07:25:17 ubuntu2204 graylog-server[78119]: WARNING: All illegal access operations will be denied in a future release
You can also verify the Graylog server log with the following command:
tail -f /var/log/graylog-server/server.log
Once the Graylog server has been started successfully, you should get the following output:
2022-09-25T07:25:40.117Z INFO [ServerBootstrap] Services started, startup times in ms: {FailureHandlingService [RUNNING]=73, GeoIpDbFileChangeMonitorService [RUNNING]=88, PrometheusExporter [RUNNING]=88, OutputSetupService [RUNNING]=89, JobSchedulerService [RUNNING]=89, InputSetupService [RUNNING]=90, BufferSynchronizerService [RUNNING]=91, LocalKafkaMessageQueueReader [RUNNING]=92, LocalKafkaMessageQueueWriter [RUNNING]=92, GracefulShutdownService [RUNNING]=93, MongoDBProcessingStatusRecorderService [RUNNING]=93, UserSessionTerminationService [RUNNING]=101, StreamCacheService [RUNNING]=133, LocalKafkaJournal [RUNNING]=134, UrlWhitelistService [RUNNING]=134, ConfigurationEtagService [RUNNING]=137, EtagService [RUNNING]=139, PeriodicalsService [RUNNING]=174, LookupTableService [RUNNING]=203, JerseyService [RUNNING]=4076}
2022-09-25T07:25:40.133Z INFO [ServerBootstrap] Graylog server up and running.
At this point, the Graylog server is started and listening on port 9000. You can check it with the following command:
ss -antpl | grep 9000
You should get the following output:
LISTEN 0 4096 [::ffff:127.0.0.1]:9000 *:* users:(("java",pid=78119,fd=56))
Configure Nginx as a Reverse Proxy for Graylog
Next, you will need to install and configure Nginx as a reverse proxy to access the Graylog server on port 80.
First, install the Nginx server with the following command:
apt install nginx -y
After installing the Nginx server, create a new Nginx virtual host configuration file with the following command:
nano /etc/nginx/sites-available/graylog.conf
Add the following lines:
server {
listen 80;
server_name graylog.example.org;
location /
{
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL http://$server_name/;
proxy_pass http://208.117.84.72:9000;
}
}
Save and close the file when you are finished. Then, verify the Nginx for any syntax error with the following command:
nginx -t
You should get the following output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
Next, enable the Nginx virtual host configuration file with the following command:
ln -s /etc/nginx/sites-available/graylog.conf /etc/nginx/sites-enabled/
Next, remove the Nginx default virtual host file:
rm -rf /etc/nginx/sites-enabled/default
Finally, restart the Nginx service to apply the changes:
systemctl restart nginx
Next, verify the status of the Graylog with the following command:
systemctl status nginx
You should get the following output:
? nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2022-09-25 07:30:45 UTC; 8s ago
Docs: man:nginx(8)
Process: 78980 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 78981 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 78982 (nginx)
Tasks: 3 (limit: 4579)
Memory: 3.3M
CPU: 49ms
CGroup: /system.slice/nginx.service
??78982 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
??78983 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
??78984 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
Sep 25 07:30:45 ubuntu2204 systemd[1]: Starting A high performance web server and a reverse proxy server...
Sep 25 07:30:45 ubuntu2204 systemd[1]: Started A high performance web server and a reverse proxy server.
Access Graylog Web Interface
Now, open your web browser and type the URL http://graylog.example.com. You will be redirected to the Graylog login page as shown below:
Provide your admin username, password and click on the Login button. You should see the Graylog dashboard on the following page:
Conclusion
Congratulations! you have successfully installed and configured the Graylog server with Nginx as a reverse proxy on Ubuntu 22.04. You can now explore the Graylog and create an input to receive Rsyslog logs from external sources. Feel free to ask me if you have any questions.
