GRAYLOG - Install on Ubuntu 24.4

From IT-Arts.net

Introduction

Graylog is an open-source log management platform that helps you collect, index, and analyze log data from various sources in real time. It provides powerful tools for searching, visualizing, and alerting on log data. This document provides a detailed guide on how to install Graylog on Ubuntu 24.4 and configure it for use.

System Requirements

Before proceeding with the installation of Graylog, ensure that your system meets the following requirements:

  • Ubuntu 24.4 LTS or later
  • At least 4GB of RAM
  • At least 2 CPUs
  • Elasticsearch version 8.x
  • MongoDB version 6.x
  • Java Runtime Environment (JRE) 11 or later
  • OpenJDK 11 or later is recommended

Prerequisites

Before installing Graylog, you will need to set up some essential components:

Elasticsearch Setup

Graylog uses Elasticsearch as its backend for storing logs. Follow the steps below to install Elasticsearch on Ubuntu 24.4.

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.x.x-linux-x86_64.tar.gz
tar -xvf elasticsearch-8.x.x-linux-x86_64.tar.gz
cd elasticsearch-8.x.x/
./bin/elasticsearch

Configure Elasticsearch to start as a service:

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

MongoDB Setup

Graylog also requires MongoDB to store metadata. To install and configure MongoDB on Ubuntu 24.4, use the following commands:

sudo apt update
sudo apt install -y mongodb
sudo systemctl enable mongodb
sudo systemctl start mongodb

Java Runtime Environment

Graylog requires Java to run. For optimal performance, install OpenJDK 11 or later:

sudo apt install openjdk-11-jdk

Verify that Java has been installed correctly:

java -version

Installing Graylog

After installing the required components, you can install Graylog itself. First, add the Graylog repository:

# The repository package for Debian/Ubuntu is a .deb; dpkg cannot install .rpm files.
# Replace 4.x.x with the Graylog release you want.
wget https://packages.graylog2.org/repo/packages/graylog-4.x.x-repository_latest.deb
sudo dpkg -i graylog-4.x.x-repository_latest.deb

Update your apt package list and install Graylog:

sudo apt update
sudo apt install graylog-server

Once the installation is complete, configure Graylog by editing the configuration file.

Configuring Graylog

Graylog's configuration file is located at `/etc/graylog/server/server.conf`. Below are some important configuration settings:

Set Password Secret

Graylog uses a password secret for securing communication. Set a password secret by generating a random string:

openssl rand -base64 32

Paste the generated string in the `password_secret` field in `server.conf`.

Set Root Password Hash

Graylog requires a root password hash for initial login. You can generate this using the `graylog-password` utility:

echo -n yourpassword | sha256sum

Copy only the 64-character hex digest from the output (not the trailing ` -` that `sha256sum` appends) and paste it into the `root_password_sha2` field in `server.conf`.

Set the Web Interface URL

In the `server.conf` file, you will need to specify the address and port the web interface listens on:

http_bind_address = 0.0.0.0:9000

This binds Graylog's web interface to all available network interfaces on port 9000, including any that face untrusted networks, so make sure a firewall limits who can reach it.
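The three settings above can be applied and checked from a shell script, which makes repeat installs consistent. This is an added example, not code from the original page or from the Graylog project; it assumes openssl, sha256sum and sed are installed and takes the path to server.conf as an argument so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example, not from the IT-Arts.net page or the Graylog project: generate
# the two secrets server.conf needs and write them, with http_bind_address, into
# the file. Assumes openssl, sha256sum and sed are installed; the conf path is a
# parameter so the script can be tried on a scratch copy before /etc/graylog.
set -e

# password_secret: Graylog wants at least 16 characters; 32 random bytes base64-encoded gives 44.
gen_password_secret() {
    openssl rand -base64 32
}

# root_password_sha2: hex SHA-256 of the password alone (no newline, no trailing " -" from sha256sum).
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value": replace an existing (possibly commented-out) line, else append.
set_conf_key() {
    _conf=$1; _key=$2; _val=$3
    if grep -Eq "^#?[[:space:]]*${_key}[[:space:]]*=" "$_conf"; then
        _tmp=$(mktemp)
        sed -E "s|^#?[[:space:]]*${_key}[[:space:]]*=.*|${_key} = ${_val}|" "$_conf" > "$_tmp"
        mv "$_tmp" "$_conf"
    else
        printf '%s = %s\n' "$_key" "$_val" >> "$_conf"
    fi
}

# Read back the active (uncommented) value of a key; last occurrence wins.
get_conf_key() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Apply the page's three settings to conf $1 using root password $2 and bind address $3.
configure_graylog() {
    set_conf_key "$1" password_secret "$(gen_password_secret)"
    set_conf_key "$1" root_password_sha2 "$(root_password_sha2 "$2")"
    set_conf_key "$1" http_bind_address "$3"
}

# Check the result: secret long enough, hash is 64 hex chars, bind address present.
verify_graylog_conf() {
    _secret=$(get_conf_key "$1" password_secret)
    _hash=$(get_conf_key "$1" root_password_sha2)
    [ "${#_secret}" -ge 16 ] || return 1
    printf '%s\n' "$_hash" | grep -Eq '^[0-9a-f]{64}$' || return 1
    [ -n "$(get_conf_key "$1" http_bind_address)" ]
}
```

Run it as `configure_graylog /path/to/server.conf 'yourpassword' 0.0.0.0:9000` followed by `verify_graylog_conf /path/to/server.conf`; a non-zero exit from the check means one of the three values did not land in the file.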

Starting Graylog

Once you've configured Graylog, you can start the Graylog server service:

sudo systemctl enable graylog-server
sudo systemctl start graylog-server

Check the Graylog server status:

sudo systemctl status graylog-server

Accessing the Web Interface

Once the server is up and running, you can access the Graylog web interface by opening a browser and navigating to `http://<your_server_ip>:9000`. Log in with the default username `admin` and the password whose hash you set in the `root_password_sha2` configuration.

Post-Installation Configuration

After installing and accessing the Graylog web interface, you can proceed with additional configuration such as:

  • Setting up inputs to collect logs from various sources.
  • Configuring extractors to parse the logs.
  • Setting up streams and alerts to monitor log data.
  • Integrating with external data sources, like Syslog or Beats.