How to Install Graylog on Ubuntu 20.04

Updated on September 30, 2021

Introduction

Graylog is an open-source, web-based log management and aggregation system used to analyze large amounts of data. It stores and analyzes logs collected from servers and sends alerts. It uses Elasticsearch to index log data and MongoDB to store metadata. This article explains how to install Graylog on an Ubuntu 20.04 server.

Prerequisites

  • Deploy a fully updated Vultr Ubuntu 20.04 Server with at least 4 GB of RAM.
  • Create a non-root user with sudo access.

1. Install OpenJDK

Install OpenJDK, which Elasticsearch requires, together with the other dependencies used in this guide.

$ sudo apt -y install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless

2. Install Elasticsearch

  1. Import the Elasticsearch PGP signing key.

     $ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
  2. Add the Elasticsearch repository.

     $ echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
  3. Update the system.

     $ sudo apt update
  4. Install Elasticsearch.

     $ sudo apt -y install elasticsearch-oss
  5. Edit the Elasticsearch configuration file.

     $ sudo nano /etc/elasticsearch/elasticsearch.yml
  6. Add these two lines to the end of the file.

     cluster.name: graylog
     action.auto_create_index: false
  7. Save and exit the file.

  8. Reload the system daemon.

     $ sudo systemctl daemon-reload
  9. Restart the Elasticsearch service.

     $ sudo systemctl restart elasticsearch
  10. Enable Elasticsearch to run on system startup.

     $ sudo systemctl enable elasticsearch

3. Install MongoDB

  1. Install the MongoDB server.

     $ sudo apt install mongodb-server -y
  2. Start the MongoDB service.

     $ sudo systemctl start mongodb
  3. Enable the MongoDB service to start at system startup.

     $ sudo systemctl enable mongodb

4. Install Graylog

  1. Download the Graylog repository package.

     $ wget https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.deb
  2. Install the repository package, which adds the Graylog repository to APT.

     $ sudo dpkg -i graylog-4.1-repository_latest.deb
  3. Update the system.

     $ sudo apt update
  4. Install Graylog.

     $ sudo apt -y install graylog-server
  5. Generate a 96-character random string for Graylog and save a copy to use in the Graylog server configuration file.

     $ pwgen -N 1 -s 96
  6. Choose a strong password for your admin account and generate its 64-character SHA-256 hash. For example, if you choose StrongPassword:

     $ echo -n StrongPassword | sha256sum

     The hash is:

     05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
  7. Edit the Graylog configuration file.

     $ sudo nano /etc/graylog/server/server.conf
  8. Update password_secret with the 96-character random string you generated earlier. For example:

     password_secret = E2oSBW5rFhN6q6zguM7ve7KH1e7WfkAnqy64WR2E4U673ryQmSSDtCSBCfnVoCrLgISiYkPvBam1h0EKfIxGCFhpVX78gz7l
  9. Update root_password_sha2 with the 64-character hash of your admin password. For example:

     root_password_sha2 = 05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223
  10. Update http_bind_address so that the web interface listens on all interfaces on port 9000, as shown:

     http_bind_address = 0.0.0.0:9000
  11. Save and close the file.

  12. Restart the system daemon.

     $ sudo systemctl daemon-reload
  13. Restart the Graylog service.

     $ sudo systemctl restart graylog-server
  14. Enable the Graylog service to run on system startup.

     $ sudo systemctl enable graylog-server
  15. Verify the status of the Graylog server.

     $ sudo systemctl status graylog-server
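As an added example (not part of the original article), the following shell functions carry out steps 5, 6 and 8 to 10 against a server.conf and verify the result before the service is restarted, rejecting a secret shorter than the 64 characters server.conf asks for, a root_password_sha2 that is not a 64-digit hex SHA-256, and a bind address without a port. It assumes GNU sed and coreutils (tr, head, sha256sum, cut) in place of pwgen; the function names are the example's own.

```shell
# Added example, not from the original article: applies steps 5, 6 and 8-10 of
# section 4 to a Graylog server.conf and verifies the result. Assumes GNU sed and
# coreutils (tr, head, sha256sum, cut) instead of pwgen.
set -eu

# 96-character alphanumeric secret, equivalent to `pwgen -N 1 -s 96` (step 5).
gen_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# Hex SHA-256 of the admin password, as `echo -n StrongPassword | sha256sum` (step 6).
hash_root_password() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value": replace the existing line (commented out with '#' or not) or append it.
set_conf_key() {
  local conf="$1" key="$2" value="$3"
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$conf"
  fi
}

# Print the value of an active (uncommented) key.
get_conf_key() {
  sed -nE "s|^${1}[[:space:]]*=[[:space:]]*||p" "$2"
}

# Catch the typos that stop graylog-server from starting or lock the admin out: a secret
# shorter than 64 characters, a hash that is not 64 hex digits, a bind address without a port.
verify_graylog_conf() {
  local conf="$1" s h b
  s=$(get_conf_key password_secret "$conf")
  h=$(get_conf_key root_password_sha2 "$conf")
  b=$(get_conf_key http_bind_address "$conf")
  [ "${#s}" -ge 64 ] || { echo "password_secret has ${#s} chars, need at least 64" >&2; return 1; }
  printf '%s' "$h" | grep -qE '^[0-9a-f]{64}$' || { echo "root_password_sha2 is not a SHA-256 hex digest" >&2; return 1; }
  printf '%s' "$b" | grep -qE '^[^:]+:[0-9]+$' || { echo "http_bind_address must be host:port" >&2; return 1; }
}

# Apply steps 8-10 (password_secret, root_password_sha2, http_bind_address) and verify.
configure_graylog() {
  local conf="$1" secret="$2" root_pw="$3" bind="${4:-0.0.0.0:9000}"
  set_conf_key "$conf" password_secret "$secret"
  set_conf_key "$conf" root_password_sha2 "$(hash_root_password "$root_pw")"
  set_conf_key "$conf" http_bind_address "$bind"
  verify_graylog_conf "$conf"
}
```

After step 7, run `configure_graylog /etc/graylog/server/server.conf "$(gen_password_secret)" 'YourAdminPassword'` as root, then continue with step 12.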

5. Access Graylog Web UI

  1. Open your web browser and navigate to your server's IP address on port 9000. For example:

     http://192.0.2.10:9000
  2. Log in with the username admin and the password you chose in step 6 of the previous section to access the Graylog dashboard.

More Information

For more information on Graylog, see the official Graylog documentation.