This guide describes the fastest way to install Graylog on Debian Linux 10 (Buster) and 11 (Bullseye). All links and packages are present at the time of writing.
Prerequisites
Graylog 5.0 requires the following to maintain compatibility with its software dependencies:
- OpenJDK 17 (embedded in the 5.0 installation file)
- Elasticsearch 7.10.2 OR OpenSearch
- MongoDB (5.x or 6.x)
MongoDB
Graylog 5.0 is compatible with MongoDB 5.x-6.x.
The official MongoDB repository provides the most up-to-date version and is the recommended way of installing MongoDB. In the commands below, replace 5.x with the MongoDB version you selected (and buster with your Debian release codename):
wget -qO - https://www.mongodb.org/static/pgp/server-5.x.asc | sudo apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/5.x main" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.x.list
sudo apt-get update
sudo apt-get install -y mongodb-org
The next step is to enable MongoDB at boot and verify that it is running:
sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl --type=service --state=active | grep mongod
OpenSearch
If you are using OpenSearch as your data node, then follow the steps below to install OpenSearch 2.0.1.
The recommended method of installation is to follow the user documentation provided by the OpenSearch project. To set up your OpenSearch service with your Graylog instance, read the following recommendations and guidance.
Before installing, you may want to disable transparent huge pages to improve performance.
sudo su
cat > /etc/systemd/system/disable-transparent-huge-pages.service <<EOF
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable disable-transparent-huge-pages.service
sudo systemctl start disable-transparent-huge-pages.service
Create your OpenSearch user.
sudo adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group opensearch
Now, you can begin the installation of the OpenSearch tarball. Full instructions for tarball installation are recorded in the OpenSearch documentation.
#Download Opensearch 2.0.1
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.0.1/opensearch-2.0.1-linux-x64.tar.gz
#Create Directories
sudo mkdir -p /graylog/opensearch/data
sudo mkdir /var/log/opensearch
#Extract Contents from tar
sudo tar -zxf opensearch-2.0.1-linux-x64.tar.gz
sudo mv opensearch-2.0.1/* /graylog/opensearch/
#Set Permissions
sudo chown -R opensearch:opensearch /graylog/opensearch/
sudo chown -R opensearch:opensearch /var/log/opensearch
sudo chmod -R 2750 /graylog/opensearch/
sudo chmod -R 2750 /var/log/opensearch
#Create empty log file
sudo -u opensearch touch /var/log/opensearch/graylog.log
#Create System Service
sudo su
cat > /etc/systemd/system/opensearch.service <<EOF
[Unit]
Description=Opensearch
Documentation=https://opensearch.org/docs/latest
Requires=network.target remote-fs.target
After=network.target remote-fs.target
ConditionPathExists=/graylog/opensearch
ConditionPathExists=/graylog/opensearch/data
[Service]
Environment=OPENSEARCH_HOME=/graylog/opensearch
Environment=OPENSEARCH_PATH_CONF=/graylog/opensearch/config
ReadWritePaths=/var/log/opensearch
User=opensearch
Group=opensearch
WorkingDirectory=/graylog/opensearch
ExecStart=/graylog/opensearch/bin/opensearch
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
EOF
Graylog Configuration for OpenSearch
Begin by opening the OpenSearch configuration file.
nano /graylog/opensearch/config/opensearch.yml
Update the following fields for a minimal, unsecured running state. Note that with plugins.security.disabled: true and network.host: 0.0.0.0 the node accepts unauthenticated connections on every interface, so restrict access to it at the network level.
cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /graylog/opensearch/data
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
cluster.initial_master_nodes: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
action.auto_create_index: false
plugins.security.disabled: true
Edit the JVM options.
sudo nano /graylog/opensearch/config/jvm.options
Set the -Xms and -Xmx heap settings to half of the installed system memory.
Configure the kernel parameter at runtime and make it persistent across reboots (the redirect must run as root, hence tee):
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
Finally, enable the system service.
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service
sudo systemctl --type=service --state=active | grep opensearch
Elasticsearch
Graylog 5.0 can be used with Elasticsearch 7.10.2. Please follow the below instructions to install the open-source version of Elasticsearch.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch-oss
The above instructions are derived from the Elasticsearch install page.
Graylog Configuration for Elasticsearch
Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml), setting the cluster name to graylog and action.auto_create_index to false:
sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null << EOT
cluster.name: graylog
action.auto_create_index: false
EOT
After you have modified the configuration, you can start Elasticsearch and verify it is running.
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch
Graylog
Now install the Graylog repository configuration and Graylog itself with the following commands:
wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server
If you are installing Graylog Operations, then you will use the following commands:
wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-enterprise
Edit the Configuration File
Read the instructions in the configuration file, /etc/graylog/server/server.conf, and edit it as needed. password_secret and root_password_sha2 are mandatory: add both, because Graylog will not start without them.
To create your root_password_sha2 run the following command:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
To be able to connect to Graylog, you should set http_bind_address to the public hostname or a public IP address of the machine you will connect to. More information about these settings can be found in Configuring the Web Interface.
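The following helper script is an added example, not part of the Graylog documentation: it derives root_password_sha2 the same way the one-liner above does, generates a password_secret from /dev/urandom, writes both keys into a server.conf-style file, and checks that the file has both mandatory values before graylog-server is started. The function names and the temporary file used for the demonstration are the example's own.

```shell
#!/bin/sh
# Added example (not from the Graylog docs): prepare and verify the two
# mandatory server.conf keys, password_secret and root_password_sha2.

# Print the SHA-256 hex digest of the password given as $1, equivalent to the
# guide's `echo -n ... | sha256sum | cut -d" " -f1` pipeline.
graylog_root_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Generate a random alphanumeric password_secret of $1 characters
# (default 96) from /dev/urandom; no pwgen dependency needed.
graylog_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Set KEY = VALUE in FILE ($1): replace an existing (possibly commented-out)
# line for KEY, or append one if the key is absent. VALUE is assumed to be
# free of sed-special characters (hex digests and alphanumeric secrets are).
graylog_conf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}${key} *=" "$file"; then
        sed -i "s|^#\{0,1\}${key} *=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Return 0 only if FILE ($1) has a non-empty password_secret and a
# root_password_sha2 that is exactly 64 hex characters; otherwise return 1.
graylog_conf_check() {
    file=$1
    grep -q "^password_secret *= *[^[:space:]]" "$file" || return 1
    grep -Eq "^root_password_sha2 *= *[0-9a-f]{64} *$" "$file" || return 1
}

# Usage on a real system (run as root):
#   . ./graylog-conf.sh
#   graylog_conf_set /etc/graylog/server/server.conf password_secret "$(graylog_password_secret)"
#   graylog_conf_set /etc/graylog/server/server.conf root_password_sha2 "$(graylog_root_sha2 "$ADMIN_PW")"
#   graylog_conf_check /etc/graylog/server/server.conf && echo "server.conf ready"
```

Running graylog_conf_check before `systemctl start graylog-server.service` turns a failed start into an immediate, explicit error.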
The last step is to enable Graylog at boot and verify that it is running.
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog
If you are running Graylog Operations, you can verify it is running:
sudo systemctl daemon-reload
sudo systemctl enable graylog-enterprise.service
sudo systemctl start graylog-enterprise.service
sudo systemctl --type=service --state=active | grep graylog
The next step is to ingest messages into your Graylog instance and extract the messages with extractors or use Pipelines to work with the messages.
Multiple Server Setup
If you plan to have multiple servers performing different roles in your cluster, as in this big production setup, then you need to modify only a few settings. This is covered in our Multi-node Setup Guide. The default file location guide will give you the file you need to modify in your setup.