This guide describes the recommended way to install Graylog on Ubuntu 20.04 LTS and 22.04. All links and packages are present at the time of writing.

Warning: This guide does not cover security settings! The server administrator must make sure the Graylog server is not publicly exposed and is following security best practices.

Prerequisites

Hint: This guide assumes that any firewall is disabled and traffic can flow across all necessary ports.

Graylog 5.0 requires the following to maintain compatibility with its software dependencies: 

  • OpenJDK 17 (This is embedded in Graylog 5.0 and does not need to be separately installed.)
  • OpenSearch 1.x, 2.x or Elasticsearch 7.10.2
  • MongoDB 5.x or 6.x

MongoDB

Graylog 5.0 is compatible with MongoDB 5.x-6.x.

1. Installing MongoDB on Ubuntu should follow the tutorial for Ubuntu from the MongoDB documentation:

sudo apt-get install gnupg

wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -

# Ubuntu 18.04
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

# Ubuntu 20.04 
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

# Ubuntu 22.04
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

sudo apt-get update
sudo apt-get install -y mongodb-org

2. In environments where the direct download is blocked, for example behind a corporate proxy, you can fetch the same signing key from a keyserver instead:

wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | sudo apt-key add -

3. Enable MongoDB during the operating system’s start up and verify it is running:

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl --type=service --state=active | grep mongod

Hint: For the following sections on OpenSearch and Elasticsearch, select which data node you will be using for your Graylog instance and complete only the requisite section.

OpenSearch

If you are using OpenSearch as your data node, then follow the steps below to install OpenSearch 2.0.1.

The recommended method of installation is to follow the user documentation provided by the OpenSearch service. To set up the OpenSearch service with your Graylog instance, read the following recommendations and guidance.

1. You may prefer to disable transparent hugepages to improve performance before installing.

sudo su

cat > /etc/systemd/system/disable-transparent-huge-pages.service <<EOF
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable disable-transparent-huge-pages.service
sudo systemctl start disable-transparent-huge-pages.service

2. Create your OpenSearch user.

sudo adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group opensearch

3. Now, you can begin the installation of the OpenSearch tarball. Full instructions for tarball installation are recorded in the OpenSearch documentation.

#Download Opensearch 2.0.1
wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.0.1/opensearch-2.0.1-linux-x64.tar.gz

#Create Directories
sudo mkdir -p /graylog/opensearch/data
sudo mkdir /var/log/opensearch

#Extract Contents from tar
sudo tar -zxf opensearch-2.0.1-linux-x64.tar.gz 
sudo mv opensearch-2.0.1/* /graylog/opensearch/

#Set Permissions
sudo chown -R opensearch:opensearch /graylog/opensearch/
sudo chown -R opensearch:opensearch /var/log/opensearch
sudo chmod -R 2750 /graylog/opensearch/
sudo chmod -R 2750 /var/log/opensearch

#Create empty log file
sudo -u opensearch touch /var/log/opensearch/graylog.log

#Create System Service
sudo su
cat > /etc/systemd/system/opensearch.service <<EOF
[Unit]
Description=Opensearch
Documentation=https://opensearch.org/docs/latest
Requires=network.target remote-fs.target
After=network.target remote-fs.target
ConditionPathExists=/graylog/opensearch
ConditionPathExists=/graylog/opensearch/data
[Service]
Environment=OPENSEARCH_HOME=/graylog/opensearch
Environment=OPENSEARCH_PATH_CONF=/graylog/opensearch/config
ReadWritePaths=/var/log/opensearch
User=opensearch
Group=opensearch
WorkingDirectory=/graylog/opensearch
ExecStart=/graylog/opensearch/bin/opensearch
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
EOF

Graylog Configuration for OpenSearch

1. Begin by opening the yml file:

nano /graylog/opensearch/config/opensearch.yml

2. Update the following fields for a minimum unsecured running state:

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /graylog/opensearch/data
path.logs: /var/log/opensearch
network.host: ${HOSTNAME}
discovery.seed_hosts: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
cluster.initial_master_nodes: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
action.auto_create_index: false
plugins.security.disabled: true

3. Open the JVM options file:

sudo nano /graylog/opensearch/config/jvm.options

4. Now, set the JVM heap settings (the -Xms and -Xmx lines) to half of the installed system memory.

5. Configure the kernel parameters at runtime:

sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf

6. Finally, enable the system service:

sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service

Elasticsearch

Elasticsearch 7.10.2 is the only version that is compatible with Graylog 5.0; however, we recommend OpenSearch for new Graylog cluster installations.

1. The following commands will begin the installation of the open-source version of Elasticsearch. See the Elasticsearch install page for more detailed instructions.

wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
sudo apt-key add myKey
echo "deb https://artifacts.elastic.co/packages/oss-7.10.2/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.10.2.list
sudo apt-get update && sudo apt-get install elasticsearch-oss

2. Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml): set the cluster name to graylog and set action.auto_create_index to false. The command below appends both settings to the file:

sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT

3. After you have modified the configuration, you can start Elasticsearch and verify it is running:

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch

Graylog

Install the Graylog Open repository configuration and Graylog itself with the following commands:

wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server 

If you are installing Graylog Operations, then you will use the following commands:

wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get install graylog-enterprise

Edit the Configuration File

Read the instructions in the configuration file, located at /etc/graylog/server/server.conf, and edit it as needed. Additionally, set password_secret and root_password_sha2, as these are mandatory and Graylog will not start without them.

1. To create your root_password_sha2, run the following command:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

2. To generate a password_secret:

pwgen -N 1 -s 96

To be able to connect to Graylog, set http_bind_address to the public host name or a public IP address of the machine with which you can connect. More information about these settings can be found in Configuring the Web Interface.

Hint: If you’re operating a single-node setup and would like to use HTTPS for the Graylog web interface and the Graylog REST API, it’s possible to use NGINX or Apache as a reverse proxy.

3. Enable Graylog during the operating system’s start up:

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog
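Steps 1 to 3 above generate the two mandatory values by hand and leave it to you to paste them into server.conf. The script below, added here as an example and not taken from the Graylog documentation, produces the same SHA-256 digest as the guide's one-liner, generates a 96-character secret without requiring pwgen, writes both values plus http_bind_address into a server.conf, and validates the result before you start graylog-server. The script name, the example host name and the 64-character minimum used by the validator are assumptions of this example, not part of the guide.

```shell
#!/bin/sh
# Added example, not part of the Graylog documentation. Generates the two
# mandatory server.conf values (password_secret, root_password_sha2), writes
# them plus http_bind_address into a server.conf, and validates the result.
# Assumes sha256sum, GNU sed and /dev/urandom. Run it against a COPY of
# /etc/graylog/server/server.conf first, then compare with diff.
# Usage: sh graylog-secrets.sh ./server.conf 'admin-password' 'graylog.example.internal:9000'
# (host name is a placeholder; use the public name or IP of your Graylog node)

# Same digest the guide's one-liner produces: SHA-256 of the password with no
# trailing newline, printed as 64 lowercase hex characters.
graylog_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random alphanumeric secret of the requested length (default 96, matching
# the guide's "pwgen -N 1 -s 96"), without needing pwgen installed.
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Set "key = value" in a server.conf: rewrites an existing line for the key
# (active, or commented out with a single leading '#'); appends if absent.
# Values must not contain '|' or '&' (they are used unescaped in sed).
set_conf_value() {
    conf="$1"; key="$2"; value="$3"
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >>"$conf"
    fi
}

# Read the active (uncommented) value of a key from server.conf.
get_conf_value() {
    sed -n -E "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when root_password_sha2 is a 64-hex-char digest and
# password_secret is at least 64 characters long (the minimum assumed here),
# otherwise 1 so the caller can stop before starting graylog-server.
validate_conf() {
    hash=$(get_conf_value "$1" root_password_sha2)
    secret=$(get_conf_value "$1" password_secret)
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' || return 1
    [ "${#secret}" -ge 64 ] || return 1
    return 0
}

if [ "$#" -ge 3 ]; then
    set_conf_value "$1" password_secret "$(gen_password_secret 96)"
    set_conf_value "$1" root_password_sha2 "$(graylog_sha256 "$2")"
    set_conf_value "$1" http_bind_address "$3"
    if validate_conf "$1"; then
        echo "mandatory values present in $1"
    else
        echo "validation failed; do not start graylog-server yet" >&2
        exit 1
    fi
fi
```

Passing the admin password as a command-line argument exposes it in the shell history and process list, so clear the history afterwards or adapt the script to read the password from a prompt as the guide's one-liner does. The same password_secret must be used on every node of a multi-node cluster, so keep the generated value where you can reuse it when you add nodes.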

4. The last step is to ingest messages into your Graylog and extract the messages with extractors or use pipelines to work with the messages.


Multiple Server Setup

If you plan to have multiple servers taking care of different roles in your cluster, as in a large production setup, you need to modify only a few settings. This is covered in our Multi-Node Setup guide. The Default File Location guide lists the files you need to modify in your setup.