How to Install and Configure Graylog Server on Ubuntu 16.04



Graylog is a free and open source, centralized log management tool based on MongoDB and Elasticsearch. Using Graylog you can easily collect and analyze your server logs.

Graylog is made up of three components Elasticsearch, MongoDB and Graylog server. Elasticsearch is used to store the logs and provide searching facilities. MongoDB stores the configuration and meta information. Graylog server collects the log messages from different inputs and provides a web interface for managing the logs.

In this tutorial we will guide you through the steps of installing Graylog on an Ubuntu 16.04 VPS


Login to your VPS as user root

ssh [email protected]_ADDRESS

and update the system

apt-get update && apt-get upgrade

Install Java

We need Java installed on the server for the Graylog installation. It can be installed from the official ubuntu repo:

apt-get install openjdk-7-jre

check the version

java -version

openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-8u131-b11-2ubuntu1.16.04.3-b11)
OpenJDK 64-Bit Server VM (build 25.131-b11, mixed mode)

Install MongoDB

MongoDB cannot be installed from the Ubuntu repository, so we will have to add the MongoDB repository

sudo apt-key adv --keyserver hkp:// --recv 7F0CEB10
echo "deb wheezy/mongodb-org/3.0 main" > /etc/apt/sources.list.d/mongodb-org-3.0.list
apt-get update

and run the following command to install MongoDB

apt-get install mongodb-org

Once installed, start MongoDB and enable it to start on boot

systemctl start mongod
systemctl enable mongod

Install Elasticsearch

Add the GPG key to the server:

wget -qO - | sudo apt-key add -

Now add the elasticsearch repository to sources list

apt-get install apt-transport-https
echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list

Update the package lists and install Elasticsearch

apt-get update && apt-get install elasticsearch

Once the installation is completed, modify the Elasticsearch configuration file, uncomment the ‘’ name, and change it to ‘graylog’. graylog

start Elastcisearch and enable it to start at boot time

systemctl start elasticsearch
systemctl enable elasticsearch

Install Graylog

Download and install Graylog repository

dpkg -i graylog-2.3-repository_latest.deb

Update the package lists and install Graylog

apt-get update && apt-get install graylog-server

Next, we must specify ‘root_password_sha2’ password and secret key.

Run the following command to create your password ‘root_password_sha2’, which will be password for the ‘admin’ account

echo -n PASSWORD | sha256sum
0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60 -

Replace PASSWORD with an actual password

Create a sectret key using pwgen

apt-get install pwgen
pwgen -s 80 1

Edit the ‘/etc/graylog/server/server.conf’ file and insert the shasum of your desired password in the ‘root_password_sha2’ line and the secret key we created with pwgen in the ‘password_secret’ line

nano /etc/graylog/server/server.conf
root_password_sha2 = 0be64ae89ddd24e225434de95d501711339baeee18f009ba9b4369af27d30d60
password_secret = I2UqBbXDXcWkYTs2x7wCAPs7GDmLG4iB82AuAhhtB0ayegd5SAjlMxh1Il848Vyq5DP5Q5ZN8wJmWK4m

In the same ‘server.conf’ find the following lines and change ‘IP_ADDRESS’ with your server IP address

rest_listen_uri = http://IP_ADDRESS:9000/api/
web_listen_uri = http://IP_ADDRESS:9000/

Save the changes and restart Graylog

systemctl restart graylog-server

Check if Graylog is properly started

systemctl status graylog-server

If everything is OK, you will get the following output

● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2017-08-19 22:50:14 CDT; 54s ago
Main PID: 571 (graylog-server)
CGroup: /system.slice/graylog-server.service
├─571 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─572 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThr

Finally, you should be able to access Graylog web interface at http://IP_ADDRESS:9000 and login with user ‘admin’ and the password we created as ‘root_password_sha2’.

Please check Graylog’s official documentation for more information on how to configure and use the application.