This article is a walkthrough for installing “Graylog Open 6” and leverages the documentation at “https://go2docs.graylog.org/current/downloading_and_installing_graylog/ubuntu_installation.html” and “https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/”. We’re using Ubuntu 22.04 because 24.04 is not supported using the documentation linked above.
We’re starting from a fresh “standard” Ubuntu 22.04 installation. Our resources are “4GB RAM, 8 CPU Cores, 25GB Disk space”. These resources are far too low for an enterprise installation, but fine for this walkthrough. Log in to the Ubuntu server as root and issue these commands.
Update your system and install a few packages:
apt update && apt upgrade
apt install gnupg curl net-tools
Set the time and get the additional packages key:
timedatectl set-timezone UTC
wget -qO- 'http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf5679a222c647c87527c2f8cb00a0bd1e2c63c11' | sudo apt-key add -
Install MongoDB:
curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
apt update
apt install mongodb-org
echo "mongodb-org hold" | sudo dpkg --set-selections
echo "mongodb-org-database hold" | sudo dpkg --set-selections
echo "mongodb-org-server hold" | sudo dpkg --set-selections
echo "mongodb-mongosh hold" | sudo dpkg --set-selections
echo "mongodb-org-mongos hold" | sudo dpkg --set-selections
echo "mongodb-org-tools hold" | sudo dpkg --set-selections
systemctl enable mongod
systemctl start mongod
apt-mark hold mongodb-org
Install OpenSearch:
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
apt update
OPENSEARCH_INITIAL_ADMIN_PASSWORD=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32) apt install opensearch
apt-mark hold opensearch
Edit the “/etc/opensearch/opensearch.yml” file and set the following values:
cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true
Set the following two settings in “/etc/opensearch/jvm.options” (replace the ‘4’ with 50% of the installed memory):
-Xms4g
-Xmx4g
Set kernel settings and enable/start services:
sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
systemctl daemon-reload
systemctl enable opensearch.service
systemctl start opensearch.service
systemctl status opensearch.service
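The opensearch.yml, jvm.options and sysctl steps above are easy to get subtly wrong, and one of them deserves a second look from a defender: with plugins.security.disabled set to true there is no authentication or TLS on port 9200, and network.host 0.0.0.0 makes that port reachable from every interface. Since Graylog on this box only talks to http://127.0.0.1:9200, binding OpenSearch to 127.0.0.1 (or firewalling tcp/9200) costs nothing. The script below is an added example, not part of the walkthrough or of the Graylog/OpenSearch projects: it audits a flat opensearch.yml for the settings the walkthrough sets, checks vm.max_map_count, and computes the half-of-RAM heap size. The 32 GB heap ceiling it applies is OpenSearch's general guidance, not something this page states, and yml_get is a line-oriented lookup, not a YAML parser.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit the OpenSearch settings before starting the service.

# Value of a top-level "key: value" line (first match, surrounding double quotes stripped).
# Line-oriented on purpose: enough for the flat opensearch.yml used here, not a YAML parser.
yml_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# Prints one WARN line per problem; the exit status is the number of findings.
audit_opensearch_yml() {
  f=$1
  findings=0
  host=$(yml_get "$f" network.host)
  if [ "$(yml_get "$f" plugins.security.disabled)" = true ]; then
    # Security plugin off means no auth and no TLS on 9200: only Graylog on this host should reach it.
    case $host in
      ""|127.0.0.1|localhost|_local_) ;;
      *) echo "WARN: plugins.security.disabled=true with network.host=$host; bind to 127.0.0.1 or firewall tcp/9200"
         findings=$((findings + 1)) ;;
    esac
  fi
  [ "$(yml_get "$f" discovery.type)" = single-node ] || { echo "WARN: discovery.type should be single-node for this install"; findings=$((findings + 1)); }
  [ "$(yml_get "$f" action.auto_create_index)" = false ] || { echo "WARN: action.auto_create_index should be false (Graylog creates its own indices)"; findings=$((findings + 1)); }
  [ "$(yml_get "$f" cluster.name)" = graylog ] || { echo "WARN: cluster.name is not graylog"; findings=$((findings + 1)); }
  return "$findings"
}

# OpenSearch needs vm.max_map_count >= 262144. $1 overrides the live kernel value (used by tests).
max_map_count_ok() {
  v=${1:-$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)}
  [ "$v" -ge 262144 ]
}

# Heap size in GB for -Xms/-Xmx: half of RAM ($1 = MemTotal in kB, defaults to /proc/meminfo),
# at least 1 GB, capped at 31 GB (OpenSearch's "stay below 32 GB" guidance; not from the walkthrough).
jvm_heap_gb() {
  kb=${1:-$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)}
  kb=${kb:-0}
  gb=$((kb / 1024 / 1024 / 2))
  [ "$gb" -ge 1 ] || gb=1
  [ "$gb" -le 31 ] || gb=31
  echo "$gb"
}

# Constructed sample reproducing the walkthrough's opensearch.yml; $1 overrides network.host.
# Prints the path of the temp file it wrote.
write_sample_yml() {
  host=${1:-0.0.0.0}
  t=$(mktemp)
  cat > "$t" <<EOF
cluster.name: graylog
node.name: \${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: $host
action.auto_create_index: false
plugins.security.disabled: true
EOF
  echo "$t"
}

# Demo run against the constructed sample (on the real host: audit_opensearch_yml /etc/opensearch/opensearch.yml).
sample=$(write_sample_yml)
audit_opensearch_yml "$sample" || echo "findings: $?"
rm -f "$sample"
heap=$(jvm_heap_gb)
printf 'jvm.options for this machine: -Xms%sg -Xmx%sg\n' "$heap" "$heap"
if max_map_count_ok; then echo "vm.max_map_count OK"; else echo "vm.max_map_count too low: run the sysctl step"; fi
```

Run the audit against /etc/opensearch/opensearch.yml after editing it; a non-zero exit status is the number of warnings printed.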
Install Graylog:
wget https://packages.graylog2.org/repo/packages/graylog-6.0-repository_latest.deb
dpkg -i graylog-6.0-repository_latest.deb
apt update && apt install graylog-server
apt-mark hold graylog-server
Modify the Graylog settings in “/etc/graylog/server/server.conf” and set the passwords.
# For password_secret - used for system hashing and salting:
tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
# For root_password_sha2 - the hash is stored in the config file, the password is used at admin's login time:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
So using the example above (and adding two more values), the values for the “/etc/graylog/server/server.conf” would be (but don’t copy my passwords, generate your own using the above methods):
password_secret = YnkGQJLBZxlxmjud3ReuYplcrm08ralBalH0tRoNXNeqjpsfzsEng415WwOx1GiWv095UU0Co0ONLeVljmvzmbkJfbnHxbtP
root_password_sha2 = cc04274f68adbc48d30b6e0d3c2035ac0d7f09a0806342c5d77570747ca65e0a
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200
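The two generator commands above hide one detail that bites people: root_password_sha2 must be the SHA-256 of the password bytes only, with no trailing newline, which is why the walkthrough uses echo -n and tr -d '\n'. Hash "password\n" by mistake and the web login fails even though the config looks right. The script below is an added example, not code from the walkthrough or from Graylog: it wraps both generators in functions, checks the generated password_secret (the 16-character minimum is Graylog's documented lower bound, an assumption not stated on this page), and renders the four server.conf lines. The demo password at the bottom is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the walkthrough): generate and sanity-check the server.conf secrets.

# password_secret: 96 characters from [A-Za-z0-9], drawn from the kernel CSPRNG.
gen_password_secret() {
  tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# Graylog refuses a password_secret shorter than 16 characters (assumption: Graylog's documented minimum).
# Characters outside the generator's alphabet usually mean the value was pasted with stray whitespace.
check_password_secret() {
  [ "${#1}" -ge 16 ] || return 1
  case $1 in *[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

# root_password_sha2: SHA-256 of exactly the password bytes. printf '%s' emits no newline, the same
# effect the walkthrough gets from echo -n plus tr -d '\n'.
hash_root_password() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Interactive wrapper for the real password: read from the terminal so it never lands in shell history.
hash_root_password_prompt() {
  printf 'Enter Password: ' >&2
  stty -echo 2>/dev/null
  IFS= read -r pw
  stty echo 2>/dev/null
  printf '\n' >&2
  hash_root_password "$pw"
}

# The four server.conf lines from the walkthrough, for a given secret and hash.
render_server_conf() {
  printf 'password_secret = %s\n' "$1"
  printf 'root_password_sha2 = %s\n' "$2"
  printf 'http_bind_address = 0.0.0.0:9000\n'
  printf 'elasticsearch_hosts = http://127.0.0.1:9200\n'
}

# Demo with a constructed placeholder password; use hash_root_password_prompt for the real one.
secret=$(gen_password_secret)
check_password_secret "$secret" || echo "generated secret failed the check" >&2
render_server_conf "$secret" "$(hash_root_password 'placeholder-password-not-for-use')"
```

To produce the real values, run hash_root_password_prompt and paste its output and a fresh gen_password_secret into server.conf; the file is readable only by root, so a secret it contains is as safe as root on the box.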
Finalisation:
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog
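Before opening the web interface it is worth confirming that all three services are up and that the two datastores behind Graylog are not exposed beyond the host: neither MongoDB nor OpenSearch (with the security plugin disabled, as configured above) authenticates clients in this layout, so tcp/27017 and tcp/9200 should listen on loopback only, while tcp/9000 is the one port meant to be reachable. The script below is an added example, not from the walkthrough: services_active queries systemd, and check_exposure parses the output of ss -ltn. The sample ss output embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the walkthrough): post-install check of services and datastore exposure.

SERVICES="mongod opensearch graylog-server"
# Ports that carry no authentication in this layout and must not face the network.
WATCH_PORTS="27017 9200"

# One line per service with its systemd state; exit 1 if any is not active.
services_active() {
  bad=0
  for s in $SERVICES; do
    state=$(systemctl is-active "$s" 2>/dev/null || true)
    printf '%-16s %s\n' "$s" "${state:-unknown}"
    [ "$state" = active ] || bad=1
  done
  return $bad
}

# stdin: output of `ss -ltn`. Prints every watched port bound to a wildcard address; exit 1 if any.
check_exposure() {
  found=0
  for la in $(awk 'NR > 1 && $1 == "LISTEN" { print $4 }'); do
    port=${la##*:}   # text after the last colon
    addr=${la%:*}    # everything before it, so "[::]:9200" yields "[::]"
    case " $WATCH_PORTS " in *" $port "*) ;; *) continue ;; esac
    case $addr in
      0.0.0.0|'*'|'[::]') echo "EXPOSED: tcp/$port listens on $addr; bind it to loopback or firewall it"; found=1 ;;
    esac
  done
  return $found
}

# Constructed `ss -ltn` output mirroring the walkthrough's defaults: mongod on loopback,
# OpenSearch on all interfaces, Graylog's web interface on 9000.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      4096   *:9000              *:*'

printf '%s\n' "$SAMPLE_SS" | check_exposure || echo "review the bindings above"
# On the real host:  services_active && ss -ltn | check_exposure
```

With the walkthrough's opensearch.yml the check reports tcp/9200 on 0.0.0.0; change network.host to 127.0.0.1 (Graylog is configured to reach OpenSearch via 127.0.0.1 anyway) or restrict the port with the host firewall, then re-run.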
Now visit the site:
- Host: http://<ip-address>:9000/
- Username: admin
- Password: the password you hashed into root_password_sha2
The admin password is the one you typed at the “Enter Password:” prompt earlier in this walkthrough; its SHA-256 hash is what went into root_password_sha2. The password_secret is used for hashing and salting only and is not a login credential.
Finally we need to start ingesting logs. That’s where this walkthrough ends. But you can continue on with your first ingest here “https://graylog.org/post/how-to-use-graylog-as-a-syslog-server/”.