Graylog Setup

Graylog is an open-source log management platform that sits between your log shippers (rsyslog, Filebeat, GELF clients) and your team's browser. It provides centralized search across all servers, real-time alerting when specific patterns appear, and dashboards for operations metrics. Unlike ELK, which requires separate tuning of multiple components, Graylog ships as a more integrated product. It uses MongoDB for configuration and metadata only; the log data itself lives in Elasticsearch/OpenSearch, which is the search backend.

What is Graylog?

Graylog architecture:
  Log shippers (syslog, GELF, Beats)
         ↓
  Graylog Server (port 9000 web, 5140 syslog, 12201 GELF)
    - Receives, parses, enriches log messages
    - Applies streams (routing rules) and alert conditions
         ↓           ↓
  MongoDB          Elasticsearch / OpenSearch
  (config,         (log storage and search)
   metadata)

Prerequisites

# Graylog requires MongoDB and Elasticsearch/OpenSearch
# Minimum hardware: 4GB RAM, 2 CPU cores for a small setup

# Graylog 5.x packages bundle their own Java 17 runtime, and the OpenSearch
# packages bundle a JDK, so no separate Java install is needed (Java 11 would
# not satisfy Graylog 5.2 anyway). Only the tooling for HTTPS repositories is required:
sudo apt install -y apt-transport-https curl gnupg

# Install MongoDB (Graylog 5.2 supports MongoDB 5.0 and 6.0). apt-key is
# deprecated; store the key in /usr/share/keyrings and pin the repo to it:
curl -fsSL https://www.mongodb.org/static/pgp/server-6.0.asc | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-server-6.0.gpg
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-6.0.gpg ] https://repo.mongodb.org/apt/ubuntu $(lsb_release -cs)/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
sudo apt update && sudo apt install -y mongodb-org
sudo systemctl enable --now mongod
# mongod binds to 127.0.0.1 by default; leave it that way on a single-node setup.

# Install OpenSearch (Graylog's preferred search backend; Graylog 5.2 supports
# OpenSearch 1.x and 2.x, and Elasticsearch 7.10.x):
# (Follow OpenSearch installation instructions for your version)
# Before starting it, set these in /etc/opensearch/opensearch.yml:
#   cluster.name: graylog
#   discovery.type: single-node       (one node, no cluster bootstrap)
#   network.host: 127.0.0.1           (port 9200 must not be reachable from the network without auth)
#   action.auto_create_index: false   (required by Graylog, which creates and rotates its own indices)
#   plugins.security.disabled: true   (acceptable only on a localhost-only node; otherwise keep the
#                                      security plugin enabled and use https:// plus credentials
#                                      in elasticsearch_hosts)

Installing Graylog

# Install Graylog repository and package:
wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
sudo apt update && sudo apt install -y graylog-server

# Generate the password secret (used to encrypt stored credentials; at least 16
# characters, 96 recommended). Save it: every node in a Graylog cluster must use
# the same value, and changing it later makes stored credentials unreadable.
# (pwgen is not installed by default: sudo apt install -y pwgen)
pwgen -N 1 -s 96

Initial configuration

# Configure /etc/graylog/server/server.conf:
sudo nano /etc/graylog/server/server.conf

Key settings in server.conf

# Secret that encrypts stored credentials (see above; never rotate it casually):
password_secret = PASTE_YOUR_PWGEN_OUTPUT_HERE

# Generate root password hash (SHA-256 hex of your admin password):
# echo -n "yourpassword" | sha256sum | awk '{print $1}'
# That leaves the password in your shell history; prompting for it is safer:
# read -rs pw && printf '%s' "$pw" | sha256sum | awk '{print $1}'
root_password_sha2 = abc123...

# Where the web UI and REST API listen. 0.0.0.0 exposes them on every interface
# over plain HTTP: firewall port 9000 to trusted addresses and put TLS in front
# (a reverse proxy, or http_enable_tls with http_tls_cert_file/http_tls_key_file).
http_bind_address = 0.0.0.0:9000

elasticsearch_hosts = http://localhost:9200

mongodb_uri = mongodb://localhost/graylog

Start Graylog once the file is saved:

sudo systemctl enable --now graylog-server

# Verify it started (takes ~30 seconds; wait for "Graylog server up and running"):
sudo journalctl -u graylog-server -f
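The following is an added example and is not code from this page or from the Graylog project: a small POSIX shell script that produces the two secrets described above without pwgen, writes the settings from this section into a file you name, and sanity-checks that file before the service is started. The function names, the read_secret prompt and the choice of 127.0.0.1 as the bind address are this example's own assumptions, not Graylog defaults.

```sh
#!/bin/sh
# Added example, not from this page or from Graylog: generate the two secrets
# server.conf needs, write the settings from this section into a file, and
# sanity-check that file before starting graylog-server. Assumptions: sha256sum,
# od and /dev/urandom are available (true on Ubuntu); the localhost bind address
# and the function names are this example's choices, not Graylog defaults.

# password_secret without pwgen: 48 random bytes rendered as 96 hex characters.
# Graylog refuses values shorter than 16 characters; 96 is the documented advice.
graylog_password_secret() {
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# root_password_sha2: SHA-256 of the admin password as 64 lowercase hex chars.
graylog_root_hash() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# Prompt for the password with echo off so it never appears on a command line
# or in shell history (usage: graylog_root_hash "$(read_secret)").
read_secret() {
    printf 'Admin password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# Write the settings from this section to $1. The UI is bound to 127.0.0.1 so it
# stays off the network until TLS or a reverse proxy is in front of it; widen
# http_bind_address deliberately, not by default.
graylog_write_conf() {
    out="$1"; secret="$2"; root_hash="$3"
    printf '%s\n' \
        "password_secret = $secret" \
        "root_password_sha2 = $root_hash" \
        "http_bind_address = 127.0.0.1:9000" \
        "elasticsearch_hosts = http://127.0.0.1:9200" \
        "mongodb_uri = mongodb://127.0.0.1/graylog" > "$out"
}

# Check a server.conf: returns 0 when password_secret has at least 16 chars and
# root_password_sha2 is 64 lowercase hex chars; warns about a short secret and
# about binding the UI to every interface.
graylog_check_conf() {
    conf="$1"; rc=0
    secret=$(sed -n 's/^password_secret *= *//p' "$conf")
    hash=$(sed -n 's/^root_password_sha2 *= *//p' "$conf")
    bind=$(sed -n 's/^http_bind_address *= *//p' "$conf")
    if [ "${#secret}" -lt 16 ]; then
        echo "FAIL: password_secret is ${#secret} chars; Graylog requires at least 16" >&2; rc=1
    elif [ "${#secret}" -lt 96 ]; then
        echo "WARN: password_secret is ${#secret} chars; 96 is recommended" >&2
    fi
    case "$hash" in
        ""|*[!0-9a-f]*) echo "FAIL: root_password_sha2 is not lowercase hex" >&2; rc=1 ;;
        *) [ "${#hash}" -eq 64 ] || { echo "FAIL: root_password_sha2 is ${#hash} chars, not 64" >&2; rc=1; } ;;
    esac
    case "$bind" in
        0.0.0.0:*|\[::\]:*) echo "WARN: http_bind_address=$bind exposes the UI on every interface" >&2 ;;
    esac
    return "$rc"
}

# Usage as root, then: systemctl enable --now graylog-server
#   graylog_write_conf /etc/graylog/server/server.conf \
#       "$(graylog_password_secret)" "$(graylog_root_hash "$(read_secret)")"
#   graylog_check_conf /etc/graylog/server/server.conf
```

Run graylog_check_conf against the real server.conf after every hand edit; a typo in root_password_sha2 produces a login failure that is otherwise hard to tell from a wrong password.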

Sending logs to Graylog

# In Graylog web UI (http://SERVER_IP:9000), create an Input:
# System > Inputs > Select input type > Syslog TCP (or Syslog UDP) for rsyslog
# clients, GELF TCP/UDP for shippers that speak GELF > Launch new input.
# Use an unprivileged port such as 5140 for syslog (Graylog runs as its own user
# and cannot bind 514) and 12201 for GELF, bind it to the address clients reach,
# and firewall the port to the hosts that are supposed to ship logs.

# Configure rsyslog on client servers to forward to Graylog:
sudo nano /etc/rsyslog.d/99-graylog.conf

/etc/rsyslog.d/99-graylog.conf

# Forward everything to the Graylog Syslog input in RFC 5424 format (the
# RSYSLOG_SyslogProtocol23Format template is built into rsyslog). "@@" sends
# over TCP, "@" over UDP. UDP is lossy and trivially spoofable, and neither
# variant is encrypted or authenticated: outside a lab, wrap the TCP stream in
# TLS (rsyslog's gtls stream driver on the client, TLS enabled on the Graylog
# Syslog TCP input). rsyslog has no GELF output module, so use the syslog path
# from rsyslog and reserve the GELF input for shippers and applications that
# speak GELF natively (for example Docker's gelf log driver).
*.* @@graylog-server:5140;RSYSLOG_SyslogProtocol23Format
# UDP variant (pair it with a Syslog UDP input instead of Syslog TCP):
# *.* @graylog-server:5140;RSYSLOG_SyslogProtocol23Format

# Check the configuration (rsyslogd -N1 parses it without starting) and apply it:
sudo rsyslogd -N1
sudo systemctl restart rsyslog

# Test: send a message and verify it appears in Graylog Streams > All Messages
logger -t testapp "Test message from $(hostname)"
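A GELF input expects GELF 1.1 JSON documents rather than syslog lines, and it is worth seeing one built by hand before trusting a shipper's output. The block below is an added example, not code from this page or from the Graylog project: it assembles a GELF 1.1 document, enforces the field rules from the GELF specification, and sends it as one UDP datagram. The host name graylog-server and port 12201 are the ones used on this page; the GELF_TIMESTAMP override and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from this page or from Graylog: build a GELF 1.1 message by
# hand so you can see exactly what a GELF UDP/TCP input expects, and send it.
# Assumptions: host "graylog-server" and port 12201 as used on this page; the
# GELF_TIMESTAMP override and all function names are this example's own.

# Escape a string for a JSON string literal: backslash, double quote, tab and
# newline. Other control characters are not handled (keep them out of messages).
json_escape() {
    tab=$(printf '\t')
    printf '%s' "$1" \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g" \
        | awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }'
}

# gelf_message HOST SHORT_MESSAGE LEVEL [key=value ...]
# Emits one GELF 1.1 document. "version", "host" and "short_message" are
# mandatory; "level" is the syslog severity (0 emerg .. 7 debug); every custom
# field must be prefixed with "_" (added here if missing) and "_id" is reserved.
gelf_message() {
    [ $# -ge 3 ] || { echo "usage: gelf_message HOST SHORT_MESSAGE LEVEL [key=value ...]" >&2; return 1; }
    host="$1"; msg="$2"; level="$3"; shift 3
    ts="${GELF_TIMESTAMP:-$(date +%s)}"   # override for replay/testing
    fields=""
    for kv in "$@"; do
        key="${kv%%=*}"; val="${kv#*=}"
        case "$key" in
            _id) echo "gelf_message: _id is reserved by GELF" >&2; return 1 ;;
            _*)  ;;
            *)   key="_$key" ;;
        esac
        fields="$fields,\"$(json_escape "$key")\":\"$(json_escape "$val")\""
    done
    printf '{"version":"1.1","host":"%s","short_message":"%s","timestamp":%s,"level":%s%s}\n' \
        "$(json_escape "$host")" "$(json_escape "$msg")" "$ts" "$level" "$fields"
}

# Send one document as a single UDP datagram via bash's /dev/udp (bash only;
# under another shell pipe the document into: nc -u -w1 graylog-server 12201).
# GELF UDP datagrams larger than about 8 KB must be chunked per the GELF spec,
# so keep messages small or use the GELF TCP input, which takes null-byte
# delimited documents over one connection.
gelf_send_udp() {
    printf '%s' "$1" > "/dev/udp/${2:-graylog-server}/${3:-12201}"
}

# Demonstration (prints the document; send it with gelf_send_udp "$doc"):
gelf_message "$(hostname 2>/dev/null || echo web1)" "Test message" 6 app=testapp
```

Custom fields arrive in Graylog as _app, _src_ip and so on, searchable by name; a shipper that emits a field without the underscore is silently non-compliant, which is why the builder adds it.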

Conclusion

Graylog's advantage over raw ELK is the built-in alerting: define an event definition such as "more than 10 failed SSH logins in 5 minutes from a single IP" and Graylog sends an email or webhook notification. The setup cost is higher than simple syslog forwarding, but for teams who need alerting plus search, it delivers both without complex Kibana alert configuration. Size your Elasticsearch/OpenSearch storage from log volume and retention: a server generating 100MB/day of logs with 90-day retention is ~9GB of raw log per server before index overhead and any replica shards, so budget above that, and configure index rotation and retention (System > Indices) so old indices are actually deleted rather than left to fill the disk.
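Before encoding the "more than 10 failed SSH logins in 5 minutes from one IP" rule as a Graylog event definition, it helps to run the same logic locally and see what it would fire on. The script below is an added example, not from this page or from Graylog: an awk sliding-window counter over constructed sshd log lines (the sample data is made up for this example). It generalizes the rule to any threshold and window length.

```sh
#!/bin/sh
# Added example (not from the page or from Graylog): the "more than N failed SSH
# logins in W seconds from one IP" rule, run locally over constructed sshd lines
# so you can see what such an alert matches. The log lines below are made up.

SAMPLE_AUTH_LOG='Jan 12 10:00:00 web1 sshd[4090]: Failed password for root from 10.0.0.6 port 40001 ssh2
Jan 12 10:00:01 web1 sshd[4101]: Failed password for root from 10.0.0.5 port 50001 ssh2
Jan 12 10:00:04 web1 sshd[4103]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2
Jan 12 10:00:09 web1 sshd[4105]: Failed password for root from 10.0.0.5 port 50003 ssh2
Jan 12 10:00:15 web1 sshd[4107]: Failed password for invalid user test from 10.0.0.5 port 50004 ssh2
Jan 12 10:00:22 web1 sshd[4109]: Failed password for root from 10.0.0.5 port 50005 ssh2
Jan 12 10:00:30 web1 sshd[4120]: Accepted publickey for deploy from 10.0.0.9 port 51000 ssh2
Jan 12 10:00:31 web1 sshd[4111]: Failed password for root from 10.0.0.5 port 50006 ssh2
Jan 12 10:00:40 web1 sshd[4113]: Failed password for invalid user oracle from 10.0.0.5 port 50007 ssh2
Jan 12 10:00:52 web1 sshd[4115]: Failed password for root from 10.0.0.5 port 50008 ssh2
Jan 12 10:01:03 web1 sshd[4117]: Failed password for root from 10.0.0.5 port 50009 ssh2
Jan 12 10:01:17 web1 sshd[4119]: Failed password for invalid user pi from 10.0.0.5 port 50010 ssh2
Jan 12 10:01:30 web1 sshd[4121]: Failed password for root from 10.0.0.5 port 50011 ssh2
Jan 12 10:02:00 web1 sshd[4130]: Failed password for root from 10.0.0.6 port 40002 ssh2
Jan 12 10:04:00 web1 sshd[4140]: Failed password for root from 10.0.0.6 port 40003 ssh2
Jan 12 10:06:00 web1 sshd[4150]: Failed password for root from 10.0.0.6 port 40004 ssh2
Jan 12 10:08:00 web1 sshd[4160]: Failed password for root from 10.0.0.6 port 40005 ssh2
Jan 12 10:10:00 web1 sshd[4170]: Failed password for root from 10.0.0.6 port 40006 ssh2
Jan 12 10:12:00 web1 sshd[4180]: Failed password for root from 10.0.0.6 port 40007 ssh2
Jan 12 10:14:00 web1 sshd[4190]: Failed password for root from 10.0.0.6 port 40008 ssh2
Jan 12 10:16:00 web1 sshd[4200]: Failed password for root from 10.0.0.6 port 40009 ssh2
Jan 12 10:18:00 web1 sshd[4210]: Failed password for root from 10.0.0.6 port 40010 ssh2
Jan 12 10:20:00 web1 sshd[4220]: Failed password for root from 10.0.0.6 port 40011 ssh2'

# ssh_bruteforce_ips [THRESHOLD] [WINDOW_SECONDS]
# Reads syslog-format sshd lines on stdin (time-ordered per IP, as a log file is)
# and prints each source IP the first time it exceeds THRESHOLD (default 10)
# "Failed password" events inside a sliding WINDOW (default 300 s). Only the
# HH:MM:SS field is used, so day boundaries are ignored. Per IP the timestamps
# form a queue: new events are appended, events older than the window are
# dropped from the head, and the queue length is the count in the window.
ssh_bruteforce_ips() {
    awk -v threshold="${1:-10}" -v window="${2:-300}" '
        / sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++; at[ip, n[ip]] = ts                     # append to the queue
            if (!(ip in head)) head[ip] = 1
            while (at[ip, head[ip]] < ts - window) head[ip]++   # expire old events
            if (n[ip] - head[ip] + 1 > threshold && !(ip in flagged)) {
                flagged[ip] = 1
                printf "%s %d failures within %ds\n", ip, n[ip] - head[ip] + 1, window
            }
        }'
}

# Demonstration on the constructed sample (no Graylog needed): 10.0.0.5 trips
# the rule with 11 failures in 90 s; 10.0.0.6 also has 11 failures, but spread
# over 20 minutes, so it never has more than 3 inside any 5-minute window.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_ips 10 300
```

The second host is the reason the window matters: a plain per-IP count over the whole file would flag both addresses, while the windowed rule, like Graylog's aggregation over a search window, flags only the burst. Widen the window (for example 1800 s) and 10.0.0.6 is caught too, which is what a slow-and-low scan looks like.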

FAQ

Is Graylog Setup important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.

Need help with Ubuntu administration?

Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.
