This guide describes the recommended way to install Graylog on Debian Linux 10 (Buster) and 11 (Bullseye). All links and packages are present at the time of writing.

Prerequisites

Graylog 5.2 requires the following to maintain compatibility with its software dependencies: 

• OpenJDK 17 (This is embedded in Graylog and does not need to be separately installed.)
• OpenSearch 1.x, 2.x or Elasticsearch 7.10.2
• MongoDB 5.x or 6.x (This requires a CPU with AVX instructions. Confirm that your CPU supports AVX and in virtual environments that the AVX instruction set is presented to the hypervisor.)
• Review the version notes specific to your preferred version of Graylog for additional guidance on installing and configuring your Graylog instance.

Server Timezone

To set a specific time zone on the Graylog server, you can use the following command. (For more information on setting a time zone, we recommend this blog post.)

sudo timedatectl set-timezone UTC

MongoDB

Graylog 5.2 is compatible with MongoDB 5.x-6.x.

MongoDB recommends you disable Transparent Huge Pages: Disable Transparent Huge Pages (THP). (To install MongoDB on Debian, the official MongoDB documentation provides a helpful tutorial.)

The official MongoDB repository provides the most up-to-date version and is the recommended way of installing MongoDB:

1. Install the cryptographic libraries required for the repository keys.

sudo apt-get install gnupg

2. Import the key.

wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -

3. Add the Debian repo to the APT list.

For Debian 10:

echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

For Debian 11:

echo "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/6.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list

4. Update repository package.

sudo apt-get update

5. Install the latest stable version of MongoDB.

sudo apt-get install -y mongodb-org

6. The final step is to enable MongoDB during the operating system’s start up.

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl --type=service --state=active | grep mongod

OpenSearch

If you are using OpenSearch as your data node, then follow the steps below to install OpenSearch.

The recommended method of installation is to follow the user documentation provided by the OpenSearch service.

1. Install the necessary packages.

sudo apt-get update && sudo apt-get -y install lsb-release ca-certificates curl gnupg2

2. Import the OpenSearch GPG key. This key is used to validate signatures of packages from the OpenSearch software repository.

curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring

3. Create an APT repository for OpenSearch.

echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list

4. Verify that the repository was created successfully.

sudo apt-get update

5. With the repository information added, list all available versions of OpenSearch:

sudo apt list -a opensearch

6. Choose the version of OpenSearch you want to install. Unless otherwise indicated, the latest available version of OpenSearch is installed.

sudo OPENSEARCH_INITIAL_ADMIN_PASSWORD=$(tr -dc A-Z-a-z-0-9_@#%^-_=+ < /dev/urandom  | head -c${1:-32}) apt-get install opensearch

To install a specific version of OpenSearch, specify the version manually using opensearch=<version>.

sudo OPENSEARCH_INITIAL_ADMIN_PASSWORD=$(tr -dc A-Z-a-z-0-9_@#%^-_=+ < /dev/urandom  | head -c${1:-32}) apt-get install opensearch=2.12.0

Graylog Configuration for OpenSearch

1. Begin by opening the yml file.

sudo nano /etc/opensearch/opensearch.yml

2. Update the following fields for a minimum unsecured running state (single node).

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
discovery.type: single-node
network.host: 0.0.0.0
action.auto_create_index: false
plugins.security.disabled: true
indices.query.bool.max_clause_count: 32768

3. Enable JVM options.

sudo nano /etc/opensearch/jvm.options

4. Now, update the Xms and Xmx settings with half of the installed system memory, like shown in the example below.

## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://opensearch.org/docs/opensearch/install/important-settings/
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms1g
-Xmx1g

5. Configure the kernel parameters at runtime.

sudo sysctl -w vm.max_map_count=262144
sudo echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

6. Enable OpenSearch to start during operating system’s startup and verify it is running.

sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service
sudo systemctl status opensearch

Elasticsearch

Elasticsearch 7.10.2 is the only version that is compatible with Graylog 5.2; however, we recommend OpenSearch for new Graylog cluster installations.

The following commands will begin the installation of the open-source version of Elasticsearch. See the Elasticsearch install page for more detailed instructions.

1. First, install the Elasticsearch GPG key.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

2. Then add the repository file /etc/apt/sources.list.d/elastic-7.x.list with the following command:

echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

3. And then install the 7.10.2 release with the following commands:

sudo apt-get update && sudo apt-get install elasticsearch=7.10.2

4. Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml), set the cluster name to graylog, and uncomment action.auto_create_index: false to enable the action.

echo "cluster.name: graylog
action.auto_create_index: false" | sudo tee /etc/elasticsearch/elasticsearch.yml

5. After you have modified the configuration, you can start Elasticsearch.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch

Graylog Configuration for Elasticsearch

1. Modify the Elasticsearch configuration file (/etc/elasticsearch/elasticsearch.yml), set the cluster name to graylog, and uncomment action.auto_create_index: false to enable the action.

echo "cluster.name: graylog
action.auto_create_index: false" | sudo tee /etc/elasticsearch/elasticsearch.yml

2. After you have modified the configuration, you can start Elasticsearch and verify it is running.

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl restart elasticsearch.service

Graylog

Now install the Graylog repository configuration and Graylog Open itself with the following commands.

wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

If you are installing Graylog Operations, then you will use the following commands.

wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb
sudo dpkg -i graylog-5.2-repository_latest.deb
sudo apt-get install graylog-enterprise

Edit the Configuration File

Read the instructions within the configurations file and edit as needed, located at /etc/graylog/server/server.conf. Additionally, add password_secret and root_password_sha2 as these are mandatory and Graylog will not start without them.

1. To create your password_secret, run the following command.

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;

2. To generate a root_password_sha2:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

3. To be able to connect to Graylog, you should set http_bind_address to the public host name or a public IP address for the machine with which you can connect. More information about these settings can be found in Configuring the Web Interface.

4. It is necessary in Graylog 5.2 to manually adjust the elasticsearch_hosts setting to include a list of comma-separated URIs to one or more valid Elasticsearch/OpenSearch nodes. A sample specification may look as follows:

elasticsearch_hosts = http://es-node-1.example.org:9200/foo,https://someuser:somepassword@es-node-2.example.org:19200

5. The last step is to enable Graylog during the operating system’s start up and verify it is running.

sudo systemctl daemon-reload
sudo systemctl enable graylog-server
sudo systemctl start graylog-server
sudo systemctl --type=service --state=active | grep graylog

Getting Started

Now that you have installed Graylog, you can review your initial configuration settings and connect to the web interface!

Multiple Server Setup

If you plan to have multiple servers delegating different roles in your cluster like we have in this big production setup, then you need to modify a few settings. This is covered in our Multi-Node Setup Guide. The default file location guide will give you the file you need to modify in your setup.