
This guide walks you through setting up a fully-functional Graylog 4.3 server on Ubuntu 21, starting with the prerequisites: OpenJDK 11, MongoDB 4.x, and Elasticsearch 7.10. It then explains how to install each component, enable the services, add the official Graylog APT repository, and pull in the graylog-server package. After installation you edit the key configuration settings (generating a password secret, hashing the admin password, and setting the HTTP bind address) and restart the service. The final steps cover opening port 9000 in UFW, testing the web UI, and troubleshooting pointers such as checking the log files and watching disk usage to prevent Elasticsearch connection failures.



Install Graylog Server on Ubuntu 21

You’ll learn how to get a fully‑functional Graylog server up and running on Ubuntu 21, from installing Java and Elasticsearch all the way to tweaking the graylog.conf file so your logs start flowing into the web UI.

Prerequisites: Java, MongoDB, Elasticsearch

Graylog depends on three heavier services: a Java runtime to execute it, MongoDB for its configuration state, and Elasticsearch for the log data itself. If any one of them is missing or the wrong version, graylog-server fails during startup.

1. OpenJDK 11 – the runtime Graylog 4.x is built and tested against.

   sudo apt install -y openjdk-11-jre-headless

The Java runtime is what actually executes the Graylog code. A runtime older than the one the release was compiled for fails with errors like “UnsupportedClassVersionError”, so confirm that java -version reports 11 before going on.

2. MongoDB 4.x – Stores users, streams, inputs and the rest of Graylog’s configuration.

   wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-4.2.gpg
   echo "deb [signed-by=/usr/share/keyrings/mongodb-4.2.gpg] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list
   sudo apt update && sudo apt install -y mongodb-org

Two details matter here. The signing key must match the repository (the 4.2 key for the 4.2 repo, not the 4.0 one), and MongoDB publishes no packages for Ubuntu 21.x, so the focal (20.04) repository is used; it installs cleanly because 21.x still ships libssl1.1. Storing the key under /usr/share/keyrings and binding it with signed-by limits it to this one repository, whereas the deprecated apt-key would have it trusted for every repository on the system. Graylog connects to MongoDB while it boots; if mongod isn’t running, server.log fills with MongoDB connection timeouts and the service never finishes starting.

3. Elasticsearch 7.x – The search engine behind the UI, and the one component that must be version-pinned.

   wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-7.x.gpg
   echo "deb [signed-by=/usr/share/keyrings/elastic-7.x.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
   sudo apt update && sudo apt install -y elasticsearch=7.10.2
   sudo apt-mark hold elasticsearch

Elasticsearch holds the actual log data. Graylog 4.x supports Elasticsearch 6.8 and 7.10 (and OpenSearch 1.x), not 7.11 or later: an unpinned apt install pulls the newest 7.x package, which Graylog rejects at startup as an unsupported version. Pin 7.10.2 and hold the package so a routine apt upgrade can’t move it. Before starting Elasticsearch, set cluster.name to graylog and action.auto_create_index to false in /etc/elasticsearch/elasticsearch.yml; Graylog expects both. If Elasticsearch isn’t running when Graylog starts, you’ll get the dreaded “Cannot connect to Elasticsearch” message in server.log and nothing gets indexed.

After installing each package, reload systemd (the Elasticsearch package adds a new unit and does not start it) and then enable and start both services. Note that the MongoDB unit is called mongod, not mongodb:

sudo systemctl daemon-reload
sudo systemctl enable --now mongod.service
sudo systemctl enable --now elasticsearch.service

Confirm both are up with systemctl status mongod elasticsearch before moving on. Both services are memory-hungry once you ingest real traffic, so keep an eye on RAM and on the Elasticsearch heap if you’re watching the logs in real time.
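The prerequisite steps above fail silently in three ways (an unpinned 7.x Elasticsearch, a missed elasticsearch.yml setting, a mongod unit that never came up), so here is a preflight script that checks them before graylog-server is started for the first time. It is an added example, not code from this guide or from the Graylog project. It assumes Elasticsearch answers on http://127.0.0.1:9200 and that elasticsearch.yml is at the Debian package’s default path (both can be overridden on the command line), and it encodes Graylog 4.x’s Elasticsearch compatibility as 6.8.x and 7.10.x only.

```shell
#!/usr/bin/env bash
# Preflight for a single-node Graylog 4.3 host: added example, not code from the
# guide or from the Graylog project. Assumes Elasticsearch answers on
# http://127.0.0.1:9200 and elasticsearch.yml sits at the Debian package path;
# both can be overridden on the command line.
set -u

# Major version from the first line of `java -version`
# ("11.0.16" -> 11, "1.8.0_292" -> 8).
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# "number" field from the JSON that GET / on Elasticsearch returns.
es_version_from_json() {
  printf '%s' "$1" | tr -d '\n ' | sed -n 's/.*"number":"\([0-9.]*\)".*/\1/p'
}

# Graylog 4.x indexes only into Elasticsearch 6.8.x or 7.10.x; anything newer
# is refused at startup. Exit status 0 means the version is accepted.
es_version_supported() {
  case "$1" in
    6.8.*|7.10.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Value of "key: value" in a YAML-style file, skipping commented-out lines.
yml_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
    | tail -n 1 | sed 's/[[:space:]]*$//'
}

# The two elasticsearch.yml settings Graylog expects. Returns the number of
# problems found, so 0 means the file is acceptable.
check_es_yml() {
  problems=0
  [ "$(yml_value "$1" cluster.name)" = "graylog" ] \
    || { echo "cluster.name is not 'graylog'"; problems=$((problems + 1)); }
  [ "$(yml_value "$1" action.auto_create_index)" = "false" ] \
    || { echo "action.auto_create_index is not false"; problems=$((problems + 1)); }
  return "$problems"
}

# Run every check against the live host; only called with the "run" argument.
preflight() {
  es_url="${1:-http://127.0.0.1:9200}"
  es_yml="${2:-/etc/elasticsearch/elasticsearch.yml}"
  rc=0
  jv=$(java_major "$(java -version 2>&1)")
  [ "$jv" = "11" ] || { echo "java major version is '$jv', guide expects OpenJDK 11"; rc=1; }
  if json=$(curl -fsS "$es_url"); then
    ver=$(es_version_from_json "$json")
    if es_version_supported "$ver"; then echo "Elasticsearch $ver: supported"
    else echo "Elasticsearch $ver: not supported by Graylog 4.x"; rc=1; fi
  else
    echo "Elasticsearch not reachable at $es_url"; rc=1
  fi
  check_es_yml "$es_yml" || rc=1
  systemctl is-active --quiet mongod || { echo "mongod is not running"; rc=1; }
  return "$rc"
}

case "${1:-}" in
  run) preflight "${2:-}" "${3:-}" ;;
esac
```

Run it on the host as bash graylog-preflight.sh run (the file name is mine); a non-zero exit means at least one line above it explains what to fix. The check functions take strings or files rather than talking to the network themselves, so they can also be tried against a saved curl http://127.0.0.1:9200 response and a copy of elasticsearch.yml.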

Add the Graylog APT Repository

Install the repository definition package so graylog-server and its updates come from the official source:

wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
sudo dpkg -i graylog-4.3-repository_latest.deb
sudo apt update

The “latest” in the file name refers to the newest build of the repository package itself, not to Graylog: this package enables the 4.3 release line, and apt install graylog-server gives you the current 4.3.x build. To run a different major version, install that version’s repository package instead (graylog-5.0-repository_latest.deb for the 5.0 line) and check its own requirements first, since the MongoDB and Java requirements differ from what this guide installs.

Install Graylog Packages
sudo apt install -y graylog-server

This installs the server binaries and places the configuration under /etc/graylog/server/. The package also creates a system user named graylog, which is the account graylog-server runs as; MongoDB and Elasticsearch keep running under the accounts their own packages created.

Configure Graylog

Open the main config:

sudo nano /etc/graylog/server/server.conf

Key edits you’ll need to make (and why they matter):

  • password_secret – A random string of at least 64 characters that Graylog uses to pepper stored user passwords and to encrypt the other secrets it keeps in MongoDB. Generate it in the shell (pwgen is in the pwgen package) and paste the output into the file; it is a value, not a shell command, so $(...) means nothing inside server.conf:
  pwgen -N 1 -s 96
  password_secret = <paste the generated string>

Leave it blank and graylog-server refuses to start; make it short or predictable and the credentials it protects are easier to recover from a dumped database. It must be identical on every node of a cluster, and changing it later invalidates sessions and the encrypted values already stored.

  • root_password_sha2 – SHA-256 hash of the password for the built-in admin user (the key is root_password_sha2, not root_password_hash). Compute the hash and paste it in:
  echo -n "YourStrongPassword" | sha256sum | awk '{print $1}'
  root_password_sha2 = <paste the 64-character hex digest>

Graylog does not store the plain-text password; it compares the hash. The echo line puts the password into your shell history, so delete that history entry afterwards, or read the password into a variable with read -rs and pipe that into sha256sum instead.

  • elasticsearch_shards and elasticsearch_replicas – Applied to the default index set the first time Graylog starts; index sets created later get their own values in the UI.

On a single node keep elasticsearch_replicas = 0: there is no second node to hold a replica, and a non-zero value leaves the index health yellow for good.

  • http_bind_address – The address the web UI and REST API listen on. The shipped default is 127.0.0.1:9000, which is why a fresh install is unreachable from other hosts.
  http_bind_address = 0.0.0.0:9000

0.0.0.0 listens on every interface over plain HTTP, so the admin credentials and session cookie cross the network in the clear. Prefer binding to one specific address, or keep the loopback default, put a TLS-terminating reverse proxy in front, and set http_external_uri to the proxy’s public URL so the web interface knows where to reach the API.

Graylog reads server.conf only at startup. sudo systemctl daemon-reload reloads systemd’s own unit files and does nothing for Graylog’s configuration; after editing, restart the service with sudo systemctl restart graylog-server.service (once it has been enabled in the next step).
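The config edits above as one script: it generates the secret, hashes the admin password without putting it on a command line, and writes the values into server.conf, rewriting the shipped or commented-out line for each key instead of appending a duplicate. This is an added example, not code from the guide or from Graylog. It assumes the Debian package path /etc/graylog/server/server.conf and GNU sed, as on Ubuntu; the loopback bind address it writes by default is the right choice when a reverse proxy will sit in front.

```shell
#!/usr/bin/env bash
# Fill in the server.conf settings that must not keep their shipped values.
# Added example, not part of the original guide or of Graylog. Assumes the
# Debian package layout (/etc/graylog/server/server.conf) and GNU sed.
set -u

# 96 characters of [A-Za-z0-9] from the kernel RNG; Graylog wants at least 64.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# SHA-256 hex digest of a password read from stdin. Reading stdin instead of
# an argument keeps the password out of shell history and `ps` output; a
# trailing newline, if any, is not part of what is hashed.
hash_password() {
  pw=""
  IFS= read -r pw || [ -n "$pw" ] || return 1   # read fails on EOF without newline; accept that
  printf '%s' "$pw" | sha256sum | awk '{print $1}'
}

# Set "key = value" in server.conf: rewrite the first existing line for that
# key (live or commented out) or append when the key is absent. The value
# must not contain '|' or '&', which sed would interpret.
set_conf_key() {
  file="$1" key="$2" value="$3"
  re="^[[:space:]]*#?[[:space:]]*$key[[:space:]]*="
  if grep -Eq "$re" "$file"; then
    sed -i -E "0,/$re/ s|$re.*|$key = $value|" "$file"   # 0,/re/: first match only (GNU sed)
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Read the live (uncommented) value of a key back, for verification.
get_conf_key() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# $1: path to server.conf, $2: optional bind address (default stays on loopback)
configure() {
  conf="$1"; bind="${2:-127.0.0.1:9000}"
  set_conf_key "$conf" password_secret "$(gen_secret)"
  # -s: no echo. The plaintext is hashed in a pipe and never reaches the file.
  IFS= read -rs -p 'Password for the built-in admin user: ' pw; echo
  set_conf_key "$conf" root_password_sha2 "$(printf '%s' "$pw" | hash_password)"
  unset pw
  set_conf_key "$conf" http_bind_address "$bind"
  set_conf_key "$conf" elasticsearch_replicas 0   # single node: nowhere to put a replica
  echo "wrote password_secret, root_password_sha2, http_bind_address=$bind, elasticsearch_replicas=0 to $conf"
}

# Only act when given a config path; sourcing the file just defines the functions.
if [ $# -ge 1 ]; then
  configure "$@"
fi
```

Try it on a copy first: cp /etc/graylog/server/server.conf /tmp/server.conf, run bash graylog-configure.sh /tmp/server.conf (the script name is mine), and diff the two files. Run it against the real file with sudo, passing a bind address as the second argument only when Graylog genuinely has to listen on a non-loopback interface.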

Enable and Start Services

Graylog connects to MongoDB and Elasticsearch while it boots, so both must already be running (the prerequisites section started them) before you bring up the server:

sudo systemctl enable --now graylog-server.service

If server.log reports that it cannot bind to port 9000, another process already owns the port; find it with sudo ss -ltnp 'sport = :9000' or sudo lsof -i :9000.

A real scenario I ran into: I had Elasticsearch running but not fully synced; when Graylog started, it kept spamming the logs with “Cannot connect to Elasticsearch” until I manually restarted the ES service after a sudden disk full error. Lesson learned—always keep an eye on disk usage on your /var/lib/elasticsearch partition.

Open Firewalls & Test the Web UI

If UFW is active, open port 9000. The rule below allows it from anywhere; on anything but a lab box, use ufw’s allow from <management subnet> to any port 9000 proto tcp form instead so only your admin network can reach the UI and API:

sudo ufw allow 9000/tcp

Now point a browser to http://your‑server:9000 and log in as admin with the password you hashed earlier. Until a TLS proxy is in front, that login travels over plain HTTP, so do it from a trusted network. If the dashboard loads and you can create streams, congratulations: you just built your own log aggregator.

If something still isn’t working:

  • Check /var/log/graylog-server/server.log for error messages.
  • Run systemctl status graylog-server.service to see why the service is stuck.
  • Verify that MongoDB and Elasticsearch are healthy: systemctl status mongod elasticsearch, and curl -s http://127.0.0.1:9200/_cluster/health should report a status of green or yellow.

That’s all the heavy lifting you need; after this, your log data will start rolling into Graylog in real time, ready for filtering, alerting, and dashboards.