Graylog2 rocks; however, the install instructions leave much to be desired, simply because they don’t mention any of the other required services or how those services should be set up.

I’m here to help.

This writeup is written for Ubuntu 10.04; however, if you’re installing Graylog2, I assume you know how to install packages on your Linux distribution of choice.

First, we’re going to need all the prerequisite libraries and servers: MongoDB, Elasticsearch, and the Java JDK.
Here are some links that helped me:
mongodb ppa instructions for Ubuntu
Mongo user creation.

wget https://github.com/downloads/Graylog2/graylog2-server/graylog2-server-0.9.6.tar.gz
wget https://github.com/downloads/Graylog2/graylog2-web-interface/graylog2-web-interface-0.9.6.tar.gz
tar -xzf graylog2-server-0.9.6.tar.gz
tar -xzf graylog2-web-interface-0.9.6.tar.gz
cp graylog2-server-0.9.6/graylog2.conf.example /etc/graylog2.conf
mv graylog2-server-0.9.6 /opt/graylog2-server
mv graylog2-web-interface-0.9.6 /opt/graylog2-web-interface
 
# needed to compile ruby
apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion libcurl4-openssl-dev
# getting ruby for the web interface: system-wide RVM install
# (assumed: this is the stock RVM installer line of the time; the original post
#  had the mongodb docs URL pasted here by mistake)
bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
# the nginx.conf below expects ruby-1.9.2-p290 under /usr/local/rvm (rvm install 1.9.2-p290)
 
# the default ubuntu mongodb is horribly broken
apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10
echo "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" >> /etc/apt/sources.list
apt-get update && apt-get install mongodb-10gen -y
 
# bind only on the localhost
echo "bind_ip = 127.0.0.1" >> /etc/mongodb.conf
/etc/init.d/mongodb restart
 
# elasticsearch
wget https://github.com/downloads/elasticsearch/elasticsearch/elasticsearch-0.19.0.deb
dpkg -i ./elasticsearch-0.19.0.deb
 
# only bind to localhost
echo "network.bind_host: 127.0.0.1" >> /etc/elasticsearch/elasticsearch.yml
 
# possibly necessary, if you start to get the "out of file descriptors" error in
# /var/log/elasticsearch/elasticsearch.log
echo "fs.file-max = 100000" >> /etc/sysctl.conf
sysctl -p

Elasticsearch should be reasonably configured from the start for our purposes.

Setting up the MongoDB user and database (yes, I know, 123, but it’s the default, and MongoDB should only be listening on localhost):

$ ./mongo
use admin
db.addUser("theadmin", "anadminpassword")
db.auth("theadmin","anadminpassword")
use graylog2
db.addUser("grayloguser","123")

You’ll also want to specify these values explicitly in the Mongoid configuration file of the web interface. In /opt/graylog2-web-interface/config/mongoid.yml add these values and delete the other production values.

# or specify values manually
production:
   host: localhost
   port: 27017
   username: grayloguser
   password: 123
   database: graylog2

The nginx upstart script:

# nginx
 
description "nginx http daemon"
start on (filesystem and net-device-up IFACE=lo)
stop on runlevel [!2345]
 
env DAEMON=/opt/nginx/sbin/nginx
env PID=/opt/nginx/logs/nginx.pid
 
expect fork
respawn
 
pre-start script
    # test the configuration first and abort the job if it is broken
    # (the original "if [ $? -ne 0 ]; then exit $?" always exited 0, because
    #  $? had already been replaced by the result of the [ test itself)
    $DAEMON -t || exit 1
end script
 
post-stop script
    start-stop-daemon --stop --pidfile $PID --name nginx --exec $DAEMON --signal TERM
end script

And this is what your /opt/nginx/conf/nginx.conf should look like:

#user  nobody;
worker_processes  1;
 
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
 
pid        logs/nginx.pid;
 
events {
    worker_connections  1024;
}
 
http {
    passenger_root /opt/graylog2-web-interface/vendor/ruby/1.9.1/gems/passenger-3.0.10;
    passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.2-p290/ruby;
 
    include       mime.types;
    default_type  application/octet-stream;
 
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
 
    #access_log  logs/access.log  main;
 
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
 
    gzip  on;
 
    server {
        listen 80;
        server_name graylog2.headliner.fm;
        root /opt/graylog2-web-interface/public;   # the Rails app's public directory
        passenger_enabled on;   # assumed: needed for Passenger to serve the app (the original config was cut off here)
    }
}

I used this upstart script for graylog2-server; copy and paste it into your /etc/init files (it’s late; if you need the exact commands, write a comment…)

Now, for the magic:

/etc/init.d/mongodb start
/etc/init.d/elasticsearch start
service graylog2-server start
service nginx start

And you’re off.
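Since the bind_ip and network.bind_host lines above are simply appended to the config files, it is worth confirming that mongod and Elasticsearch really ended up on the loopback address only once everything is running. The check below is an added example, not part of the original post: it parses netstat -lnt output, with a constructed sample embedded so it runs offline; on the real box pipe the live output in with `netstat -lnt | loopback_only 27017`.

```shell
#!/bin/sh
# Verify that the backends this writeup binds to localhost (mongod on 27017,
# elasticsearch on 9200/9300) are not listening on any other address.
# loopback_only PORT  reads "netstat -lnt" output on stdin and succeeds only if
# every LISTEN socket on PORT is on 127.0.0.1 or ::1 (it also fails if nothing
# listens on PORT at all, so a stopped service is caught too).
loopback_only() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == p) {
                seen = 1
                if (addr != "127.0.0.1" && addr != "::1") {
                    bad = 1
                    print "port " p " exposed on " $4
                }
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed sample output: mongod and the ES transport port are fine, but
# elasticsearch's HTTP port is still on all interfaces (bind_host not applied).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9200            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9300          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

# Check all three backend ports against the sample; returns 1 if any of them is
# reachable beyond localhost (port 80 is nginx and is meant to be public).
audit_sample() {
    rc=0
    for port in 27017 9200 9300; do
        if printf '%s\n' "$SAMPLE" | loopback_only "$port"; then
            echo "port $port: loopback only"
        else
            rc=1
        fi
    done
    return $rc
}

audit_sample || echo "fix the flagged ports (bind_ip / network.bind_host) and restart the service"
```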