Graylog2 rocks; however, the install instructions leave much to be desired, simply because they don’t mention any of the other required services or how those services should be set up.
I’m here to help.
This writeup is written for Ubuntu 10.04; however, if you’re installing graylog, I assume you know how to install packages on your linux distribution of choice.
First, we’re going to need all the prerequisite libraries and servers: mongo, elasticsearch, and the java jdk.
Here are some links that helped me:
mongodb ppa instructions for Ubuntu
Mongo user creation.
```sh
wget https://github.com/downloads/Graylog2/graylog2-server/graylog2-server-0.9.6.tar.gz
wget https://github.com/downloads/Graylog2/graylog2-web-interface/graylog2-web-interface-0.9.6.tar.gz
tar -xzf graylog2-server-0.9.6.tar.gz
tar -xzf graylog2-web-interface-0.9.6.tar.gz
cp graylog2-server-0.9.6/graylog2.conf.example /etc/graylog2.conf
mv graylog2-server-0.9.6 /opt/graylog2-server
mv graylog2-web-interface-0.9.6 /opt/graylog2-web-interface

# needed to compile ruby
apt-get install build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion libcurl4-openssl-dev

# getting ruby for the web interface: system-wide rvm install. The original line here was
# garbled together with the mongodb link; this is the standard rvm installer invocation.
curl -L get.rvm.io | bash -s stable
# the ruby version is assumed from the passenger_ruby path in nginx.conf further down
. /etc/profile.d/rvm.sh
rvm install 1.9.2-p290 && rvm use 1.9.2-p290 --default

# the default ubuntu mongodb is horribly broken, use the 10gen repository instead
apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10
echo "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" >> /etc/apt/sources.list
apt-get update && apt-get install mongodb-10gen -y
# bind only on the localhost
echo "bind_ip = 127.0.0.1" >> /etc/mongodb.conf
/etc/init.d/mongodb restart

# elasticsearch
wget https://github.com/downloads/elasticsearch/elasticsearch/elasticsearch-0.18.7.tar.gz
tar -xzf elasticsearch-0.18.7.tar.gz
mkdir -p /data/elasticsearch/data
mv elasticsearch-0.18.7 /usr/share/elasticsearch
mkdir -p /etc/elasticsearch
cp /usr/share/elasticsearch/config/elasticsearch.yml /etc/elasticsearch/
# only bind to localhost
echo "network.bind_host: 127.0.0.1" >> /etc/elasticsearch/elasticsearch.yml
```
Here is the upstart script for elasticsearch, from here (written by Tobias McNulty), slightly modified.
```
# ElasticSearch Service
description "ElasticSearch"

start on (net-device-up and local-filesystems and runlevel [2345])
stop on runlevel [016]

respawn
respawn limit 10 5

env ES_HOME=/usr/share/elasticsearch
env ES_MIN_MEM=256m
env ES_MAX_MEM=2g
# upstart does not expand variables inside env stanzas, so spell the path out
env DAEMON=/usr/share/elasticsearch/bin/elasticsearch
env DATA_DIR=/data/elasticsearch/data
env CONFIG_DIR=/etc/elasticsearch
# these two were used but never set in the original script; pick your own locations
env LOG_DIR=/var/log/elasticsearch
env WORK_DIR=/tmp/elasticsearch

console output

script
    if [ -f /etc/default/elasticsearch ]; then
        . /etc/default/elasticsearch
    fi
    # runs as the unprivileged elasticsearch user, which the install above does not
    # create: adduser --system --group --no-create-home elasticsearch, then make it
    # the owner of /data/elasticsearch and LOG_DIR/WORK_DIR.
    # The binary lives in the tarball under ES_HOME, not in /usr/bin.
    su -s /bin/dash -c "$DAEMON -f -Des.path.conf=$CONFIG_DIR -Des.path.home=$ES_HOME -Des.path.logs=$LOG_DIR -Des.path.data=$DATA_DIR -Des.path.work=$WORK_DIR" elasticsearch
end script
```
Setting up the mongodb user and database (yes, I know, 123, but it’s the default, and mongodb should only be listening on localhost.)
```
$ mongo
use admin
db.addUser("theadmin", "anadminpassword")
db.auth("theadmin","anadminpassword")
use graylog2
db.addUser("grayloguser","123")
// note: mongod only checks these credentials when it is started with
// auth = true in /etc/mongodb.conf; until then the 127.0.0.1 binding above
// is the only thing keeping other hosts out of the database.
```
You’ll also want to specify these values explicitly in the mongoid configuration file of the web interface. In /opt/graylog2-web-interface/config/mongoid.yml add these values, and delete the other production values.
```yaml
# or specify values manually
production:
  host: localhost
  port: 27017
  username: grayloguser
  password: "123"   # quoted so YAML keeps it a string rather than parsing it as an integer
  database: graylog2
```
The nginx upstart script (it assumes nginx with the passenger module installed under /opt/nginx, which is where passenger-install-nginx-module puts it by default):
```
# nginx
description "nginx http daemon"

start on (filesystem and net-device-up IFACE=lo)
stop on runlevel [!2345]

env DAEMON=/opt/nginx/sbin/nginx
env PID=/opt/nginx/logs/nginx.pid

expect fork
respawn

pre-start script
    # refuse to start on a broken config and pass the config test's own exit status up
    # (the original checked $? after the [ ] test, which is always 0 at that point)
    $DAEMON -t || exit $?
end script

# the original job had no main stanza, so upstart never actually launched nginx
exec $DAEMON

post-stop script
    start-stop-daemon --stop --pidfile $PID --name nginx --exec $DAEMON --signal TERM
end script
```
And this is what your /opt/nginx/conf/nginx.conf should look like:
```nginx
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    passenger_root /opt/graylog2-web-interface/vendor/ruby/1.9.1/gems/passenger-3.0.10;
    passenger_ruby /usr/local/rvm/wrappers/ruby-1.9.2-p290/ruby;

    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  on;

    server {
        listen       80;
        server_name  graylog2.headliner.fm;
        root         /opt/graylog2-web-interface/public;
        # the listing is cut off after the root line; passenger_enabled is what
        # actually hands the rails app to passenger and is assumed here
        passenger_enabled on;
    }
}
```
I used this upstart script for the graylog2-server; copy and paste it into your /etc/init directory (it’s late, if you need the exact commands, write a comment…)
Now, for the magic:
```sh
/etc/init.d/mongodb start
service elasticsearch start
service graylog2-server start
service nginx start
```
and you’re off.
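Once everything is up, it is worth checking that the two bind_ip / network.bind_host lines above actually took effect and mongod and elasticsearch are only reachable on the loopback interface. The check below is an added example, not part of the original post; it assumes elasticsearch's default ports 9200 and 9300 and mongod's 27017, treats port 80 (nginx) as intentionally public, and reads `netstat -tln` or `ss -tln` output.

```shell
#!/bin/sh
# Verify that the Graylog2 backends only listen on loopback. Added example, not
# from the original post. Assumed ports: mongod 27017, elasticsearch 9200/9300
# (elasticsearch defaults); port 80 (nginx) is meant to be public and is ignored.
LOCAL_ONLY_PORTS="27017 9200 9300"

# check_listeners: reads `netstat -tln` or `ss -tln` output on stdin, prints one
# line per backend port bound to a non-loopback address, returns 1 if any found.
check_listeners() {
    bad=0
    while read -r f1 recvq sendq laddr peer f6; do
        # LISTEN is column 6 for netstat and column 1 for ss; skip headers and the rest
        case "$f1$f6" in *LISTEN*) ;; *) continue ;; esac
        port=${laddr##*:}
        addr=${laddr%:*}
        case " $LOCAL_ONLY_PORTS " in
            *" $port "*) ;;
            *) continue ;;
        esac
        case "$addr" in
            127.*|::1|\[::1\]) ;;   # loopback only: what the post configures
            *) echo "port $port listens on '$addr' (expected loopback only)"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample (netstat -tln layout), not captured from a real host: mongod
# is bound correctly, but elasticsearch was started without network.bind_host.
sample_listing() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9200            0.0.0.0:*               LISTEN
tcp6       0      0 :::9300                 :::*                    LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
EOF
}

# On the real box: netstat -tln | check_listeners   (ss -tln works the same way)
sample_listing | check_listeners || echo "fix the bindings above and restart the service"
```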

