How To Install Graylog 3.0 on Debian 9


Graylog is a free, open-source log management tool which helps you to collect and analyze any machine logs centrally. This guide focuses on installing Graylog 3.0 on Debian 9.

Components

  1. Elasticsearch – It stores the machine logs and provides the searching facility.
  2. MongoDB – Acts as a database to store configurations and meta information.
  3. Graylog server – It collects the logs from various inputs and provides a built-in web interface for managing the logs.

Prerequisites

Install the few required packages for the Graylog setup.

sudo apt update 
sudo apt install -y apt-transport-https uuid-runtime pwgen curl dirmngr

Install either Oracle JDK or OpenJDK on your machine for Elasticsearch.

sudo apt install -y openjdk-8-jre-headless

Verify the Java version.

java -version

Output:

openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)

Install Elasticsearch

Elasticsearch is one of the main components of a Graylog setup. It acts as a search server, offering real-time distributed search and analytics over a RESTful HTTP interface.

Elasticsearch stores the logs sent by the Graylog server and returns the matching messages whenever a user searches from the built-in web interface.

Let’s add the Elasticsearch GPG signing key.

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Configure the Elasticsearch repository by running the command below.

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Update repository cache and install Elasticsearch.

sudo apt update
sudo apt install -y elasticsearch

Set Elasticsearch to start automatically on the system startup.

sudo systemctl enable elasticsearch

Edit configuration file of Elasticsearch.

sudo nano /etc/elasticsearch/elasticsearch.yml

Set the cluster name as graylog.

cluster.name: graylog

Restart the Elasticsearch service.

sudo systemctl restart elasticsearch

Wait for a minute to let the Elasticsearch get fully started.

Elasticsearch should now be listening on port 9200 for HTTP requests; use curl to check the response.

curl -X GET http://localhost:9200

Ensure that cluster name shows as graylog.

{
  "name" : "11hs8Br",
  "cluster_name" : "graylog",
  "cluster_uuid" : "yX-GubwXSO6p5QYGFccENg",
  "version" : {
    "number" : "6.6.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "3bd3e59",
    "build_date" : "2019-03-06T15:16:26.864148Z",
    "build_snapshot" : false,
    "lucene_version" : "7.6.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Check the health of the Elasticsearch cluster.

curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

Make sure the cluster status is green.

{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
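The two curl checks above (the root document and /_cluster/health) are easy to eyeball once, but on a node you intend to keep you will want them repeatable. The script below is an added example, not part of the guide: it extracts cluster_name and status from those responses and fails unless the cluster is named graylog and is green, treating yellow as the usual single-node symptom of elasticsearch_replicas being greater than 0. The sample responses are constructed; the ES_URL variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the Elasticsearch node Graylog will use.
# es_check_live queries a running node; the constructed SAMPLE_* responses
# let the parsing and decision logic run offline.

ES_URL="${ES_URL:-http://localhost:9200}"

# es_field JSON KEY: print the string value of the first "KEY" : "value" pair.
es_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# es_cluster_ok ROOT_JSON HEALTH_JSON: return 0 when the cluster is named
# "graylog" and its status is green; otherwise print the reason and return 1.
es_cluster_ok() {
    name=$(es_field "$1" cluster_name)
    status=$(es_field "$2" status)
    if [ "$name" != "graylog" ]; then
        echo "cluster_name is '$name', expected 'graylog' (check elasticsearch.yml)" >&2
        return 1
    fi
    case "$status" in
        green) return 0 ;;
        yellow)
            # On a single node this almost always means replicas > 0.
            echo "status is yellow: shards are unassigned, check elasticsearch_replicas" >&2
            return 1 ;;
        *)
            echo "status is '$status'" >&2
            return 1 ;;
    esac
}

# es_check_live: run the same check against the node at ES_URL (needs curl).
es_check_live() {
    root=$(curl -s "$ES_URL") || return 1
    health=$(curl -s "$ES_URL/_cluster/health") || return 1
    es_cluster_ok "$root" "$health"
}

# Constructed sample responses, shaped like the curl output shown in the guide.
SAMPLE_ROOT='{ "name" : "node1", "cluster_name" : "graylog", "version" : { "number" : "6.6.2" } }'
SAMPLE_HEALTH='{ "cluster_name" : "graylog", "status" : "green", "number_of_nodes" : 1 }'
SAMPLE_YELLOW='{ "cluster_name" : "graylog", "status" : "yellow", "number_of_nodes" : 1 }'

if [ "${1:-}" = "--sample" ]; then
    es_cluster_ok "$SAMPLE_ROOT" "$SAMPLE_HEALTH" && echo "sample: cluster ok"
    es_cluster_ok "$SAMPLE_ROOT" "$SAMPLE_YELLOW" || echo "sample: yellow cluster rejected"
elif [ "${1:-}" = "--live" ]; then
    es_check_live && echo "live: cluster ok"
fi
```

Run it with --sample to exercise the constructed responses, or with --live against the node you just started; a non-zero exit is the signal to go back to elasticsearch.yml or to the replica setting before installing Graylog on top of it.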

Install MongoDB

Import the MongoDB’s public key to your system.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4

Add the MongoDB repository to your system by creating the /etc/apt/sources.list.d/mongodb-org-4.0.list file with the following command.

echo "deb http://repo.mongodb.org/apt/debian stretch/mongodb-org/4.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list

Install MongoDB using the following command.

sudo apt update
sudo apt install -y mongodb-org

Start the MongoDB service and enable it in the start-up.

sudo systemctl start mongod
sudo systemctl enable mongod

Install Graylog

The Graylog server accepts and processes the machine logs and serves them to the Graylog web interface on request.

Download and install the Graylog 3.x repository package.

wget https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.deb
sudo dpkg -i graylog-3.0-repository_latest.deb

Update the repository cache.

sudo apt update

Install the Graylog server using the apt command.

sudo apt install graylog-server

Set a secret that Graylog uses to secure stored user passwords. Use the pwgen command to generate one.

pwgen -N 1 -s 96

Output:

AE9RxeSA6BC6OCYh0zciUV7WMucNfodMhsmjYKOaBpWfQCBTzroa9ld7iOjespZjVwh47BIZFYTkeUD9h04uie2bghqrfShX

Edit the server.conf file to begin the graylog configuration.

sudo nano /etc/graylog/server/server.conf

Set password_secret to the generated value, like below.

password_secret = OH9wXpsNZVBA8R5vJQSnkhTB1qDOjCxAh3aE3LvXddtfDlZlKYEyGS24BJAiIxI0sbSTSPovTTnhLkkrUvhSSxodTlzDi5gP

Set a SHA-256 hash of the password for Graylog's root user (the root user of Graylog is admin).

The admin password cannot be changed from the web interface; you must set it by editing this variable.

Replace yourpassword with a password of your choice. You will need this password to log in to the Graylog web interface.

echo -n yourpassword | sha256sum

Output:

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Edit the server.conf again.

sudo nano /etc/graylog/server/server.conf

Place the hash password.

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Set up an email address for the Graylog admin user.

root_email = "itzgeek.web@gmail.com"

Set timezone of root (admin) user.

root_timezone = UTC

Set the master node by defining the below variable. The default setting is true.

is_master = true

If you add a second Graylog server, set this to false on that node to make it a slave node.

The shards setting depends on the number of nodes in the Elasticsearch cluster.

If you have only one Elasticsearch node, set it to 1.

elasticsearch_shards = 1

This setting sets the number of replicas for indices. If you have only one Elasticsearch node in the cluster, set it as 0.

elasticsearch_replicas = 0

Install Graylog web interface

Edit the server.conf file.

sudo nano /etc/graylog/server/server.conf

Set http_bind_address to the address and port the web interface should listen on.

http_bind_address = 192.168.1.10:9000
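The edits from "Set a secret" through http_bind_address above are all "key = value" lines in server.conf, and one of them is worth doing carefully: `echo -n yourpassword | sha256sum` leaves the admin password in your shell history. The script below is an added example, not part of the guide or of Graylog: it applies the same settings with a helper that replaces an existing (or commented-out) line or appends a missing one, and prompts for the password with echo turned off instead of taking it on the command line. The function names, the CONF variable and the constructed sample file are this example's own; it assumes GNU sed, sha256sum and pwgen as used in the guide.

```shell
#!/bin/sh
# Added example: apply the server.conf settings from this section.
# set_conf edits one "key = value" line idempotently; configure_graylog
# applies the whole set. Values with '|' or '&' would need escaping for sed.

CONF="${CONF:-/etc/graylog/server/server.conf}"

# set_conf FILE KEY VALUE: replace an existing "KEY = ..." line (even if
# commented out) or append "KEY = VALUE" when the key is absent.
set_conf() {
    file=$1 key=$2 value=$3
    if grep -q "^[# ]*$key *=" "$file"; then
        sed -i "s|^[# ]*$key *=.*|$key = $value|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf FILE KEY: print the current value of KEY, empty if unset.
get_conf() {
    sed -n "s/^$2 *= *//p" "$1" | head -n 1
}

# sha256_hex STRING: the hex digest the guide computes with echo -n | sha256sum.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# gen_secret: a 96-character password_secret, as the guide generates it.
gen_secret() {
    pwgen -N 1 -s 96
}

# configure_graylog FILE SECRET PASSWORD BIND_ADDR: the settings from this section.
configure_graylog() {
    set_conf "$1" password_secret "$2"
    set_conf "$1" root_password_sha2 "$(sha256_hex "$3")"
    set_conf "$1" root_timezone UTC
    set_conf "$1" is_master true
    set_conf "$1" elasticsearch_shards 1
    set_conf "$1" elasticsearch_replicas 0
    set_conf "$1" http_bind_address "$4"
}

# Interactive use: the password is read from the terminal, not from argv,
# so it does not appear in shell history or in `ps` output.
if [ "${1:-}" = "--apply" ]; then
    printf 'Graylog admin password: '
    stty -echo; read -r pw; stty echo; echo
    configure_graylog "$CONF" "$(gen_secret)" "$pw" "${2:-127.0.0.1:9000}"
    unset pw
fi
```

Run it as `sudo sh configure-graylog.sh --apply 192.168.1.10:9000` (file name assumed), then check the result with `get_conf`. Note that http_bind_address on a LAN address serves the login page over plain HTTP; Graylog 3.0 also has http_enable_tls, http_tls_cert_file and http_tls_key_file settings, which the same helper can set once you have a certificate.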

Start (or restart) the Graylog service.

sudo systemctl start graylog-server

Enable Graylog server to start automatically on system boot.

sudo systemctl enable graylog-server

Watch the server log to troubleshoot Graylog if it does not start cleanly.

sudo tailf /var/log/graylog-server/server.log

Upon the successful start of the Graylog server, you should get the following message in the log file.

2019-03-21T23:44:58.285-04:00 INFO  [ServerBootstrap] Graylog server up and running.

Access Graylog web interface

The Graylog web interface is now available on port 9000, so point your browser to:

http://ip.add.re.ss:9000

Login with username admin and the password you configured on server.conf.

Install Graylog 3.0 on Debian 9 – Graylog Login Screen

Once you have logged in, you should see Graylog's getting started page.

Install Graylog 3.0 on Debian 9 – Graylog Dashboard

Click on System >> Overview to check the status of the Graylog server.

Install Graylog 3.0 on Debian 9 – Graylog System Overview

Conclusion

You have successfully installed Graylog 3.0 on Debian 9. To receive logs from other machines, you will need to configure Graylog inputs and configure those Linux machines to send their logs to Graylog.
