Prerequisite

We need to install the following software:

Step 1 — Configuring Elasticsearch

We need to modify the Elasticsearch configuration file so that the cluster name matches the one set in the Graylog configuration file. To keep things simple, we’ll set the Elasticsearch cluster name to the default Graylog name of graylog. You may set it to whatever you wish, but make sure you update the Graylog configuration file to reflect that change.

Open the Elasticsearch configuration file in your editor:

sudo vi /etc/elasticsearch/elasticsearch.yml

Find the following line:

cluster.name: <CURRENT CLUSTER NAME>

Change the cluster.name value to graylog:

cluster.name: graylog

Save the file and exit your editor.

Since we modified the configuration file, we have to restart the service for the changes to take effect.

sudo systemctl restart elasticsearch

Now that you have configured Elasticsearch, let’s move on to installing Graylog.

Step 2 — Installing Graylog

In this step, we'll install the Graylog server.

First, download the package file containing the Graylog repository configuration. Visit the Graylog download page to find the current version number. We’ll use version 2.2 for this tutorial.

wget https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.deb

Next, install the repository configuration from the .deb package file, again replacing 2.2 with the version you downloaded.

sudo dpkg -i graylog-2.2-repository_latest.deb

Now that the repository configuration has been updated, we have to fetch the new list of packages. Execute this command:

sudo apt-get update

Next, install the graylog-server package:

sudo apt-get install graylog-server

Lastly, enable Graylog to start automatically on system boot with this command:

sudo systemctl enable graylog-server.service

Graylog is now successfully installed, but it’s not started yet. We have to configure it before it will start.

Step 3 — Configuring Graylog

Now that we have Elasticsearch configured and Graylog installed, we need to change a few settings in the default Graylog configuration file before we can use it. Graylog’s configuration file is located at /etc/graylog/server/server.conf by default.

First, we need to set the password_secret value. Graylog uses this value to secure the stored user passwords. We will use a randomly-generated 128-character value.

We will use pwgen to generate the password, so install it if it isn’t already installed:

sudo apt install pwgen

Generate the password and place it in the Graylog configuration file. We’ll use the sed program to inject the password_secret value into the Graylog configuration file. This way we don’t have to copy and paste any values. Execute this command to create the secret and store it in the file:

sudo -E sed -i -e "s/password_secret =.*/password_secret = $(pwgen -s 128 1)/" /etc/graylog/server/server.conf

For more information on using sed, see this DigitalOcean sed tutorial.

Next, we need to set the root_password_sha2 value. This is a SHA-256 hash of your desired password. Once again, we'll use the sed command to modify the Graylog configuration file so we don't have to manually generate the SHA-256 hash using shasum and paste it into the configuration file.

Execute this command, but replace password below with your desired default administrator password:

Note: Type the command with a leading space, which prevents your password from being stored in plain text in your Bash history. This only works when HISTCONTROL includes ignorespace or ignoreboth, which Ubuntu's default .bashrc sets.

 sudo sed -i -e "s/root_password_sha2 =.*/root_password_sha2 = $(echo -n 'password' | shasum -a 256 | cut -d' ' -f1)/" /etc/graylog/server/server.conf

Now, we need to make a couple more changes to the configuration file. Open the Graylog configuration file with your editor:

sudo vi /etc/graylog/server/server.conf

Find and change the following lines, uncommenting them where needed and replacing the example address 192.168.10.112 and the placeholder your_server_ip_or_domain with the public IP address or fully-qualified domain name of your server. Both URIs are plain HTTP, so if the server is reachable from the Internet, restrict access to ports 9000 and 12900 with a firewall or put a TLS-terminating proxy in front of them.

root_timezone = Australia/Melbourne

rest_listen_uri = http://192.168.10.112:12900

rest_transport_uri = http://192.168.10.112:12900

web_enable = true

# Web interface listen URI.
# If you want to use port 80, you need extra configuration, which will be mentioned later.
web_listen_uri = http://your_server_ip_or_domain:9000/

elasticsearch_shards = 1
elasticsearch_replicas = 0

elasticsearch_index_prefix = graylog

elasticsearch_cluster_name = graylog

elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

elasticsearch_http_enabled = false

mongodb_uri = mongodb://localhost/graylog

Add the following line at the end of the configuration file:

mongodb_useauth=false

Save the file and exit your editor.
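The two sed one-liners above and the append at the end of the file are three variants of the same edit, and nothing in the tutorial checks the result before the service is restarted. The following script is an added example, not code from the original tutorial or from the Graylog project: it applies all of the Step 3 edits in one idempotent pass (replace the key if present, commented out or not, otherwise append it), generates the secret and hash without pwgen or shasum, and verifies the file before anything is restarted. It assumes GNU sed as shipped on Ubuntu and runs against a constructed sample file, so it never touches /etc.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: apply the Step 3 edits to
# server.conf in one idempotent pass and verify them before the service is
# restarted. Assumes GNU sed (Ubuntu); runs here against a constructed sample.
set -eu

# set_conf_value FILE KEY VALUE
# Replace an existing "KEY = ..." line (commented out or not) with
# "KEY = VALUE"; append the line if KEY is absent. '|' is the sed delimiter
# because URI values contain '/'. Values must not contain '|' or '&'.
set_conf_value() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# get_conf_value FILE KEY: print the active (uncommented) value of KEY.
get_conf_value() {
  sed -nE "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# sha256_hex STRING: hex SHA-256 digest, the format root_password_sha2 expects.
# printf avoids the trailing newline that a plain 'echo' would hash as well.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# random_secret: 128 alphanumeric characters from /dev/urandom, the same
# shape as "pwgen -s 128 1" but without needing pwgen installed.
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 128
}

# make_sample_conf: write a constructed stand-in for the stock server.conf
# and print its path.
make_sample_conf() {
  local f
  f="$(mktemp)"
  cat >"$f" <<'EOF'
# constructed sample of /etc/graylog/server/server.conf
password_secret =
root_password_sha2 =
#root_timezone = UTC
#web_listen_uri = http://127.0.0.1:9000/
elasticsearch_cluster_name = elasticsearch
EOF
  printf '%s' "$f"
}

# configure_graylog FILE ADMIN_PASSWORD HOST: the Step 3 edits in one place.
configure_graylog() {
  local conf="$1" admin_password="$2" host="$3"
  set_conf_value "$conf" password_secret "$(random_secret)"
  set_conf_value "$conf" root_password_sha2 "$(sha256_hex "$admin_password")"
  set_conf_value "$conf" root_timezone "Australia/Melbourne"
  set_conf_value "$conf" web_listen_uri "http://${host}:9000/"
  set_conf_value "$conf" elasticsearch_cluster_name graylog
  set_conf_value "$conf" mongodb_useauth false
}

# verify_conf FILE: succeed only if the secret is 128 chars, the hash is
# 64 hex chars, and none of the edited keys is still commented out.
verify_conf() {
  local conf="$1" secret hash
  secret="$(get_conf_value "$conf" password_secret)"
  hash="$(get_conf_value "$conf" root_password_sha2)"
  [ "${#secret}" -eq 128 ] || return 1
  printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' || return 1
  ! grep -Eq '^#[[:space:]]*(root_timezone|web_listen_uri)[[:space:]]*=' "$conf"
}

# Usage on a real host (as root, after backing up the file):
#   configure_graylog /etc/graylog/server/server.conf 'admin password' 192.168.10.112
#   verify_conf /etc/graylog/server/server.conf && systemctl restart graylog-server
```

Because the functions replace a commented-out key rather than adding a second copy, the script can be re-run after a package upgrade restores the default file, and verify_conf catches the two mistakes that otherwise only show up as a failed login: an empty secret and a hash of the password plus a newline.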

Since we changed the configuration file, we have to restart (or start) the graylog-server service. The restart command will start the server even if it is currently stopped.

sudo systemctl restart graylog-server

Next, check the status of the server.

sudo systemctl status graylog-server

Bind port 80 to Java:

Since Graylog runs as the unprivileged graylog user, and unprivileged processes cannot open ports below 1024, we have two solutions to this:

Allow Java to open ports < 1024:

First, we need to find the Java bin file:

sudo update-alternatives --config java

The output will look something like the following (this example shows a system with several Java versions installed):

Output
There are 5 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      auto mode
  1            /usr/lib/jvm/java-6-oracle/jre/bin/java          1         manual mode
  2            /usr/lib/jvm/java-7-oracle/jre/bin/java          2         manual mode
  3            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode
  4            /usr/lib/jvm/java-8-oracle/jre/bin/java          3         manual mode
  5            /usr/lib/jvm/java-9-oracle/bin/java              4         manual mode

Press <enter> to keep the current choice[*], or type selection number:

Note down the Path marked with the asterisk (*) and grant that binary the capability to bind privileged ports. Be aware that this file capability applies to every program run with that JVM, not only Graylog, and that it is lost when a package upgrade replaces the binary, so it has to be reapplied afterwards:

sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
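Once CAP_NET_BIND_SERVICE has been granted to a JVM binary, it is worth being able to answer "which executables on this host can bind privileged ports?" later, when the setcap step has been forgotten. The script below is an added example, not code from the original tutorial: it parses the output of getcap -r / (from the libcap2-bin package on Ubuntu) and reports every binary carrying cap_net_bind_service other than the one you deliberately granted it to. A constructed sample of getcap output is embedded so the parser can be exercised without root; it handles both the older "path = caps" and the newer "path caps" output formats, and assumes paths without spaces.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: audit file capabilities
# so the setcap change above can be reviewed later. Parses getcap output.

# Constructed sample of `getcap -r / 2>/dev/null`. Two formats occur:
#   libcap < 2.41:   /path/bin = cap_net_bind_service+eip
#   libcap >= 2.41:  /path/bin cap_net_bind_service=eip
SAMPLE_GETCAP_OUTPUT='/usr/bin/ping = cap_net_raw+ep
/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java = cap_net_bind_service+eip
/usr/sbin/mtr-packet cap_net_raw=ep
/opt/other/bin/java cap_net_bind_service=eip'

# list_net_bind_binaries: read getcap output on stdin and print the path
# (first field, so paths must not contain spaces) of every binary whose
# capability set includes cap_net_bind_service.
list_net_bind_binaries() {
  awk '/cap_net_bind_service/ { print $1 }'
}

# count_net_bind_binaries: number of such binaries in the getcap output on stdin.
count_net_bind_binaries() {
  list_net_bind_binaries | wc -l | tr -d ' '
}

# unexpected_net_bind_binaries EXPECTED_PATH: print every binary with
# cap_net_bind_service except the one you granted it to on purpose.
# Prints nothing (and succeeds) when the host matches expectations.
unexpected_net_bind_binaries() {
  list_net_bind_binaries | grep -vxF -- "$1" || true
}

# Usage on a real host:
#   getcap -r / 2>/dev/null \
#     | unexpected_net_bind_binaries /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
# Any path printed is a capability you did not intend to grant.
```

Run it from a periodic job or a configuration check and treat any output as a finding: the intended JVM path should be the only one, and it should disappear from the list after a JDK upgrade until the capability is reapplied.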

Port redirecting:

The alternative is to leave Graylog listening on port 9000 and redirect incoming traffic on port 80 to it with an iptables NAT rule:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000

or, for all interfaces:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000

These rules are not persistent across reboots unless you save them (for example with the iptables-persistent package), and the PREROUTING chain does not see connections that originate on the server itself, so test the redirect from another host.

Reference:

How to install Graylog 2 on Ubuntu 16.04 LTS: https://www.digitalocean.com/community/tutorials/how-to-manage-logs-with-graylog-2-on-ubuntu-16-04

Configure Web interface: http://docs.graylog.org/en/2.0/pages/configuration/web_interface.html