GrayLog is a powerful free open source centralized log management solution for capturing, storing, and enabling real-time analysis.

It is requires at least 4 GB of RAM on the server because it works with a NoSQL database program (MongoDB) plus a search and analytics solution (ElasticSearch) running all side-by-side.


Preparing the system:

sudo apt update && sudo apt upgrade -y
sudo apt install bash-completion apt-transport-https uuid-runtime pwgen openjdk-11-jre-headless nano net-tools pwgen -y

Installing MongoDB:

sudo apt install mongodb-server -y
sudo systemctl enable mongodb && sudo systemctl start mongodb
sudo systemctl --type=service --state=active | grep mongod
sudo netstat -tulpn | grep 27017

Installing ElasticSearch:

wget -qO - | sudo apt-key add -
echo "deb stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install elasticsearch-oss -y


sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT graylog
action.auto_create_index: false

Applying and testing:

sudo systemctl enable elasticsearch && sudo systemctl restart elasticsearch
sudo systemctl --type=service --state=active | grep elasticsearch
sudo netstat -tulpn | grep 9200

Installing GrayLog:

sudo dpkg -i graylog-4.2-repository_latest.deb
sudo apt update && sudo apt install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y

Generate a hash for the Password Secret:

pwgen -N 1 -s 96

Generate the hash for the Admin Password:

echo -n "Enter a STRONG Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Then edit the configuration file:

sudo nano /etc/graylog/server/server.conf

Find the following variables and apply the hashed that you created:

password_secret = 7Eh8mSFuIA2BWtjBdX6Jkh8m6fVSAhRbz0ONB8rAOVQH281wXuvNeBZBBjPQtU2I3qNuH2ALPK0kFat7djAUYGq6mYfXHIHv
root_password_sha2 = 2a5d3f2d632a9969faab939ef7889efd7afd4c193c49d40b9f9f7152faec75d3
http_bind_address =
sudo systemctl enable graylog-server && sudo systemctl start graylog-server
sudo tail -f /var/log/graylog-server/server.log | grep "Graylog server up and running"
sudo systemctl --type=service --state=active | grep graylog
sudo netstat -tulpn | grep 9000

Use the browser to navigate to the IP address of the server on port 9000 (e.g. and enter the password you created previously:

Navigate to System > Inputs > select Syslog UDP > click on Lunch New Input.

Gibe this Local Input a meaningful name and enter the port you want it to listen on:

Wait few seconds until it shows the green alert saying it is Running.

Now your log server is ready to receive log messages.

Create as many inputs as needed to cover all the needs of your infrastructure.

Consider using Log Relay Server depending on the topology of the network or other constrains.


Configure rsyslog to send the logs to the newly created Log Server (or to the closest Log Relay Server):

sudo nano /etc/rsyslog.conf

Append this line to the configuration:

*.* @;RSYSLOG_SyslogProtocol23Format

Note: use @ for UDP and @@ for TCP. Replace with the IP address of the destination server.

Applying the changes and creating a test entry to the log:

sudo systemctl restart rsyslog
echo "Log Event Test" | logger


Navigate to Search > click on the green Search Button.

You might be able to see the test log entries forwarded by rsyslog right away.

Select a frequency for auto refresh the search, if you want to see the incoming traffic.

GrayLog’s search works with Wildcards and RegEx. See emaples:

  • T??t
    • The question mark matches to any character.
  • T*t
    • Asterisk matches with multiple characteres.
  • /[3-4]/
    • Looks for a any file in the range using


Read the post RegEx CheatSheet at [Link].

Read the post Linux Log Management and Audit [Link].