Deploy Graylog on Ubuntu for centralized log aggregation with full-text search, stream-based routing, custom dashboards, and alerting across all your infrastructure.
You need 4 GB RAM for a stable setup. Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/monitoring/graylog/graylog-ubuntu.sh
chmod +x graylog-ubuntu.sh
sudo bash graylog-ubuntu.sh
```
The script installs Docker if needed, then deploys Graylog alongside MongoDB and OpenSearch automatically.
Open your browser and navigate to `http://<your-server-ip>:9000`.
Go to System → Inputs and create a GELF UDP or Syslog TCP input to start receiving logs from your services.
| Port | Purpose |
|---|---|
| 9000 | Graylog Web UI |
| 12201 | GELF Input (UDP — internal) |
| 1514 | Syslog Input (TCP — internal) |
Graylog is an enterprise-grade centralized log management platform that collects, indexes, and analyzes logs from all your infrastructure. It accepts GELF, syslog, plain text, and Beats inputs, provides full-text search powered by OpenSearch, and lets you build streams, dashboards, pipelines, and alert conditions. It is the most mature open-source log management platform alongside the ELK stack.
Graylog fills the gap between basic log viewers and the complex ELK stack. It provides full-text search, structured field extraction, and a clean UI for searching millions of log events per second, without requiring Elasticsearch expertise. Its stream-based routing and built-in alerting make it practical for security monitoring and compliance use cases.
Graylog web UI is on port 9000. GELF UDP input is typically on 12201 (internal only — restrict to your log sources). Syslog TCP is on 1514 (internal only). Only open 9000 to your admin network; keep input ports internal and firewall-protected.
Alternatives include Loki + Grafana (label-based, extremely lightweight, cheaper), OpenObserve (lighter, unified observability), the ELK stack (more powerful querying, more complex setup), and Seq (Windows-friendly, .NET focused). Graylog is the best choice for teams that need full-text search with a purpose-built log management UI.
If your log volume is low (under 1 GB/day) and you only need basic search, Loki + Grafana is far lighter and simpler. If you need APM-grade distributed tracing, Graylog doesn't provide that — SigNoz or Tempo is more appropriate.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
GELF (Graylog Extended Log Format) is a structured JSON log format that includes fields like host, timestamp, level, and arbitrary custom fields. Docker supports GELF natively via its log driver — set `--log-driver=gelf --log-opt gelf-address=udp://your-server:12201` to ship all container logs to Graylog automatically.
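As an added example (not code from the page or from the Graylog project), a small Python sender that builds a GELF 1.1 message, gzips it and splits it into GELF chunks for the UDP input on 12201, enforcing the custom-field rules (underscore prefix, `_id` reserved). The server address, the 1420-byte chunk size and the sample event values are assumptions.

```python
import gzip
import json
import os
import socket
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # prefix that marks a chunked GELF datagram
CHUNK_PAYLOAD_SIZE = 1420       # assumed per-chunk payload that fits a 1500-byte MTU without fragmentation

def build_gelf_message(host, short_message, level=6, full_message=None, **extra):
    """Return a GELF 1.1 dict; custom fields get the required '_' prefix and '_id' is rejected."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}  # level uses syslog severity numbers
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        if field == "_id":  # reserved for the stored document id, Graylog refuses it
            raise ValueError("'_id' cannot be used as a custom GELF field")
        msg[field] = value
    return msg

def encode_gelf(msg):
    """Serialise and gzip; the GELF UDP input detects compression from the gzip magic bytes."""
    return gzip.compress(json.dumps(msg).encode("utf-8"))

def decode_gelf(payload):
    """Inverse of encode_gelf, used to check what Graylog would receive."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))

def chunk_gelf(payload, chunk_size=CHUNK_PAYLOAD_SIZE):
    """Split a large datagram into GELF chunks: magic + 8-byte message id + seq + count + data."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > 128:  # GELF allows at most 128 chunks per message
        raise ValueError("message too large for GELF chunking")
    message_id = os.urandom(8)  # same random id on every chunk lets the server reassemble them
    return [GELF_CHUNK_MAGIC + message_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]

def send_gelf_udp(msg, server="127.0.0.1", port=12201):
    """Ship one message (chunked if needed) to the GELF UDP input; returns the datagram count."""
    chunks = chunk_gelf(encode_gelf(msg))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for chunk in chunks:
            sock.sendto(chunk, (server, port))
    return len(chunks)
```

`send_gelf_udp(build_gelf_message("web-01", "sshd: authentication failure", level=4, service="sshd"))` ships one constructed event and returns the number of datagrams sent; the event then shows up in the input with `_service` as a searchable field.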
Graylog itself needs ~512 MB. OpenSearch needs 1–2 GB JVM heap (minimum). MongoDB needs ~256 MB. Total recommended: 4 GB RAM minimum for a stable single-node setup. For higher log volumes, 8 GB+ is advisable.
Modern versions of Graylog (4.x+) prefer OpenSearch due to Elasticsearch's license change. OpenSearch is an Apache-2.0 fork of Elasticsearch and is fully compatible with Graylog's queries. Use OpenSearch for new deployments.
In System → Indices, set your default index set rotation strategy (e.g. time-based, daily) and retention action (delete oldest) with a max age of 90 days. Graylog will automatically rotate and clean up old indices on schedule.
Yes. Install the Slack Graylog plugin or use the built-in HTTP alert notification. Configure an event definition with a condition (e.g. 'more than 10 ERROR logs in 5 minutes') and attach a Slack webhook URL as the notification target.
Graylog is a purpose-built log management application with a clean UI for operations teams. The ELK stack (Elasticsearch + Logstash + Kibana) is a general-purpose data pipeline — far more flexible but also far more complex to configure and maintain. For log management specifically, Graylog is easier to operate.
Yes. Install Winlogbeat or NXLog on your Windows servers and configure them to forward event logs to Graylog's Beats input (port 5044). This gives you Windows authentication events, system errors, and application logs in Graylog.
Run `docker compose pull && docker compose up -d`. Graylog sometimes requires a server journal migration on first boot after a major version update — monitor `docker logs graylog` and wait for 'Graylog server up and running' before accessing the UI.