
🪵 Setup Graylog — Centralized Log Management

Deploy Graylog on Ubuntu for centralized log aggregation with full-text search, stream-based routing, custom dashboards, and alerting across all your infrastructure.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.
⚠️ High RAM Usage: Graylog requires MongoDB and OpenSearch alongside it — allocate at least 4 GB RAM for a stable setup.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install script — one command deploys Graylog with MongoDB and OpenSearch.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/monitoring/graylog/graylog-ubuntu.sh
chmod +x graylog-ubuntu.sh
sudo bash graylog-ubuntu.sh

Tutorial Steps

1. Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/monitoring/graylog/graylog-ubuntu.sh

2. Make it Executable

chmod +x graylog-ubuntu.sh

3. Run the Installer

The script installs Docker if needed, then deploys Graylog alongside MongoDB and OpenSearch automatically.

sudo bash graylog-ubuntu.sh

4. Access the Web UI

Open your browser and navigate to:

http://<your-server-ip>:9000

5. Create a Log Input

Go to System → Inputs and create a GELF UDP or Syslog TCP input to start receiving logs from your services.

Ports Used

Port    Purpose
9000    Graylog Web UI
12201   GELF Input (UDP — internal)
1514    Syslog Input (TCP — internal)

Overview

Graylog is an enterprise-grade centralized log management platform that collects, indexes, and analyzes logs from all your infrastructure. It accepts GELF, syslog, plain text, and Beats inputs, provides full-text search powered by OpenSearch, and lets you build streams, dashboards, pipelines, and alert conditions. Alongside the ELK stack, it is one of the most mature open-source log management platforms available.

Why Use It

Graylog fills the gap between basic log viewers and the complex ELK stack. It provides full-text search, structured field extraction, and a clean UI for searching millions of log events per second, without requiring Elasticsearch expertise. Its stream-based routing and built-in alerting make it practical for security monitoring and compliance use cases.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

Graylog web UI is on port 9000. GELF UDP input is typically on 12201 (internal only — restrict to your log sources). Syslog TCP is on 1514 (internal only). Only open 9000 to your admin network; keep input ports internal and firewall-protected.

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Loki + Grafana (label-based, extremely lightweight, cheaper), OpenObserve (lighter, unified observability), ELK stack (more powerful querying, more complex setup), Seq (Windows-friendly, .NET focused). Graylog is the best choice for teams that need full-text search with a purpose-built log management UI.

When Not to Use It

If your log volume is low (under 1 GB/day) and you only need basic search, Loki + Grafana is far lighter and simpler. If you need APM-grade distributed tracing, Graylog doesn't provide that — SigNoz or Tempo is more appropriate.

PrismaTechWork Professional Help

PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.


Frequently Asked Questions

What is GELF and how does it work with Graylog?

GELF (Graylog Extended Log Format) is a structured JSON log format that includes fields like host, timestamp, level, and arbitrary custom fields. Docker supports GELF natively via its log driver — set `--log-driver=gelf --log-opt gelf-address=udp://your-server:12201` to ship all container logs to Graylog automatically.
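Step 5 of the tutorial has you create a GELF UDP input, and the answer above describes GELF as structured JSON with custom fields. As an added example that is not part of this page or its install script, the Python below builds a GELF 1.1 record (custom fields get the mandatory leading underscore, and the reserved `_id` is rejected), gzips it, and splits payloads larger than one UDP datagram into chunked-GELF datagrams the way the spec requires; the host name, message text, field values and the 127.0.0.1:12201 target are constructed sample values.

```python
import gzip
import json
import os
import socket
import time

CHUNK_MAGIC = b"\x1e\x0f"       # chunked-GELF marker bytes
MAX_CHUNKS = 128                # spec limit; bigger messages belong on TCP/HTTP inputs
MAX_DATAGRAM = 8192             # UDP datagram size Graylog reassembles by default
CHUNK_BODY = MAX_DATAGRAM - 12  # 2 magic + 8 message id + 1 seq number + 1 seq count


def build_gelf(host, short_message, level=6, full_message=None, **extra):
    """Build a GELF 1.1 record. Extra fields get the mandatory leading underscore."""
    if not 0 <= level <= 7:
        raise ValueError("level must be a syslog severity 0-7")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved and silently dropped by Graylog")
        msg["_" + key] = value  # e.g. user="alice" becomes "_user": "alice"
    return msg


def chunk_gelf(payload, msg_id=None):
    """Split a payload into chunked-GELF datagrams; small payloads go out unchunked."""
    if len(payload) <= MAX_DATAGRAM:
        return [payload]
    msg_id = msg_id or os.urandom(8)  # same random id on every chunk of one message
    parts = [payload[i:i + CHUNK_BODY] for i in range(0, len(payload), CHUNK_BODY)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError(f"{len(parts)} chunks exceeds the GELF limit of {MAX_CHUNKS}")
    return [CHUNK_MAGIC + msg_id + bytes([seq, len(parts)]) + part
            for seq, part in enumerate(parts)]


def send_gelf(msg, addr=("127.0.0.1", 12201)):
    """Gzip the JSON (Graylog detects the 0x1f8b header) and send it as UDP datagram(s)."""
    payload = gzip.compress(json.dumps(msg).encode("utf-8"))
    datagrams = chunk_gelf(payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for dgram in datagrams:
            sock.sendto(dgram, addr)
    return len(datagrams)


if __name__ == "__main__":
    # Constructed sample event; point addr at your Graylog host's GELF UDP input.
    event = build_gelf("web01", "sshd: failed password for invalid user", level=4,
                       facility="auth", src_ip="203.0.113.7")
    print(send_gelf(event), "datagram(s) sent")
```

Once the input is running, the event appears in Graylog with `_facility` and `_src_ip` as searchable fields, which is the point of GELF over plain syslog text.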

How much RAM does Graylog need?

Graylog itself needs ~512 MB. OpenSearch needs 1–2 GB JVM heap (minimum). MongoDB needs ~256 MB. Total recommended: 4 GB RAM minimum for a stable single-node setup. For higher log volumes, 8 GB+ is advisable.

Can I use Elasticsearch instead of OpenSearch?

Modern versions of Graylog (4.x+) prefer OpenSearch due to Elasticsearch's license change. OpenSearch is an Apache-2.0 fork of Elasticsearch and is fully compatible with Graylog's queries. Use OpenSearch for new deployments.

How do I retain logs for 90 days?

In System → Indices, set your default index set rotation strategy (e.g. time-based, daily) and retention action (delete oldest) with a max age of 90 days. Graylog will automatically rotate and clean up old indices on schedule.

Can Graylog send alerts to Slack?

Yes. Install the Slack Graylog plugin or use the built-in HTTP alert notification. Configure an event definition with a condition (e.g. 'more than 10 ERROR logs in 5 minutes') and attach a Slack webhook URL as the notification target.

What is the difference between Graylog and the ELK stack?

Graylog is a purpose-built log management application with a clean UI for operations teams. The ELK stack (Elasticsearch + Logstash + Kibana) is a general-purpose data pipeline — far more flexible but also far more complex to configure and maintain. For log management specifically, Graylog is easier to operate.

Can I ship Windows event logs to Graylog?

Yes. Install Winlogbeat or NXLog on your Windows servers and configure them to forward event logs to Graylog's Beats input (port 5044). This gives you Windows authentication events, system errors, and application logs in Graylog.

How do I update Graylog?

Run `docker compose pull && docker compose up -d`. Graylog sometimes requires a server journal migration on first boot after a major version update — monitor `docker logs graylog` and wait for 'Graylog server up and running' before accessing the UI.