Ubuntu 12.04 Graylog2 Installation

I recently wanted to check out Graylog2 for gathering syslog messages because I have heard good things about it. Well the issue was that I was not able to find any good articles on how to accomplish this. I did find some installation scripts that looked promising, but they would not work correctly for whatever reason. So I took pieces of some scripts and other sources to compile what should be a completely accurate setup for now. I will be updating this post as time goes on. For the most part you can copy the text below and use it as a shell script. I created and tested this script using a fresh install of Ubuntu 12.04 x64. There is also a working Debian 6.0 install script that is available from github which is method 1 below. Method 1 is the preferred method as it will always be the most current. Using this setup will configure rsyslog to listen on udp/514 and reformat correctly and then pass on to Graylog2 listening on udp/10514. This works great for ESXi 5 and other Linux rsyslog clients. For Windows read the bottom of this post for Windows Event Logging. Let’s go. Choose one of the methods below.

Update *** This script will be maintained in GitHub Repository for future releases. https://github.com/mrlesmithjr/graylog2 **Update** Ubuntu 12.10 support added to github. Method 1 below will work for Ubuntu 12.04/12.10/13.04.

Method 1 **Preferred** All updates will be in Github

*** Update 07/10/2013. I have added the latest version 0.12.0 of graylog2 to the script on github. Please let me know if you run into issues. For Ubuntu only now that is.

*** Update 10/12/2013. The issue around installing Ruby on Ubuntu 12.04 has now been resolved. The ubuntu script from GitHub below has the updates included.

*** Update 10/18/2013. Sudo has been removed from within the script so now you can execute the script using sudo and never be prompted again during the install.

**UPDATE 12/11/2013** Preview script added to github

**UPDATE 01/16/2014** Preview script updated to include 0.20.0-rc.1

**UPDATE 02/20/2014** The release of 0.20.0 is now available. The preferred script to use is further down under v0.20.0 Release.

**UPDATE 02/24/2014** Updated to v0.20.1

The following is not for the Preview/RC version or v0.20.1 but for deprecated v0.12.0 (Not recommended any longer as it is no longer maintained but available for archival reasons)

Open a terminal

sudo apt-get -y install git
cd ~
git clone https://github.com/mrlesmithjr/graylog2/
chmod +x ./graylog2/install_graylog2_ubuntu.sh

To set the IP address of the server you are installing on, either edit the script or let the script auto-detect your IP. The default is auto-detect; if you use it, skip editing the file and continue on.

To edit the file enter the following

nano ./graylog2/install_graylog2_ubuntu.sh


Save the file with ctrl^x. Now enter the following to start running the script.

cd ~
sudo ./graylog2/install_graylog2_ubuntu.sh

The following is for the Preview and rc.1 version ONLY (Use method above if you want to use the stable current version)

The following is for v0.20.1 Release

For a quick one liner you can enter the following to do everything in one line of code!

cd ~ && sudo apt-get -y install git && git clone https://github.com/mrlesmithjr/graylog2 && chmod +x ./graylog2/install_graylog2_20_ubuntu.sh && sudo ./graylog2/install_graylog2_20_ubuntu.sh

If you want to run each of the commands individually you can use the following commands.

sudo apt-get -y install git
cd ~
git clone https://github.com/mrlesmithjr/graylog2/
chmod +x ./graylog2/install_graylog2_20_ubuntu.sh
sudo ./graylog2/install_graylog2_20_ubuntu.sh

If you start getting scrolling Java-type errors after installing, one or more critical services are not running. You can either reboot or try the following.

sudo service graylog2-web-interface stop
sudo service mongodb status
sudo service elasticsearch status
sudo service graylog2 status

If any of the above does not report as running with a PID, start that service by running the following.

sudo service servicename start

You can also run the following and the ports should show the services running. (Reference screenshot below command window)

netstat -ltnp
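
To go with the netstat check above, an added helper (not part of the original post or the GitHub scripts) that reads `netstat -ltn` / `netstat -lun` output and reports, for the ports used on this page, whether each listener is bound to loopback only or to another address, and which expected ports are missing. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening sockets for the ports this page uses.
# Live use:  netstat -ltn | audit_listeners ; netstat -lun | audit_listeners

# Ports mentioned on this page and the service expected on each.
port_label() {
    case "$1" in
        514)   echo "rsyslog" ;;
        9000)  echo "graylog2-web-interface" ;;
        9200)  echo "elasticsearch-http" ;;
        9300)  echo "elasticsearch-transport" ;;
        10514) echo "graylog2-syslog-input" ;;
        12201) echo "graylog2-gelf-input" ;;
        27017) echo "mongodb" ;;
        *)     return 1 ;;
    esac
}

# Reads netstat output on stdin and prints "<scope> <proto> <port> <label>".
# scope is "local" for loopback-only binds, "exposed" for any other address.
audit_listeners() {
    while read -r proto _recvq _sendq laddr _rest; do
        # Skip header lines and anything that is not a tcp/udp socket row.
        case "$proto" in tcp*|udp*) ;; *) continue ;; esac
        port=${laddr##*:}          # text after the last colon
        addr=${laddr%:*}           # text before the last colon
        label=$(port_label "$port") || continue
        case "$addr" in
            127.*|::1|::ffff:127.*) scope=local ;;
            *)                      scope=exposed ;;
        esac
        echo "$scope $proto $port $label"
    done
}

# Reads netstat output on stdin; prints each port given as an argument
# that has no listener at all (for example rsyslog missing on 514).
missing_ports() {
    seen=$(audit_listeners | awk '{print $3}')
    for p in "$@"; do
        echo "$seen" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample, in the layout netstat prints on Ubuntu 12.04.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::9200                 :::*                    LISTEN
tcp6       0      0 :::9000                 :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp6       0      0 :::10514                :::*'

# Show the classification for the sample.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

Anything reported as exposed that only local services need to reach (MongoDB and Elasticsearch here) is a candidate for a loopback bind or a firewall rule.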


Open your browser of choice and connect to http://ip.or.nameofgraylog2server:9000

Login with username admin and password is password123


Click on system


Click on nodes


Select action and then manage inputs


Select Syslog UDP from dropdown


Give it a name of syslog redirect and port 10514 and then click launch and close. (Rsyslog is listening on UDP/514 and forwarding to Graylog2 which is listening on UDP/10514)


You should now see your new input created and accepting traffic.


****** If you would like to uninstall the Preview/RC/Release version I have created an uninstall script to do this. Please use at your own risk as I am not responsible for anything that may happen by using this incorrectly. ******

To uninstall do the following..

cd ~
mv graylog2 graylog2.old
git clone https://github.com/mrlesmithjr/graylog2
chmod +x ./graylog2/uninstall_graylog2_preview_ubuntu.sh
sudo ./graylog2/uninstall_graylog2_preview_ubuntu.sh

Now you can go back and start over if you would like to.

Want to upgrade from Preview/RC v0.20.0 versions to Final v0.20.0 release? I have a script for that now too. It should preserve all previous syslog messages but I highly recommend taking a snapshot if you are using a VM (Hopefully you are! :) ). **NOT FOR v0.12.0 to v0.20.x releases!!!***

The following will take care of the upgrade for you.

cd ~
mv graylog2 graylog2.old
git clone https://github.com/mrlesmithjr/graylog2/
chmod +x ./graylog2/upgrade_to_graylog2_20_ubuntu.sh
sudo ./graylog2/upgrade_to_graylog2_20_ubuntu.sh

 Debian Installer

Within the github repository there is also a script to automate a Debian 6.0 Graylog2 installation. If you are installing on Debian 6.0 run the following instead.

cd ~
chmod +x ./graylog2/install_graylog2_debian.sh
sudo ./graylog2/install_graylog2_debian.sh

Method 2  **Note this may be outdated**

You can download the script, upload and then extract it to your Ubuntu server from the link below. install_graylog2.tar.gz If you downloaded the file you will now need to run the following in the console.

tar zxvf install_graylog2.tar.gz
chmod +x install_graylog2.sh
nano install_graylog2.sh

Change x.x.x.x to the IP address of the server you are installing on, or let the script auto-detect your IP for you. The default is auto-detect.

Save the file with ctrl^x. Now run the following to start running the script. You will be prompted for your sudo password once the script starts.

./install_graylog2.sh

 

Method 3  **Note this may be outdated**

Or you can use the following method from a terminal session on your Ubuntu server. **Change Servername and ServerAlias to the IP Address of your server in install_graylog2.sh using nano as below.

cd ~
wget --user-agent "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0" http://everythingshouldbevirtual.com/wp-content/uploads/2013/03/install_graylog2.tar.gz
tar zxvf install_graylog2.tar.gz
chmod +x install_graylog2.sh
nano install_graylog2.sh

Change x.x.x.x to the IP address of the server you are installing on, or let the script auto-detect your IP for you. The default is to auto-detect.

Method 4  **Note this may be outdated**

Or you can create your own install script as below.

cd ~
#! /bin/bash
#Provided by @mrlesmithjr
#EveryThingShouldBeVirtual.com
#
#
# Ubuntu Install Script
#
# Setup logging
# Logs stderr and stdout to separate files.
exec 2> >(tee "./graylog2/install_graylog2.err")
exec > >(tee "./graylog2/install_graylog2.log")
#
# Checking if running as root (10/16/2013 - No longer an issue - Should be ran as root or with sudo)
# Do not run as root
# if [[ $EUID -eq 0 ]];then
# echo "$(tput setaf 1)DO NOT RUN AS ROOT or use SUDO"
# echo "Now exiting...Hit Return"
# echo "$(tput setaf 3)Run script as normal non-root user and without sudo$(tput sgr0)"
# exit 1
# fi

# Apache Settings
# change x.x.x.x to whatever your ip address is of the server you are installing on or let the script auto detect your IP
# which is the default
# SERVERNAME="x.x.x.x"
# SERVERALIAS="x.x.x.x"
#
#
echo "Detecting IP Address"
IPADDY="$(ifconfig | grep -A 1 'eth0' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
echo "Detected IP Address is $IPADDY"

SERVERNAME=$IPADDY
SERVERALIAS=$IPADDY

# Disable CD Sources in /etc/apt/sources.list
echo "Disabling CD Sources and Updating Apt Packages and Installing Pre-Reqs"
sed -i -e 's|deb cdrom:|# deb cdrom:|' /etc/apt/sources.list
apt-get -qq update

# Install Pre-Reqs
apt-get -y install git curl apache2 libcurl4-openssl-dev apache2-prefork-dev libapr1-dev libcurl4-openssl-dev apache2-prefork-dev libapr1-dev build-essential openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev automake libtool bison subversion pkg-config python-software-properties software-properties-common

# Install Oracle Java 7
echo "Installing Oracle Java 7"
add-apt-repository -y ppa:webupd8team/java
apt-get -qq update
echo oracle-java7-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections
apt-get -y install oracle-java7-installer

echo "Downloading Elasticsearch"
chown -R $USER:$USER /opt
cd /opt
git clone https://github.com/elasticsearch/elasticsearch-servicewrapper.git

# Download Elasticsearch, Graylog2-Server and Graylog2-Web-Interface
echo "Downloading Elastic Search, Graylog2-Server and Graylog2-Web-Interface to /opt"
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.20.6.tar.gz
wget https://github.com/Graylog2/graylog2-server/releases/download/0.12.0/graylog2-server-0.12.0.tar.gz
wget https://github.com/Graylog2/graylog2-web-interface/releases/download/0.12.0/graylog2-web-interface-0.12.0.tar.gz

# Extract files
echo "Extracting Elasticsearch, Graylog2-Server and Graylog2-Web-Interface to /opt"
for f in *.tar.gz
do
tar zxf "$f"
done

# Create Symbolic Links
echo "Creating SymLinks for elasticsearch and graylog2-server"
ln -s elasticsearch-0.20.6/ elasticsearch
ln -s graylog2-server-0.12.0/ graylog2-server

# Install elasticsearch
echo "Installing elasticsearch"
mv *servicewrapper*/service elasticsearch/bin/
rm -Rf *servicewrapper*
/opt/elasticsearch/bin/service/elasticsearch install
ln -s `readlink -f elasticsearch/bin/service/elasticsearch` /usr/bin/elasticsearch_ctl
sed -i -e 's|# cluster.name: elasticsearch|cluster.name: graylog2|' /opt/elasticsearch/config/elasticsearch.yml
/etc/init.d/elasticsearch start

# Test elasticsearch
# curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

# Install mongodb
echo "Installing MongoDB"
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
echo "deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen" | tee /etc/apt/sources.list.d/10gen.list
apt-get -qq update
apt-get -y install mongodb-10gen

# Install graylog2-server
echo "Installing graylog2-server"
cd graylog2-server-0.12.0/
cp /opt/graylog2-server/elasticsearch.yml{.example,}
ln -s /opt/graylog2-server/elasticsearch.yml /etc/graylog2-elasticsearch.yml
cp /opt/graylog2-server/graylog2.conf{.example,}
ln -s /opt/graylog2-server/graylog2.conf /etc/graylog2.conf
sed -i -e 's|mongodb_useauth = true|mongodb_useauth = false|' /opt/graylog2-server/graylog2.conf

# Create graylog2-server startup script
echo "Creating /etc/init.d/graylog2-server startup script"
(
cat <<'EOF'
#!/bin/sh
#
# graylog2-server: graylog2 message collector
#
# chkconfig: - 98 02
# description: This daemon listens for syslog and GELF messages and stores them in mongodb
#
CMD=$1
NOHUP=`which nohup`
JAVA_CMD=/usr/bin/java
GRAYLOG2_SERVER_HOME=/opt/graylog2-server

start() {
echo "Starting graylog2-server ..."
$NOHUP $JAVA_CMD -jar $GRAYLOG2_SERVER_HOME/graylog2-server.jar > /var/log/graylog2.log 2>&1 &
}

stop() {
PID=`cat /tmp/graylog2.pid`
echo "Stopping graylog2-server ($PID) ..."
kill $PID
}

restart() {
echo "Restarting graylog2-server ..."
stop
start
}

case "$CMD" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo "Usage $0 {start|stop|restart}"
RETVAL=1
esac
EOF
) | tee /etc/init.d/graylog2-server

# Make graylog2-server executable
chmod +x /etc/init.d/graylog2-server

# Start graylog2-server on bootup
echo "Making graylog2-server startup on boot"
update-rc.d graylog2-server defaults

# Install graylog2 web interface
echo "Installing graylog2-web-interface"
cd /opt/
ln -s graylog2-web-interface-0.12.0 graylog2-web-interface

# Install Ruby
echo "Installing Ruby"
apt-get -y install libgdbm-dev libffi-dev ruby1.9.3

# Install Ruby Gems
echo "Installing Ruby Gems"
cd /opt/graylog2-web-interface
gem install bundler --no-ri --no-rdoc
bundle install

# Set MongoDB Settings
echo "Configuring MongoDB"
echo "
production:
 host: localhost
 port: 27017
 username: grayloguser
 password: password123
 database: graylog2" | tee /opt/graylog2-web-interface/config/mongoid.yml

# Create MongoDB Users and Set Passwords
echo Creating MongoDB Users and Passwords
mongo admin --eval "db.addUser('admin', 'password123')"
mongo admin --eval "db.auth('admin', 'password123')"
mongo graylog2 --eval "db.addUser('grayloguser', 'password123')"
mongo graylog2 --eval "db.auth('grayloguser', 'password123')"

# Test Install
# cd /opt/graylog2-web-interface
# RAILS_ENV=production script/rails server

# Install Apache-passenger
echo Installing Apache-Passenger Modules
gem install passenger
/var/lib/gems/1.9.1/gems/passenger-4.0.20/bin/passenger-install-apache2-module --auto

# Add passenger modules for Apache2
echo "Adding Apache Passenger modules to /etc/apache2/httpd.conf"
echo "LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger-4.0.20/buildout/apache2/mod_passenger.so" | tee -a /etc/apache2/mods-available/passenger.load
echo "PassengerRoot /var/lib/gems/1.9.1/gems/passenger-4.0.20" | tee -a /etc/apache2/mods-available/passenger.conf
echo "PassengerRuby /usr/bin/ruby1.9.1" | tee -a /etc/apache2/mods-available/passenger.conf

# Enable passenger modules
a2enmod passenger

# Restart Apache2
echo "Restarting Apache2"
service apache2 restart
# If apache fails and complains about unable to load mod_passenger.so check and verify that your passengerroot version matches

# Configure Apache virtualhost
echo "Configuring Apache VirtualHost"
echo "
ServerName ${SERVERNAME}
ServerAlias ${SERVERALIAS}
DocumentRoot /opt/graylog2-web-interface/public

#Allow from all
Options -MultiViews

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined" | tee /etc/apache2/sites-available/graylog2

# Enable virtualhost
echo "Enabling Apache VirtualHost Settings"
a2dissite 000-default
a2ensite graylog2
service apache2 reload

# Restart apache
echo "Restarting Apache2"
service apache2 restart

# Now we need to modify some things to get rsyslog to forward to graylog. this is useful for ESXi syslog format to be correct.
echo "Updating graylog2.conf, rsyslog.conf"
sed -i -e 's|syslog_listen_port = 514|syslog_listen_port = 10514|' /etc/graylog2.conf
sed -i -e 's|mongodb_password = 123|mongodb_password = password123|' /etc/graylog2.conf
sed -i -e 's|#$ModLoad immark|$ModLoad immark|' /etc/rsyslog.conf
sed -i -e 's|#$ModLoad imudp|$ModLoad imudp|' /etc/rsyslog.conf
sed -i -e 's|#$UDPServerRun 514|$UDPServerRun 514|' /etc/rsyslog.conf
sed -i -e 's|#$ModLoad imtcp|$ModLoad imtcp|' /etc/rsyslog.conf
sed -i -e 's|#$InputTCPServerRun 514|$InputTCPServerRun 514|' /etc/rsyslog.conf
sed -i -e 's|*.*;auth,authpriv.none|#*.*;auth,authpriv.none|' /etc/rsyslog.d/50-default.conf
# echo '$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"' | tee /etc/rsyslog.d/32-graylog2.conf
echo '$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %FROMHOST% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"' | tee /etc/rsyslog.d/32-graylog2.conf
echo '$ActionForwardDefaultTemplate GRAYLOG2' | tee -a  /etc/rsyslog.d/32-graylog2.conf
echo '$PreserveFQDN on' | tee -a  /etc/rsyslog.d/32-graylog2.conf
#echo '*.err;*.crit;*.alert;*.emerg;cron.*;auth,authpriv.* @localhost:10514' | tee -a  /etc/rsyslog.d/32-graylog2.conf
# Log syslog levels info and above
echo '*.info @localhost:10514' | tee -a  /etc/rsyslog.d/32-graylog2.conf

#Fixing issue with secret_token in /opt/graylog2-web-interface/config/initializers/secret_token.rb
sed -i -e "s|Graylog2WebInterface::Application.config.secret_token = 'CHANGE ME'|Graylog2WebInterface::Application.config.secret_token = 'b356d1af93673e37d6e21399d033d77c15354849fdde6d83fa0dca19608aa71f2fcd9d1f2784fb95e9400d8eeaf6dd9584d8d35b8f0b5c231369a70aac5e5777'|" /opt/graylog2-web-interface/config/initializers/secret_token.rb

# Restart All Services
echo "Restarting All Services Required for Graylog2 to work"
service elasticsearch restart
service mongodb restart
service graylog2-server restart
service rsyslog restart
service apache2 restart

# All Done
echo "Installation has completed!!"
echo "Browse to IP address of this Graylog2 Server Used for Installation"
echo "IP Address detected from system is $IPADDY"
echo "Browse to http://$IPADDY"
echo "You Entered $SERVERNAME During Install"
echo "Browse to http://$SERVERNAME If Different"
echo "EveryThingShouldBeVirtual.com"
echo "@mrlesmithjr"
chmod +x install_graylog2.sh
./install_graylog2.sh
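
Every install made with the script above gets the same MongoDB password (password123) and the same secret_token, both printed on this page. As an added example (not part of the original script), the functions below generate per-install values and write them into the same three files; the function names and the temp-directory demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-install secrets in place of the fixed password123 and
# secret_token values. Function names and demo files are hypothetical.

# Print N random bytes from /dev/urandom as 2N lowercase hex characters.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Apply one sed expression to a file in place (without relying on sed -i).
edit_file() {
    sed -e "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm -f "$2.tmp"
}

# secret_token.rb: replace the shipped 'CHANGE ME' placeholder with 64 random bytes.
set_secret_token() {
    edit_file "s|secret_token = 'CHANGE ME'|secret_token = '$(rand_hex 64)'|" "$1"
}

# graylog2.conf: set mongodb_password to the value given as the second argument.
set_graylog_mongo_password() {
    edit_file "s|^mongodb_password = .*|mongodb_password = $2|" "$1"
}

# mongoid.yml: same layout the install script writes, with the given password.
write_mongoid_yml() {
    cat > "$1" <<EOF
production:
 host: localhost
 port: 27017
 username: grayloguser
 password: $2
 database: graylog2
EOF
}

# Demo on constructed copies of the three files; prints the directory used.
# On a real install the targets would be the paths the script above edits,
# and the same password would be passed to the db.addUser call for grayloguser.
demo_secrets() {
    dir=$(mktemp -d)
    echo "Graylog2WebInterface::Application.config.secret_token = 'CHANGE ME'" \
        > "$dir/secret_token.rb"
    echo "mongodb_password = 123" > "$dir/graylog2.conf"
    pw=$(rand_hex 16)
    set_secret_token "$dir/secret_token.rb"
    set_graylog_mongo_password "$dir/graylog2.conf" "$pw"
    write_mongoid_yml "$dir/mongoid.yml" "$pw"
    echo "$dir"
}

# Run the demo, show the rewritten files, and clean up.
demo_dir=$(demo_secrets)
cat "$demo_dir"/*
rm -rf "$demo_dir"
```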

Once the script completes connect to the ip/hostname of your Graylog2 server with your favorite browser and create your first login account. Or if you have installed on Ubuntu Desktop 12.04 you can just open firefox and type in http://localhost. You will then be prompted to create your first user.


Once you have created a user account you can then login and you will have a great looking Graylog2 web ui like below.


If you get a Ruby error page when connecting to the web interface that says it is unable to authorize grayloguser in the mongo graylog2 db, run the commands below. On a few occasions the script fails to create the mongo db and users. I have only had this issue when doing an apt-get upgrade prior to running this script.


mongo admin --eval "db.addUser('admin', 'password123')"
mongo admin --eval "db.auth('admin', 'password123')"
mongo graylog2 --eval "db.addUser('grayloguser', 'password123')"
mongo graylog2 --eval "db.auth('grayloguser', 'password123')"
sudo service elasticsearch restart
sudo service mongodb restart
sudo service graylog2-server restart
sudo service rsyslog restart
sudo service apache2 restart

For Windows logging to get sent to Graylog2, check out NXLog. It supports the GELF format as well. Below is an example nxlog.conf file for sending Windows events to Graylog2 in GELF format.

<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in>
    # Use 'im_mseventlog' for Windows XP and 2003
    Module      im_msvistalog
</Input>

<Output out>
    Module      om_udp
    Host        192.168.1.1
    Port        12201
    OutputType  GELF
</Output>

<Route r>
    Path        in => out
</Route>

Another thing that I have found is that the graylog2-server by default listens on IPv6 for UDP/TCP. I was having issues with sending logs to the udp/10514 port directly. The following code added to /etc/init.d/graylog2-server will force it to run on IPv4 ports.

-Djava.net.preferIPv4Stack=true

Add the code above to the section under echo "Starting graylog2-server ..." It should look like the below.

$NOHUP $JAVA_CMD -Djava.net.preferIPv4Stack=true -jar $GRAYLOG2_SERVER_HOME/graylog2-server.jar > /var/log/graylog2.log 2>&1 &

Restart the graylog2-server service for the change to take effect.

sudo /etc/init.d/graylog2-server restart

Using Graylog2 (version 0.11.0) I am seeing high CPU usage all the time. Apparently this is a known thing and will be fixed in a future release by setting processor_wait_strategy = blocking. The default is currently processor_wait_strategy = sleeping. Run the following to make this change.

sudo sed -i -e 's|processor_wait_strategy = sleeping|processor_wait_strategy = blocking|' /etc/graylog2.conf
sudo /etc/init.d/graylog2-server restart

To set the TTL (Time To Live) for Graylog2 messages within Elasticsearch and keep them from filling up all of the disk space, run the following.

curl -XPUT 'http://localhost:9200/graylog2/'
curl -XPUT "http://localhost:9200/graylog2/message/_mapping" -d'{"message": {"_ttl" : { "enabled" : true, "default" : "30d" }}}'

The first line builds the index and the second line sets the TTL to 30 days.
To clear all of your messages and hosts from graylog2 do the following.

cd /opt/elasticsearch/data/graylog2
sudo rm -rf *
mongo
use graylog2
db.message_counts.remove()
db.hosts.remove()
exit
sudo /etc/init.d/elasticsearch restart

I just had an issue with my graylog2 server and it was a java process taking about 90-100 percent CPU even after a reboot. It was caused by almost all of the disk space used where the mongodb grew too large for my system. Now you can add more space or just clear the db using the process above which is what I did. All good now.

Enjoy!

275 thoughts on “Ubuntu 12.04 Graylog2 Installation”

  1. when I type in http://locahost
    and the browser shows these:
    It works!
    This is the default web page for this server.

    The web server software is running but no content has been added, yet.

    the install log shows:
    action “configtest” failed

  2. First of all thanks for taking this project on. I was (and still am) having issues getting graylog2 installed and working.

    I’m currently working with a KVM virtual guest running Ubuntu 12.04LTS 64bit with only sshd installed and updates. I ran method #1 and with no changes to the install script and I’m getting the following errors (cut out of the install_graylog2.err file):

    ——————————————————————————————-
    ./graylog2/install_graylog2_ubuntu.sh: line 168: /home/root/.rvm/scripts/rvm: No such file or directory
    ./graylog2/install_graylog2_ubuntu.sh: line 169: rvm: command not found
    ./graylog2/install_graylog2_ubuntu.sh: line 175: gem: command not found
    ./graylog2/install_graylog2_ubuntu.sh: line 176: bundle: command not found
    ./graylog2/install_graylog2_ubuntu.sh: line 204: gem: command not found
    ./graylog2/install_graylog2_ubuntu.sh: line 205: passenger-install-apache2-module: command not found
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    cat: /tmp/graylog2.pid: No such file or directory
    /etc/init.d/graylog2-server: 20: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]… or
    kill -l [exitstatus]
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    ——————————————————————————————-

    It looks like there are other dependencies. Probably with ruby…

    Let me know what is missing or add the additional dependencies to the install script.

    Thanks!

    -Glen

    • Glen,
      It looks like you are either running as root or running sudo ./install_graylog2_ubuntu.sh which is why you are getting these errors. Root’s home folder is /root and not /home/root which is where the script is going. The best way I have seen thus far is to simply login to your ubuntu server and execute the script without sudo. The script will prompt for you to enter the sudo password when a command needs sudo.

      • Thanks for the update. I was able to install it as a normal user with sudo access.

        The one issue I’m seeing now is, I have two servers, one is the clone of the other and is used only as a backup for now. The backup server is currently not getting any data but is using about 80% CPU. I would expect high cpu on the server that is getting lots of msgs but the backup should have very low cpu usage.

        This is from top:
        PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
        1019 root 20 0 1774m 161m 12m S 130 8.1 18:38.89 java

        Any ideas as to why it’s using so much cpu?

        Thanks,

        -Glen

        • Glen,
          At the end of the post there is information on what I found on high CPU usage and what fixed mine. Have you tried that?

          Using Graylog2 (version 0.11.0) I am seeing high CPU usage all the time. Apparently this is a known thing and will be fixed in a future release by setting processor_wait_strategy = blocking. The default is currently processor_wait_strategy = sleeping.

          Run the following to make this change.

          sudo sed -i -e 's|processor_wait_strategy = sleeping|processor_wait_strategy = blocking|' /etc/graylog2.conf
          sudo /etc/init.d/graylog2-server restart

          • The sed script didn’t work (not sure why) but I changed it by hand and it fixed the issue! :) I did this to both the backup and active servers and cpu usage dropped on both of them.

            Thanks!

            -Glen

  3. Hello, I’m French so my English is not very good..

    I’m trying to install graylog2 on a virtual machine with ubuntu.

    So I start the script, but when it’s all finished, I try to browse to my ip address. I create the first user but after that I have this error :
    “Could not connect to ElasticSearch

    Make sure it is running and that you correctly configured this Graylog2 web interface.”

    So I try to restart elasticsearch with the command : service elasticsearch start. But nothing happens, elasticsearch doesn’t want to start. Can you help me ?

    And sorry for my English..

  4. Ran this on centos, got

    Phusion Passenger is a trademark of Hongli Lai & Ninh Bui.

    Adding Apache Passenger modules to /etc/httpd/conf.d/passenger.conf
    LoadModule passenger_module /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-3.0.19/ext/apache2/mod_passenger.so
    PassengerRoot /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-3.0.19
    PassengerRuby /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-3.0.19/ruby
    Restarting Apache2
    Stopping httpd: [FAILED]
    Starting httpd: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/passenger.conf: Cannot load /usr/local/rvm/gems/ruby-2.0.0-p0/ge ms/passenger-3.0.19/ext/apache2/mod_passenger.so into server: /usr/local/rvm/gems/ruby-2.0.0-p0/gems/passenger-3.0.19/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    [FAILED]
    Configuring Apache VirtualHost

    ServerName 192.168.10.45
    ServerAlias 192.168.10.45
    DocumentRoot /opt/graylog2-web-interface/public

  5. Thanks for this script, it worked amazingly!

    I had one question: when I do “netstat -napt | grep -i LISTEN” it doesn’t list anything listening on port 514? Should I see rsyslog listening on 514?

    What would be the best way to get linux rsyslog logs to graylog, send to 514 or 12201 directly?

    Thanks for the help and this great script!

    • Awesome. Port 514 for rsyslog is UDP/514. Run a netstat -lun and you should see it listed. I would send all rsyslog logs to 514 so the rules in place can do some proper formatting and such.

  6. I have a problem with installation. I get an apache error so I checked apache logs and i get this message:

    [Wed Jun 05 13:28:22 2013] [error] [client 192.168.105.x] File does not exist: /var/www/graylog2
    [Wed Jun 05 13:28:28 2013] [error] [client 192.168.105.x] File does not exist: /var/www/graylog2-web
    [Wed Jun 05 13:55:34 2013] [notice] caught SIGTERM, shutting down

    How to repair it?

  7. I’ve been having a problem getting mail and apache logs into graylog2. Everything looks correct in rsyslog (looks default)

    I noticed this in the script:
    “echo '*.err;*.crit;*.alert;*.emerg;cron.*;auth,authpriv.* @localhost:10514' | sudo tee -a /etc/rsyslog.d/32-graylog2.conf”
    And that’s pretty much all I see in graylog.

    If I wanted ALL logs going into graylog, can I just put a *.* in there and replace the stuff you have in there?

    I could be way off, but it’s all I’ve seen that could possibly be preventing everything from getting into graylog.

    Thanks for the help.

      • Awesome! Thanks for that, I had done that with the rsyslog.conf file but for some reason it was ignoring it.

        Thanks for your help, this is an awesome blog and you are very responsive. I appreciate all you’ve done to help all of us out that are still learning.

  8. Hi,

    I had the message: “no active graylog2 node running” in the Graylog2 webpage.

    Then I found some information that you could change your “/etc/graylog2-elasticsearch.yml”
    Then it started without any problem.

    # i only have 1 node
    discovery.zen.minimum_master_nodes: 1

    # still turning off multicast
    # 1. Disable multicast discovery (enabled by default):
    discovery.zen.ping.multicast.enabled: false

    # set this to your servername or ip:9300
    # 2. Configure an initial list of master nodes in the cluster
    # to perform discovery when new nodes (master or data) are started:
    discovery.zen.ping.unicast.hosts: ["YOURSERVERHERE:9300"]

  9. ubuntu 12.04 x64 latest update

    gets error
    * Starting web server apache2 apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    Action ‘start’ failed.
    The Apache error log may have more information.

  10. Hi! This script is pretty good, however there seems to be a problem with the ubuntu script:

    curl: (22) The requested URL
    Could not download ‘https://github.com/wayneeseguin/rvm/archive/stable.tar.gz’.
    curl returned status ’22′.

    returned error: 502 Bad Gateway
    ./graylog2/install_graylog2_ubuntu.sh: line 159: /home/hosting/.rvm/scripts/rvm: No such file or directory
    ./graylog2/install_graylog2_ubuntu.sh: line 160: rvm: command not found
    Installing Ruby Gems
    ./graylog2/install_graylog2_ubuntu.sh: line 165: gem: command not found
    ./graylog2/install_graylog2_ubuntu.sh: line 166: bundle: command not found
    Configuring MongoDB …

    Seems like the ‘https://github.com/wayneeseguin/rvm/archive/stable.tar.gz’ file has gone missing…

    Improvement wishes: some sanity checks. like if something fails, it breaks.

    Thanks, Arakiz

  11. Hi, Firstly, great script! The install worked without error.
    I do have a problem though – no syslog messages are coming in. When I do a netstat -lun there is no port 514 in the list.
    I’ve also set up the PartyLog appliance in a VM and that is working although the GrayLog version is out of date so I know my test server is sending syslog messages (via syslog-ng).
    Any ideas how to get port 514 UDP working?
    Thanks

  12. hi admin
    i tried method 1
    and installation complete i saw this error
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    Action ‘start’ failed.

    • apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
      Action ‘configtest’ failed.
      root@graylog2:~# The Apache error log may have more information.
      …fail!
      Installation has completed!!
      Browse to IP address of this Graylog2 Server Used for Installation
      IP Address detected from system is 192.168.2.111
      Browse to http://192.168.2.111
      You Entered 192.168.2.111 During Install
      Browse to http://192.168.2.111 If Different
      EveryThingShouldBeVirtual.com
      @mrlesmithjr

  13. Pingback: Collecting vSphere Syslog Data with Graylog2 | Everything Should Be Virtual

  14. hi admin i tried method 1 and when i run http://server ip address i see this error
    It works!

    This is the default web page for this server.

    The web server software is running but no content has been added, yet.

  15. ha admin my apache can’t work
    root@Log-server:~# /etc/init.d/apache2 restart
    apache2: Syntax error on line 214 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/httpd.conf: Cannot load /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/root/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
    Action ‘configtest’ failed.
    The Apache error log may have more information.
    …fail!

    • It looks like you are running the script as root. Did you pull the install script from github? And are you using Ubuntu or other Linux distro?

      • This is not an issue running as sudo or root sir, we are all having this issue, same here for me as well, ruby is breaking on ubuntu 12.04

        Here is where the break begins, it’s under “compiling and installing Apache2 module”

        output:
        ——————————————–
        Compiling and installing Apache 2 module…
        cd /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18
        /home/ubuntu/.rvm/wrappers/ruby-2.0.0-p247/rake apache2:clean apache2 RELEASE=yes
        # /home/ubuntu/.rvm/wrappers/ruby-2.0.0-p247/rake apache2:clean apache2 RELEASE=yes
        rake aborted!
        cannot load such file -- rubygems/builder
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/build/gempackagetask.rb:12:in `require'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/build/gempackagetask.rb:12:in `'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/build/basics.rb:41:in `require'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/build/basics.rb:41:in `'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/Rakefile:24:in `require'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/Rakefile:24:in `'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/bin/ruby_executable_hooks:15:in `eval'
        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/bin/ruby_executable_hooks:15:in `'
        (See full trace by running task with --trace)

        ——————————————–

        It looks like something went wrong

        Please read our Users guide for troubleshooting tips:

        /home/ubuntu/.rvm/gems/ruby-2.0.0-p247/gems/passenger-3.0.18/doc/Users guide Apache.html

        If that doesn’t help, please use our support facilities at:

        https://www.phusionpassenger.com

        We’ll do our best to help you.
        Adding Apache Passenger modules to /etc/apache2/httpd.conf
        LoadModule passenger_module /home/ubuntu/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so
        PassengerRoot /home/ubuntu/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18
        PassengerRuby /home/ubuntu/.rvm/wrappers/ruby-1.9.2-p320/ruby
        Module passenger already enabled
        Restarting Apache2
        apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /home/ubuntu/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so into server: /home/ubuntu/.rvm/gems/ruby-1.9.2-p320/gems/passenger-3.0.18/ext/apache2/mod_passenger.so: cannot open shared object file: No such file or directory
        Action ‘configtest’ failed.
        …fail!

  16. Thanks for the script! However I am having an issue with the Debian version.

    After installing, and browsing to the localhost, all that loads is the contents of /opt/graylog2-web-interface-0.11.0/public

    This includes the following files

    404.html
    422.html
    500.html
    /assets
    elasticsearch_noconnection.html
    elasticsearch_noindex.html
    favicon.ico
    mongo_connectionfailure.html
    robots.txt

    And after looking at the apache log, i see the following:
    [error] [client 10.10.10.100] File does not exist: /opt/graylog2-web-interface/public/login

    Even after downloading a fresh copy of the graylog2 i dont see a login file anywhere…

    thoughts?

      • Hi,
        I installed Graylog2 on a brand new Ubuntu 12.04 server running in vSphere 5. The script ran and completed, but I am experiencing the exact same issue where when I traverse to the server address I just get the index of / page instead of the login prompt. Were you ever able to find a resolution to this issue?

        The script is fantastic, BTW. The only thing I had to tweak was the version of passenger from 3.0.18 to 4.0.19. Other than that it worked perfectly aside from the issue mentioned above.

        Thanks in advance for any assistance, and thank you very much for the script.

    • I am getting EXACTLY the same problem while working on my debian server.

      The login file is missing or not being created in /opt/graylog2-web-interface/public/

      • @Awais Try the Debian installer again now. I have cleaned it up and it is working correctly for me again now so it should be fine now.

  17. hello.
    I did a little bit by changing the setup script manually. but I get the following error message.
    Can you help please?

    Web application could not be started

    /usr/local/lib/ruby/gems/2.0.0/gems/passenger-4.0.14/helper-scripts/rack-preloader.rb:39:in `split’: invalid byte sequence in US-ASCII (ArgumentError)
    from /usr/local/lib/ruby/gems/2.0.0/gems/passenger-4.0.14/helper-scripts/rack-preloader.rb:39:in `handshake_and_read_startup_request’
    from /usr/local/lib/ruby/gems/2.0.0/gems/passenger-4.0.14/helper-scripts/rack-preloader.rb:125:in `’
    from /usr/local/lib/ruby/gems/2.0.0/gems/passenger-4.0.14/helper-scripts/rack-preloader.rb:6:in `’
    from /usr/local/lib/ruby/gems/2.0.0/gems/passenger-4.0.14/helper-scripts/rack-preloader.rb:5:in `’

    Application root
    /opt/graylog2/graylog2-web-interface
    Environment (value of RAILS_ENV, RACK_ENV, WSGI_ENV and PASSENGER_ENV)
    ‘production’
    Ruby interpreter command

    /usr/local/bin/ruby

  18. I was able to get everything installed, which took several tries with doing nothing different each time, and logged in to the web interface. After I rebooted the server, I log in and get the error message “Could not connect to ElasticSearch”. I then tried manually running ElasticSearch from the install directory and I get the error “Could not locate the following binaries” with several of the ElasticSearch binaries listed. I then noticed that the install path to the binaries was wrong, it was looking for the binaries in “/home/user/graylog2/bin/service/exec/”. The correct path to the binaries was “/home/user/graylog2/elasticsearch-servicewrapper/service/exec/”. So I edited the elasticsearch file and changed the location to the correct path anywhere listed in that file and I still come up empty with trying to log in to Graylog2.

    I just never understand why some people, with the exact same version of Debian can get totally different results with the same script installing the same software. Hopefully someone could shed some light on this issue, any help is much appreciated.

    • I just wanted to add one more thing that I just noticed, when I manually run ElasticSearch by running “/home/user/graylog2/elasticsearch-servicewrapper/service/./elasticsearch”, after I modified the file to the correct path, it endlessly loops trying to load ElasticSearch. I opened up a second session and every time I run “ps -ef” the list grows larger and larger. Not sure why that is happening, but this has got to be a simple issue.

  19. It would be cool if you would add any *Prerequisites to the top of this article. Thank you!

    You will need to have the following services installed on either the host you are running graylog2-server on or on dedicated machines:

    ElasticSearch v0.20.4
    MongoDB (as recent stable version as possible, at least v2.0)

      • Ah, ok thank you. I ended up having to install them myself, something must have failed when the script ran. I ended up having to install ElasticSearch and MongoDB manually after it ran. Rebooted, Voila! It worked.

        Did I forget to say Thank You?

        THANK YOU! ROCKIN’ SCRIPT!
        Cap’n Chris

        • Cool deal. I have seen a few times where the url to pull external sources from has failed. Usually if you look at the log file created using the script you should be able to identify what failed. However this script is not 100% ironed out either :) But pretty close to working successful consistently. Always open to modifications from anyone as well.

      • Marcio M. come on man this guy spent a great deal of time preparing this for us. If you ran this script on a production server that is not his fault, please install this using something like Vagrant/AWS or Vagrant/Vbox then you can simply destroy the small instance if something goes wrong. Just my thoughts.

  20. Great thing….
    but doesn’t work…. have the same error like others with apache…

    tested 3 times… 2 x vm 1 x physical…. no luck.
    have sent you the error log.

    • Any luck yet? I am going to sit down and go through the script and see if I can duplicate the issue lately with 12.04 install. I have not installed in a few months so sounds like some of the modules pulled down are not the same which could explain some of this. Anyone with info would be much appreciated.

      • No luck sir! Is there somewhere I can send you the .log file for the install? I tried this on 13.04 and 12.04 no luck..keep in mind this is on AWS will that pose an issue with the default ubuntu user? I am logging in with ssh only not password, I went through some updates and installs, one was ripping out ruby and updating manually, but the script rips out my changes and goes back to 1.9.2 lol we may need to get 1.9.3 or higher in there.

        sudo apt-get --purge remove ruby-rvm
        sudo rm -rf /usr/share/ruby-rvm /etc/rvmrc /etc/profile.d/rvm.sh

        open new terminal and validate environment is clean from old RVM settings (should be no output):

        env | grep rvm

        if there was output, try to open new terminal, if it does not help then restart your computer.

        install RVM:

        \curl -L https://get.rvm.io | bash -s stable --ruby --autolibs=enable --auto-dotfiles

        • Cool. Let me know. It is working for me now. I rebuilt my Ubuntu 12.04 VM from scratch and did apt-get upgrade, rebooted and ran the script and it works perfect now. The .sh link is the same as it was before. I just made all of the changes to it.

          • is the reboot necessary after apt-get update? or is that just a habit of yours ; ). It’s running now without a restart.

  21. After the script completed and after I created first user I logged in and got this message “Sorry, but something went wrong”

    So I checked (/var/log/apache2/error.log) and saw this:
    ActionView::Template::Error (Permission denied – /opt/graylog2-web-interface-0.12.0/tmp):

    So I looked and found no tmp directory in /opt/graylog2-web-interface-0.12.0/ so I created the tmp folder and set the permissions for nobody:nogroup

    sudo mkdir /opt/graylog2-web-interface-0.12.0/tmp/
    sudo chown nobody:nogroup /opt/graylog2-web-interface-0.12.0/tmp/

    Then the web GUI loaded.

  22. I keep hitting a snag when running the script. This has happened with 3 different Ubuntu installs (two 12.04 and one 13.04). These were fresh installs, and on the last try I didn’t even update it as I thought perhaps the updating the packages was affecting the install. This is where it dies:

    Installing Apache-Passenger Modules
    Building native extensions. This could take a while…
    Successfully installed passenger-4.0.21
    1 gem installed
    Installing ri documentation for passenger-4.0.21…
    Installing RDoc documentation for passenger-4.0.21…
    ./graylog2/install_graylog2_ubuntu.sh: line 199: /var/lib/gems/1.9.1/gems/passenger-4.0.20/bin/passenger-install-apache2-module: No such file or directory

    Any insight or assistance would be appreciated.

    • you installed passenger-4.0.21
      and you tried to open /var/lib/gems/1.9.1/gems/passenger-4.0.20

      You can change this in the script. or change the files manually

  23. Nice script.

    For the people who got a “Could not connect to ElasticSearch” error.
    The default required memory for elasticsearch is 1024. You can change this in the conf file. Or expand your virtual machine memory.
    nano /opt/elasticsearch/bin/service/elasticsearch.conf
    ES_HEAP_SIZE from 1024 to 512

  24. Hello,

    First of all, thank you for this nice script. I am using Ubuntu 12.04 and the installation of graylog2 worked. I can login to graylog2, but it says “Warning! It seems like you have no active Graylog2 node running.” I have restarted Apache a few times and I have set the timezone to CET for the webinterface (found this issue somewhere in Google). But it’s still not working. Do you have any ideas?
    Thank you.

  25. Hello All,

    What do you think will be the best way to monitor my Graylog2 server from Nagios? I have nrpe checking the status of ElasticSearch, but how do I check that syslog messages are actually being accepted? Because it uses UDP 514.

    I found a good script here https://github.com/lbosque/check_syslog but my problem is I can’t find where to configure the “syslog” server on my graylog2 install for the return message back…

    Any help?

    Thanks

  26. to follow the example of the above post installation was okay, but I found this error in the log graylog2 (/var/log/graylog2.log):

    11.21.2013 13:45:17,681 WARN : org.elasticsearch.discovery – [graylog2-server] Waited for 30s and no initial state was Set by the discovery
    Exception in thread “main” org.elasticsearch.discovery.MasterNotDiscoveredException: Waited for [30s]
    at
    at
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

    What could be causing this? I’ve seen other answers to this problem and none of them worked.

    I’m using ubuntu lts 12.04

  27. nice … ty
    one comment.
    line 199: /var/lib/gems/1.9.1/gems/passenger-4.0.24/bin/passenger-install-apache2-module: No such file or directory

    4.0.24 >> 4.0.25

      • apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/passenger.load: Cannot load /var/lib/gems/1.9.1/gems/passenger-/buildout/apache2/mod_passenger.so into server: /var/lib/gems/1.9.1/gems/passenger-/buildout/apache2/mod_passenger.so: cannot open shared object file: No such file or directory

        • this works i think..

          # Install Apache-passenger
          echo "Installing Apache-Passenger Modules"
          gem install passenger
          ln -s /var/lib/gems/1.9.1/gems/passenger-$passengerver /var/lib/gems/1.9.1/gems/passenger
          /var/lib/gems/1.9.1/gems/passenger-$passengerver/bin/passenger-install-apache2-module --auto

          # Add passenger modules for Apache2
          echo "Adding Apache Passenger modules to /etc/apache2/httpd.conf"
          echo "LoadModule passenger_module /var/lib/gems/1.9.1/gems/passenger/buildout/apache2/mod_passenger.so" | tee -a /etc/apache2/mods-available/passenger.load
          echo "PassengerRoot /var/lib/gems/1.9.1/gems/passenger" | tee -a /etc/apache2/mods-available/passenger.conf
          echo "PassengerRuby /usr/bin/ruby1.9.1" | tee -a /etc/apache2/mods-available/passenger.conf
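The version mismatches reported in comments 22 and 27 (gem installed as one passenger release, script pointing at another) and the resulting "Cannot load ... mod_passenger.so" Apache errors can be caught before Apache is touched. The following is an added example, not part of any comment or of the install script; the function names and the sample tree are hypothetical, and the gems directory in the usage comment is the one quoted above.

```bash
#!/usr/bin/env bash
# Added example: use the passenger gem that is actually installed and refuse to
# emit a LoadModule line for a module that was never built.

# Print the highest-versioned passenger-X.Y.Z directory under GEMS_DIR ($1).
# sort -V orders 4.0.9 before 4.0.21, which a plain lexical sort would not.
newest_passenger_dir() {
    local gems_dir=$1 d
    for d in "$gems_dir"/passenger-[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done | sort -V | tail -n 1
}

# Print the LoadModule line for GEMS_DIR ($1), or fail if no built module exists.
# Both module locations that appear in the errors quoted in this thread are
# checked: ext/apache2 (passenger 3.0.18) and buildout/apache2 (passenger 4.0.x).
passenger_load_line() {
    local root so
    root=$(newest_passenger_dir "$1")
    if [ -z "$root" ]; then
        echo "no passenger gem found under $1" >&2
        return 1
    fi
    for so in "$root/buildout/apache2/mod_passenger.so" \
              "$root/ext/apache2/mod_passenger.so"; do
        if [ -f "$so" ]; then
            printf 'LoadModule passenger_module %s\n' "$so"
            return 0
        fi
    done
    echo "mod_passenger.so was not built in $root" >&2
    return 1
}

# Constructed sample tree: three gem versions, the middle one never compiled.
make_sample_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/passenger-4.0.9/buildout/apache2" \
             "$t/passenger-4.0.20" \
             "$t/passenger-4.0.21/buildout/apache2"
    : > "$t/passenger-4.0.9/buildout/apache2/mod_passenger.so"
    : > "$t/passenger-4.0.21/buildout/apache2/mod_passenger.so"
    printf '%s\n' "$t"
}

# Usage inside an installer (stops instead of leaving Apache unable to start):
#   line=$(passenger_load_line /var/lib/gems/1.9.1/gems) || exit 1
#   echo "$line" > /etc/apache2/mods-available/passenger.load
#   apache2ctl configtest || exit 1
```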

          • I think i messed it up some more by trying to insert the pre-realease …. lol

            gonna try it now :)

          • @n00blet I have not tried the new pre-release with it yet but let me know if you have success or not.

      • it fails here
        cp: cannot stat `/opt/graylog2-server/elasticsearch.yml.example’: No such file or directory

        the only place i find that file is /opt/elasticsearch-0.90.6/config/elasticsearch.yml

          • …. got around the previous comment… but got this
            Bundler::GemfileNotFound

            in short… does the preview install from your script.. no.. not yet

          • Not sure if the new preview version works yet or not. I have not attempted to even install it yet but plan on working on it once the stable release is out.

  28. After third attempt all good, should have read the guidelines first, in the end new install of Ubuntu 12.04.3, ran the script all good, excellent work

  29. Pingback: Ubuntu Logstash Server with Kibana3 Front End Autoinstall | Everything Should Be Virtual

  30. First of all thanks for the great job!
    I installed graylog2 using the script some weeks ago and it worked fine.
    A couple of days ago I tried to install it again. Installation was successful however, when I login I get the message “Warning! It seems like you have no active Graylog2 node running.” Ufw is disabled (it was enabled during the installation though).
    What can I check? The server is an Ubuntu 12.04.3 x64 (KVM)

    • @skipper
      I had seen this the other day as well. Here is what I did.
      sudo service elasticsearch restart
      sudo service graylog2-server restart

  31. Thank you for the fast response.
    I tried that and nothing changed, I also tried rebooting the server but that didn’t help either.
    I don’t know if this is an error of the web-interface or the logs don’t go to graylog2 server. How can I look if logs are going to mongodb, graylog2-server?
    If I try to re-install with the script will it overwrite the existing installation?

  32. I have a Ubuntu Server 12.04.3 system and when i’m install ubuntu.sh script, everything is alright, Graylog works perfectly but when i’m trying ubuntu_preview.sh on a fresh system, i have this error :

    “Caused by: java.net.ConnectedException: Connexion refused: /127.0.0.1:12900 to http://127.0.0.1:12900/system/cluster/node at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:103…

    screen here : http://img833.imageshack.us/img833/3012/ubhr.jpg

    thanks in advance for your advise

    oh and sorry for my english, i’m french ;)

    Benjamin

  33. Thanks for this great Job.
    Version 0.12.0 works fine.
    Can´t wait for a functionally preview Version for testing.
    Greetz from Germany.

        • Hi Folks,

          Installation breaks at Java. Connection refused by localhost on port 12900.
          Used System: Ubuntu 12.04.3 64bit Desktop with latest updates.
          I will try it out, perhaps a firewall problem. But there is no firewall by default…

          • @Chris,
            Graylog2 Server is not running so those errors are more than likely coming from the web interface trying to connect. Do the following below and reboot.

            To start graylog2-server and graylog2-web-interface on reboot add the following to /etc/rc.local above the line that is exit 0

            /opt/graylog2-server/bin/graylog2ctl start
            sleep 2m
            nohup /opt/graylog2-web-interface/bin/graylog2-web-interface &

          • Hi,
            preview script works fine.
            Sorry, I did not read all the information above…
            After changing the entries in rc.local, everything works perfect.
            So many thanks for this incredible work. Greetings from Germany…Chris

  34. Great script! Everything installed perfectly on a fresh 12.04.3 install.
    However i do get one message after logging in “Warning! It seems like you have multiple Graylog2 master nodes running.”

    I rebooted several times and waited to see if it goes away and it does not.

    Do you know what might be causing this?

    Thanks!

  35. I have installed this on Ubuntu 12.04, then followed the on screen instructions to install Rake, Gems, etc. But then server never starts, and I noticed that the file referenced in the startup script does not exist: /opt/graylog2-web-interface/bin/graylog2-web-interface

    the folder “/opt/graylog2-web-interface/” exists, but no BIN folder?

    Thanks for all your work on this!

    • @glenn Which script did you use? You should not have to do anything in regards to following any on screen instructions.

      • I used the latest one GIT. I found the problem. I thought it had finished the installer but it dropped out after it found that rake, ruby gems and 2 others were not installed. Your installer stopped right at the screen showing how to install those items. Once I installed them, I had to re run the installer to pick up where it left off. Of course I had issues as some of the commands like MV did not want to run again as some files already existed. once I worked through that it installed just fine and now works.

        Thanks!

    • ugh, not sure what the problem was…
      it started to work correctly after resetting the “Settings” in the Cisco ASA. Which I know I had correct before. But the SOURCE is correct now.

        • Well, it did work and I thought I knew why but I tried cleaning things up and ended up reinstalling. And now I am not able to get it to work again lol with the Cisco ASA. I installed Ubuntu and then your script, but then updated some packages which might have caused the problem.

        • Ok, for the Cisco ASA with your latest PREVIEW_UBUNTU.sh rc1 script you will have to run all the uncommented code in the section “Updating graylog2.conf and rsyslog.conf”. And restart the rsyslog server. If you create an INPUT with UDP 514 you will get the messed up Cisco events in Graylog2.

          First time I did it another way and got it to work. But you had all the info there anyways :)

          Thanks for this great script.

          • @Frank That makes sense then. If I am following you correctly you are allowing the actual rsyslog process to run on UDP/514 and also rewrite the received syslog messages and then redirect to UDP/10514? I know this works for sure as this is the way that I was doing it in the previous versions of Graylog2. :) I have been playing with the preview script to try and figure out what works best though. Exactly why I left that bit of code in the script but commented out. Great job and hope it works for you now. :)

    • the script completes no errors on 12.04.3
      however, once the PLAY server starts, it errors and outputs this on console.
      Caused by: java.net.ConnectException: Connection refused: /127.0.0.1:12900
      at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[na:1.7.0_25]
      at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:708) ~[na:1.7.0_25]
      at org.jboss.netty.channel.socket.nio.NioClientBoss.connect(NioClientBoss.java:150) ~[io.netty.netty-3.7.0.Final.jar:na]
      at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:105) ~[io.netty.netty-3.7.0.Final.jar:na]
      at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:79) ~[io.netty.netty-3.7.0.Final.jar:na]
      at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312) ~[io.netty.netty-3.7.0.Final.jar:na]
      [error] lib.ApiClient - API call failed to execute.

      rebooted && error went away?

  36. I seem to have reached a limit on the number of hosts, 201, is this an actual Graylog2 limit or should I be looking at something else

  37. I followed your instructions and it was working fine for about a week. Today it just keeps getting this message: “no active graylog2 node running”

    I tried the suggestion and still same error

  38. Hi Larry,

    Thanks for the awesome script!
    I do have one problem with syslog data in RC1. all my syslog data is messed up and it uses id field in syslog instead of host name. so I end up having thousands incorrect hosts.

    any suggestion on how to fix this?
    Thanks

    • Remove the input for UDP syslog that you created and then create a new input but instead choose RAW UDP and use 514 as the port. The only issue with this is that you will not have any syslog fields for searching and etc but you can create extractors to manipulate using REGEX. :( I am having a similar issue but have not had the time to start getting this all figured out.

    • @Ricardo what happens if you do the following from a terminal session on your Graylog2 server?
      ps -ef | grep graylog2
      netstat -ltn
      netstat -lun

      paste those results.

      And then run the following
      sudo service graylog2-server start
      Wait about 90 secs and then run the following
      sudo service graylog2-web-interface start

      • ps -ef | grep graylog2:

        ubuntu2:/$ ps -ef | grep graylog2
        root 2323 1 1 15:03 ? 00:00:49 java -Xms1024m -Xmx1024m -XX:MaxPermSize=256m -XX:ReservedCodeCacheSize=128m -Duser.dir=/opt/graylog2-web-interface-0.20.0-rc.1-1 -cp /opt/graylog2-web-interface-0.20.0-rc.1-1/lib/graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1-1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.scala-lang.scala-library-2.10.3.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.sbt-link-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.javassist.javassist-3.18.0-GA.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-exceptions-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.templates_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.github.scala-incubator.io.scala-io-file_2.10-0.4.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.github.scala-incubator.io.scala-io-core_2.10-0.4.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.jsuereth.scala-arm_2.10-1.3.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-iteratees_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.scala-stm.scala-stm_2.10-0.7.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.config-1.0.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-json_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-functional_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-datacommons_2.10-2.2.2-RC1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/joda-time.joda-time-2.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.joda.joda-convert-1.3.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.fasterxml.jackson.core.jackson-annotations-2.2.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.fasterxml.jackson.core.jackson-core-2.2
.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.fasterxml.jackson.core.jackson-databind-2.2.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.scala-lang.scala-reflect-2.10.3.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/io.netty.netty-3.7.0.Final.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.netty.netty-http-pipelining-1.1.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.slf4j.slf4j-api-1.7.5.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.slf4j.jul-to-slf4j-1.7.5.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.slf4j.jcl-over-slf4j-1.7.5.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/ch.qos.logback.logback-core-1.0.13.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/ch.qos.logback.logback-classic-1.0.13.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.akka.akka-actor_2.10-2.2.0.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.akka.akka-slf4j_2.10-2.2.0.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.apache.commons.commons-lang3-3.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.ning.async-http-client-1.7.18.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/oauth.signpost.signpost-core-1.2.1.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/commons-codec.commons-codec-1.3.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/oauth.signpost.signpost-commonshttp4-1.2.1.2.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.apache.httpcomponents.httpcore-4.0.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.apache.httpcomponents.httpclient-4.0.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/commons-logging.commons-logging-1.1.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/xerces.xercesImpl-2.11.0.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/xml-apis.xml-apis-1.4.01.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/javax.transaction.jta-1.1.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/com.typesafe.play.play-java_2.10-2.2.2-RC1.jar:/opt/graylog2-web-
interface-0.20.0-rc.1-1/lib/org.yaml.snakeyaml-1.12.jar:/opt/graylog2-web-interface-0.20.0-rc.1-1/lib/org.hibernate.hibernate-validator
        tristate 3106 2769 0 16:19 pts/0 00:00:00 grep --color=auto graylog2

        ubuntu2:/$ netstat -ltn
        Active Internet connections (only servers)
        Proto Recv-Q Send-Q Local Address Foreign Address State
        tcp 0 0 127.0.0.1:32000 0.0.0.0:* LISTEN
        tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
        tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
        tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN
        tcp 0 0 127.0.0.1:5939 0.0.0.0:* LISTEN
        tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
        tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
        tcp6 0 0 :::9000 :::* LISTEN
        tcp6 0 0 :::9200 :::* LISTEN
        tcp6 0 0 :::9300 :::* LISTEN
        tcp6 0 0 ::1:631 :::* LISTEN

        ubuntu2:/$ netstat -lun
        Active Internet connections (only servers)
        Proto Recv-Q Send-Q Local Address Foreign Address State
        udp 0 0 0.0.0.0:514 0.0.0.0:*
        udp 0 0 127.0.0.1:53 0.0.0.0:*
        udp 0 0 0.0.0.0:68 0.0.0.0:*
        udp 0 0 0.0.0.0:59462 0.0.0.0:*
        udp 0 0 0.0.0.0:41067 0.0.0.0:*
        udp 0 0 0.0.0.0:36471 0.0.0.0:*
        udp 0 0 0.0.0.0:5353 0.0.0.0:*
        udp6 0 0 :::514 :::*
        udp6 0 0 :::54328 :::*
        udp6 0 0 :::5353 :::*
        udp6 0 0 :::54647 :::*

          • ubuntu2:~$ sudo service graylog2-server start
            Starting graylog2-server …
            ubuntu2:~$

            Same issue.

            How can I completely remove it and start from the beginning? I mean it was working fine for a week.

          • I think I figured it out. Check and see if there is a graylog2.pid file in /tmp. If so do an rm /tmp/graylog2.pid and then sudo service graylog2-server start. I have modified the graylog2-server init script to check for this file now. I also have an uninstall script ready to post but for some reason I cannot commit it to github right now.

          • It looks like there is also something wrong with elasticsearch starting on boot correctly which makes graylog2-server fail. I will try to figure this out in the next few days if I can. For now you can do the following.
            sudo service elasticsearch restart
            wait about a minute or so for it to completely start then..
            sudo service graylog2-server restart
            wait about another minute or so and then…
            sudo service graylog2-web-interface restart
            give it a few minutes and then you should be able to connect to http://graylog2server.name.or.ip:9000

          • I tried your suggestion and it didn’t work.

            I ended up doing a fresh ubuntu/graylog2 install and it is working again. Let’s see how long it lasts.

            Thanks for your help

          • @Ricardo that is great to know. I am interested if you reboot if it will stop working. I am seeing some funkiness with the latest builds and elasticsearch.

  39. Hmmm, yeah, I get that error also now…

    echo '/opt/graylog-server/bin/graylog2ctl start' >> /etc/rc.local
    update-rc.d graylog-server disable
    service elasticsearch restart

      • /etc/init.d/graylog2-server: 14: [: missing ]

        [error] lib.ApiClient – API call failed to execute.

        Caused by: java.net.ConnectException: Connection refused: /127.0.0.1:12900
        at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[na:1.7.0_51]
        at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:739) ~[na:1.7.0_51]
        at org.jboss.netty.channel.socket.nio.NioClientBoss.connect(NioClientBoss.java:150) ~[io.netty.netty-3.7.0.Final.jar:na]
        at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:105) ~[io.netty.netty-3.7.0.Final.jar:na]
        at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:79) ~[io.netty.netty-3.7.0.Final.jar:na]
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312) ~[io.netty.netty-3.7.0.Final.jar:na]

        • found my issue :D
          grep ERROR /var/log/graylog2.log
          2014-02-07 07:23:01,655 ERROR: org.graylog2.Main -
          ERROR: No ElasticSearch master was found.

          • So you confirmed some funkiness with Elasticsearch that I have been seeing as well. The last two releases of Elasticsearch have not been starting correctly 100% of the time.

  40. So if you are sending rsyslog entries from client systems directly through UDP port 514 on Graylog2 0.20 versus having them go to a central rsyslog server and forward to Graylog? It doesn’t seem to do hostnames and the end result is a useless mess. Am I missing some step?

    • The script has been updated to now forward from rsyslog running on UDP/514 to Graylog2 running on UDP/10514. This is how the old version of Graylog2 worked as well. So if you can follow the uninstall section for Preview/RC and then reinstall from scratch it will work this way. Or if you would rather not uninstall/reinstall then you can do the following.
      Remove current input of UDP/514 on Graylog2
      Add a new input Syslog UDP/10514 on Graylog2
      Run the following commands on your Graylog2 server terminal.
      sudo bash
      sed -i -e 's|#$ModLoad immark|$ModLoad immark|' /etc/rsyslog.conf
      sed -i -e 's|#$ModLoad imudp|$ModLoad imudp|' /etc/rsyslog.conf
      sed -i -e 's|#$UDPServerRun 514|$UDPServerRun 514|' /etc/rsyslog.conf
      sed -i -e 's|#$ModLoad imtcp|$ModLoad imtcp|' /etc/rsyslog.conf
      sed -i -e 's|#$InputTCPServerRun 514|$InputTCPServerRun 514|' /etc/rsyslog.conf
      sed -i -e 's|*.*;auth,authpriv.none|#*.*;auth,authpriv.none|' /etc/rsyslog.d/50-default.conf
      echo '$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %hostname% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"' | tee /etc/rsyslog.d/32-graylog2.conf
      echo '$ActionForwardDefaultTemplate GRAYLOG2' | tee -a /etc/rsyslog.d/32-graylog2.conf
      echo '$PreserveFQDN on' | tee -a /etc/rsyslog.d/32-graylog2.conf
      echo '*.info @localhost:10514' | tee -a /etc/rsyslog.d/32-graylog2.conf
      service rsyslog restart

      Now you should be getting what you are looking for.

  41. Hello!
    I used your script on fresh Ubuntu 12.4.4 LTS.
    The script was run as “root”.
    It stopped at
    “Starting ElasticSearch…
    Waiting for ElasticSearch…
    WARNING: ElasticSearch may have failed to start.”
    How can I start ElasticSearch manually and resume the installation script?

  42. so I ran the install script
    and I got this error
    [error] lib.ApiClient – API call failed to execute.
    Connection refused: /127.0.0.1:12900

    if I start graylog2 manually after the script is done, the error goes away.

    gonna try it again on 12.04

  43. Thank you very much for these installation scripts.
    I have one question …
    … how should the graylog2 server be configured to be able to get nxlog Windows logs? Do you have to configure a listener for port 12201? If yes, which kind of listener?

    Thank you very much again.

  44. Ran the new script for 0.20.0 Release and received the following error:

    ********************************************************
    W: GPG error: http://ppa.launchpad.net hardy Release: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 665F9AEFE1098513
    W: Failed to fetch http://ppa.launchpad.net/gilir/ubuntu/dists/hardy/universe/binary-i386/Packages 404 Not Found

    E: Some index files failed to download. They have been ignored, or old ones used instead.
    *************************************************

  45. sry :P
    so I ran the script and it seems graylog doesn’t start upon boot

    at the web interface
    “No Graylog2 servers available. Cannot log in..”
    /opt/graylog2-server/bin/graylog2ctl status
    graylog2-server not running

  46. Hello.

    I just ran the v0.20.0 Release script on a clean install of Ubuntu.

    I saw this error during the installation:
    ********************************************
    Making graylog2-web-interface startup on boot
    update-rc.d: warning: /etc/init.d/graylog2-web-interface missing LSB information
    update-rc.d: see
    ***************************************************************

    Once I go to the logon screen I see the following message:
    ************************************************
    No Graylog2 servers available. Cannot log in.
    **********************************************

    • Either elasticsearch isn’t running which caused graylog2-server to not start or just graylog2-server is not running. The missing LSB information can be disregarded and has nothing to do with the issue. There have been numerous issues with elasticsearch starting correctly or starting, stopping and then starting again. Without elasticsearch running graylog2-server will not start. So do the following.

      sudo service elasticsearch status
      sudo service graylog2-server status

      If elasticsearch shows running and a PID then restart graylog2-server but if elasticsearch is not running you will need to restart elasticsearch and make sure it is running.

      sudo service graylog2-server restart

      also do the following and report back

      netstat -ltn
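
The check described in the reply above, as an added example that is not part of the original post or the install script: it reads `netstat -ltn` output, names the first component in the elasticsearch, graylog2-server, graylog2-web-interface chain that has no listening socket, and lists backend ports bound to every interface so they can be restricted by bind address or firewall. Ports 12900 and 9000 come from this thread; 9200/9300 (elasticsearch) and 27017/28017 (MongoDB) are assumed defaults, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; not part of the install script discussed in this thread.
# Assumed ports: 9200/9300 elasticsearch, 27017/28017 MongoDB (defaults);
# 12900 graylog2-server REST API and 9000 web interface (seen in the thread).

# Print "<local-address> <port>" for every listening TCP socket on stdin.
listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        print substr($4, 1, length($4) - length(port) - 1), port
    }'
}

# Succeed if port $2 is present in the listener list passed as $1.
has_port() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Name the first component of the start-up chain that is not listening.
first_down() {
    l=$(listeners)
    if ! has_port "$l" 9200 || ! has_port "$l" 9300; then
        echo elasticsearch
    elif ! has_port "$l" 12900; then
        echo graylog2-server
    elif ! has_port "$l" 9000; then
        echo graylog2-web-interface
    else
        echo none
    fi
}

# List backend ports reachable on every interface (0.0.0.0 or ::).
wildcard_backends() {
    listeners | awk '($1 == "0.0.0.0" || $1 == "::") &&
        ($2 == 27017 || $2 == 28017 || $2 == 9200 || $2 == 9300 || $2 == 12900) {
            print $2
        }' | sort -n | awk '{ printf "%s%s", sep, $0; sep = " " } END { print "" }'
}

# Constructed sample modelled on the netstat output pasted in this thread.
sample() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 :::9000 :::* LISTEN
tcp6 0 0 :::9200 :::* LISTEN
tcp6 0 0 :::9300 :::* LISTEN
EOF
}

echo "first component down: $(sample | first_down)"
echo "backends on all interfaces: $(sample | wildcard_backends)"
```

On a live host, pipe the real output in instead of the sample, for example `netstat -ltn | first_down`.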

      • Ubuntu2:/# sudo service elasticsearch status
        * elasticsearch is running
        Ubuntu2:/# sudo service graylog2-server status
        graylog2-server running as pid 11691
        Ubuntu2:/# sudo service graylog2-server restart
        Restarting graylog2-server …
        Stopping graylog2-server (11691) …
        rm: cannot remove `/tmp/graylog2.pid’: No such file or directory

        Starting graylog2-server ..

        *****It takes about 2 minutes then i get:*******

        Ubuntu2:/# /usr/bin/nohup: redirecting stderr to stdout

        I’ll do the uninstall /re-install and report back

        • @Ricardo Well all should have been working with all of those components running. The 2 minutes was a sleep command I had in the graylog2-server startup script to give elasticsearch time to start completely.

          • Did the uninstall/re-install.

            Same issue. I also see the following messages coming up:

            root@Ubuntu2:~# Play server process ID is 13303
            [debug] application – Loading timeout value into cache from configuration for key DEFAULT: Not configured, falling back to default.
            [debug] application – Loading timeout value into cache from configuration for key node_refresh: Not configured, falling back to default.
            [error] lib.ApiClient – API call failed to execute.
            java.util.concurrent.ExecutionException: java.net.ConnectException: Connection refused: /127.0.0.1:12900 to http://127.0.0.1:12900/system/cluster/node
            at com.ning.http.client.providers.netty.NettyResponseFuture.abort(NettyResponseFuture.java:336) ~[com.ning.async-http-client-1.7.18.jar:na]
            at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:107) ~[com.ning.async-http-client-1.7.18.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:427) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:418) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:380) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:109) ~[io.netty.netty-3.7.0.Final.jar:na]
            Caused by: java.net.ConnectException: Connection refused: /127.0.0.1:12900 to http://127.0.0.1:12900/system/cluster/node
            at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:103) ~[com.ning.async-http-client-1.7.18.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:427) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:418) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:380) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.socket.nio.NioClientBoss.processSelectedKeys(NioClientBoss.java:109) ~[io.netty.netty-3.7.0.Final.jar:na]
            at org.jboss.netty.channel.socket.nio.NioClientBoss.process(NioClientBoss.java:79) ~[io.netty.netty-3.7.0.Final.jar:na]
            Caused by: java.net.ConnectException: Connection refused: /127.0.0.1:12900

          • @Ricardo that is coming from graylog2-server not running. is elasticsearch running this time?
            paste the following back.
            netstat -ltn

            Reboot if you need to as well. Also what specs are on your server?

          • @MACscr There is not an upgrade path that I know of. The init.d scripts have been working just fine (other than some tweaks). There are a few people that have had issues but these are mainly due to elasticsearch and not graylog2.

          • So if there is no upgrade path, we’re supposed to wipe everything and start from scratch every time? That doesn’t sound any good.

          • @MACscr You would need to reach out to the developers of Graylog2 about upgrading I suppose. All I am doing is making this an easier process for those who want to use Graylog2. But if you find out a way to upgrade by all means feel free to contribute.

          • Sorry if it seemed I was frustrated with you, not at all and I really appreciate the time you have put into not only these installers, but helping us newbies troubleshoot it.

          • It’s all good. My misunderstanding of the version you wanted to upgrade from. I can work something out on that for sure.

          • @MACscr I just realised you are on preview/RC wanting to go to stable release. I thought you were wanting to upgrade from v0.12.0 Let me do some testing and see what it would take to upgrade. It should just be a matter of upgrading graylog2-server and graylog2-web-interface.

  47. sry for the delay……grrrr change management…..

    so the update script (rc >> .2.1) works and does save data(29m ish)… but
    the wget lines need to be updated…..and the old graylog2-web process needs to be killed manually.

  48. Hi
    Hate to be a pain, really like what I see with the latest version but do have a couple of issues, Blacklists, found them useful in v12 and am aware that this will be coming, deleting hosts, can’t seem to find how to do this, we have over 660 sites and around 2000 pieces of kit which will be logging, from time to time things change and I will need to delete hosts, any help would be appreciated

    Regards

  49. Hi,

    I recently installed graylog2 V0.20.1 from the “install_graylog2_20_ubuntu.sh” script on a fresh ubuntu 12.04.
    The server logs UDP syslog messages on port 514. Everything seems working but after several minutes messages are not refreshed instantly. A reboot of the server is needed.

    I get the following error on the graylog2-web-interface log:

    [ERROR] – from lib.ApiClient in servernodes-refresh-0
    java.util.concurrent.ExecutionException: java.net.ConnectException: Connection refused: /127.0.0.1:12900 to http://127.0.0.1:12900/system/cluster/node

    Services status are :

    $ service mongodb status
    mongodb start/running, process 1464
    $ service elasticsearch status
    * elasticsearch is running
    $ service graylog2-server status
    graylog2-server running as pid 1480
    $ service graylog2-web-interface status
    graylog2-web-interface running as pid 1483

    Listening ports are :

    $ netstat -ltnp
    Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN –
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN –
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN –
    tcp 0 0 0.0.0.0:27017 0.0.0.0:* LISTEN –
    tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN –
    tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN –
    tcp 0 0 0.0.0.0:28017 0.0.0.0:* LISTEN –
    tcp6 0 0 :::9300 :::* LISTEN –
    tcp6 0 0 :::22 :::* LISTEN –
    tcp6 0 0 ::1:631 :::* LISTEN –
    tcp6 0 0 :::12900 :::* LISTEN –
    tcp6 0 0 :::9350 :::* LISTEN –
    tcp6 0 0 :::9000 :::* LISTEN –
    tcp6 0 0 :::9200 :::* LISTEN -

    Any idea?

    Thank you!

    Ludovic

    • Dear Mr Smith,

      I followed the script for Graylog2 v0.12.0 and everything was successful, however with the script for v0.20.0 and v0.20.1rc, there were java errors at the end of installation. I could not start the graylog2-web-interface service; the other services were started well.
      Here’s the installation log:
      Oops, cannot start the server.
      @6hmicpe10: Cannot init the Global object
      at play.api.WithDefaultGlobal$$anonfun$play$api$WithDefaultGlobal$$globalInstance$1.apply(Application.scala:55)
      at play.api.WithDefaultGlobal$$anonfun$play$api$WithDefaultGlobal$$globalInstance$1.apply(Application.scala:49)
      at play.utils.Threads$.withContextClassLoader(Threads.scala:18)
      at play.api.WithDefaultGlobal$class.play$api$WithDefaultGlobal$$globalInstance(Application.scala:48)
      at play.api.DefaultApplication.play$api$WithDefaultGlobal$$globalInstance$lzycompute(Application.scala:399)
      at play.api.DefaultApplication.play$api$WithDefaultGlobal$$globalInstance(Application.scala:399)
      at play.api.WithDefaultGlobal$class.global(Application.scala:64)
      at play.api.DefaultApplication.global(Application.scala:399)

      After that I checked the status of services:

      nam@graylog2:~$ sudo service mongodb status
      mongodb start/running, process 8925
      nam@graylog2:~$ sudo service elasticsearch status
      nam@graylog2:~$ sudo service graylog2-server status
      graylog2-server running as pid 9436
      nam@graylog2:~$ sudo service graylog2-web-interface status
      graylog2-web-interface not running
      nam@graylog2:~$ sudo service graylog2-web-interface start
      Starting graylog2-web-interface …
      nam@graylog2:~$ /usr/bin/nohup: appending output to `nohup.out’
      nam@graylog2:~$

      After that the terminal hangs and I could not start the web interface service.
      Can you help me out with this problem?

      • @Kutatoto It looks like elasticsearch is not running which is causing your issues possibly. Try the following.
        sudo service elasticsearch restart

        Now wait about a minute and then do the following.
        sudo service graylog2-web-interface restart

        If this does not get you up and running attempt a reboot and then paste the following if that does not work for you either.
        sudo netstat -lunp
        sudo netstat -ltnp

        Hopefully this will get you going.

      • Thanks for your help. I compared the scripts for v0.12 and for v0.21 and saw that java7 was missing in the script for v0.21. After installing java7, everything works fine now.

  50. Started from a VM uninstalling Splunk, but got messed up…
    Restarted from scratch from ubuntu 12.04 and latest script for version 0.20.1 and all worked well. Thank you!!

  51. I am getting this error message. ln: failed to create symbolic link ‘graylog2-server/graylog2-server-0.20.1′ : file exists
    The version I am using is the 0.20.1 release
