How to Install Graylog from the OVA file

February 22, 2019

In this video we will teach you how to install Graylog version 3+ using the OVA file that you can find on our website. You fill find out how quick and easy is to get it up and running in no time.

Importing the OVA file

We start by downloading the OVA, logging in the ISX infrastructure, and importing the file (we named it graylog_ova). Select the storage location and network for the installation, and verify that all the correct settings are selected properly before proceeding. The import process will start, and as soon as the download is finished, the process will be launched automatically in the ISX infrastructure.

Now, launch the console so it’s opened in a new panel. As you can see, it’s already booted up and it has the user name and password of how to get to it. Up top is also the IP address of what that has found. Note that this overlay is built to have DCP on the network. So if you don't have DCP you would have to log on and configure an IP address.

Setting up the input

Is you switch to your web browser using that address, and you'll see the Graylog panel will instantly come up. Type in the user name (admin) and then copy password that you found in the console screen. Click on “Sign in” to get started. Everything is pre-configured for you in this OVA, including ElasticSearch and MongoDB.

The only thing that you need to do as soon as you get in, is to actually configure an input – i.e., how to accept data in. You can find more info in the Getting Started Guide that is shown up in the Help screen, or read our Documentation section. Now, it’s time to create an input since we got a notification about no inputs getting created. We’re going to ssh into that box and configure it with a few settings.

Configuring the Syslog

The first one is to configure our Syslog so that logs will come in and validate that this system is up and working. Let’s go to the bottom of this screen and edit the configuration file by doing a *.* and point all logs to the local host – which in this case is Graylog. Type in the IP we saw earlier  (, the port that you’re going to use (in this case it’s 1514), and the RsyslogProtocol123 format, which is a format understood by Graylog that can be parsed out easily.

Setting up iptables

After you restarted your Syslog to make those changes effective, we must set up the iptables. Just paste this line:

iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

These are just NAT statements that say that anything pointed to this device on Port 514 should be redirected to port 1514. We create one standard listener on Port 1514 because it’s a requirement to access all the privileged ports (i.e., anything lower than port 1024). This way Graylog can run as a user instead of as route. We now save the iptables rules so they take effect upon boot.

Now we're going to create a startup script called iptables that that is bound to the OVA file so that these statements always takes effect. It's just a simple bash statement here. Just saying iptables-restore will bring back those iptables rules. Then make that file executable. All these steps are optional, and you can skip them if you don’t want to put anything into 514.

Final touches

Let’s go back to the web interface now, and have a look at the little error message that we saw before (the red dot on the top bar). It still says there’s a node running without inputs, so you need to configure one. Click on the “System/Inputs” menu, and then on the “Inputs” tab. Select the Syslog UDP input towards the very bottom from the dropdown list.

Now launch that new input, make it a global one, title it Syslog UDP, and don’t forget to set the port to 1514. Once you’ve finished, you will see that now you got one input running that is listening on port 1514. You can start sending Syslog data into it. Let’s run a quick sudo to generate a log message, then go back to the “Search” page to check if anything has came in. As you can see, those logs are coming in into the Graylog infrastructure.

We hope that video helped you, if you still have questions, feel free to ask them on our community section!

Ready to get started?

Get Graylog
Contact Sales