Install and Configure Gravwell on Ubuntu 24.04

By Anurag Singh

Updated on Nov 22, 2025

In this tutorial, we'll learn how to install and configure Gravwell on Ubuntu 24.04.

What Is Gravwell?

Gravwell is a self-hosted log and security analytics platform. It collects data from servers, applications, firewalls and more, then lets us search, analyze and build dashboards. This gives full ownership of security data and keeps sensitive information inside our infrastructure.

This guide explains the installation in a clear, simple way with all important commands included.

Prerequisites

Before we begin, ensure we have the following:

  • An Ubuntu 24.04 dedicated server or KVM VPS.
  • Basic Linux command-line knowledge.
  • A domain name with an A record pointing to the server IP.

How to Install and Configure Gravwell on Ubuntu 24.04

1. Update the system:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget gnupg ca-certificates

2. Add Gravwell Repository

sudo wget -O /usr/share/keyrings/gravwell.asc https://update.gravwell.io/debian/update.gravwell.io.gpg.key

Add repository:

echo 'deb [ arch=amd64 signed-by=/usr/share/keyrings/gravwell.asc ] https://update.gravwell.io/debian community main' \
| sudo tee /etc/apt/sources.list.d/gravwell.list

Update package list:

sudo apt update

3. Install Gravwell

sudo apt install -y gravwell

During installation:

  • Accept EULA
  • Allow it to generate secrets automatically

4. Allow Web Access (UFW Firewall)

If UFW is active:

sudo ufw allow http
sudo ufw allow https
sudo ufw reload

5. Install File Follow Ingester (Collect System Logs)

sudo apt install -y gravwell-file-follow
sudo systemctl enable --now gravwell-file-follow

This automatically starts collecting system logs such as /var/log/auth.log and /var/log/syslog.

6. Run First Search

In the Gravwell UI:

Search Linux authentication logs:

tag=auth

This confirms log ingestion works.

Running Gravwell over HTTPS is better for security and professional deployments.

7. Get the SSL certificate and key

First, stop gravwell_webserver.service to release the HTTP port so Certbot can obtain the certificate:

sudo systemctl stop gravwell_webserver.service

You can use Certbot or another tool to generate the cert, even if you’re not using Nginx. Example using certbot:

sudo apt install -y certbot
sudo certbot certonly --standalone -d example.com

In standalone mode Certbot listens on port 80 itself for the duration of the challenge, so make sure the Gravwell web server is stopped or the two will conflict. After it finishes, your certs will typically be at:

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

Copy certificate + key to a path Gravwell can use

For example:

sudo mkdir -p /etc/gravwell/certs
sudo cp /etc/letsencrypt/live/example.com/fullchain.pem /etc/gravwell/certs/cert.pem
sudo cp /etc/letsencrypt/live/example.com/privkey.pem /etc/gravwell/certs/key.pem
sudo chown gravwell:gravwell /etc/gravwell/certs/cert.pem /etc/gravwell/certs/key.pem
sudo chmod 640 /etc/gravwell/certs/key.pem

8. Edit Gravwell config to point at the certificate + key

Open /opt/gravwell/etc/gravwell.conf (or the path where Gravwell’s main config is) and make these changes:

Uncomment or add these lines:

Certificate-File=/etc/gravwell/certs/cert.pem
Key-File=/etc/gravwell/certs/key.pem

Set Web-Port to 443 (if you want HTTPS on the default secure port):

Web-Port=443

Comment out or remove the insecure HTTP directive (if it exists), e.g.:

#Insecure-Disable-HTTPS

If you also want encrypted connections for ingesters/search-agent, set:

TLS-Ingest-Port=4024

9. Restart Gravwell services

sudo systemctl start gravwell_webserver.service
sudo systemctl restart gravwell_indexer.service
sudo systemctl restart gravwell_searchagent.service

10. Access Gravwell Web UI

Open browser:

https://example.com

Upload Community Edition license (if you don’t have one, request it from Gravwell’s website).

Default login:

Username: admin
Password: changeme

Immediately change the admin password.

Check that the browser shows a valid certificate (no warning). Also check the log files under /opt/gravwell/log/ for errors such as “certificate name mismatch”.

11. Renew certificate & update Gravwell

Since you’re using Let’s Encrypt, certs expire every 90 days. You’ll need to renew and then reload Gravwell so it picks up the new files.

Certbot sets up a cron job or systemd timer for renewal automatically. After a renewal, reload Gravwell:

sudo systemctl reload gravwell_webserver.service

(or restart if reload is not supported).
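
Step 7 copied the certificate and key into /etc/gravwell/certs, so after a renewal those copies are stale until they are refreshed. The certbot deploy hook below is an added example, not part of the original tutorial or of Gravwell's own tooling; the hook file name and the GRAVWELL_CERT_DIR / GRAVWELL_OWNER variables are assumptions, while the paths, modes and service name are the ones used in steps 7 to 9.

```shell
#!/bin/sh
# Certbot deploy hook (added example). Assumed location:
#   /etc/letsencrypt/renewal-hooks/deploy/gravwell-cert.sh  (mode 0755)
# Certbot runs deploy hooks as root after a successful renewal and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.com.
GRAVWELL_CERT_DIR="${GRAVWELL_CERT_DIR:-/etc/gravwell/certs}"
GRAVWELL_OWNER="${GRAVWELL_OWNER:-gravwell:gravwell}"

# install_one SRC DEST MODE: replace DEST with SRC only if contents differ.
# Returns 0 = replaced, 1 = already identical, 2 = error.
install_one() {
    cmp -s "$1" "$2" 2>/dev/null && return 1
    # mktemp creates the file 0600 inside the target directory, so the key
    # is never world-readable and the final mv is an atomic rename.
    tmp=$(mktemp "$2.XXXXXX") || return 2
    if cat "$1" > "$tmp" && chmod "$3" "$tmp"; then
        # Only root can hand the file over to the gravwell user.
        if [ "$(id -u)" -ne 0 ] || chown "$GRAVWELL_OWNER" "$tmp"; then
            mv -f "$tmp" "$2" && return 0
        fi
    fi
    rm -f "$tmp"
    return 2
}

# sync_gravwell_cert LINEAGE_DIR DEST_DIR
# Returns 0 = at least one file updated, 1 = nothing changed, 2 = error.
sync_gravwell_cert() {
    src=$1; dest=$2; changed=1
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 2
    mkdir -p "$dest" || return 2
    for spec in fullchain.pem:cert.pem:644 privkey.pem:key.pem:640; do
        from=${spec%%:*}; rest=${spec#*:}; st=0
        install_one "$src/$from" "$dest/${rest%%:*}" "${rest#*:}" || st=$?
        case $st in 0) changed=0 ;; 2) return 2 ;; esac
    done
    return "$changed"
}

# Act only when certbot invoked the hook; running it by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rc=0
    sync_gravwell_cert "$RENEWED_LINEAGE" "$GRAVWELL_CERT_DIR" || rc=$?
    case $rc in
        0) systemctl reload-or-restart gravwell_webserver.service ;;
        1) : ;;
        *) echo "gravwell cert sync failed for $RENEWED_LINEAGE" >&2; exit 1 ;;
    esac
fi
```

The hook touches the service only when a file actually changed, so a renewal that leaves both files identical does not bounce the web server.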

Notes & Warnings (because this stuff bites if you’re sloppy)

  • Make sure your certificate’s CN or SAN includes the hostname you’ll access Gravwell by. If you access it by IP and the cert is for a domain, the browser will complain.
  • If Gravwell has other components (ingesters, search agents) using HTTP, switching to HTTPS may break them unless you reconfigure them. Docs warn about this.
  • Because port 80 is already in use, you may need to temporarily stop the Gravwell webserver to let Certbot listen on port 80 for the challenge (unless you use a DNS-based challenge).
  • Make sure the permissions on the key file are correct. If Gravwell cannot read the key, HTTPS will fail.

Conclusion

We installed Gravwell on Ubuntu 24.04, connected our server logs, and secured the web interface with HTTPS using a Let’s Encrypt certificate obtained with Certbot. This setup is simple, scalable and ready for real security monitoring work.