Invalid password failure - initial setup

Am first time user setting up Graylog in Docker on Ubuntu getting auth failed trying username = admin and my password.
In docker compose file have the following.
- GRAYLOG_HTTP_EXTERNAL_URI=http://x.x.x.x:9000/

For GRAYLOG_PASSWORD_SECRET I used “pwgen -N 1 -s 96” and entered the 96 character output.

For GRAYLOG_ROOT_PASSWORD_SHA2 I used “echo -n “Enter Password: " && head -1 </dev/stdin | tr -d ‘\n’ | sha256sum | cut -d” " -f1” to type a simple password and obtain sha256 hash.

Have tried different passwords with no luck, maybe something else is wrong?

More info: On Edge browser I get the following error: “You cannot access this resource, missing authorization header!”

What version of Graylog did you install, can you post a picture of the login page it takes you to. Some problem can produce a different login screen.

1 Like


Here is the login screen, have just re-created the instance following this guide:

Still getting password failure. Should I try it without Docker?

Here are the versions of images in docker compose:

So first off, ideally use the opensearch docker as elastic support will be dropped fairly soon, but that is not effecting you today.

That is not the normal Graylog login page, most likely you have reached the preflight login page (it’s some beta stuff you don’t need to worry about) but the most likely reason is that your elastic settings in Graylog server.conf is incorrect or missing all together.

Check out the elastic section of this help doc for the settings you will need to make sure are set. server.conf but then you will need to use this article to cover how to set those settings in your docker Secure Login

Thank you Joel,
I don’t have any of those files, I guess they are variables in docker-compose.yml?
Have mucked around and now get this page:


It looks like you are starting Graylog for the first time and have not configured a data node.
Data nodes allow you to index and search through all the messages in your Graylog message database.

You can either implement a Graylog data node (recommended) or you can configure an OpenSearch node manually. For the manual OpenSearch configuration you need to adjust the Graylog configuration and restart the Graylog server. After the restart this page will not show up again.

You can always skip the configuration and resume startup.

I am trying to follow the bouncing ball but to be honest am bit confused. Is there any guide for setting up Graylog using Docker or maybe it is easier I just install Graylog directly on Ubuntu?

Here is the error if I try to just use Elasticsearch without a Data Node:
graylog_1 | 2023-12-10 07:30:07,114 ERROR: - Unable to retrieve version from Elasticsearch node: Failed to connect to / - Connection refused.

Have also tried using this with no luck yet:

Have followed the official instructions to install on Ubuntu but still get the same login problem - Ubuntu installation

Am using all default settings in server.conf except the pepper, sha password, and IP of server, as per documentation.

The roadblock is this: configure an OpenSearch node manually. For the manual OpenSearch configuration you need to adjust the Graylog configuration and restart the Graylog server. After the restart this page will not show up again.

The link in the error message is dead and if I search the documentation for server.conf there is no mention of Opensearch. There is mentions of data nodes in the error message but not in the Ubuntu installation instructions. =(


So in server.conf all the settings are still called elastic search, but those are the settings you need to set.

You need to tell Graylog where to find opensearch.

So you HAVE to have the setting elasticsearch_hosts = filled out, either in server.conf or in your docker compose file, that second link shows how to set server.conf settings in docker by setting them as variables.

And ya you don’t want to use datanode yet, it’s still in beta, just use pure opensearch.

Thanks Joel,
So I have added the Elasticsearch entry as per the instructions:
4. It is necessary in Graylog 5.2 to manually adjust the elasticsearch_hosts setting to include a list of comma-separated URIs to one or more valid Elasticsearch/OpenSearch nodes.

Am still getting the same login screen and if I choose “resume startup” then get text box
“Are you sure you want to resume startup without a running Graylog data node? This will cause the configuration to fall back to using an Opensearch instance on localhost:9200.”

I select ok then get error:
“Could not resume startup
Resuming startup failed with error: FetchError: There was an error fetching a resource: Method Not Allowed. Additional information: HTTP 405 Method Not Allowed”

Okay good progress! I’m not sure the exact process of exiting the preflight environment, I’ll ask internally and see what the options are.

The other option is since you hopefully have fixed that setting and you are just starting anyway, would be to just delete the MongoDB database and let Graylog think it is brand new and start over, or because you are in docker just purge that location it is storing the MongoDB persistent files

1 Like

Thanks Joel, this is the non Docker version I am trying, just following the Ubuntu install instructions word for word.

Hi, can you confirm that you’re following the instructions at: Ubuntu installation

Also, the first guide you were following (from the the non-graylog source) sadly has an error. Would you mind trying one of our regular docker examples from GitHub - Graylog2/docker-compose: A set of Docker Compose files that allow you to quickly spin up a Graylog instance for testing or demo purposes. ?

These are only examples, not for production use. And they reference the DataNode - which could be fine for you if you just want to testdrive graylog. Was there a special reason why you want elasticsearch, as referenced in the first install guide you followed? You can try an older example that is not using the DataNode here:
make sure to put in “5.2” and the opensearch version you want to test. I recommend 2.10

The Ubuntu install should work just fine, too. If you want to follow that path, can you give some info if you installed OpenSearch or Elasticsearch?

1 Like

Hi, we had also some problems with the Docker setup.

In the newest version of Graylog, there is a bug actually that we discovered. At some point you have in Opensearch you need to change that despite the documentation to . It seems like something did break there. After we fixed that, it did magically work. Hope it works for you too, bud! I would also recommend you to actually set it up with a Debian machine. The Docker Version is just, let’s say, very interesting.
Best regards

1 Like

I didn’t see it but did you install Graylog 5.2.

I just ran into this too.

there are more instructions to setting up the Graylog node.

The current pages are not structured well.
I installed on Ubuntu so used this:

And started Graylog service per the last steps but could not logon.
Then found this on the internet. The temp initial password is at the bottom of the log and not the one I had set with password_secret and ‘root_password_sha2’

Use this command assuming your paths are default.

tail -30 /var/log/graylog-server/server.log

The installation instructions then continue with this page:

This URL is presented at the top of the initial Graylog web page once you login.

good luck

I built another syslog solution as had given up on Graylog.
After a week I decided to login and check the Graylog instance one last time before trashing it and lo and behold it was working.
Thanks for everyone’s help. I don’t have much faith in the product (yet) but do have in the people on this forum. Cheers all.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.