Learn how to install Graylog on Rocky Linux 9 with this step-by-step guide. Set up Graylog for efficient log management, monitoring, and security analysis.
Introduction
In today’s data-driven world, businesses generate massive amounts of logs from servers, applications, and network devices. Managing these logs effectively is crucial for security, troubleshooting, and operational efficiency. That’s where Graylog comes in—a powerful, open-source log management solution designed to collect, index, and analyze log data in real-time.
With its ability to centralize log management, provide real-time insights, and enhance security, Graylog is a favorite among IT administrators, DevOps teams, and cybersecurity professionals. In this guide, we’ll explore everything you need to know about Graylog, from installation to advanced configurations.
What is Graylog?
Graylog is an open-source log management system that helps businesses collect, store, and analyze log data efficiently. Unlike traditional log management solutions, Graylog is designed for scalability, making it ideal for handling large log volumes across distributed systems.

How Graylog Differs from Other Log Management Tools
- Open-source and cost-effective compared to premium solutions like Splunk
- User-friendly interface with powerful search and analysis capabilities
- Built-in scalability, allowing organizations to handle massive log volumes
- Robust alerting and monitoring, ensuring security threats are detected in real time
Who Uses Graylog?
Graylog is widely used across various industries, including:
- IT operations – For real-time monitoring of infrastructure and applications
- Cybersecurity – Detecting and responding to security incidents
- DevOps teams – Debugging and optimizing application performance
- Compliance and auditing – Ensuring adherence to industry regulations
Why Use Graylog?
Centralized Log Management
Managing logs across multiple servers and applications can be chaotic. Graylog centralizes logs from different sources, providing a unified dashboard to search, analyze, and visualize log data.
Enhanced Security & Threat Detection
With cybersecurity threats on the rise, Graylog helps detect anomalies, security breaches, and unauthorized access by analyzing logs in real-time. Security teams can set up alerts to respond to potential threats immediately.
Faster Troubleshooting & Debugging
Graylog’s powerful search functionality allows IT teams to quickly pinpoint issues within logs, reducing downtime and improving system reliability.
Cost-Effective Solution
Compared to enterprise solutions like Splunk, Graylog is affordable while still offering enterprise-grade features.
Key Features of Graylog
Log Collection and Parsing
Graylog supports multiple input sources, including:
- Syslog
- JSON and structured logs
- AWS CloudTrail
- Windows Event Logs
It also provides log parsing capabilities to extract relevant data from unstructured logs.
Powerful Search & Analysis
- Full-text search to find relevant logs instantly
- Custom filters and queries for in-depth analysis
- Correlation of logs from different sources for better insights
Alerting and Notifications
- Custom alerts for critical events
- Email and webhook notifications
- Integration with Slack, PagerDuty, and more
Scalability and Performance
- Supports high log volumes with efficient indexing
- Elasticsearch backend for fast searching
- Distributed architecture for enterprise-scale deployments
How Graylog Works
Graylog’s architecture consists of three key components:
1. Graylog Server
The core processing unit that manages log collection, storage, and search queries.
2. MongoDB
Stores Graylog’s metadata, including user configurations and dashboards.
3. Elasticsearch
Indexes and retrieves log data efficiently, enabling fast searches and queries.
How Logs Are Collected and Stored
- Logs are collected from different sources (e.g., Syslog, API, applications).
- Graylog parses and indexes the logs in Elasticsearch.
- Users can search, filter, and analyze logs via the Graylog dashboard.

Graylog vs. Other Log Management Tools
Feature | Graylog | Splunk | ELK Stack |
---|---|---|---|
Cost | Free (Open Source) | Expensive | Free (but complex setup) |
Ease of Use | User-friendly | Advanced | Complex configuration |
Scalability | High | Very High | High |
Built-in Alerting | Yes | Yes | No (requires extra setup) |
Best Practices for Using Graylog
- Use structured logging to improve search efficiency
- Set up role-based access control (RBAC) for security
- Optimize Elasticsearch performance by managing indices properly
- Regularly update and maintain Graylog for security and performance improvements
Common Issues and Troubleshooting
- High CPU usage? Tune Elasticsearch settings
- Slow searches? Optimize Graylog queries
- Parsing issues? Adjust log extractors and pipelines
Use Cases and Real-World Applications
- DevOps – Debug applications efficiently
- Enterprise IT monitoring – Monitor network and server logs
- Cybersecurity – Detect threats in real-time
Prerequisites
Before we begin, ensure you have:
- A Rocky Linux 9 system
- A sudo user or root access
- Minimum 4GB RAM and 2 CPU cores
- Java 17, MongoDB, Elasticsearch (OpenSearch)
- Firewall and SELinux configured appropriately
Step 1: Update Your Linux System
Before installing Graylog, update your Rocky Linux 9 system:
sudo dnf update -y
Reboot if necessary:
sudo reboot
Step 2: Install Java 17 on Rocky Linux
Graylog requires Java 17 to run. Install it using the dnf command:
sudo dnf install java-17-openjdk -y
Verify the installation by executing the following command:
java -version
Expected output:
openjdk version "17.0.x"
Read more: How to install Java on Linux 9
Step 3: Install MongoDB on Rocky Linux
MongoDB stores configuration and metadata for Graylog.
Add MongoDB Repository
To install MongoDB, you must first configure the official MongoDB YUM repository. Execute the following command to add it. Note the redhat/9 path in baseurl: the redhat/8 builds are made for RHEL 8 and do not install cleanly on Rocky Linux 9.
sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF
Install MongoDB Server
Execute the following dnf command to install the MongoDB server:
sudo dnf install mongodb-org -y
Start and Enable MongoDB
After successful installation, you must enable and start the MongoDB service.
sudo systemctl enable --now mongod
Verify MongoDB Status
sudo systemctl status mongod
Read more: How to install MongoDB on Linux Server 9
Step 4: Install OpenSearch on Rocky Linux 9
Graylog 5.0+ supports OpenSearch instead of Elasticsearch for better security and performance.
Add OpenSearch Repository
To install OpenSearch, you must first configure the official OpenSearch YUM repository. Use the following command to add it:
sudo tee /etc/yum.repos.d/opensearch.repo <<EOF
[opensearch]
name=OpenSearch repository
baseurl=https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/rpm/
gpgcheck=1
gpgkey=https://artifacts.opensearch.org/publickeys/opensearch.pgp
enabled=1
EOF
Install OpenSearch
You can now use the dnf command to install OpenSearch on your Rocky Linux 9 system. OpenSearch 2.12 and later refuse to install unless an initial admin password is supplied in the environment, so pass one (choose your own value in place of the placeholder):
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD='<choose-a-strong-password>' dnf install opensearch -y
Configure OpenSearch
Edit the OpenSearch configuration file by using a text editor:
sudo nano /etc/opensearch/opensearch.yml
Modify or add the following lines (the YAML comments explain each setting):
cluster.name: graylog
node.name: node-1
# Interface OpenSearch listens on. 0.0.0.0 listens on every interface; with the
# Security plugin disabled below, prefer 127.0.0.1 when Graylog runs on the same
# host (this guide points Graylog at http://127.0.0.1:9200 and never opens port 9200).
network.host: 0.0.0.0
discovery.type: single-node
# Graylog manages its own indices; stop OpenSearch from creating them on the fly.
action.auto_create_index: false
# The RPM bundle enables the Security plugin (TLS plus authentication) by default;
# the plain-HTTP URLs this guide uses for curl and for Graylog only work with it off.
plugins.security.disabled: true
Save and exit.
Start and Enable OpenSearch
Enable and start OpenSearch service:
sudo systemctl enable --now opensearch
Verify OpenSearch Status
Check status of OpenSearch service:
sudo systemctl status opensearch
To check if OpenSearch is working:
curl -X GET "http://localhost:9200"
Expected output:
{
"name" : "node-1",
"cluster_name" : "graylog",
"version" : {
"number" : "2.x",
"build_type" : "rpm"
}
}
Read more: How to install OpenSearch on Rocky Linux 9
Step 5: Install Graylog on Rocky Linux 9
Add Graylog Repository
Add the Graylog YUM repository by using the following command:
sudo tee /etc/yum.repos.d/graylog.repo <<EOF
[graylog]
name=Graylog repository
baseurl=https://packages.graylog2.org/repo/el/stable/5.0/x86_64/
gpgcheck=1
gpgkey=https://packages.graylog2.org/repo/debian/keyring.gpg
enabled=1
EOF
Install Graylog
Now you can install the Graylog server by using the dnf command as follows:
sudo dnf install graylog-server -y
Step 6: Configure Graylog
Generate a Secret Key
pwgen -N 1 -s 96
Copy the generated key and add it to Graylog’s configuration file:
sudo nano /etc/graylog/server/server.conf
Find the following line and add your key:
password_secret = YOUR_GENERATED_SECRET
Set Admin Password Hash
Generate a SHA256 hash for the admin password:
echo -n "YourPassword" | sha256sum
Copy the generated hash (the first field of the output) and add it to server.conf:
root_password_sha2 = YOUR_GENERATED_HASH
Configure OpenSearch in Graylog
Modify these lines in /etc/graylog/server/server.conf:
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200
Save and exit.
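The hand edits in Step 4 (opensearch.yml) and Step 6 (server.conf) are easy to get subtly wrong: a placeholder left in place, a secret pasted short, a password hashed with its trailing newline, or the password itself left in shell history by the echo command. The script below is an added example, not part of the original guide or of the Graylog project: it writes the same settings idempotently, reads the admin password without echoing it, generates the secret without needing the pwgen package (which is in EPEL, not the base Rocky repositories), and refuses a server.conf that still has placeholders. It assumes POSIX sh with awk, sha256sum and /dev/urandom; the file paths are the guide's and can be overridden through OPENSEARCH_YML and GRAYLOG_CONF. One deliberate difference from the guide: it binds OpenSearch to 127.0.0.1 rather than 0.0.0.0, since Graylog connects over loopback and the Security plugin is disabled.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the OpenSearch settings of Step 4
# and the Graylog settings of Step 6 idempotently instead of editing files by hand.
# Assumes POSIX sh with awk, sha256sum and /dev/urandom (all on Rocky Linux 9). The
# paths are the guide's; override them through the environment for a dry run.
set -eu

OPENSEARCH_YML="${OPENSEARCH_YML:-/etc/opensearch/opensearch.yml}"
GRAYLOG_CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# set_kv FILE KEY VALUE STYLE   STYLE "yaml" writes "key: value", "conf" writes "key = value".
# Replaces the first active (uncommented) assignment of KEY or appends one, so running
# it twice is harmless. Keys are compared as strings (no regex escaping of dots needed);
# values must not contain backslashes, which awk -v would interpret.
set_kv() {
  file=$1; key=$2; value=$3; style=$4
  case $style in
    yaml) line="$key: $value" ;;
    conf) line="$key = $value" ;;
    *) echo "set_kv: unknown style '$style'" >&2; return 1 ;;
  esac
  tmp=$(mktemp)
  awk -v key="$key" -v line="$line" '
    {
      l = $0; sub(/^[ \t]+/, "", l)
      if (!done && l !~ /^#/) {
        k = l; sub(/[ \t]*[:=].*$/, "", k)
        if (k == key) { print line; done = 1; next }
      }
      print
    }
    END { if (!done) print line }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # rewrite in place so owner and mode of the file survive
  rm -f "$tmp"
}

# get_kv FILE KEY: print the value of the first active assignment of KEY (empty if none).
get_kv() {
  awk -v key="$2" '
    {
      l = $0; sub(/^[ \t]+/, "", l)
      if (l ~ /^#/) next
      k = l; sub(/[ \t]*[:=].*$/, "", k)
      if (k == key) { sub(/^[^:=]*[:=][ \t]*/, "", l); print l; exit }
    }' "$1"
}

# 96 random alphanumerics, the same shape as the guide's "pwgen -N 1 -s 96" but without
# the pwgen package (which is in EPEL, not the base Rocky repositories).
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# Hex SHA-256 of the password, the form root_password_sha2 expects. printf '%s' hashes
# exactly the password; "echo" without -n would hash a trailing newline too.
hash_password() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Refuse a server.conf that still carries placeholders, a short secret or a malformed
# hash. server.conf's own comment on password_secret asks for at least 64 characters.
check_graylog_conf() {
  f=$1
  if grep -q 'YOUR_GENERATED' "$f"; then
    echo "placeholders still present in $f" >&2; return 1
  fi
  secret=$(get_kv "$f" password_secret)
  if [ "${#secret}" -lt 64 ]; then
    echo "password_secret is shorter than 64 characters" >&2; return 1
  fi
  hash=$(get_kv "$f" root_password_sha2)
  case $hash in
    "" | *[!0-9a-f]*) echo "root_password_sha2 is not a hex digest" >&2; return 1 ;;
  esac
  if [ "${#hash}" -ne 64 ]; then
    echo "root_password_sha2 must be 64 hex characters" >&2; return 1
  fi
}

# The real run: root only, and only when GRAYLOG_APPLY=1, so sourcing this file for
# its functions never touches the live configuration.
apply_settings() {
  set_kv "$OPENSEARCH_YML" cluster.name graylog yaml
  set_kv "$OPENSEARCH_YML" node.name node-1 yaml
  set_kv "$OPENSEARCH_YML" network.host 127.0.0.1 yaml   # loopback: Graylog is on this host
  set_kv "$OPENSEARCH_YML" discovery.type single-node yaml
  set_kv "$OPENSEARCH_YML" action.auto_create_index false yaml
  set_kv "$OPENSEARCH_YML" plugins.security.disabled true yaml   # plain HTTP, as the guide uses
  printf 'Graylog admin password: ' >&2
  stty -echo 2>/dev/null || true    # read silently: nothing on screen, nothing in history
  read -r admin_pw
  stty echo 2>/dev/null || true; echo >&2
  set_kv "$GRAYLOG_CONF" password_secret "$(gen_secret)" conf
  set_kv "$GRAYLOG_CONF" root_password_sha2 "$(hash_password "$admin_pw")" conf
  set_kv "$GRAYLOG_CONF" http_bind_address 0.0.0.0:9000 conf
  set_kv "$GRAYLOG_CONF" elasticsearch_hosts http://127.0.0.1:9200 conf
  check_graylog_conf "$GRAYLOG_CONF"
}

if [ "${GRAYLOG_APPLY:-0}" = 1 ]; then apply_settings; fi
```

Run it as `sudo GRAYLOG_APPLY=1 sh graylog-config.sh` after Step 5, then continue with Step 7. Without GRAYLOG_APPLY=1 the file only defines functions, so you can source it and call `check_graylog_conf /etc/graylog/server/server.conf` on an existing installation to confirm no placeholder survived.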
Step 7: Start Graylog Service
Enable and start Graylog:
sudo systemctl enable --now graylog-server
Check the status:
sudo systemctl status graylog-server
Step 8: Configure Firewall
Allow the Graylog web interface and syslog ports in Linux firewall:
sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --add-port=1514/tcp --permanent
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --reload
Step 9: Access Graylog Web Interface
Open a web browser and go to:
http://<YOUR_SERVER_IP>:9000
Log in with:
- Username: admin
- Password: the password you set in Step 6
Final Thoughts
Installing Graylog on Rocky Linux 9 is a crucial step in setting up a powerful and efficient log management system. By following the step-by-step guide, you can successfully configure MongoDB, OpenSearch, and Graylog to centralize, analyze, and monitor logs in real time.
Graylog offers scalability, powerful search capabilities, and advanced security features, making it an excellent choice for IT administrators, DevOps teams, and security professionals. Once installed, you can customize dashboards, set up alerts, and integrate Graylog with other tools to enhance your logging and monitoring experience.
With Graylog up and running on Rocky Linux 9, you can take full control of your log data, improve system performance, and strengthen security monitoring.
Frequently Asked Questions (FAQs)
1. How do I check Graylog logs for troubleshooting?
Use the following command:
sudo journalctl -u graylog-server -f
2. Can I use Elasticsearch instead of OpenSearch?
Yes, but OpenSearch is recommended for better security and compatibility with Graylog 5.0+.
3. How do I reset the Graylog admin password?
Modify /etc/graylog/server/server.conf with a new SHA256 password hash and restart Graylog.
4. How can I increase OpenSearch memory allocation?
Edit /etc/opensearch/jvm.options and modify:
-Xms4g
-Xmx4g
Restart OpenSearch:
sudo systemctl restart opensearch
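A fixed 4g heap does not fit every box: on the 4 GB minimum this guide lists it would leave nothing for the operating system and OpenSearch's page cache, which is the usual way a node ends up OOM-killed or crawling. The script below is an added example, not part of the original guide or of OpenSearch, that derives the heap from the machine's RAM (half of it, as OpenSearch and Elasticsearch both recommend, capped at 31g to keep compressed object pointers), rewrites the -Xms/-Xmx lines in jvm.options idempotently, and checks the result before you restart. It assumes POSIX sh with awk and /proc/meminfo; JVM_OPTIONS defaults to the guide's /etc/opensearch/jvm.options and can be overridden.

```shell
#!/bin/sh
# Added example, not from the original guide: size the OpenSearch heap from RAM
# instead of hard-coding 4g. Assumes POSIX sh, awk and /proc/meminfo (Rocky Linux 9).
set -eu

JVM_OPTIONS="${JVM_OPTIONS:-/etc/opensearch/jvm.options}"

# heap_gb_for MEM_KB: half of RAM in whole GB, at least 1, at most 31. The other half
# stays free for the page cache; below 32g the JVM keeps compressed object pointers.
heap_gb_for() {
  gb=$(( $1 / 1024 / 1024 / 2 ))
  if [ "$gb" -lt 1 ]; then gb=1; fi
  if [ "$gb" -gt 31 ]; then gb=31; fi
  echo "$gb"
}

# heap_mb_of "-Xmx4g" -> 4096, "-Xms512m" -> 512; other units are rejected.
heap_mb_of() {
  size=${1#-Xm?}
  case $size in
    *g) echo $(( ${size%g} * 1024 )) ;;
    *m) echo "${size%m}" ;;
    *) echo "unsupported heap size: $1" >&2; return 1 ;;
  esac
}

# set_jvm_heap FILE GB: rewrite the -Xms and -Xmx lines to GBg (same value for both,
# so the JVM never resizes the heap at run time); appends them if the file has none.
set_jvm_heap() {
  file=$1; gb=$2
  tmp=$(mktemp)
  awk -v xms="-Xms${gb}g" -v xmx="-Xmx${gb}g" '
    /^-Xms/ { print xms; seen_ms = 1; next }
    /^-Xmx/ { print xmx; seen_mx = 1; next }
    { print }
    END { if (!seen_ms) print xms; if (!seen_mx) print xmx }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # in place, so owner and mode of jvm.options survive
  rm -f "$tmp"
}

# jvm_heap FILE: the configured pair, e.g. "-Xms4g -Xmx4g", for a quick eyeball check.
jvm_heap() {
  grep -E '^-Xm[sx]' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# check_heap FILE MEM_KB: fail when -Xmx exceeds half of RAM.
check_heap() {
  xmx=$(grep -E '^-Xmx' "$1" | head -n 1)
  [ -n "$xmx" ] || { echo "no -Xmx line in $1" >&2; return 1; }
  mb=$(heap_mb_of "$xmx") || return 1
  if [ $(( mb * 1024 * 2 )) -gt "$2" ]; then
    echo "$xmx exceeds half of the ${2} kB of RAM on this host" >&2; return 1
  fi
}

# The real run: root only, and only when OPENSEARCH_APPLY=1.
apply_heap() {
  mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
  set_jvm_heap "$JVM_OPTIONS" "$(heap_gb_for "$mem_kb")"
  check_heap "$JVM_OPTIONS" "$mem_kb"
  echo "heap now: $(jvm_heap "$JVM_OPTIONS"); apply with: systemctl restart opensearch"
}

if [ "${OPENSEARCH_APPLY:-0}" = 1 ]; then apply_heap; fi
```

Run it as `sudo OPENSEARCH_APPLY=1 sh opensearch-heap.sh` and then restart OpenSearch as in the FAQ; on an 8 GB host it writes -Xms4g/-Xmx4g, on the guide's 4 GB minimum it writes 2g. Sourced without OPENSEARCH_APPLY=1 it only defines functions, so `check_heap /etc/opensearch/jvm.options "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"` can be used on its own to audit a hand-edited file.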
5. What ports should be open for Graylog?
- 9000/TCP – Web Interface
- 1514/TCP & UDP – Syslog Inputs