How to install Graylog on Rocky Linux 9


Learn how to install Graylog on Rocky Linux 9 with this step-by-step guide. Set up Graylog for log management, monitoring, and security analysis.



Introduction

In today’s data-driven world, businesses generate massive amounts of logs from servers, applications, and network devices. Managing these logs effectively is crucial for security, troubleshooting, and operational efficiency. That’s where Graylog comes in—a powerful, open-source log management solution designed to collect, index, and analyze log data in real-time.

With its ability to centralize log management, provide real-time insights, and enhance security, Graylog is a favorite among IT administrators, DevOps teams, and cybersecurity professionals. In this guide, we'll walk through the architecture and then build a working single-node installation: MongoDB, OpenSearch, and the Graylog server itself.


What is Graylog?

Graylog is an open-source log management system that helps businesses collect, store, and analyze log data efficiently. Unlike traditional log management solutions, Graylog is designed for scalability, making it ideal for handling large log volumes across distributed systems.


How Graylog Differs from Other Log Management Tools

  • Open-source and cost-effective compared to premium solutions like Splunk
  • User-friendly interface with powerful search and analysis capabilities
  • Built-in scalability, allowing organizations to handle massive log volumes
  • Robust alerting and monitoring, ensuring security threats are detected in real time

Who Uses Graylog?

Graylog is widely used across various industries, including:

  • IT operations – For real-time monitoring of infrastructure and applications
  • Cybersecurity – Detecting and responding to security incidents
  • DevOps teams – Debugging and optimizing application performance
  • Compliance and auditing – Ensuring adherence to industry regulations

Why Use Graylog?

Centralized Log Management

Managing logs across multiple servers and applications can be chaotic. Graylog centralizes logs from different sources, providing a unified dashboard to search, analyze, and visualize log data.

Enhanced Security & Threat Detection

With cybersecurity threats on the rise, Graylog helps detect anomalies, security breaches, and unauthorized access by analyzing logs in real-time. Security teams can set up alerts to respond to potential threats immediately.

Faster Troubleshooting & Debugging

Graylog’s powerful search functionality allows IT teams to quickly pinpoint issues within logs, reducing downtime and improving system reliability.

Cost-Effective Solution

Compared to enterprise solutions like Splunk, Graylog is affordable while still offering enterprise-grade features.


Key Features of Graylog

Log Collection and Parsing

Graylog supports multiple input sources, including:

  • Syslog
  • JSON and structured logs
  • AWS CloudTrail
  • Windows Event Logs

It also provides log parsing capabilities to extract relevant data from unstructured logs.

Powerful Search & Analysis

  • Full-text search to find relevant logs instantly
  • Custom filters and queries for in-depth analysis
  • Correlation of logs from different sources for better insights

Alerting and Notifications

  • Custom alerts for critical events
  • Email and webhook notifications
  • Integration with Slack, PagerDuty, and more

Scalability and Performance

  • Supports high log volumes with efficient indexing
  • OpenSearch (or Elasticsearch 7.10) backend for fast searching
  • Distributed architecture for enterprise-scale deployments

How Graylog Works?

Graylog’s architecture consists of three key components:

1. Graylog Server

The core processing unit that manages log collection, storage, and search queries.

2. MongoDB

Stores Graylog’s metadata, including user configurations and dashboards.

3. OpenSearch (or Elasticsearch)

Indexes and retrieves log data efficiently, enabling fast searches and queries. Graylog creates and rotates these indices itself, which is why the backend is configured not to auto-create indices later in this guide.

How Logs Are Collected and Stored

  1. Logs arrive on Graylog inputs from different sources (e.g., Syslog, GELF, Beats, the REST API).
  2. Graylog processes them (extractors, pipeline rules, stream routing) and writes them to the indices it manages in OpenSearch or Elasticsearch.
  3. Users search, filter, and analyze the stored messages via the Graylog web interface.


Graylog vs. Other Log Management Tools

Feature            Graylog              Splunk      ELK Stack
Cost               Free (open source)   Expensive   Free (but complex setup)
Ease of use        User-friendly        Advanced    Complex configuration
Scalability        High                 Very high   High
Built-in alerting  Yes                  Yes         No (requires extra setup)

Best Practices for Using Graylog

  • Use structured logging to improve search efficiency
  • Set up role-based access control (RBAC) for security
  • Optimize Elasticsearch performance by managing indices properly
  • Regularly update and maintain Graylog for security and performance improvements

Common Issues and Troubleshooting

  • High CPU usage? Tune Elasticsearch settings
  • Slow searches? Optimize Graylog queries
  • Parsing issues? Adjust log extractors and pipelines

Use Cases and Real-World Applications

  • DevOps – Debug applications efficiently
  • Enterprise IT monitoring – Monitor network and server logs
  • Cybersecurity – Detect threats in real-time

Prerequisites

Before we begin, ensure you have:

  • A Rocky Linux 9 system
  • A sudo user or root access
  • Minimum 4GB RAM and 2 CPU cores
  • Java 17, MongoDB 6.0, and OpenSearch 2.x (Elasticsearch 7.10 is the alternative)
  • firewalld running; SELinux can stay enforcing, since everything below except the Graylog web interface and the syslog input binds to loopback

Step 1: Update Your Linux System

Before installing Graylog, update your Rocky Linux 9 system:

sudo dnf update -y

Reboot if necessary:

sudo reboot

Step 2: Install Java 17 on Rocky Linux

Graylog 5.x packages bundle their own Java 17 runtime, so a system JDK is not strictly required, but installing OpenJDK 17 is harmless and gives you keytool for TLS work later. Install it using the dnf command:

sudo dnf install java-17-openjdk -y

Verify the installation by executing following command:

java -version

Expected output:

openjdk version "17.0.x"

Read more: How to install Java on Linux 9


Step 3: Install MongoDB on Rocky Linux

MongoDB stores configuration and metadata for Graylog.

Add MongoDB Repository

To install MongoDB, you must first configure the official MongoDB YUM repository. Rocky Linux 9 is an Enterprise Linux 9 rebuild, so use the redhat/9 path of the repository (the 6.0 series has shipped el9 packages since 6.0.4).

Execute the following command to add the MongoDB yum repository:

sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

Install MongoDB Server

Execute following dnf command at Linux Bash to install MongoDB server.

sudo dnf install mongodb-org -y

Start and Enable MongoDB

After successful installation, enable and start the MongoDB service. The package default (bindIp: 127.0.0.1 in /etc/mongod.conf) keeps MongoDB on loopback with no authentication; leave it that way, since the Graylog server on the same host is its only client.

sudo systemctl enable --now mongod

Verify MongoDB Status

sudo systemctl status mongod

Read more: How to install MongoDB on Linux Server 9


Step 4: Install OpenSearch on Rocky Linux 9

Graylog has supported OpenSearch since 4.3, and Graylog 5.0 supports both OpenSearch (1.x and a range of 2.x releases) and Elasticsearch 7.10. OpenSearch is the recommended backend because it is actively maintained under an open-source license. Check the compatibility matrix for your exact Graylog release before installing, and pin the OpenSearch package version (dnf install opensearch-<version>) if the latest 2.x is newer than what your release supports.

Add OpenSearch Repository

To install OpenSearch, you must first configure the official OpenSearch YUM repository.

Download the repository definition published by the OpenSearch project (it includes the GPG key URL and enables signature checking):

sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo

You can now use the dnf command to install OpenSearch on your Rocky Linux 9 system. OpenSearch 2.12 and later expect the OPENSEARCH_INITIAL_ADMIN_PASSWORD variable to be set while the package installs, so that the demo security configuration gets a non-default admin password; set it even though the security plugin is disabled in the next step.

sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD='<strong-password>' dnf install opensearch -y

Edit the OpenSearch configuration file by using a text editor:

sudo nano /etc/opensearch/opensearch.yml

Modify or add the following lines:

cluster.name: graylog
node.name: node-1
network.host: 127.0.0.1
discovery.type: single-node
action.auto_create_index: false
plugins.security.disabled: true
indices.query.bool.max_clause_count: 32768

A few of these matter for security. Graylog talks to the backend over plain HTTP without credentials in this setup, which is why the security plugin is disabled; that is only acceptable because network.host is 127.0.0.1, so nothing off the host can reach port 9200. Do not combine plugins.security.disabled: true with network.host: 0.0.0.0, or you expose every stored log to the network unauthenticated. If OpenSearch must run on another host, keep the security plugin, configure TLS, and give Graylog credentials in elasticsearch_hosts (https://user:password@host:9200). action.auto_create_index: false is required because Graylog manages its own index sets, and max_clause_count raised to 32768 is the value the Graylog documentation recommends for its searches.

Save and exit.

Enable and start OpenSearch service:

sudo systemctl enable --now opensearch

Verify OpenSearch Status

Check status of OpenSearch service:

sudo systemctl status opensearch

To check if OpenSearch is answering on loopback:

curl -X GET "http://127.0.0.1:9200"

Expected output:

{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "version" : {
    "number" : "2.x",
    "build_type" : "rpm"
  }
}

Read more: How to install OpenSearch on Rocky Linux 9


Step 5: Install Graylog on Rocky Linux 9

Add Graylog Repository

Install the Graylog repository package for the 5.0 series. It writes /etc/yum.repos.d/graylog.repo and imports the Graylog package-signing key, so the graylog-server package is verified during installation:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.rpm

Install Graylog

Now you can install Graylog server by using dnf command as follows:

sudo dnf install graylog-server -y

Step 6: Configure Graylog

Generate a Secret Key

Graylog uses password_secret to encrypt credentials it stores (for example input and notification passwords); it must be at least 16 characters, and the Graylog docs suggest 96. pwgen is not in the default Rocky Linux repositories (it comes from EPEL: sudo dnf install epel-release pwgen), so install it first or use any other source of random characters:

pwgen -N 1 -s 96

Copy the generated key and add it to Graylog's configuration file:

sudo nano /etc/graylog/server/server.conf

Find the following line and add your key:

password_secret = YOUR_GENERATED_SECRET

Set Admin Password Hash

Generate the SHA-256 hash of the admin password. A plain echo -n "YourPassword" | sha256sum works, but it leaves the password in your shell history, and sha256sum appends " -" to the hash, which must not be copied into the config. Reading the password from the terminal and cutting the first field avoids both problems:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Copy the 64-character hex hash and add it to server.conf:

root_password_sha2 = YOUR_GENERATED_HASH

Configure OpenSearch in Graylog

Modify these lines in /etc/graylog/server/server.conf. The setting is still called elasticsearch_hosts even when the backend is OpenSearch:

http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200

Binding to 0.0.0.0 is what lets you reach the web interface from your workstation in Step 9, but it also exposes the web interface and REST API over plain HTTP on every interface. For anything beyond a lab, either bind to 127.0.0.1:9000 and put a TLS-terminating reverse proxy in front, or enable Graylog's own TLS (http_enable_tls = true together with http_tls_cert_file and http_tls_key_file).

Save and exit. The file now contains secrets, so keep it readable only by root and the graylog group (the package installs it that way).
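The three edits above can be scripted so the hash is computed correctly and the admin password never lands in shell history. The script below is an added example, not code from the original page or from the Graylog project; it assumes the stock server.conf layout (password_secret and root_password_sha2 present but empty, the other two keys commented out) and takes the page's defaults for the bind address and backend URL as optional arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Graylog project): applies the
# Step 6 settings to a Graylog server.conf without pasting hashes by hand or
# leaving the admin password in shell history.
set -eu

# Graylog expects root_password_sha2 to be the hex SHA-256 of the raw password,
# without a trailing newline and without the " -" suffix that sha256sum prints.
graylog_sha256() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96 random alphanumeric characters for password_secret; a stand-in for
# `pwgen -N 1 -s 96`, which is not installed on Rocky Linux by default.
graylog_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Set "key = value" in a Graylog config file: replace an existing line, whether
# active or commented out with '#', or append the key if it is absent.
# Values must not contain '|' or '&' (sed replacement syntax); ours never do.
graylog_set() {
  local conf="$1" key="$2" value="$3"
  if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >>"$conf"
  fi
}

# Apply the settings from Step 6.
# Args: config file, password_secret, admin password,
#       [http_bind_address, default 0.0.0.0:9000], [elasticsearch_hosts, default local OpenSearch]
graylog_configure() {
  local conf="$1" secret="$2" password="$3"
  local bind="${4:-0.0.0.0:9000}"            # page default; front with TLS for production
  local hosts="${5:-http://127.0.0.1:9200}"  # the loopback-only OpenSearch from Step 4
  [ "${#secret}" -ge 16 ] || { echo "password_secret must be at least 16 characters" >&2; return 1; }
  graylog_set "$conf" password_secret "$secret"
  graylog_set "$conf" root_password_sha2 "$(graylog_sha256 "$password")"
  graylog_set "$conf" http_bind_address "$bind"
  graylog_set "$conf" elasticsearch_hosts "$hosts"
  chmod 0640 "$conf"   # the file now holds secrets; keep it unreadable to other users
}

# Usage (as root): ./graylog-configure.sh --apply [/etc/graylog/server/server.conf]
# The admin password is read with echo off, so it does not show up in `ps`
# output or ~/.bash_history the way `echo -n "pw" | sha256sum` does.
if [ "${1:-}" = "--apply" ]; then
  target="${2:-/etc/graylog/server/server.conf}"
  printf 'Graylog admin password: ' >&2
  stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
  graylog_configure "$target" "$(graylog_secret)" "$pw"
  echo "updated $target"
fi
```

Run it as root with --apply after installing graylog-server, then restart the service. If you later want to rotate the admin password (FAQ 3), graylog_set with a fresh hash is the only call needed; password_secret must not change once inputs or notifications with stored credentials exist, because they were encrypted with it.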


Step 7: Start Graylog Service

Enable and start Graylog:

sudo systemctl enable --now graylog-server

Check the status:

sudo systemctl status graylog-server

Step 8: Configure Firewall

Allow the Graylog web interface and syslog ports in the Linux firewall. Port 1514 is used instead of the standard 514 because Graylog does not run as root and cannot bind privileged ports; nothing listens there until you create a Syslog UDP or Syslog TCP input on 1514 under System > Inputs in the web interface. Do not open 9200 (OpenSearch) or 27017 (MongoDB); both stay on loopback.

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --add-port=1514/tcp --permanent
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --reload
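Once the firewall rule and a Syslog UDP input on 1514 are in place, the quickest end-to-end check is to hand-build one RFC 5424 message and push it at the port. The script below is an added example, not code from the original page or the Graylog project; it assumes the input exists and that the Graylog host is reachable at the address you pass (127.0.0.1 by default). The sample sshd line is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the Graylog project): build an
# RFC 5424 syslog message and send it to Graylog's Syslog UDP input on 1514.
set -eu

# PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
# Facilities: 0 kern, 1 user, 4 auth, 10 authpriv, 16-23 local0-local7.
# Severities: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info, 7 debug.
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# One RFC 5424 line:  <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# PROCID, MSGID and STRUCTURED-DATA are sent as "-" (nil); Graylog parses
# facility, level, source and application_name out of the header for you.
# Args: facility severity hostname appname timestamp message
syslog_message() {
  local pri
  pri=$(syslog_pri "$1" "$2")
  printf '<%s>1 %s %s %s - - - %s' "$pri" "$5" "$3" "$4" "$6"
}

# Send one datagram with bash's /dev/udp pseudo-device (no netcat required).
# Args: server port message
syslog_send_udp() {
  printf '%s\n' "$3" >"/dev/udp/$1/$2"
}

# Constructed sample: an sshd authentication failure as it looks on the wire
# (auth.info -> facility 4, severity 6 -> PRI 38). Hypothetical host and address.
sample_sshd_failure() {
  syslog_message 4 6 web01 sshd 2024-01-01T00:00:00Z \
    'Failed password for root from 203.0.113.5 port 22 ssh2'
}

# Usage: ./syslog-test.sh --send [graylog-host] [port]
# Sends one local0.info test message; search for "graylog-test" in the web
# interface and it should appear within a few seconds if the input and firewall are right.
if [ "${1:-}" = "--send" ]; then
  syslog_send_udp "${2:-127.0.0.1}" "${3:-1514}" \
    "$(syslog_message 16 6 "$(hostname)" graylog-test \
       "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "test message from $(hostname)")"
fi
```

If the message never shows up, check the input is running (System > Inputs), that firewall-cmd --list-ports includes 1514/udp, and that no upstream firewall drops UDP. Real clients forward with rsyslog rather than a script: a line such as *.* @graylog.example.com:1514 in /etc/rsyslog.d/ sends over UDP, and @@ instead of @ uses TCP, which is the better choice whenever message loss matters.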

Step 9: Access Graylog Web Interface

Open a web browser and go to:

http://<YOUR_SERVER_IP>:9000

Login with:

  • Username: admin
  • Password: (the password you hashed in Step 6)

Until TLS is in place, these credentials cross the network in clear text, so do the first login from a trusted network and configure TLS or a reverse proxy before anyone else uses the interface.

Final Thoughts

Installing Graylog on Rocky Linux 9 is a crucial step in setting up a powerful and efficient log management system. By following the step-by-step guide, you can successfully configure MongoDB, OpenSearch, and Graylog to centralize, analyze, and monitor logs in real-time.

Graylog offers scalability, powerful search capabilities, and advanced security features, making it an excellent choice for IT administrators, DevOps teams, and security professionals. Once installed, you can customize dashboards, set up alerts, and integrate Graylog with other tools to enhance your logging and monitoring experience.

With Graylog up and running on Rocky Linux 9, you can take full control of your log data, improve system performance, and strengthen security monitoring.



Frequently Asked Questions (FAQs)

1. How do I check Graylog logs for troubleshooting?

Use the following command:

sudo journalctl -u graylog-server -f

2. Can I use Elasticsearch instead of OpenSearch?

Yes. Graylog 5.0 supports Elasticsearch 7.10.x (not 8.x); point elasticsearch_hosts at it exactly as for OpenSearch. OpenSearch is the recommended backend because it remains open source and actively maintained, and it is what newer Graylog releases are tested against.

3. How do I reset the Graylog admin password?

Generate a new SHA-256 hash with the command from Step 6, replace the root_password_sha2 value in /etc/graylog/server/server.conf, and restart Graylog with sudo systemctl restart graylog-server. Leave password_secret unchanged; it encrypts credentials Graylog has already stored.

4. How can I increase OpenSearch memory allocation?

Edit /etc/opensearch/jvm.options and set the initial and maximum heap to the same value, no more than half of the machine's RAM and below about 31 GB (larger heaps lose compressed object pointers and perform worse):

-Xms4g
-Xmx4g

Restart OpenSearch:

sudo systemctl restart opensearch

5. What ports should be open for Graylog?

  • 9000/TCP – Web Interface
  • 1514/TCP & UDP – Syslog Inputs
