
How to install Graylog on Rocky Linux 9


Learn how to install Graylog on Rocky Linux 9 with this step-by-step guide. Set up Graylog for efficient log management, monitoring, and security analysis.



Introduction

In today’s data-driven world, businesses generate massive amounts of logs from servers, applications, and network devices. Managing these logs effectively is crucial for security, troubleshooting, and operational efficiency. That’s where Graylog comes in—a powerful, open-source log management solution designed to collect, index, and analyze log data in real-time.

With its ability to centralize log management, provide real-time insights, and enhance security, Graylog is a favorite among IT administrators, DevOps teams, and cybersecurity professionals. In this guide, we’ll explore everything you need to know about Graylog, from installation to advanced configurations.


What is Graylog?

Graylog is an open-source log management system that helps businesses collect, store, and analyze log data efficiently. Unlike traditional log management solutions, Graylog is designed for scalability, making it ideal for handling large log volumes across distributed systems.


How Graylog Differs from Other Log Management Tools

Who Uses Graylog?

Graylog is widely used across various industries, including:


Why Use Graylog?

Centralized Log Management

Managing logs across multiple servers and applications can be chaotic. Graylog centralizes logs from different sources, providing a unified dashboard to search, analyze, and visualize log data.

Enhanced Security & Threat Detection

With cybersecurity threats on the rise, Graylog helps detect anomalies, security breaches, and unauthorized access by analyzing logs in real-time. Security teams can set up alerts to respond to potential threats immediately.

Faster Troubleshooting & Debugging

Graylog’s powerful search functionality allows IT teams to quickly pinpoint issues within logs, reducing downtime and improving system reliability.

Cost-Effective Solution

Compared to enterprise solutions like Splunk, Graylog is affordable while still offering enterprise-grade features.


Key Features of Graylog

Log Collection and Parsing

Graylog supports multiple input sources, including:

It also provides log parsing capabilities to extract relevant data from unstructured logs.

Powerful Search & Analysis

Alerting and Notifications

Scalability and Performance


How Graylog Works

Graylog’s architecture consists of three key components:

1. Graylog Server

The core processing unit that manages log collection, storage, and search queries.

2. MongoDB

Stores Graylog’s metadata, including user configurations and dashboards.

3. Elasticsearch

Indexes and retrieves log data efficiently, enabling fast searches and queries.

How Logs Are Collected and Stored

  1. Logs are collected from different sources (e.g., Syslog, API, applications).
  2. Graylog parses and indexes the logs in Elasticsearch.
  3. Users can search, filter, and analyze logs via the Graylog dashboard.



Graylog vs. Other Log Management Tools

Feature           | Graylog            | Splunk    | ELK Stack
------------------|--------------------|-----------|--------------------------
Cost              | Free (Open Source) | Expensive | Free (but complex setup)
Ease of Use       | User-friendly      | Advanced  | Complex configuration
Scalability       | High               | Very High | High
Built-in Alerting | Yes                | Yes       | No (requires extra setup)

Best Practices for Using Graylog


Common Issues and Troubleshooting


Use Cases and Real-World Applications


Prerequisites

Before we begin, ensure you have:


Step 1: Update Your Linux System

Before installing Graylog, update your Rocky Linux 9 system:

sudo dnf update -y

Reboot if necessary:

sudo reboot

Step 2: Install Java 17 on Rocky Linux

Graylog requires Java 17 to run. Install it with dnf:

sudo dnf install java-17-openjdk -y

Verify the installation:

java -version

Expected output:

openjdk version "17.0.x"

Read more: How to install Java on Linux 9


Step 3: Install MongoDB on Rocky Linux

MongoDB stores configuration and metadata for Graylog.

Add MongoDB Repository

To install MongoDB, you must first configure the official MongoDB YUM repository.

Execute the following command to add the MongoDB yum repository. The baseurl points at the redhat/9 branch of the repository, which matches Rocky Linux 9.

sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo <<EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

Install MongoDB Server

Execute the following dnf command to install the MongoDB server:

sudo dnf install mongodb-org -y

Start and Enable MongoDB

After successful installation, you must enable and start the MongoDB service.

sudo systemctl enable --now mongod

Verify MongoDB Status

sudo systemctl status mongod

Read more: How to install MongoDB on Linux Server 9


Step 4: Install OpenSearch on Rocky Linux 9

Graylog 5.0+ supports OpenSearch instead of Elasticsearch for better security and performance.

Add OpenSearch Repository

To install OpenSearch, you must first configure the official OpenSearch YUM repository.

Use the following command to add the OpenSearch yum repository:

sudo tee /etc/yum.repos.d/opensearch.repo <<EOF
[opensearch]
name=OpenSearch repository
baseurl=https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/rpm/
gpgcheck=1
gpgkey=https://artifacts.opensearch.org/publickeys/opensearch.pgp
enabled=1
EOF

You can now use dnf to install OpenSearch on your Rocky Linux 9 system:

sudo dnf install opensearch -y

Edit the OpenSearch configuration file by using a text editor:

sudo nano /etc/opensearch/opensearch.yml

Modify or add the following lines:

cluster.name: graylog
node.name: node-1
network.host: 0.0.0.0
discovery.type: single-node
action.auto_create_index: false

Save and exit. Graylog connects to OpenSearch over 127.0.0.1 (see Step 6), so on a single-host setup you can set network.host to 127.0.0.1 rather than 0.0.0.0 to keep port 9200 reachable only from the local machine.

Enable and start OpenSearch service:

sudo systemctl enable --now opensearch

Verify OpenSearch Status

Check status of OpenSearch service:

sudo systemctl status opensearch

To check if OpenSearch is working:

curl -X GET "http://localhost:9200"

Expected output:

{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "version" : {
    "number" : "2.x",
    "build_type" : "rpm"
  }
}

Read more: How to install OpenSearch on Rocky Linux 9


Step 5: Install Graylog on Rocky Linux 9

Add Graylog Repository

Add the Graylog YUM repository with the following command:

sudo tee /etc/yum.repos.d/graylog.repo <<EOF
[graylog]
name=Graylog repository
baseurl=https://packages.graylog2.org/repo/el/stable/5.0/x86_64/
gpgcheck=1
gpgkey=https://packages.graylog2.org/repo/debian/keyring.gpg
enabled=1
EOF

Install Graylog

Now install the Graylog server with dnf:

sudo dnf install graylog-server -y

Step 6: Configure Graylog

Generate a Secret Key

Generate a random 96-character secret with pwgen (on Rocky Linux 9 the pwgen package is provided by the EPEL repository):

pwgen -N 1 -s 96

Copy the generated key and add it to Graylog’s configuration file:

sudo nano /etc/graylog/server/server.conf

Find the following line and add your key:

password_secret = YOUR_GENERATED_SECRET

Set Admin Password Hash

Generate a SHA256 hash of the admin password. The cut at the end keeps only the hex digest, because sha256sum also prints a trailing "  -" that must not be copied into the configuration file (a password typed on the command line is also saved in your shell history):

echo -n "YourPassword" | sha256sum | cut -d' ' -f1

Copy the generated hash and add it to server.conf:

root_password_sha2 = YOUR_GENERATED_HASH

Configure OpenSearch in Graylog

Modify these lines in /etc/graylog/server/server.conf:

http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200

Save and exit.
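Before starting the service, it is worth checking that server.conf actually holds what Step 6 asked for: a password_secret of at least 64 characters, a root_password_sha2 that is a bare 64-character hex digest (no trailing "  -"), and an OpenSearch URL and bind address. The script below is an added example and not part of the CentLinux guide; the function names, the hash_password helper (which also reads the password without echo so it never lands in shell history) and the check_server_conf pre-flight are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the CentLinux guide: pre-flight checks for the
# server.conf values set in Step 6. Function and file names are my own.

# Hash a password read from stdin and print only the 64-hex-character digest.
# Plain `sha256sum` prints "<digest>  -", and that trailing "  -" must not be
# pasted into root_password_sha2.
hash_password() {
    tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Interactive variant: read the password without echo, so it is neither
# shown on screen nor recorded in the shell history.
hash_password_prompt() {
    local pw
    read -r -s -p "Admin password: " pw
    echo >&2
    printf '%s' "$pw" | hash_password
}

# Return the value of "key = value" from a Graylog-style config file.
# Commented-out lines (#key = ...) and other keys are ignored.
conf_get() {
    local file=$1 key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Validate the four settings this guide edits. Prints one line per
# problem; returns 0 when the file looks ready, 1 otherwise.
check_server_conf() {
    local file=${1:-/etc/graylog/server/server.conf}
    local rc=0 secret digest hosts bind

    secret=$(conf_get "$file" password_secret)
    # Graylog requires at least 64 characters here (pwgen -s 96 in Step 6).
    if [ "${#secret}" -lt 64 ]; then
        echo "password_secret: need at least 64 characters, have ${#secret}"
        rc=1
    fi

    digest=$(conf_get "$file" root_password_sha2)
    if ! printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2: not a 64-character lowercase hex SHA-256 digest"
        rc=1
    fi

    hosts=$(conf_get "$file" elasticsearch_hosts)
    case $hosts in
        http://*|https://*) ;;
        *) echo "elasticsearch_hosts: expected an http(s) URL, have '${hosts}'"; rc=1 ;;
    esac

    bind=$(conf_get "$file" http_bind_address)
    case $bind in
        *:[0-9]*) ;;
        *) echo "http_bind_address: expected host:port, have '${bind}'"; rc=1 ;;
    esac

    return "$rc"
}
```

Save it as, say, graylog-preflight.sh, then `. ./graylog-preflight.sh && check_server_conf` as a user who can read /etc/graylog/server/server.conf; a non-zero exit and the printed lines tell you which value to fix before Step 7. `hash_password_prompt` is the replacement for the `echo -n "YourPassword" | sha256sum` step when you do not want the password in your history.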


Step 7: Start Graylog Service

Enable and start Graylog:

sudo systemctl enable --now graylog-server

Check the status:

sudo systemctl status graylog-server

Step 8: Configure Firewall

Allow the Graylog web interface (9000/tcp) and the syslog input ports (1514/tcp and 1514/udp) through the Linux firewall:

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --add-port=1514/tcp --permanent
sudo firewall-cmd --add-port=1514/udp --permanent
sudo firewall-cmd --reload

Step 9: Access Graylog Web Interface

Open a web browser and go to:

http://<YOUR_SERVER_IP>:9000

Log in with the username admin (Graylog's default root_username) and the password whose SHA256 hash you set as root_password_sha2 in Step 6.


Final Thoughts

Installing Graylog on Rocky Linux 9 is a crucial step in setting up a powerful and efficient log management system. By following this step-by-step guide, you can successfully configure MongoDB, OpenSearch, and Graylog to centralize, analyze, and monitor logs in real time.

Graylog offers scalability, powerful search capabilities, and advanced security features, making it an excellent choice for IT administrators, DevOps teams, and security professionals. Once installed, you can customize dashboards, set up alerts, and integrate Graylog with other tools to enhance your logging and monitoring experience.

With Graylog up and running on Rocky Linux 9, you can take full control of your log data, improve system performance, and strengthen security monitoring.



Frequently Asked Questions (FAQs)

1. How do I check Graylog logs for troubleshooting?

Use the following command:

sudo journalctl -u graylog-server -f

2. Can I use Elasticsearch instead of OpenSearch?

Yes, but OpenSearch is recommended for better security and compatibility with Graylog 5.0+.

3. How do I reset the Graylog admin password?

Modify /etc/graylog/server/server.conf with a new SHA256 password hash and restart Graylog.

4. How can I increase OpenSearch memory allocation?

Edit /etc/opensearch/jvm.options and modify:

-Xms4g
-Xmx4g

Restart OpenSearch:

sudo systemctl restart opensearch

5. What ports should be open for Graylog?

At a minimum, 9000/tcp for the web interface, plus the port of each input you create, such as 1514/tcp and 1514/udp for a syslog input (see Step 8).
