How To Install Graylog 4 on CentOS 7|RHEL 7

Posted on 140 views

In this guide, I’ll take you through  the steps to install Graylog 4 on CentOS 7|RHEL 7 Linux system. Graylog is an open source log management platform which enables you to aggregate up to terabytes of log data, from multiple log sources, DCs, and geographies with the capability to scale horizontally in your data center, cloud, or both.

The Graylog search function is really fast and powerful, so you can group your servers into streams for easy log searching. Graylog UI is simple and intuitive with a complete user management and support for LDAP. It also has support for alerting and reporting.

Graylog 4.x has full support for Elasticsearch 7.x and any latest version of MongoDB – 4.x. If you are an Ubuntu and CentOS 8 user, check:

Graylog depends on Java, Elasticsearch, and MongoDB for its functions. Elasticsearch is responsible for logs storage and MongoDB is for storing Graylog related configurations.

Step 1: Configure SELinux

If you’re using SELinux on your system, set following settings:

sudo yum -y install curl vim policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Step 2: Add required repositories:

Enable EPEL repository.

CentOS 7:

sudo yum -y install epel-release


sudo subscription-manager repos --enable rhel-*-optional-rpms \
                           --enable rhel-*-extras-rpms \
                           --enable rhel-ha-for-rhel-*-server-rpms
sudo yum -y install

Add MongoDB Repository:

sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo <

Add Elasticsearch Repository:

sudo tee /etc/yum.repos.d/elasticsearch.repo <

Update YUM package index cache:

sudo yum clean all
sudo yum -y makecache

Confirm all repositories added are functional:

$ yum repolist
repo id                                                                             repo name                                                                                                 status
base/7/x86_64                                                                       CentOS-7 - Base                                                                                           10072
droplet-agent/x86_64                                                                DigitalOcean Droplet Agent                                                                                    8
elasticsearch-7.x                                                                   Elasticsearch repository for 7.x packages                                                                  1058
extras/7/x86_64                                                                     CentOS-7 - Extras                                                                                           509
mongodb-org-4.4                                                                     MongoDB Repository                                                                                          172
updates/7/x86_64                                                                    CentOS-7 - Updates                                                                                         3573
repolist: 15392

Step 3: Install Java, Elasticsearch, and MongoDB

Run this command to install all required packages.

sudo yum -y install vim pwgen java-11-openjdk java-11-openjdk-devel
sudo yum -y install pwgen elasticsearch-oss mongodb-org

Check if Java and other packages are now installed:

$ java -version
openjdk version "" 2022-02-08 LTS
OpenJDK Runtime Environment 18.9 (build
OpenJDK 64-Bit Server VM 18.9 (build, mixed mode, sharing)

Start and enable MongoDB service.

Start mongod service and set it to start on boot.

sudo systemctl enable --now mongod
sudo systemctl status mongod

MongoDB paths:

File system path
Configuration /etc/mongod.conf
Data files /var/lib/mongodb/
Log files /var/log/mongodb/

Step 4: Configure Elasticsearch for Graylog

You need to modify the Elasticsearch configuration file and set the cluster name to graylog, Additionally you need to uncomment (remove the # as first character) the line, and add action.auto_create_index: false to the configuration file:

The file to edit is /etc/elasticsearch/elasticsearch.yml.

$ sudo vi /etc/elasticsearch/elasticsearch.yml graylog
action.auto_create_index: false

Start and enable elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch

Confirm service status:

$ systemctl status elasticsearch
 elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-03-19 05:07:48 UTC; 4s ago
 Main PID: 8722 (java)
   CGroup: /system.slice/elasticsearch.service
           └─8722 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=tr...

Mar 19 05:07:32 centos-01 systemd[1]: Starting Elasticsearch...
Mar 19 05:07:48 centos-01 systemd[1]: Started Elasticsearch.

The default Elasticsearch file locations are:

File system path
Configuration /etc/elasticsearch
JVM settings /etc/sysconfig/elasticsearch
Data files /var/lib/elasticsearch/data
Log files /var/log/elasticsearch/

Step 5: Install Graylog Server on CentOS 7|RHEL 7

Now install the Graylog repository and Graylog itself with the following commands:

sudo rpm -Uvh
sudo yum -y install graylog-server

You also need to set add password_secret and root_password_sha2 variables under /etc/graylog/server/server.conf. 

### Generate root_password_sha2
$ echo -n "Enter Password: " && head -1 
Enter Password: password 

Sha2 password is printed to the screen. We’ll use it in the configuration file to update it.


Generate password_secret using pwgen tool installed earlier.

$ pwgen -N 1 -s 96

These settings are mandatory and without them, Graylog will not start!

$ sudo vi /etc/graylog/server/server.conf
password_secret = Replace-me-with-generated-password-secret
root_password_sha2 = Replace-me-with-generated-hashed-root-secret


password_secret = pYJuHjPD0166gUEzhL3XUpTkacYAu26FFxVIRjvczINydWF7WwBbUEUaD5KukCUBIKpklbYn85ebWTOQg4UMMS0twWqB7Rep
root_password_sha2 = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Let’s also bind address to the network interface used by the Graylog HTTP interface

$ sudo vi /etc/graylog/server/server.conf
#line 105
http_bind_address =

Restart graylog service for it to bind to all addresses on the system

sudo systemctl restart graylog-server

Graylog directory structure:

File system path
Configuration /etc/graylog/server/server.conf
Logging configuration /etc/graylog/server/log4j2.xml
Plugins /usr/share/graylog-server/plugin
JVM settings /etc/sysconfig/graylog-server
Message journal files /var/lib/graylog-server/journal
Log Files /var/log/graylog-server/

Step 6: Start Graylog service on CentOS 7|RHEL 7

Now start graylog service and enable it to start on system boot up

sudo systemctl daemon-reload
sudo systemctl enable --now graylog-server.service

Confirm service status:

$ systemctl status  graylog-server.service
 graylog-server.service - Graylog server
   Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-03-19 08:25:09 UTC; 13s ago
 Main PID: 19249 (graylog-server)
   CGroup: /system.slice/graylog-server.service
           ├─19249 /bin/sh /usr/share/graylog-server/bin/graylog-server
           └─19250 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+C...

Sep 16 09:08:11 cent701.novalocal systemd[1]: Stopped Graylog server.
Sep 16 09:08:11 cent701.novalocal systemd[1]: Started Graylog server.

Configure Graylog Firewalld

For a single node installation, you only need to open port 9000 for UI access and API. To do this on CentOS 7|RHEL 7, use firewalld.

sudo firewall-cmd --add-port=9000/tcp --permanent
sudo firewall-cmd --reload

You can now access Graylog web interface using http://public_ip:9000. You should get an interface like below.


We have come to the end of Install Graylog 4.x with Elasticsearch 7.x on CentOS 7|RHEL 7. Read next article on configure Graylog Nginx reverse proxy with Let’s Encrypt SSL.

Progress to learn how to ingest messages into your Graylog and extract the messages with extractors or use the Pipelines to work with the messages.


Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.