November 24, 2020
How to install Graylog On CentOS 8

How To Install Graylog On CentOS 8

On this article we will discuss how to install Graylog Open Source version 3.3.81 on CentOS 8.


Graylog is open-source log management tools which is centrally captures, stores, and enables real-time search and log analysis from any component in the IT infrastructure and applications. Graylog was founded in 2009 by Lennart Koopmann and began as an open-source project in Hamburg, Germany. The headquarters are in Houston, Texas. Graylog released its first commercial offering in 2016 making its enterprise product available. Graylog has grown to over 35,000 installations worldwide on 2018. The software uses a three-tier architecture and scalable storage based on Elasticsearch and MongoDB.

Graylog Installation On CentOS 8

On this article we will deploy a minimum setup, the minimum Graylog setup can be used for smaller, non-critical, or test setups. None of the components are redundant, and they are easy and quick to setup, as described on Graylog Architectural considerations.

Graylog minimum setup architecture

The installation of Graylog on CentOS 8 requrires any application to be deployed first, namely : Java, Elasticsearch and MongoDB.

  • Elasticsearch – Stores the log messages received from the Graylog server and provides a facility to search them whenever required. Elasticsearch is a resource monger as it does indexing of data, so allocate more memory and use SAS or SAN disks.
  • MongoDB – Stores the configurations and meta information.
  • Graylog server – Receive and parsing the logs then provides built-in Web Interface to handle those logs.

The Graylog installation steps will be divided into several steps :


To install Graylog on CentOS 8, there are many prerequisite to be fulfilled first. Here are the prerequisites to be met :

  1. CentOS 8 Operating system with sufficient space
  2. root account or user with sudo privilege
  3. Java installed on the system at lest version 8 or newer (for OpenJDK or Oracle Java)
  4. Elasticsearch (5.x or 6.x), where Graylog 3 does not work with Elasticsearch 7.x!
  5. MongoDB (3.6, 4.0 or 4.2)

At the section below, we will discuss how fulfill the requirement for no. 3,4 and 5.

Java installed on the system

To verify the Java was installed on the system, we just issue the command line java --version, as described below:

[mpik@diginetapp02 ~]$ java --version
openjdk 11.0.8 2020-07-14 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.8+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10-LTS, mixed mode, sharing)
java version 11.0.8 installed on the system

The OpenJDK version 11.0.8 has been installed on our system. For Java installation, could be found on installing OpenJDK on CentOS 8 or installing OpenJDK on Ubuntu 20.04 LTS or install Oracle Java on Ubuntu articles.

Installing Elasticsearch 6.x On CentOS 8

As mentioned on Graylog documentation, if Graylog is only supported by Elasticsearch version 5.x and version 6.x. On our system there is no Elasticesearch version 5.x or 6.x has been installed, so we have to install it first. On this section we will install Elasticsearch version 6.x.

  1. Install Elastic GPG key
    The first step is starting with installing Elastic GPG Key. We have to install it first, by submitting commad below : sudo rpm --import
    Add GPG Elasticsearch
  2. Add Elasticsearch Repository File
    We have to acknowledge the system with Elasticsearch 6.x software by adding new file. We will create a new file by submitting command line : sudo vi /etc/yum.repos.d/elasticsearh.repo.
    Elasticsearch 6.x yml
  3. Install Elasticsearch version 6.x
    Then we will install the Ealsticsearch by submitting command line : sudo dnf install elasticsearch-oss
    Install Elasticsearch 6.x
    the output will be :
    Elasticsearch 6.x installation completed
  4. Configuring Elasticsearch
    After Elasticsearch installation was completed, then we have to configure it to be fit with Graylog application need. We will update the /etc/elasticsearch/elasticsearch.yml file and update the parameter to be graylog. = graylog = graylog
  5. Enabling and Starting Elasticsearch Services
    The next step is to enable and start the Elasticsearch service and verify it has been met with Graylog application.
    We will be using systemctl command line for this purposes. The command line will be as below:
    sudo systemctl [enable | restart | status] elasticsearch
    enable, reload and start Elasticsearch services
    then we will verify the Elasticsearch has been running by submitting command line curl -X GET "localhost:9200/" or using web browser by hitting its url and port. It will show the “graylog” for cluster name parameter as shown below :
    Elasticsearch URL

The Elasticsearch 6.x installation has been completed done successfully. Then next step we will install MongoDB version 4.2.

MongoDB 4.2 Installation on CentOS 8

As mentioned otn Graylog installation if Graylog requires MongoDB version 3.6, 4.0 or 4.2. On this section we will use MongoDB version 4.2 as components for Graylog installation.

  1. Add MongoDB 4.2 Repository File
    We have to acknoledge our CentOS 8 system with MongoDB 4.2 software by adding new file. We will create a /etc/yum.repos.d/mongodb-org.repo file as shown below.
    MongoDB 4.2 Repository
  2. Install MongoDB
    Then we install the MongoDB 4.2 by submitting command line : sudo dnf install mongodb-org
    MongoDB .2 installation on CentOS 8
    The output will be :
    Mongodb 4.2 installation was completed
  3. Enabling and Starting MongoDB Services.
    The next step is to enable and start the Elasticsearch service. We will be using systemctl command line for this purposes. The command line will be as below:
    sudo systemctl [enable | restart | status] mongod
    MongoDB 4.2 services
    It seems if the MongoDB 4.2 has already running properly on our CentOS 8 system.

Graylog Installation on CentOS 8

After all prerequisites are met, the next step is install and configure Graylog on CentOS 8. We will use Graylog version 3.3.18 on our tutorial. So we will install the Graylog 3.3 repository rpm on our system.

Install Graylog Repository

We will add graylog repository to our system, find out the latest Gaylog repository on Graylog official website.

[mpik@diginetapp02 ~]$ sudo rpm -Uvh
[sudo] password for mpik:
Verifying… ################################# [100%]
Preparing… ################################# [100%]
Updating / installing…
1:graylog-3.3-repository-1-1 ################################# [100%]

Install Graylog 3.3.81 Open Source Edition on Centos 8

Before installing Graylog, we have to update our CentOS 8 system first. Submit the following command lines : sudo dnf update and sudo dnf install graylog-server.

[mpik@diginetapp02 ~]$ sudo dnf update
graylog 1.4 kB/s | 10 kB 00:07
Last metadata expiration check: 0:00:01 ago on Wed 28 Oct 2020 12:21:23 AM PDT.
Dependencies resolved.
Package Arch Version Repo Size
kernel x86_64 4.18.0-193.19.1.el8_2 BaseOS 2.8 M
kernel-core x86_64 4.18.0-193.19.1.el8_2 BaseOS 28 M
kernel-devel x86_64 4.18.0-193.19.1.el8_2 BaseOS 15 M
kernel-modules x86_64 4.18.0-193.19.1.el8_2 BaseOS 23 M

After system updated, then we install the Graylog server package on our system, by submittingon command line below:

[mpik@diginetapp02 ~]$ sudo dnf install graylog-server
[sudo] password for mpik:
Last metadata expiration check: 7:41:23 ago on Wed 28 Oct 2020 12:21:23 AM PDT.
Dependencies resolved.
Package Architecture Version Repository Size
graylog-server noarch 3.3.8-1 graylog 121 M
Transaction Summary
Install 1 Package
Total download size: 121 M
Installed size: 121 M
Is this ok [y/N]: y
Downloading Packages:
graylog-server-3.3.8-1.noarch.rpm 301 kB/s | 121 MB 06:51

Configuring Graylog

On this section we will configure Graylog which was installed. The main focus is configuring the Graylog configuration file which is located on the /etc/graylog/server/server.conf file. I will use the vi editor for editing this file.

On this file we will setting the paremeters:

  • password_secret
  • root_password_sha2
  • root_email
  • root_timezone

password_secret parameter is fulfilled with the secret code generator, pwgen.

mpik@diginetapp02 ~]$ sudo pwgen -N 1 -s 98
[sudo] password for mpik: 

root_password_sha2 parameter is produced by the hashed password which is generated by the

[mpik@diginetapp02 ~]$ sudo echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
[sudo] password for mpik:
Enter Password: Welcome202!
pwgen and sha256 - graylog generating password
You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
Generate one by using for example: pwgen -N 1 -s 96
ATTENTION: This value must be the same on all Graylog nodes in the cluster.
Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret = 4nWed8DrvxOEmCl6AdYXLYGBSpzHdKe8jFhjqrxYdIPgawuwfOT5vDO01RaGhqPe9JoxcmHFNB5tCnzIVt2v10PGHCvGxXAHMp
The default root user is named 'admin'
root_username = admin
You MUST specify a hash password for the root user (which you only need to initially set up the
system and in case you lose connectivity to your authentication backend)
This password cannot be changed using the API or via the web interface. If you need to change it,
modify it in this file.
Create one by using for example: echo -n yourpassword | shasum -a 256
and put the resulting hash value into the following line
root_password_sha2 = 82ff1a0027bcf92a7a4ef8aa9e7541724b50539d35ecc99eb28cf0e204c0b66e
The email address of the root user.
The email address of the root user.
Default is empty
root_email = ""
The time zone setting of the root user. See for a list of valid time zones.
Default is UTC
root_timezone = UTC

Configuring Graylog Web Interface

After all parameter are set, then we will configure Graylog web interface. The default porrt for Graylog is 9000. We will update /etc/graylog/server/server.conf file for enabling Graylog web interface. Update http_bind_address parameter and fill it with your IP Address’s server. (On our server is using IP Address

http_bind_address =

Until this step, we have almost reached the final step. All paramters are set, then we enabling and starting Graylog services.

configure_webinterfaceStarting Graylog Services

As mentioned earlier on this article, if Graylog requires MongoDB and Elasticsearch. These two applications must be started and running well. Then we start the Graylog services.

[mpik@diginetapp02 ~]$ sudo systemctl daemon-reload
[sudo] password for mpik:
[mpik@diginetapp02 ~]$ sudo systemctl restart graylog-server
[mpik@diginetapp02 ~]$ sudo systemctl status graylog-server
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2020-10-28 08:58:32 PDT; 8s ago
Main PID: 6762 (graylog-server)
Tasks: 16 (limit: 49605)
Memory: 291.7M
CGroup: /system.slice/graylog-server.service
├─6762 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─6787 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+C>
Oct 28 08:58:32 diginetapp02 systemd[1]: Started Graylog server.
Oct 28 08:58:32 diginetapp02 graylog-server[6762]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was >
Oct 28 08:58:33 diginetapp02 graylog-server[6762]: WARNING: sun.reflect.Reflection.getCallerClass is not supported.>
Oct 28 08:58:38 diginetapp02 graylog-server[6762]: WARNING: An illegal reflective access operation has occurred
Oct 28 08:58:38 diginetapp02 graylog-server[6762]: WARNING: Illegal reflective access by>
Oct 28 08:58:38 diginetapp02 graylog-server[6762]: WARNING: Please consider reporting this to the maintainers of co>
Oct 28 08:58:38 diginetapp02 graylog-server[6762]: WARNING: Use --illegal-access=warn to enable warnings of further>
Oct 28 08:58:38 diginetapp02 graylog-server[6762]: WARNING: All illegal access operations will be denied in a futur> 

To enable Graylog server is starting automatically on system startup, just submit this command below.

[mpik@diginetapp02 ~]$ sudo systemctl enable graylog-server

The output log will be located on this file :

tail -f /var/log/graylog-server/server.log

Configuring Firewall

By default, the firewall rules are set to block most of the traffic coming from the external machines, so we have to add a rule to enable the access for Graylog web interface. For this purpose, submit the command line below:

[mpik@diginetapp02 ~]$ sudo firewall-cmd --permanent --add-port=9000/tcp
[mpik@diginetapp02 ~]$ sudo firewall-cmd --reload
Settinf Firewall Graylog on CentOS 8

Access Graylog Web Interface

The Graylog web interface is located on http://ip-address:9000, it could be accessed through web browser. On our tutorial, we will hit url : http://diginetapp02:9000.

We use username : admin and password Welcome202!.

Graylog web interface first appearance. Showing Graylog version 3.3.8.

Graylog system overview :

So far, the installation was completed done successfully. The next thing… learn more in depth to install, configure and operate Graylog so that it can bring benefits to the environment in which we work.


Until here, we have installed the Graylog version 3.3.81 on CentOS 8 successfully. This guide does not cover security settings. As we knows, the security is main issue on this information age. Make sure if the Graylog we have deployed is not breached unwanted information.

Have a nice weekend, stay safe.

Share this article via :

Leave a Reply

Your email address will not be published. Required fields are marked *