How to Install Graylog with Elasticsearch on CentOS 8

Graylog is an open-source log management system that collects logs from multiple sources and provides alerting, log history, and search, using Elasticsearch as its main index database. It collects, stores, indexes, and analyzes real-time data from applications, with an intuitive UI, a fast and powerful search feature, alerting, and reporting.


Graylog requires the following components:

  • Java
  • Elasticsearch
  • MongoDB

Update System

sudo dnf update

Install EPEL Repository

sudo dnf -y install

Install Java

Java 8 is a prerequisite for Elasticsearch.

sudo dnf install java-11-openjdk java-11-openjdk-devel

Check Java version

$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+9-LTS, mixed mode, sharing)

SELinux Configuration

sudo dnf -y install curl vim policycoreutils policycoreutils-python-utils python3-policycoreutils
sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Install Elasticsearch

Before installing Elasticsearch, add the Elasticsearch repository by creating the repository file below.

sudo vim /etc/yum.repos.d/elasticsearch.repo

name=Elasticsearch repository for 7.x packages

Install Elasticsearch and its dependencies.

sudo dnf -y install elasticsearch-oss

Configure Elasticsearch for Graylog

Modify the Elasticsearch configuration file and set the cluster name to graylog: uncomment the cluster.name line (remove the leading #), replace my-application with graylog, and add action.auto_create_index: false to the file.

Elasticsearch configuration file: /etc/elasticsearch/elasticsearch.yml

$ sudo vim /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
action.auto_create_index: false

Start the Elasticsearch service and enable it at boot time.

sudo systemctl daemon-reload

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Install MongoDB

MongoDB is used to store Graylog-related configuration. Before installing MongoDB, add its repository by creating the repository file below.

sudo vim /etc/yum.repos.d/mongodb-org-4.repo

name=MongoDB Repository

Install MongoDB and its dependencies.

sudo dnf -y install mongodb-org

Start the MongoDB service and enable it at boot time.

sudo systemctl start mongod
sudo systemctl enable mongod

Install Graylog

Install Graylog repository.

sudo rpm -Uvh

Install Graylog and its dependencies.

sudo dnf -y install graylog-server

Generate the root_password_sha2 and password_secret values and add them to the /etc/graylog/server/server.conf configuration file.

The command below generates the root_password_sha2 value.

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Uncomment the line root_username = admin (remove the leading #) and set root_password_sha2 to the generated value.
<SHA2Password> denotes the generated value; use your own SHA-2 hash produced by the command above.

$ sudo vim /etc/graylog/server/server.conf

root_username = admin
root_password_sha2 =

The commands below generate the password_secret value.

$ sudo dnf -y install pwgen

$ pwgen -N 1 -s 96

Set password_secret to the generated value. The value shown below is a sample; use the one you generated.

$ sudo vim /etc/graylog/server/server.conf

password_secret = x97hMk5iMTN470Q2eYwGOjiqgW2vNUZ3MX7Zb7h7aMLP1E4zGlNKcFV46jULierObsZYYwnGIzBrGUL7S7e1lJzlZvFgYPph

To make Graylog reachable, set http_bind_address in /etc/graylog/server/server.conf to the public host name or a public IP address of the machine.

$ sudo vim /etc/graylog/server/server.conf

http_bind_address =
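
The following script is an added example, not part of the original guide: it audits the values edited above in server.conf and elasticsearch.yml and flags a password_secret copied from the sample shown earlier. The function names, the 64-character minimum and the constructed demo files are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit the settings edited above.
# Sample secret printed in the guide; a published value must not be reused.
PUBLISHED_SECRET='x97hMk5iMTN470Q2eYwGOjiqgW2vNUZ3MX7Zb7h7aMLP1E4zGlNKcFV46jULierObsZYYwnGIzBrGUL7S7e1lJzlZvFgYPph'
MIN_SECRET_LEN=64   # assumption of this example; the guide's pwgen call yields 96

# get_value FILE KEY SEP: value of the last uncommented "KEY SEP value" line
get_value() {
  awk -v key="$2" -v sep="$3" '
    /^[ \t]*#/ { next }
    { i = index($0, sep); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v }
    END { print val }' "$1"
}

# audit_graylog SERVER_CONF ES_YML: prints findings, returns how many there are
audit_graylog() {
  local conf="$1" es="$2" n=0 secret
  secret=$(get_value "$conf" password_secret '=')
  if [ "$secret" = "$PUBLISHED_SECRET" ]; then
    echo "password_secret: is the sample value printed in the guide"; n=$((n + 1))
  elif [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
    echo "password_secret: unset or shorter than $MIN_SECRET_LEN characters"; n=$((n + 1))
  fi
  if ! get_value "$conf" root_password_sha2 '=' | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2: not a 64-digit SHA-256 hex string"; n=$((n + 1))
  fi
  if [ -z "$(get_value "$conf" http_bind_address '=')" ]; then
    echo "http_bind_address: not set"; n=$((n + 1))
  fi
  if [ "$(get_value "$es" cluster.name ':')" != "graylog" ]; then
    echo "cluster.name: not set to graylog"; n=$((n + 1))
  fi
  if [ "$(get_value "$es" action.auto_create_index ':')" != "false" ]; then
    echo "action.auto_create_index: not set to false"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample: files as left by copying the guide without filling in values.
demo() {
  local d rc; d=$(mktemp -d)
  printf '%s\n' "password_secret = $PUBLISHED_SECRET" 'root_password_sha2 =' \
    '#http_bind_address = 127.0.0.1:9000' > "$d/server.conf"
  printf '%s\n' '#cluster.name: my-application' > "$d/elasticsearch.yml"
  audit_graylog "$d/server.conf" "$d/elasticsearch.yml"; rc=$?
  rm -rf "$d"; return "$rc"
}
# With two arguments, audit those files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then audit_graylog "$1" "$2"; else demo || true; fi
```

Run it with the two real paths as arguments (for example via sudo, since server.conf is not world-readable); the exit status is the number of findings.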

Allow HTTP and the other required ports through the firewall

sudo firewall-cmd --add-port={9000/tcp,80/tcp,514/udp} --permanent
sudo firewall-cmd --reload

Open a browser and navigate to http://<server-ip>:9000

Log in with the username admin and the password configured in the Graylog server.conf file.