
How To Install Graylog on AlmaLinux 10


Graylog stands as one of the most powerful open-source log management platforms available today, offering robust capabilities for capturing, storing, and analyzing massive volumes of structured and unstructured data in real-time. This comprehensive guide will walk you through the complete process of installing Graylog on AlmaLinux 10, ensuring you have a fully functional centralized logging solution for your enterprise environment.

The installation process requires careful attention to system prerequisites, dependency management, and security configuration. By following this detailed guide, you’ll establish a production-ready Graylog deployment that can handle terabytes of log data while maintaining optimal performance and security standards.

Prerequisites and System Requirements

Hardware Requirements

Before beginning the Graylog installation on AlmaLinux 10, ensure your system meets the minimum hardware specifications. A successful deployment requires at least 4GB of RAM, though 8GB is recommended for production environments handling moderate log volumes. The system must utilize a 64-bit architecture, as 32-bit systems are not supported by current Graylog versions.

CPU requirements include a multi-core processor capable of handling concurrent operations. For environments processing 1-10GB of logs daily, consider allocating 8 CPU cores to the Graylog server. Storage planning is crucial – allocate adequate disk space not only for the operating system and applications but also for log retention based on your organizational requirements.

Software Prerequisites

Your AlmaLinux 10 server must be properly configured with root or sudo access for administrative tasks. Network connectivity and proper hostname configuration are essential for component communication. Ensure all system packages are updated to their latest versions before proceeding with the installation.

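Consider the network topology and firewall requirements. Graylog operates on multiple ports: the web interface typically uses port 9000, OpenSearch communicates on port 9200, and MongoDB utilizes port 27017. Plan your network security accordingly, ensuring these ports are accessible to the components that need them while maintaining security best practices. When all three components run on one server, only the web interface port has to be reachable from other hosts; OpenSearch and MongoDB can stay bound to localhost.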

Version Compatibility Matrix

Understanding component compatibility is crucial for a stable installation. Current Graylog 6.x versions require MongoDB 5.0.7 through 8.x for metadata storage and user management. OpenSearch compatibility spans versions 1.1.x through 2.19.3, providing the search and analytics engine functionality. Java requirements specify a minimum of Java 8 or higher, though newer versions offer improved performance and security features.

AlmaLinux 10, being a RHEL-based distribution, benefits from Graylog’s official support for Red Hat Enterprise Linux systems. This compatibility ensures stable operation and access to enterprise-grade support resources when needed.

Security Considerations

Security planning begins during the prerequisite phase. Create a dedicated non-root user with administrative privileges for managing Graylog services. This approach follows security best practices by limiting exposure of root account credentials.

SELinux configuration requires specific attention on AlmaLinux 10. The security framework must be properly configured to allow Graylog components to communicate while maintaining system security. Plan for SSL/TLS implementation if deploying in production environments, as encrypted communication protects sensitive log data during transmission.

Setting Up Repositories

Adding Required Repositories

Repository configuration forms the foundation for package management during Graylog installation. Begin by installing the curl package, which facilitates repository management and package downloads. Execute the following command to ensure curl availability:

sudo dnf install curl -y

MongoDB repository configuration requires adding the official MongoDB 6.x repository to your system. Create the repository configuration file and add the appropriate repository information for AlmaLinux 10 compatibility. This step ensures access to supported MongoDB versions that integrate seamlessly with Graylog.

OpenSearch 2.x repository setup follows a similar pattern. Add the OpenSearch repository configuration to enable installation of the search engine component. The repository provides access to compatible OpenSearch versions that meet Graylog’s requirements.

Complete the repository setup by installing the Graylog 6.x repository package. This package provides access to the latest stable Graylog releases and ensures compatibility with your AlmaLinux 10 system.

Repository Verification

After adding repositories, verify their successful integration using the dnf repolist command. This verification step confirms that your system can access the necessary packages for installation. Troubleshoot any repository configuration issues before proceeding to prevent installation failures.

GPG key import and verification represent critical security measures. These keys ensure package authenticity and prevent installation of tampered software. Import the required GPG keys for each repository and verify their integrity before continuing with component installation.
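One way to run that check, as an added example (not from the original guide or from any of the three projects): a shell function that reads every .repo file and reports whether signature checking is enforced for each enabled repository. The sample repo files and their example.invalid URLs are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: report the signature-checking state of every enabled dnf repo.
# Prints "<repo-id>: <state>" per repo; returns non-zero if any repo is not OK.
audit_repo_gpg() {
    local dir="${1:-/etc/yum.repos.d}" f out
    out=$(for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        awk -F= '
            function truthy(v) { v = tolower(v)
                return v == "1" || v == "yes" || v == "true" || v == "on" }
            function report() {
                if (id == "" || !truthy(enabled)) return
                if (gpgcheck == "")         msg = "gpgcheck not set, inherits the dnf.conf default"
                else if (!truthy(gpgcheck)) msg = "gpgcheck disabled, packages install unverified"
                else if (gpgkey == "")      msg = "gpgcheck on but no gpgkey listed"
                else                        msg = "OK"
                print id ": " msg
            }
            # A new [section] closes the previous repo and resets its settings.
            /^[ \t]*\[/ { report(); id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
                          enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
            /^[ \t]*[#;]/ { next }
            { key = $1; val = $0; sub(/^[^=]*=/, "", val)
              gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
              if (key == "enabled") enabled = val
              else if (key == "gpgcheck") gpgcheck = val
              else if (key == "gpgkey") gpgkey = val }
            END { report() }
        ' "$f"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -qv ': OK$'
}

# Constructed repo files (placeholder URLs); the weak settings are deliberate
# test cases, not what the MongoDB, OpenSearch or Graylog projects ship.
write_sample_repos() {
    printf '%s\n' '[mongodb-org-6.0]' 'baseurl=https://repo.example.invalid/mongodb/' \
        'enabled=1' 'gpgcheck=1' 'gpgkey=https://repo.example.invalid/mongodb.asc' \
        > "$1/mongodb-org-6.0.repo"
    printf '%s\n' '[opensearch-2.x]' 'baseurl=https://repo.example.invalid/opensearch/' \
        'enabled=1' 'gpgcheck=0' > "$1/opensearch-2.x.repo"
    printf '%s\n' '[graylog]' 'baseurl=https://repo.example.invalid/graylog/' \
        'enabled=1' > "$1/graylog.repo"
}

# No argument: run against the constructed samples; otherwise audit that directory.
if [ $# -eq 0 ]; then
    d=$(mktemp -d); write_sample_repos "$d"; audit_repo_gpg "$d"; rm -rf "$d"
else
    audit_repo_gpg "$1"
fi
```

Run it with /etc/yum.repos.d as the argument after adding the repositories and before the first dnf install.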

Installing Dependencies

Java Installation and Configuration

Java serves as the runtime environment for Graylog and OpenSearch components. Install Java OpenJDK, ensuring compatibility with minimum version requirements. AlmaLinux 10 repositories typically provide suitable Java versions through the default package manager.

sudo dnf install java-11-openjdk java-11-openjdk-devel -y

Configure the JAVA_HOME environment variable to ensure proper Java detection by Graylog components. Add the following line to your system’s environment configuration:

export JAVA_HOME=/usr/lib/jvm/java-11-openjdk

Verify Java installation and version compatibility by executing java -version. The output should confirm successful installation and display version information compatible with Graylog requirements.

MongoDB Installation and Setup

MongoDB handles metadata storage, user authentication, and configuration management for Graylog. Install MongoDB from the previously configured repository:

sudo dnf install mongodb-org -y

Start and enable the MongoDB service to ensure automatic startup during system boot:

sudo systemctl start mongod
sudo systemctl enable mongod

Basic MongoDB security configuration involves creating dedicated databases and users for Graylog operations. Connect to MongoDB using mongosh, the MongoDB shell that replaces the legacy mongo shell in MongoDB 6.x, and create the required database structure. Configure authentication mechanisms to secure database access while allowing Graylog connectivity.

Optimize the MongoDB configuration file located at /etc/mongod.conf. Adjust memory allocation settings, enable security features, and configure network binding according to your environment requirements. Test MongoDB connectivity and functionality before proceeding to ensure proper database operation.

OpenSearch Installation and Configuration

OpenSearch provides the search and analytics engine capabilities essential for Graylog operations. Install OpenSearch packages from the configured repository:

sudo dnf install opensearch -y

Configure OpenSearch cluster settings in /etc/opensearch/opensearch.yml. Set cluster name, node name, and network binding parameters. Memory allocation and JVM heap size optimization significantly impact performance. Allocate approximately 50% of available system memory to OpenSearch, ensuring adequate resources for other components.

sudo systemctl start opensearch
sudo systemctl enable opensearch

Verify OpenSearch cluster health using curl commands to query the cluster status. Successful installation shows a green cluster status with proper node connectivity. Configure index templates for Graylog integration to ensure optimal search performance and data organization.

Additional Dependencies

Install supporting packages required for Graylog operation and system management:

sudo dnf install policycoreutils-python-utils pwgen vim -y

These utilities provide SELinux policy management, password generation capabilities, and text editing functionality essential for configuration tasks.

Installing and Configuring Graylog Server

Graylog Server Installation

Install the Graylog server package and integration plugins to enable full functionality:

sudo dnf install graylog-server graylog-integrations-plugins -y

The integration plugins extend Graylog’s capabilities with additional input sources, output destinations, and processing functions. Verify successful installation by checking package status and confirming file installation in appropriate directories.

Password Generation and Security Setup

Security configuration begins with generating strong authentication credentials. Create a password_secret using pwgen or alternative secure methods:

pwgen -N 1 -s 96

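Generate the root_password_sha2 hash for administrator access. This hash secures the default admin account. Reading the password from standard input keeps it out of your shell history, and cut drops the trailing " -" that sha256sum prints after the digest:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1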

Document these credentials securely, as they’re required for initial Graylog access and ongoing administration.

Graylog Configuration File Setup

Edit the primary configuration file located at /etc/graylog/server/server.conf. Key configuration parameters include:

  • password_secret: Insert the generated 96-character secret
  • root_password_sha2: Add the SHA256 hash of your admin password
  • http_bind_address: Configure web interface binding (typically 0.0.0.0:9000, which listens on every network interface)
  • mongodb_uri: Specify MongoDB connection parameters
  • elasticsearch_hosts: Define OpenSearch cluster endpoints (Graylog keeps the elasticsearch_hosts setting name when the backend is OpenSearch)
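
The script below is an added example, not part of the original guide or of Graylog: it lints the two secrets in server.conf before the first start. The 96-character threshold follows the pwgen command above; the list of guessable passwords and the sample file are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: lint the secrets in a Graylog server.conf.
# Prints one finding per line; prints nothing and returns 0 when clean.

# Value of "key = value" in a properties-style file (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}

check_graylog_conf() {
    local conf="$1" min_len="${2:-96}" findings=0 secret hash weak mode
    secret=$(conf_get password_secret "$conf")
    hash=$(conf_get root_password_sha2 "$conf")

    if [ -z "$secret" ]; then
        echo "password_secret: not set"; findings=$((findings + 1))
    elif [ "${#secret}" -lt "$min_len" ]; then
        echo "password_secret: ${#secret} chars, expected at least $min_len"
        findings=$((findings + 1))
    fi

    # Catches an empty value and a pasted "digest  -" straight from sha256sum.
    if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2: not a 64-character lowercase hex digest"
        findings=$((findings + 1))
    else
        # Assumed list of placeholder and default passwords; extend as needed.
        for weak in your_password admin password graylog; do
            if [ "$hash" = "$(printf '%s' "$weak" | sha256sum | cut -d' ' -f1)" ]; then
                echo "root_password_sha2: digest of guessable password '$weak'"
                findings=$((findings + 1))
            fi
        done
    fi

    # The file holds the password pepper, so no access for "other" users.
    mode=$(stat -c '%a' "$conf")
    if [ $(( 0$mode & 7 )) -ne 0 ]; then
        echo "$conf: mode $mode grants access to other users"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: short secret, placeholder password, world-readable file.
write_sample_conf() {
    {
        echo "password_secret = changeme"
        echo "root_password_sha2 = $(printf '%s' your_password | sha256sum | cut -d' ' -f1)"
    } > "$1"
    chmod 644 "$1"
}

# No argument: lint the constructed sample; otherwise lint the given file.
if [ $# -eq 0 ]; then
    s=$(mktemp); write_sample_conf "$s"; check_graylog_conf "$s" || true; rm -f "$s"
else
    check_graylog_conf "$1"
fi
```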

Advanced configuration options optimize performance and reliability. Configure message journal settings for data durability, adjust input and output buffer sizes based on expected log volume, and set timezone preferences for accurate log timestamps.

Service Management

Start the Graylog server service and enable automatic startup:

sudo systemctl start graylog-server
sudo systemctl enable graylog-server

Monitor service status using systemctl status graylog-server to verify successful startup. Check system logs for any error messages or configuration issues that require attention. Common startup problems include connectivity issues with MongoDB or OpenSearch, insufficient memory allocation, or permission problems.

Firewall and SELinux Configuration

SELinux Policy Configuration

AlmaLinux 10’s SELinux implementation requires specific policy adjustments for Graylog operation. Install SELinux management utilities if not already present:

sudo dnf install policycoreutils-python-utils -y

Configure the httpd_can_network_connect boolean to allow network connections:

sudo setsebool -P httpd_can_network_connect 1

Add port contexts for Graylog services:

sudo semanage port -a -t http_port_t -p tcp 9000
sudo semanage port -a -t http_port_t -p tcp 9200
sudo semanage port -a -t mongod_port_t -p tcp 27017

Verify SELinux policy application using sestatus and getsebool commands to ensure proper configuration.

Firewall Rules Setup

Configure firewall rules to allow necessary communication while maintaining security. Open port 9000 for Graylog web interface access:

sudo firewall-cmd --permanent --add-port=9000/tcp
sudo firewall-cmd --reload

Additional ports may require opening based on your input configuration and monitoring requirements. Implement IP whitelisting for administrative access to limit exposure to authorized personnel only.

Security Best Practices

Apply the principle of least privilege when configuring network access. Restrict administrative interfaces to specific IP ranges or VPN networks. Consider implementing SSL/TLS encryption for production deployments to protect data transmission integrity.

Network segmentation strategies isolate Graylog components from untrusted networks while allowing legitimate log sources to transmit data securely.

Initial Setup and Web Interface Access

Accessing Graylog Web Interface

Navigate to your server’s IP address on port 9000 using a web browser. The initial login screen requires the admin username (typically “admin”) and the password you configured during setup.


The web interface provides comprehensive system management capabilities through an intuitive dashboard. Navigation elements include system overview, input management, search functionality, and administrative tools.

Basic System Configuration

Initial system configuration involves setting organizational preferences and operational parameters. Configure email notifications and SMTP settings to enable alerting functionality. This setup ensures timely notification of system issues or log-based alerts.

User management and role-based access control configuration establishes security boundaries within your Graylog deployment. Create user accounts with appropriate permissions based on organizational roles and responsibilities.

License management applies to enterprise features if utilizing Graylog’s commercial offerings. Configure license settings to access advanced functionality beyond the open-source feature set.

First Steps After Installation

Verify system health through the System/Overview page within the web interface. This dashboard displays component connectivity status, including MongoDB and OpenSearch cluster health. Green status indicators confirm proper component communication and operational readiness.

Check system resources and performance metrics to ensure adequate capacity for expected log volumes. Monitor CPU usage, memory consumption, and storage utilization to identify potential bottlenecks before they impact operations.

Setting Up Log Inputs

Understanding Graylog Inputs

Graylog inputs define how log data enters your centralized logging system. Multiple input types support different log sources and protocols, including Syslog, GELF, Raw/Plaintext, and various application-specific formats. Input configuration determines data parsing, processing, and routing within your Graylog environment.

Global inputs receive logs from any source, while local inputs restrict log reception to specific Graylog nodes in clustered deployments. Choose input types based on your log sources and organizational requirements.

Configuring Syslog UDP Input

Syslog UDP input handles traditional system logs from Linux and Unix systems. Create a new Syslog UDP input through the web interface by navigating to System/Inputs and selecting the appropriate input type.

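Configure bind address and port settings, typically using port 514 for standard syslog communication. Ports below 1024 are privileged on Linux, so an input on 514 starts only if the graylog-server process is permitted to bind it; otherwise choose a port above 1024 and point clients at that port. Set up input extractors and processors to parse log messages and extract structured data from unstructured log entries.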

Test log reception from your local system by configuring rsyslog to forward messages to your Graylog server. Verify message arrival through the search interface and troubleshoot any connectivity or parsing issues.

Advanced Input Configuration

GELF input setup enables structured logging from applications designed to work with Graylog’s native protocol. This input type provides rich metadata and structured data submission, improving search and analysis capabilities.

Beats input configuration integrates with the Elastic Stack ecosystem, allowing Filebeat, Metricbeat, and other Beat agents to send data to Graylog. JSON input handles pre-structured log data from applications that output JSON-formatted messages.

Custom input processors and extractors transform incoming log data to meet organizational standards and analysis requirements. These tools standardize field names, extract specific data elements, and enrich log messages with additional context.

Client Configuration

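Configure rsyslog on client machines to forward logs to your Graylog server. Edit /etc/rsyslog.conf or create dedicated configuration files in /etc/rsyslog.d/ to specify Graylog server details. A single @ forwards over UDP, which matches the Syslog UDP input created above; @@ selects TCP and requires a Syslog TCP input instead:

*.* @graylog-server:514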

Set up log forwarding from multiple systems to centralize log collection. Test log flow from various sources to ensure proper communication and message delivery. Troubleshoot input connectivity issues by checking network connectivity, firewall rules, and input configuration parameters.

Testing and Verification

System Health Verification

Comprehensive testing validates your Graylog installation and confirms operational readiness. Check Graylog server logs located in /var/log/graylog-server/ for error messages or warnings that indicate configuration issues.

Verify OpenSearch cluster status using REST API calls or the web interface. Monitor cluster health, node connectivity, and index creation to ensure proper search engine operation. Address any cluster issues before proceeding with production log ingestion.

Monitor MongoDB connectivity and performance through database logs and system monitoring tools. Verify proper authentication, database creation, and query performance to ensure metadata storage reliability.

Log Flow Testing

Generate test logs to verify complete log processing pipelines. Create test messages using logger commands or application-generated logs. Verify message reception through Graylog’s search interface, confirming proper parsing and field extraction.

Test alerting and notification functionality by creating simple alert conditions and verifying email delivery or other notification mechanisms. Performance testing with realistic log volumes identifies potential bottlenecks and capacity limitations before production deployment.

Troubleshooting Common Issues

Installation Problems

Repository and GPG key issues commonly occur during initial setup. Verify repository configuration files and ensure GPG key imports completed successfully. Dependency conflicts may require manual resolution or package version adjustments.

Service startup failures often indicate configuration errors or resource constraints. Check system logs, service status output, and configuration file syntax to identify and resolve startup issues. Permission and ownership problems may prevent proper file access and service operation.

Runtime Issues

OpenSearch connectivity problems manifest as search failures or cluster health issues. Verify network connectivity, cluster configuration, and node discovery settings. MongoDB connection failures typically result from authentication problems or network configuration errors.

Memory and performance issues affect system responsiveness and log processing capabilities. Monitor system resources and adjust memory allocation parameters for Java-based components. Log parsing and input processing errors indicate configuration problems or incompatible data formats.

Performance Optimization

Java heap size optimization significantly impacts component performance. Allocate appropriate memory to Graylog server, OpenSearch, and other Java applications based on available system resources and expected workload.

Database indexing and retention tuning balance search performance with storage efficiency. Configure index rotation and retention policies to manage disk space while maintaining search capabilities for required time periods.

Network and I/O optimization improves log ingestion rates and search responsiveness. Monitor network utilization and storage performance to identify bottlenecks that limit system throughput.

Best Practices and Security Considerations

Production Deployment Guidelines

Multi-node cluster setup considerations include load balancing, data distribution, and failure recovery planning. Design cluster architecture to handle expected log volumes while providing redundancy and high availability.

Backup and disaster recovery planning protects against data loss and system failures. Implement regular backup procedures for configuration files, MongoDB databases, and critical system data. Document recovery procedures and test restoration processes regularly.

Capacity planning and scaling strategies accommodate growth in log volume and system complexity. Monitor system performance metrics and plan hardware upgrades or cluster expansion before reaching capacity limits.

Security Hardening

SSL/TLS encryption implementation protects sensitive log data during transmission between components and clients. Configure certificates for web interface access, API communication, and inter-component communication.

Authentication and authorization best practices include multi-factor authentication, strong password policies, and regular access reviews. Implement role-based access control to limit user privileges based on job requirements and organizational policies.

Network security measures isolate Graylog components from unauthorized access while enabling legitimate log sources to transmit data. Regular security updates and patch management maintain system security against emerging threats.

Maintenance and Monitoring

Log rotation and retention policies balance storage costs with compliance and analysis requirements. Configure automatic log rotation and archival to manage disk space while maintaining access to historical data.

Performance monitoring and alerting provide early warning of system issues and capacity constraints. Implement monitoring for key performance indicators including log ingestion rates, search response times, and system resource utilization.

Regular backup procedures protect against data loss and enable rapid recovery from system failures. Document backup and restoration procedures, test recovery processes regularly, and maintain off-site backup copies for disaster recovery scenarios.

Congratulations! You have successfully installed Graylog. Thanks for using this tutorial for installing Graylog on your AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official Graylog website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.