
How To Install Graylog on Rocky Linux 10


Installing and configuring Graylog on Rocky Linux 10 provides organizations with a powerful centralized log management solution capable of handling massive amounts of machine data in real-time. This comprehensive guide walks you through every step required to successfully deploy Graylog on your Rocky Linux 10 server, from initial prerequisites to advanced troubleshooting techniques.

Graylog stands as one of the leading open-source log management platforms, offering robust capabilities for collecting, storing, and analyzing log data from various sources across your infrastructure. Rocky Linux 10, being an enterprise-grade operating system that maintains compatibility with Red Hat Enterprise Linux, provides the perfect foundation for hosting this critical monitoring solution.

Understanding Graylog and Its Core Components

Graylog's value for modern IT infrastructure is hard to overstate. It is a centralized logging platform that lets system administrators, DevOps engineers, and security professionals capture, index, and analyze log data from servers, applications, network devices, and security tools in real time. The platform handles both structured and unstructured log data, which makes it invaluable for troubleshooting, security monitoring, and compliance reporting.

The Graylog architecture consists of three essential components that work together seamlessly. The Graylog Server acts as the primary application written in Java, responsible for receiving, processing, and presenting log data through its web interface. This server component handles log ingestion from multiple sources, applies parsing rules, and provides the user interface for searching and visualization.

MongoDB serves as the metadata database, storing user accounts, dashboards, saved searches, and configuration settings. While MongoDB doesn’t store the actual log data, it maintains all the essential metadata that makes Graylog functional and user-friendly. The database ensures that user preferences, system configurations, and custom dashboards persist across system restarts.

OpenSearch (or Elasticsearch in older installations) functions as the search and indexing engine, storing the actual log messages and providing lightning-fast search capabilities. This component handles the heavy lifting of indexing massive amounts of log data and executing complex search queries that users perform through the Graylog interface.

Organizations typically deploy Graylog for security incident response, where rapid log analysis helps identify threats and breaches. Application debugging benefits significantly from centralized logging, allowing developers to trace issues across distributed systems. Compliance reporting becomes streamlined when all relevant logs are aggregated in a single, searchable platform with retention policies that meet regulatory requirements.

Prerequisites and System Requirements

Before beginning the Graylog installation process on Rocky Linux 10, your system must meet specific hardware requirements to ensure optimal performance. The minimum recommended configuration includes 4GB of RAM, though 8GB or more is preferred for production environments handling significant log volumes. Your server should have at least a dual-core processor running at 2GHz or higher, with quad-core processors recommended for better performance under load.

Disk space requirements depend heavily on your expected log volume and retention policies. Start with at least 50GB of free disk space for the operating system and basic Graylog installation, but plan for much more based on your log ingestion rates. Organizations processing 1-10GB of logs daily should provision 100GB or more for log storage, with the understanding that this may need scaling as usage grows.

Software prerequisites begin with a freshly installed Rocky Linux 10 system with all available updates applied. You’ll need a non-root user account with sudo privileges for security best practices. Ensure your system has reliable internet connectivity for downloading packages and accessing repositories during the installation process.

Network access considerations include planning for firewall rules that will allow Graylog to communicate with client systems and receive log data. The default Graylog web interface runs on port 9000, while various input types may require additional ports depending on your logging sources. Consider your organization’s network security policies when planning port access and firewall configurations.

Security preparation involves understanding how SELinux operates on Rocky Linux 10, as it may require configuration adjustments for Graylog to function properly. Review your current SELinux policies and prepare to make necessary modifications during the installation process.

Installing Java OpenJDK

Graylog’s dependency on Java makes installing the correct version of Java OpenJDK the first critical step in the installation process. The Graylog application is built on Java and requires Java 8 or higher, with Java 11 being the recommended version for optimal performance and security features.

Begin by updating your Rocky Linux 10 system to ensure all packages are current:

sudo dnf update -y

Check available Java versions in the Rocky Linux repositories to confirm which OpenJDK packages are available for installation:

sudo dnf search openjdk

This command displays all available OpenJDK packages, allowing you to select the appropriate version for your Graylog installation.

Install Java 11 OpenJDK using the DNF package manager with the development tools included:

sudo dnf install java-11-openjdk-devel -y

The installation process automatically handles dependencies and configures the Java runtime environment for system use.

Verify the Java installation by checking the installed version:

java -version

The output should display Java 11 version information, confirming successful installation. Additionally, verify the Java compiler installation:

javac -version

Configure the JAVA_HOME environment variable so applications can locate the Java installation. Append the setting to the system-wide environment file (use tee -a; plain tee would overwrite any existing entries in /etc/environment):

echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' | sudo tee -a /etc/environment
source /etc/environment

Troubleshooting Java installation issues typically involves repository problems or conflicting Java versions. If multiple Java versions exist on your system, use the alternatives system to select the correct version:

sudo alternatives --config java

This command allows you to choose which Java version serves as the system default when multiple installations exist.

Installing and Configuring MongoDB

MongoDB’s critical role in the Graylog ecosystem requires careful installation and configuration to ensure reliable metadata storage. As the database backend for user accounts, system configurations, and dashboard definitions, MongoDB must be properly configured before starting the Graylog server.

Repository setup for MongoDB begins with adding the official MongoDB repository to Rocky Linux 10. Create the repository configuration file:

sudo tee /etc/yum.repos.d/mongodb-org-8.0.repo << EOF
[mongodb-org-8.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/8.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-8.0.asc
EOF

This configuration adds the MongoDB 8.0 repository (the repository id matches the file name and the package URLs). Check the release notes of the Graylog version you intend to install for the MongoDB versions it supports before continuing.

Verify repository addition and update the package cache:

sudo dnf repolist
sudo dnf makecache

Install MongoDB packages using the DNF package manager:

sudo dnf install mongodb-org -y

The installation includes the MongoDB server, client tools, and necessary dependencies for database operation.

Configure MongoDB for Graylog use by editing the main configuration file:

sudo nano /etc/mongod.conf

Ensure the configuration allows local connections and has appropriate security settings. The default configuration typically works for basic Graylog installations; review the bindIp setting, and since Graylog runs on the same host, keep the default 127.0.0.1 so the database is not reachable from the network.

Start and enable MongoDB services to ensure the database starts automatically with the system:

sudo systemctl daemon-reload
sudo systemctl start mongod
sudo systemctl enable mongod

Verify MongoDB service status to confirm proper operation:

sudo systemctl status mongod

The output should show the MongoDB service as active and running without errors.

Test MongoDB connectivity using the mongosh shell (current MongoDB packages no longer ship the legacy mongo shell):

mongosh --eval 'db.runCommand({ connectionStatus: 1 })'

This command confirms that MongoDB is accepting connections and responding to queries properly.

Basic security configuration involves creating administrative users and enabling authentication if required by your security policies. For development environments, the default configuration may suffice, but production deployments should implement proper authentication mechanisms.
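The "proper authentication mechanisms" mentioned above come down to three steps: create users, turn on authorization in mongod.conf, and give Graylog a mongodb_uri that carries credentials. The script below is an added example for this tutorial, not a MongoDB or Graylog tool. It emits a mongosh script that creates an administrative user plus a user limited to readWrite on the graylog database, and builds the matching mongodb_uri with the password percent-encoded, which is where a password containing "@", ":" or "/" otherwise breaks the URI. The user names, database name, port and the sample passwords in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial, not a MongoDB or Graylog tool):
# the concrete steps behind "enable authentication" for the metadata database.
# Names, ports and passwords are constructed; passwords are assumed to contain
# no double quotes (they are embedded in a JavaScript string literal).

# Percent-encode characters that are reserved in the user:password part of a
# MongoDB URI. '%' must be handled first or later replacements get re-encoded.
uri_encode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's|/|%2F|g' -e 's/@/%40/g' \
        -e 's/?/%3F/g' -e 's/#/%23/g' -e 's/\[/%5B/g' -e 's/\]/%5D/g' -e 's/ /%20/g'
}

# mongodb_uri value for server.conf: $1 user, $2 password, $3 host:port, $4 database
mongodb_uri() {
    printf 'mongodb://%s:%s@%s/%s' "$(uri_encode "$1")" "$(uri_encode "$2")" "$3" "$4"
}

# mongosh script: $1/$2 admin user and password (needed to manage users once
# authorization is on), $3/$4 application user and password, $5 database.
# The application user gets readWrite on its own database only.
mongosh_script() {
    cat <<EOF
db.getSiblingDB("admin").createUser({ user: "$1", pwd: "$2",
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
db.getSiblingDB("$5").createUser({ user: "$3", pwd: "$4",
  roles: [ { role: "readWrite", db: "$5" } ] })
EOF
}

# Apply against the local mongod while it is still running without auth:
#   MONGO_ADMIN_PASS=... GL_DB_PASS=... sh mongo-auth.sh apply
main() {
    : "${MONGO_ADMIN_PASS:?set MONGO_ADMIN_PASS}" "${GL_DB_PASS:?set GL_DB_PASS}"
    mongosh_script admin "$MONGO_ADMIN_PASS" graylog "$GL_DB_PASS" graylog | mongosh --quiet
    printf 'Now add to /etc/mongod.conf and restart mongod:\nsecurity:\n  authorization: enabled\n'
    printf 'Then set in /etc/graylog/server/server.conf:\nmongodb_uri = %s\n' \
        "$(mongodb_uri graylog "$GL_DB_PASS" localhost:27017 graylog)"
}
if [ "${1:-}" = "apply" ]; then main; fi
```

Passwords are passed through environment variables rather than command-line arguments so they do not land in shell history. Once authorization is enabled, the unauthenticated connectivity test shown earlier in this section will be refused; use the application user's URI instead.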

Installing and Configuring OpenSearch

OpenSearch, which replaces Elasticsearch in current Graylog deployments, provides the search and analytics engine that lets Graylog index and query massive amounts of log data efficiently. This component stores and retrieves the actual log messages, making fast searches across terabytes of data possible.

Repository setup for OpenSearch requires adding the official OpenSearch repository to your Rocky Linux 10 system. Import the GPG key first:

sudo rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp

Create the OpenSearch repository configuration:

sudo tee /etc/yum.repos.d/opensearch-2.x.repo << EOF
[opensearch-2.x]
name=OpenSearch repository for 2.x packages
baseurl=https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/yum/
gpgcheck=1
gpgkey=https://artifacts.opensearch.org/publickeys/opensearch.pgp
enabled=1
autorefresh=1
type=rpm-md
EOF

Install OpenSearch packages using DNF:

sudo dnf install opensearch -y

Configuration setup for OpenSearch requires editing the main configuration file to work properly with Graylog:

sudo nano /etc/opensearch/opensearch.yml

Configure essential settings for single-node operation. Note that plugins.security.disabled turns off OpenSearch's own authentication and TLS; this is only acceptable because network.host restricts it to the loopback interface, so never widen network.host without re-enabling the security plugin:

cluster.name: graylog
node.name: node-1
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
plugins.security.disabled: true

Memory configuration is crucial for OpenSearch performance. Edit the JVM options file:

sudo nano /etc/opensearch/jvm.options

Set the heap size to approximately half of available system RAM, but not exceeding 32GB, and give -Xms and -Xmx the same value so the JVM does not resize the heap under load:

-Xms2g
-Xmx2g

Service management involves starting and enabling OpenSearch:

sudo systemctl daemon-reload
sudo systemctl start opensearch
sudo systemctl enable opensearch

Verify OpenSearch installation by checking the service status:

sudo systemctl status opensearch

Test OpenSearch functionality using curl to query the REST API:

curl -X GET "localhost:9200/"

The response should include cluster information confirming OpenSearch is running properly.

Performance tuning basics include adjusting thread pools, cache sizes, and refresh intervals based on your log ingestion patterns. Monitor OpenSearch performance after Graylog deployment to identify optimization opportunities.

Installing Graylog Server

The Graylog server installation represents the culmination of the prerequisite setup, bringing together all components into a functional log management platform. This process requires careful attention to configuration details that determine how Graylog operates in your environment.

Repository setup begins with adding the official Graylog repository to Rocky Linux 10. Download and install the repository package:

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.1-repository_latest.rpm

This command adds the Graylog 5.x repository and configures GPG keys for package verification.

Update the package cache to recognize the new repository:

sudo dnf makecache

Install the Graylog server package:

sudo dnf install graylog-server -y

The installation includes the core Graylog server application and commonly used input plugins for various log sources.

Pre-configuration requirements involve generating secure passwords and secrets before editing the configuration file. Generate a password secret for internal encryption (pwgen is not in the default Rocky Linux repositories; it is available from EPEL):

pwgen -N 1 -s 96

Record this 96-character string as you’ll need it for the configuration file.

Generate the root password hash; Graylog stores a SHA-256 hash of the administrative password, not the password itself. First choose a strong administrative password, then hash it. Be aware that typing the password on the command line records it in your shell history, so remove that entry afterwards:

echo -n "YourStrongPassword" | sha256sum | awk '{print $1}'

Save both the plaintext password (for logging in) and the hash (for the configuration file).

Configuration file setup requires editing the main Graylog server configuration:

sudo nano /etc/graylog/server/server.conf

Essential configuration parameters include:

# Password secret for encryption
password_secret = [your-96-character-secret]

# Root user password (SHA-2 hash)
root_password_sha2 = [your-generated-hash]

# Web interface binding
http_bind_address = 0.0.0.0:9000

# MongoDB connection
mongodb_uri = mongodb://localhost:27017/graylog

# OpenSearch connection
elasticsearch_hosts = http://127.0.0.1:9200

The http_bind_address setting changes from the default 127.0.0.1 to 0.0.0.0:9000 to allow external access to the web interface. This exposes the interface on every address of the host, so pair it with the firewall restrictions and TLS described later before exposing it beyond a trusted network.
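The secret generation and server.conf edits above can be done in one pass. The script below is an added example for this tutorial, not part of Graylog; it draws the 96-character password_secret from /dev/urandom instead of pwgen, reads the admin password with terminal echo off so it never appears on a command line or in shell history, and sets each key in server.conf by replacing the first matching line (even a commented-out default) or appending it. The config path and key names are the ones used in this tutorial; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the two secrets
# Graylog needs and write them into server.conf without the admin password
# appearing on a command line. Config path and key names are the tutorial's;
# helper names are this example's own.

CONF="${GRAYLOG_CONF:-/etc/graylog/server/server.conf}"

# 96 alphanumeric characters from the kernel RNG; avoids the pwgen dependency.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# SHA-256 hex digest of a string, which is what root_password_sha2 stores.
sha2_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Read the admin password from the terminal with echo turned off.
read_password() {
    stty -echo 2>/dev/null
    printf 'Admin password: ' >&2
    IFS= read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# Set "key = value": replace the first existing (even commented-out) line for
# the key, or append if absent. The rewrite goes through cat so the file keeps
# its owner and mode. Values are assumed to contain no backslashes (awk -v
# interprets them), which holds for the secret and the hash.
set_conf_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        !done && $0 ~ ("^#?[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Current value of a key (empty if unset or commented out).
get_conf_key() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

main() {
    secret=$(gen_secret)
    hash=$(sha2_of "$(read_password)")
    set_conf_key "$CONF" password_secret "$secret"
    set_conf_key "$CONF" root_password_sha2 "$hash"
    set_conf_key "$CONF" http_bind_address "0.0.0.0:9000"
    set_conf_key "$CONF" mongodb_uri "mongodb://localhost:27017/graylog"
    set_conf_key "$CONF" elasticsearch_hosts "http://127.0.0.1:9200"
    echo "updated $CONF"
}
# Only touches the real file when run as: sudo sh graylog-secrets.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Replacing only the first match matters because the packaged server.conf carries several commented-out http_bind_address examples; a blanket sed substitution would turn all of them into active, duplicate settings.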

Advanced configuration options include setting timezone information, configuring email notifications, and adjusting performance parameters based on expected load:

# Timezone setting
root_timezone = UTC

# Message processing
processbuffer_processors = 5
outputbuffer_processors = 3

# Ring buffers
ring_size = 65536

Service management involves reloading the systemd configuration and starting Graylog:

sudo systemctl daemon-reload
sudo systemctl start graylog-server
sudo systemctl enable graylog-server

Monitor the startup process by checking service status and log files:

sudo systemctl status graylog-server
sudo tail -f /var/log/graylog-server/server.log

The Graylog server typically takes 30-60 seconds to fully initialize, during which it connects to MongoDB and OpenSearch, loads configurations, and prepares the web interface.

Verify successful startup by confirming all services are running:

sudo systemctl status mongod opensearch graylog-server

All three services should show as active and running without errors.

Firewall and Security Configuration

Firewall configuration ensures that Graylog components can communicate while maintaining security boundaries appropriate for your network environment. Rocky Linux 10 uses firewalld as the default firewall management service, requiring specific rules to allow Graylog operation.

Open the web interface port to allow administrative access:

sudo firewall-cmd --zone=public --add-port=9000/tcp --permanent

This rule permits access to the Graylog web interface from network clients.

Configure additional ports based on your planned log inputs. Common requirements include:

# Syslog inputs
sudo firewall-cmd --zone=public --add-port=514/udp --permanent
sudo firewall-cmd --zone=public --add-port=514/tcp --permanent

# GELF inputs
sudo firewall-cmd --zone=public --add-port=12201/udp --permanent

# Beats inputs
sudo firewall-cmd --zone=public --add-port=5044/tcp --permanent

Apply firewall changes by reloading the configuration:

sudo firewall-cmd --reload

Verify active firewall rules:

sudo firewall-cmd --list-all

SELinux configuration may require adjustments for Graylog to operate properly on Rocky Linux 10. Check current SELinux status:

sudo sestatus

If SELinux is enabled and enforcing, you may need to create custom policies or adjust contexts for Graylog directories and processes.

Security best practices include changing default passwords immediately after installation. The default root password should be replaced with a strong, unique password that meets your organization’s security requirements.

Network access restrictions can be implemented through firewall rules that limit Graylog access to specific IP ranges or subnets. A source-restricted rich rule only restricts anything if the unrestricted port 9000 rule added earlier is removed again; otherwise the broader rule still admits every source:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9000" accept' --permanent

SSL/TLS configuration should be considered for production deployments, especially when Graylog will be accessed over untrusted networks. This involves obtaining SSL certificates and configuring Graylog to use HTTPS for the web interface.

Accessing and Initial Setup of Graylog Web Interface

Web interface access becomes available once all services are running and firewall rules permit connections. Open a web browser and navigate to your Rocky Linux 10 server’s IP address on port 9000:

http://your-server-ip:9000

Initial login credentials use the username “admin” and the password you configured during the server setup process. This administrative account provides full access to all Graylog features and configuration options.


First login steps include accepting any license agreements presented and reviewing the initial system status dashboard. Graylog displays system health information, showing the status of connected MongoDB and OpenSearch instances.

Time zone configuration ensures that log timestamps display correctly for your location. Navigate to System → Overview → Nodes and verify that the server timezone matches your requirements.

Basic navigation familiarization helps administrators understand the Graylog interface layout. Key sections include Search for querying logs, Streams for organizing log data, Dashboards for visualization, and System for administrative functions.

Initial input configuration involves setting up your first log source to begin receiving data. Navigate to System → Inputs and select an appropriate input type based on your logging sources. Syslog UDP is commonly used for initial testing and basic log collection.

Testing and Verification

System health verification ensures all Graylog components are functioning correctly and communicating properly. Check the System → Overview page in the web interface for component status indicators showing green health status for all services.

Service status monitoring from the command line provides additional verification:

sudo systemctl status mongod opensearch graylog-server

All services should report active status without error conditions.

Log file analysis helps identify any startup issues or configuration problems:

sudo tail -100 /var/log/graylog-server/server.log
sudo journalctl -u graylog-server -f

Look for error messages or warnings that might indicate configuration issues or component communication problems.

Basic log ingestion testing validates that Graylog can receive and process log data. Configure a simple Syslog UDP input and send test messages:

# Create a test log entry
logger -n your-server-ip -P 514 "Test message from $(hostname)"
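A bare logger call proves that packets arrive, but not that Graylog parsed them the way you expect. The script below is an added example for this tutorial (not part of Graylog or the logger utility): it builds a well-formed RFC 5424 syslog line with a known facility and severity, and a GELF 1.1 JSON payload with a custom field, then sends each with bash's /dev/udp device to the two input ports the firewall section opened. Ports come from environment variables because Graylog runs as an unprivileged user and a Syslog input on 514 cannot bind without extra privileges; if you created the input on a port above 1024 instead, pass that port. Host names and message text are constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original tutorial): build and send known-good
# test messages for a Syslog UDP input and a GELF UDP input. Ports, host names
# and message text are constructed here; /dev/udp requires bash.

# Syslog PRI = facility * 8 + severity (RFC 5424 section 6.2.1); local0 is
# facility 16 and "informational" is severity 6, giving <134>.
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# $1 facility, $2 severity, $3 host, $4 app, $5 RFC 3339 timestamp, $6 message
syslog_5424() {
    printf '<%s>1 %s %s %s - - - %s' "$(syslog_pri "$1" "$2")" "$5" "$3" "$4" "$6"
}

# GELF 1.1 payload: version, host and short_message are mandatory, "level" is
# the syslog severity, and every additional field must start with "_".
# $1 host, $2 level, $3 message, $4 value for the custom _test_run field
gelf_json() {
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":%s,"_test_run":"%s"}' \
        "$1" "$3" "$2" "$4"
}

# One datagram to $1:$2 with payload $3 (bash-only /dev/udp pseudo-device).
send_udp() { printf '%s\n' "$3" > "/dev/udp/$1/$2"; }

main() {
    target=${1:-your-server-ip}
    syslog_port=${SYSLOG_PORT:-514}
    gelf_port=${GELF_PORT:-12201}
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    me=$(hostname)
    send_udp "$target" "$syslog_port" \
        "$(syslog_5424 16 6 "$me" graylog-test "$ts" "syslog test from $me")"
    send_udp "$target" "$gelf_port" \
        "$(gelf_json "$me" 6 "gelf test from $me" "$ts")"
    echo "sent; search Graylog for: source:$me"
}
# Usage: SYSLOG_PORT=1514 bash send-test-logs.sh send 192.0.2.10
if [ "${1:-}" = "send" ]; then shift; main "$@"; fi
```

In the Graylog search results the syslog message should show facility local0 and level 6, and the GELF message should carry the custom field as test_run (Graylog drops the leading underscore when it stores additional GELF fields). If the messages arrive but those fields are wrong, the input type or its parsing options are at fault rather than the network path.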

Search functionality testing confirms that log data is being indexed and retrievable. Use the Graylog search interface to look for your test message, verifying that ingestion, indexing, and search capabilities work correctly.

Performance monitoring includes checking system resource usage during operation. Monitor CPU, memory, and disk utilization to ensure the system can handle expected log volumes without performance degradation.

Database connectivity verification ensures persistent storage is working:

mongosh graylog --eval 'db.stats()'

This command should return database statistics confirming MongoDB is properly storing Graylog metadata.

Troubleshooting Common Issues

Service startup problems often stem from configuration errors or dependency issues. If Graylog fails to start, examine the log files for specific error messages:

sudo journalctl -u graylog-server --no-pager

Common startup failures include incorrect MongoDB or OpenSearch connection settings, invalid configuration syntax, or insufficient system resources.

Memory and performance issues typically occur when the system lacks adequate RAM for the configured components. OpenSearch is particularly memory-intensive, requiring proper heap size configuration. If the system becomes unresponsive, consider increasing available memory or adjusting heap size settings.

Network connectivity problems manifest as an inability to access the web interface or to connect to external log sources. Verify firewall rules, check network interfaces, and confirm that the services are listening on the expected addresses and ports (ss is installed by default on Rocky Linux; netstat is not):

sudo ss -tlnp | grep -E '(9000|9200|27017)'

Configuration file errors prevent service startup and require careful syntax checking. Graylog configuration uses specific formatting requirements, and small typos can prevent startup. Use configuration validation tools when available, and compare your settings against working examples.

Common error messages and their solutions include:

  • “Unable to connect to MongoDB” – Verify MongoDB is running and connection parameters are correct
  • “Elasticsearch cluster not available” – Check OpenSearch status and network connectivity
  • “Web interface not accessible” – Confirm firewall rules and binding address configuration
  • “Out of memory errors” – Increase JVM heap sizes or add system RAM

Log analysis for debugging provides the most reliable method for identifying specific problems. Enable debug logging when necessary by adjusting log levels in the Graylog configuration file.
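The error list above maps naturally onto a small triage script. The one below is an added example for this tutorial (not a Graylog tool): it classifies lines from server.log or journalctl output into those failure groups, counts them, and prints the remedy next to each. The sample log lines are constructed for the example, and the match patterns are Java exception names and phrases typical of these failures, an assumption rather than an exhaustive list of what Graylog logs.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sort Graylog startup log
# lines into failure groups and print a remedy per group. Sample lines are
# constructed; match patterns are assumptions, not a complete catalogue.

# $1 = one log line; prints a category token.
classify_line() {
    case "$1" in
        *" INFO "*) echo other ;;
        *MongoTimeoutException*|*"Unable to connect to MongoDB"*|*"Connection refused"*27017*) echo mongodb ;;
        *"cluster not available"*|*Elasticsearch*|*":9200"*) echo search ;;
        *BindException*|*"Address already in use"*) echo bind ;;
        *OutOfMemoryError*|*"GC overhead limit"*) echo memory ;;
        *"Unknown property"*|*ValidationException*|*"Couldn't parse"*) echo config ;;
        *ERROR*|*WARN*) echo other-error ;;
        *) echo other ;;
    esac
}

# $1 = category token; prints the matching remedy.
remedy() {
    case "$1" in
        mongodb) echo "check 'systemctl status mongod' and mongodb_uri in server.conf" ;;
        search)  echo "check 'systemctl status opensearch', 'curl localhost:9200' and elasticsearch_hosts" ;;
        bind)    echo "port held by another process, or an input on a port below 1024: 'ss -tlnp', then change the port" ;;
        memory)  echo "raise the JVM heap for Graylog or OpenSearch, or add RAM" ;;
        config)  echo "fix the named key in server.conf; keys are case-sensitive and values are unquoted" ;;
        *)       echo "read the full stack trace: journalctl -u graylog-server --no-pager" ;;
    esac
}

# Read log lines on stdin; print "category<TAB>count<TAB>remedy", most frequent first.
triage() {
    tmp=$(mktemp)
    while IFS= read -r line; do classify_line "$line"; done | sort | uniq -c | sort -rn > "$tmp"
    while read -r n c; do
        if [ "$c" = other ]; then continue; fi
        printf '%s\t%s\t%s\n' "$c" "$n" "$(remedy "$c")"
    done < "$tmp"
    rm -f "$tmp"
}

# Constructed sample, shaped like server.log lines but not copied from any system.
SAMPLE_LOG='2024-05-01T10:00:01.000Z ERROR [MongoDBPreflightCheck] com.mongodb.MongoTimeoutException: Timed out after 30000 ms
2024-05-01T10:00:02.000Z WARN  [VersionProbe] Unable to retrieve version from Elasticsearch node: Connection refused (localhost:9200)
2024-05-01T10:00:03.000Z INFO  [ServerBootstrap] Graylog server starting up
2024-05-01T10:00:04.000Z ERROR [InputLauncher] java.net.BindException: Address already in use
2024-05-01T10:00:05.000Z ERROR [ProcessBufferProcessor] java.lang.OutOfMemoryError: Java heap space'

# Usage: sh triage.sh demo            (runs on the sample above)
#        sh triage.sh /var/log/graylog-server/server.log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage
elif [ -n "${1:-}" ]; then
    triage < "$1"
fi
```

On the constructed sample the output lists mongodb, search, bind and memory with one hit each; on a real log the count column tells you which dependency to fix first, since a single unreachable MongoDB typically produces many lines while a bind failure produces one.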

Congratulations! You have successfully installed Graylog. Thanks for using this tutorial for installing Graylog on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Graylog website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing his knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.