How to: Install Graylog Server on CentOS7

Graylog Server is an incredibly powerful open source log mangement system. It’s built for enterprise scale and support and is incredibly useful for assisting in identifying security threats, meeting compliance requirements or even simply centralizing your logs from various devices and applications.

Today we will go ahead and install Graylog Server on CentOS 7.
We will assume you already have CentOS 7 installed and configured with the basics (storage, networking, etc.).

Step one – install Java:

Graylog Server uses Elasticsearch to power its search functionality, which requires Java.
We’ll install the Oracle Java 8 JDK from the Oracle JDK RPM:

Note: In order to install Oracle Java 8 JDK, you will need to go to the Oracle Java 8 JDK Downloads Page, accept the license agreement, and copy the download link of the appropriate Linux .rpm package. Substitute the copied download link in place of the highlighted part of the wget command.

cd ~
wget –no-cookies –no-check-certificate –header “Cookie:; oraclelicense=accept-securebackup-cookie” “http://oracle_link_here
sudo yum -y localinstall jdk-8u172-linux-x64.rpm

You should now have successfully installed the Java 10 JDK.
We can test this by running this command:

java -version

You should receive the following output:

[[email protected] ~]# java -version
java version “1.8.0_172”
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

Step two – install and configure Elasticsearch:

Now that we have the requirements for Elasticsearch, let’s go ahead and install it!

Elasticsearch is not available in the default CentOS repo’s, so we’ll need to add a new repo.
First, create the file – use the editor of your choice. Here, we’ll use Vi:

sudo vi /etc/yum.repos.d/elasticsearch.repo

Then, add the following lines into the file:

name=Elasticsearch Repo for 5.x packages

Import the GPG key:

sudo rpm –import

Now we can go ahead and install Elasticsearch:

sudo yum -y install elasticsearch

Great! Elasticsearch is now installed.
Let’s go ahead and make a few quick config changes before we start and enable it:

sudo vi /etc/elasticsearch/elasticsearch.yml

Look for the following line, uncomment it, and replace “my-application” with a cluster name of your choice: my-application
to graylog

That’s it! Save the file and go ahead and start and enable Elasticsearch:

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

Elasticsearch should now be installed and running.
By default it runs on port 9200. We can check this using something like:

curl ‘http://localhost:9200/?pretty’

You should see the following output:

[[email protected] ~]# curl ‘localhost:9200/?pretty’
“name” : “4ug3pi0”,
“cluster_name” : “graylog”,
“cluster_uuid” : “azIBdKyfTiSjhHq9sAzcyQ”,
“version” : {
“number” : “5.6.10”,
“build_hash” : “b727a60”,
“build_date” : “2018-06-06T15:48:34.860Z”,
“build_snapshot” : false,
“lucene_version” : “6.6.1”
“tagline” : “You Know, for Search”

Step three – install MongoDB:

Graylog Server uses the free, open-source MongoDB to store configuration and other information.
Unlike MySQL, or other alternatives, MogoDB is a “NoSQL” database and does not use tables to store data – instead, it is document-oriented and uses JSON-like documents without schemas. Let’s go ahead and install it.

First, we need to add a new repository for MongoDB, just like we did for Elasticsearch:

sudo vi /etc/yum.reps.d/mongodb-3.6.repo

Fill it with the following:

name=MongoDB Repository

Go ahead and install MongoDB:

sudo yum -y install mongodb-org

Now we need to start and enable it:

sudo systemctl enable mongod
sudo systemctl start mongod

Step four – install Graylog Server:

Now that we have all the pre-requisites we get to finally install Graylog Server!

Download the publicly available Graylog Server repo:

sudo rpm -Uvh

Now we can install Graylog Server:

sudo yum -y install graylog-server

Step four – configure Graylog Server:

Okay, we’re nearly there!
Graylog Server has now been installed, but there’s a few things we need to update in the config before we can start it.

Now we want to install the pwgen utility to allow us create a strong password to use in our Graylog config, but like all the great packages out there, it’s not available in the default CentOS repo’s. Go ahead and install the EPEL repo, then install pwgen:

sudo yum -y install epel-release
sudo yum -y install pwgen

Alright, we have pwgen installed, let’s go ahead and create ourselves a super-secure, anti-crackable password:

pwgen -N 1 -s 96

You should see an output similar to this:

[[email protected] ~]# pwgen -N 1 -s 96

We also need to create a 256-bit hash for our admin password – replace yourpassword with a secure password of your choice. This will used later to login as the admin user:

echo -n yourpassword | sha256sum

You should see an output similar to this:

[[email protected] ~]# echo -n yourpassword | sha256sum
e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951 –

Let’s put this info into the Graylog Server config file.

sudo vi /etc/graylog/server/server.conf

Inside this file, locate password_secret = and paste the super-secure password we created using pwgen:

password_secret = wSyyK1lPrvRlLKS1vPql026oLU1AvKhDv1sBFqSZCgWR6IqnxicF469PjVyzsmLWguT2jbuxWsilqFVd8JCuQWQ0AKoLwHUJ

Find root_password_sha2 = and paste the 256-bit SHA hash of the password you created:

root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Find root_email and set your root/admin user email address:

root_email = “[email protected]

Find root_timezone and set your timezone (you can find the timezone names here):

root_timezone = Australia/Perth

Find #web_enable = false – uncomment it and set the value to true to enable the web interface:

web_enable = true

Find rest_listen_uri and replace with the server’s IP address:

rest_listen_uri =

Find web_listen_uri – uncomment it, and replace with the server’s IP address:

web_listen_uri =

Finally, we need start and enable Graylog Server:

sudo systemctl enable graylog-server
sudo systemctl start graylog-server

and allow access through the firewall:

sudo firewall-cmd –permanent –zone=public –add-port=9000/tcp
sudo firewall-cmd –permanent –zone=public –add-port=9200/tcp
sudo firewall-cmd –reload

Congratulations! You should now be able to access your Graylog Server from a web browser.

Using the username admin and the password you create the hash for, earlier.

If at first you’re receiving connection errors, give it a minute or two to allow Graylog Server to fully start and the web console to be accesible.