Graylog is an open-source centralised log management platform that collects, indexes, and analyses log data from across your infrastructure in one place. On RHEL 9, deploying Graylog 5.x gives operations teams powerful search, alerting, and dashboarding capabilities without relying on cloud-based log services. Graylog depends on MongoDB for metadata storage and OpenSearch (or Elasticsearch) for the log index, so this tutorial walks you through standing up all three components before configuring the Graylog server itself. By the end you will have a working web UI on port 9000 and a GELF UDP input ready to receive logs from any source.

Prerequisites

  • RHEL 9 server with at least 4 GB RAM and 2 CPU cores (8 GB RAM recommended for production)
  • Root or sudo access
  • Java 17 installed (dnf install java-17-openjdk-headless)
  • Ports 9000 (web UI) and 12201/UDP (GELF) open in firewalld
  • pwgen available (dnf install pwgen)

Step 1 — Install MongoDB 6

Graylog 5.x requires MongoDB 5 or 6. Create the official MongoDB repository file and install the server package.

cat > /etc/yum.repos.d/mongodb-org-6.0.repo << 'EOF'
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

dnf install -y mongodb-org
systemctl enable --now mongod
systemctl status mongod

Step 2 — Install OpenSearch

Graylog uses OpenSearch as its search and indexing backend. Add the OpenSearch repository, install version 2.x, and apply the required kernel tuning for Elasticsearch-compatible workloads.

curl -o /etc/yum.repos.d/opensearch-2.x.repo \
  https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo

dnf install -y opensearch

# Required kernel setting
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p

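# Minimal opensearch.yml settings
# plugins.security.disabled turns off authentication and TLS on the REST API,
# so keep OpenSearch listening on localhost only (its default bind address).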
cat >> /etc/opensearch/opensearch.yml << 'EOF'
cluster.name: graylog
action.auto_create_index: false
plugins.security.disabled: true
EOF

systemctl enable --now opensearch
# Verify: curl http://localhost:9200
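
With plugins.security.disabled: true the OpenSearch REST API answers unauthenticated requests, and the MongoDB package from Step 1 runs without access control, so both backends should listen on loopback only. The check below is an added example, not part of the original tutorial; the port list (9200, 9300, 27017) assumes the services' default ports, and the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: flag Graylog backend ports that listen beyond loopback.

# Reads `ss -Hltn` output on stdin and prints "port address" for every
# backend listener that is not bound to a loopback address.
exposed_backends() {
  awk -v ports="9200 9300 27017" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[0-9]+$/, "", addr)   # text before the port
      gsub(/^\[|\]$/, "", addr)              # strip IPv6 brackets
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
      print port, addr
    }'
}

# Runs the check against the live socket table; non-zero exit on exposure.
check_backends() {
  local found
  found=$(ss -Hltn | exposed_backends)
  if [ -n "$found" ]; then
    echo "backend ports reachable off-host:" >&2
    echo "$found" >&2
    return 1
  fi
  echo "OpenSearch and MongoDB listen on loopback only"
}

# Run with --check on the Graylog host; without it only the functions load.
if [ "${1:-}" = "--check" ]; then check_backends; fi
```

Port 9000 is deliberately not in the list, because Step 4 binds the web UI to 0.0.0.0 on purpose.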

Step 3 — Install Graylog Server

Add the official Graylog repository for RHEL 9, then install the graylog-server package.

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm
dnf install -y graylog-server

Step 4 — Configure server.conf

Graylog requires two secrets: a random password_secret used for encryption and a SHA-256 hash of your admin password. Generate both, then set the HTTP bind address so the web UI is reachable.

# Generate a 96-character random secret
pwgen -N1 -s 96
# Copy the output and set it as password_secret in server.conf

# Generate SHA-256 hash of your chosen admin password (replace "YourSecurePassword")
echo -n "YourSecurePassword" | sha256sum | awk '{print $1}'
# Copy the hash for root_password_sha2

# Edit the main configuration file
vi /etc/graylog/server/server.conf

# Key settings to configure:
# password_secret = <secret generated with pwgen above>
# root_password_sha2 = <SHA-256 hash generated above>
# http_bind_address = 0.0.0.0:9000
# elasticsearch_hosts = http://127.0.0.1:9200
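
The echo command above puts the admin password on the command line, where shell history records it. The script below is an added example, not part of the original tutorial: it prompts for the password without echoing it, generates password_secret from /dev/urandom (a stand-in for pwgen), and writes both keys into server.conf. The function names, the CONF override and the 12-character minimum are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: write Graylog's two secrets into server.conf without typing
# the admin password on the command line.

# Assumption: package default path; override CONF to try it on a copy.
CONF="${CONF:-/etc/graylog/server/server.conf}"

# 96 random alphanumeric characters, same shape as `pwgen -N1 -s 96`.
gen_secret() {
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-96
}

# SHA-256 hex digest of stdin, the format root_password_sha2 expects.
hash_password() {
  sha256sum | awk '{print $1}'
}

# Set "key = value" in file $1: rewrite the active line, or append if absent.
# Values used here are alphanumeric, so they are safe inside the sed expression.
set_conf() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

configure_secrets() {
  printf 'Graylog admin password: ' >&2
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  # Example policy, not a Graylog requirement.
  [ "${#pw}" -ge 12 ] || { echo 'use at least 12 characters' >&2; return 1; }
  set_conf "$CONF" password_secret "$(gen_secret)"
  set_conf "$CONF" root_password_sha2 "$(printf '%s' "$pw" | hash_password)"
  unset pw
}

# Run as root with --apply; without it the file only defines the functions.
if [ "${1:-}" = "--apply" ]; then configure_secrets; fi
```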

Step 5 — Start Graylog and Open Firewall

Enable and start the Graylog server service, then open the required firewall ports for the web interface and GELF UDP input.

systemctl enable --now graylog-server
systemctl status graylog-server

# Open web UI port and GELF UDP port
firewall-cmd --permanent --add-port=9000/tcp
firewall-cmd --permanent --add-port=12201/udp
firewall-cmd --reload

# Tail the log to watch for startup completion (~60 seconds)
journalctl -fu graylog-server | grep "Graylog server up and running"

Step 6 — Create a GELF UDP Input and Send Test Logs

Once the web UI is accessible at http://<server-ip>:9000, log in with username admin and the password you hashed earlier. Navigate to System → Inputs, select GELF UDP, click Launch new input, set the port to 12201, and save. You can then send test messages and set up extractors to parse structured fields from your log lines.

# Send a test GELF message using netcat (nc)
echo '{"version":"1.1","host":"testhost","short_message":"Hello Graylog","level":6}' \
  | nc -w1 -u 127.0.0.1 12201

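# Alternatively, configure rsyslog to forward to the Graylog GELF input.
# The input only decodes GELF JSON, so define a GELF template for omfwd
# (omfwd is built in; no extra output module needs to be loaded).
cat > /etc/rsyslog.d/90-graylog.conf << 'EOF'
template(name="gelf" type="list") {
  constant(value="{\"version\":\"1.1\",\"host\":\"")
  property(name="hostname" format="json")
  constant(value="\",\"short_message\":\"")
  property(name="msg" format="json")
  constant(value="\",\"level\":")
  property(name="syslogseverity")
  constant(value="}")
}
*.* action(type="omfwd"
           target="127.0.0.1"
           port="12201"
           protocol="udp"
           template="gelf")
EOF
systemctl restart rsyslog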

Conclusion

You now have a fully operational Graylog 5 stack on RHEL 9, with MongoDB providing configuration storage, OpenSearch handling log indexing, and the Graylog server exposing a web dashboard on port 9000. From here you can create streams to route log messages, build extractors to parse custom fields, and configure alert conditions to notify your team when critical events occur. For production deployments, consider placing Graylog behind a reverse proxy with TLS and enabling MongoDB replica sets for high availability.
