How to Install Graylog for Centralised Log Management on RHEL 7
Centralised log management is essential for any production environment. When servers, applications, and network devices each write logs independently, troubleshooting incidents becomes painfully slow. Graylog solves this by aggregating logs from every source into a single, searchable platform. Built on top of MongoDB and Elasticsearch, Graylog provides real-time log analysis, alerting, and dashboards that give operations teams a complete view of their infrastructure. This guide walks through a full Graylog installation on Red Hat Enterprise Linux 7, including prerequisites, configuration, Nginx reverse proxying, and setting up log forwarding from remote hosts using rsyslog and Filebeat.
Prerequisites
- RHEL 7 with a minimum of 4 GB RAM (8 GB recommended for production)
- Root or sudo access
- A fully qualified hostname and static IP address
- Java 8 (OpenJDK) installed: the Graylog server itself runs on the JVM. Elasticsearch 7 ships with its own bundled JDK and does not use the system Java.
- Firewall access only for Nginx (ports 80 and 443) and for the input port(s) you choose for log delivery. Graylog (9000), Elasticsearch (9200) and MongoDB (27017) are bound to loopback in this guide and must not be opened: Elasticsearch and MongoDB accept unauthenticated connections by default, and Graylog's own port is only meant to be reached by Nginx on the same host.
Step 1: Install Java 8
Elasticsearch requires Java. Install the OpenJDK 8 package from the base RHEL repositories.
sudo yum install -y java-1.8.0-openjdk-headless
java -version
Confirm the output shows openjdk version "1.8.0" or similar before continuing.
Step 2: Install and Configure MongoDB
Graylog uses MongoDB to store configuration and metadata (users, inputs, streams, dashboards), not the log messages themselves. Add the official MongoDB 4.0 yum repository (Graylog 4.3 supports MongoDB 4.0 through 4.4; adjust the repository path if you pick a newer series), then install and enable the service. The repository definition enables GPG signature checking, so packages are verified against the MongoDB release key.
sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo <<'EOF'
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
sudo yum install -y mongodb-org
sudo systemctl daemon-reload
sudo systemctl enable mongod
sudo systemctl start mongod
sudo systemctl status mongod
MongoDB binds to 127.0.0.1:27017 by default (bindIp in /etc/mongod.conf), so only processes on this host can reach it, and Graylog needs no credentials for a single-server deployment. If you ever change bindIp, move MongoDB to a separate host, or share the instance with other tenants, enable authorization first, create a user scoped to the graylog database, and put those credentials in Graylog's mongodb_uri; an exposed, unauthenticated MongoDB gives anyone on the network full control over Graylog's users and configuration.
Step 3: Install and Configure Elasticsearch
Graylog 4.3 supports Elasticsearch 6.8.x and 7.10.x only (it refuses to start against 7.11 and later). The Elastic 7.x repository's newest package is 7.17, so install the 7.10.2 version explicitly rather than whatever the repository offers by default. Add the Elastic yum repository and import its signing key:
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
sudo tee /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
sudo yum install -y elasticsearch-7.10.2
# Keep a later "yum update" from pulling in a 7.11+ release that Graylog 4.3 cannot use
sudo yum install -y yum-plugin-versionlock
sudo yum versionlock add elasticsearch
Set the cluster name Graylog expects, bind Elasticsearch to loopback only (the shipped elasticsearch.yml has both lines commented out), and disable automatic index creation as the Graylog documentation recommends, since Graylog manages its own indices. Binding to 127.0.0.1 also keeps Elasticsearch in development mode, so a single node bootstraps itself without any discovery settings:
sudo sed -i 's/#cluster.name: my-application/cluster.name: graylog/' /etc/elasticsearch/elasticsearch.yml
sudo sed -i 's/#network.host: 192.168.0.1/network.host: 127.0.0.1/' /etc/elasticsearch/elasticsearch.yml
echo 'action.auto_create_index: false' | sudo tee -a /etc/elasticsearch/elasticsearch.yml
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
# Verify the cluster is reachable and green (an empty single node reports green;
# yellow later means an index was created with replicas > 0, which one node cannot satisfy)
curl -s 'http://127.0.0.1:9200/_cluster/health?pretty' | grep status
Step 4: Add the Graylog Yum Repository and Install
Graylog provides an official RPM repository for RHEL-based systems. Install the repository package and then install the server.
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.rpm
sudo yum install -y graylog-server
Step 5: Configure Graylog
The main configuration file is /etc/graylog/server/server.conf. Two values are mandatory before Graylog will start: password_secret (used to pepper stored user passwords and to encrypt secrets kept in MongoDB; it must be identical on every node of a cluster, and changing it later invalidates all user sessions and encrypted values) and root_password_sha2 (the SHA-256 hash of the built-in admin account's password, which can only be changed in this file, never through the web interface or API).
Generate a strong random secret of at least 64 characters. pwgen is not in the base RHEL 7 repositories (it is packaged in EPEL); any other source of random characters, such as /dev/urandom, works equally well:
pwgen -N 1 -s 96
# Example output: 3k9Xz2... (copy this value)
Hash the admin password. Do not pass it as an argument to echo, which records the cleartext password in your shell history; read it from standard input instead, as the Graylog documentation does:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Now edit the configuration file:
sudo vi /etc/graylog/server/server.conf
Set the following key values:
# Mandatory secret — paste the pwgen output here
password_secret = 3k9Xz2...yoursecrethere...
# SHA-256 hash of your admin password
root_password_sha2 = 5e884898da28047151d0e56f8dc6292...
# Bind the HTTP API and web interface to loopback only; Nginx on this host is the sole client
http_bind_address = 127.0.0.1:9000
# Elasticsearch connection
elasticsearch_hosts = http://127.0.0.1:9200
# MongoDB URI
mongodb_uri = mongodb://localhost/graylog
sudo systemctl daemon-reload
sudo systemctl enable graylog-server
sudo systemctl start graylog-server
sudo systemctl status graylog-server
Graylog may take 30–60 seconds to fully start. Check the log at /var/log/graylog-server/server.log if it does not come up.
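The two mandatory values above are the part of this step people get wrong: the secret ends up shorter than 64 characters, or the admin password is hashed with echo and survives in ~/.bash_history. The following script is an added example, not something shipped by Graylog, that generates password_secret from /dev/urandom, hashes the admin password read silently from the terminal, and rewrites the "key = value" lines in a server.conf in place. It assumes GNU sed and sha256sum (both standard on RHEL 7) and a configuration file in the layout the graylog-server package installs; the GRAYLOG_CONF variable and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Graylog documentation or package: produce the
# two mandatory server.conf values and write them in place, without the admin
# password ever appearing on a command line or in shell history.
# Assumptions: GNU sed (RHEL 7), sha256sum from coreutils, /dev/urandom, and a
# server.conf that uses "key = value" lines as shipped by graylog-server.

# Random password_secret: 96 characters from [A-Za-z0-9] (Graylog wants >= 64).
gen_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Hex SHA-256 of stdin exactly as given (no newline is appended to the input).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1          # BSD/macOS fallback
  fi
}

# Read the admin password from the terminal with echo off and hash it.
# Unlike `echo -n "pw" | sha256sum`, nothing lands in the shell history file.
hash_admin_password() {
  printf 'Admin password: ' >&2
  stty -echo 2>/dev/null
  IFS= read -r pw
  stty echo 2>/dev/null
  printf '\n' >&2
  printf '%s' "$pw" | sha256_hex
}

# Set "key = value" in a Graylog-style conf file: rewrite the active line if the
# key is already set (even to an empty value, as password_secret is in the
# shipped file), otherwise append one. Commented-out examples are left alone.
# Values must not contain '|' or '&'; the secret and a hex digest never do.
set_conf_key() {
  file=$1 key=$2 value=$3
  if grep -Eq "^$key[[:space:]]*=" "$file"; then
    sed -i -E "s|^$key[[:space:]]*=.*|$key = $value|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Read back the active value of a key (empty if unset or only commented out).
get_conf_key() {
  sed -nE "s|^$2[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1"
}

# Apply to a real config only when asked, e.g. as root on the Graylog host:
#   GRAYLOG_CONF=/etc/graylog/server/server.conf sh graylog-secrets.sh
if [ -n "${GRAYLOG_CONF:-}" ]; then
  set_conf_key "$GRAYLOG_CONF" password_secret "$(gen_password_secret)"
  set_conf_key "$GRAYLOG_CONF" root_password_sha2 "$(hash_admin_password)"
  set_conf_key "$GRAYLOG_CONF" http_bind_address 127.0.0.1:9000
  secret=$(get_conf_key "$GRAYLOG_CONF" password_secret)
  echo "password_secret set (${#secret} chars); root_password_sha2 set; restart graylog-server"
fi
```

Run it once per node before the first start, then copy the resulting password_secret verbatim to any additional nodes: Graylog nodes in one cluster must share it, and generating a fresh one on a second node silently breaks session and credential decryption.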
Step 6: Configure Nginx as a Reverse Proxy
Install Nginx and configure it to proxy requests to the Graylog web interface, giving you a standard port 80/443 entry point and a place to terminate TLS. The configuration below is plain HTTP so it can be verified first; before anyone uses the admin account over a network, add a server block with listen 443 ssl, ssl_certificate and ssl_certificate_key, and redirect port 80 to it, because otherwise the admin password and session cookies cross the wire in cleartext. The X-Graylog-Server-URL header is required: it tells the web interface which URL browsers should use to reach the API through the proxy (the alternative is setting http_external_uri in server.conf). On RHEL 7 with SELinux in enforcing mode, also run setsebool -P httpd_can_network_connect 1, or Nginx is denied its connection to port 9000.
sudo yum install -y nginx
sudo tee /etc/nginx/conf.d/graylog.conf <<'EOF'
server {
    listen 80;
    server_name graylog.example.com;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # URL the web interface hands to browsers for API calls; without it
        # the UI tries to reach http://127.0.0.1:9000/ from the client
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_connect_timeout 150;
        proxy_send_timeout 100;
        proxy_read_timeout 100;
        proxy_buffers 4 32k;
        client_max_body_size 8m;
        client_body_buffer_size 128k;
    }
}
EOF
sudo systemctl enable nginx
sudo systemctl start nginx
Open the firewall for Nginx only. Port 9000 stays closed: Graylog is bound to 127.0.0.1, so nothing would answer there anyway, and opening it invites a later "fix" that bypasses the proxy and its TLS. Add the https service as well once the TLS server block is in place:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Step 7: Create a Graylog Input
An Input tells Graylog how to receive log data. Log in to the web interface at http://graylog.example.com with username admin and the password you hashed earlier.
Navigate to System → Inputs. From the “Select Input” dropdown, choose GELF UDP (for applications that support GELF) or Syslog UDP (for syslog forwarding). Click Launch new input, set the port (e.g., 12201 for GELF UDP, 5140 for Syslog), give it a title, and click Save.
Graylog runs as an unprivileged user, which is why the examples use ports above 1024 rather than the traditional 514. Open only the input ports you actually created, and where your firewalld zones allow it, limit them to the subnets your log sources live in: a UDP input accepts and indexes anything that arrives, from any address.
sudo firewall-cmd --permanent --add-port=5140/udp
sudo firewall-cmd --permanent --add-port=12201/udp
sudo firewall-cmd --reload
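After Steps 6 and 7 the only things reachable from the network should be Nginx and the log inputs. The script below is an added example, not part of Graylog or RHEL, that checks exactly that: it parses the output of ss -ltn for Graylog, Elasticsearch or MongoDB sockets bound to anything other than loopback, and parses firewall-cmd --list-ports for openings of those same ports. The parsing is kept separate from collection so it can be exercised on sample output; the port list, function names and the AUDIT variable are this example's conventions.

```shell
#!/bin/sh
# Added example (not from the Graylog docs): verify that after Steps 6 and 7
# only Nginx and the log inputs are reachable from the network. Two checks:
# listening sockets (from `ss -ltn`, iproute2) and firewalld's opened ports.
# Parsing is separated from collection so it can run against sample output.

# TCP ports that must stay bound to loopback in this deployment.
INTERNAL_PORTS="9000 9200 27017"

# stdin: `ss -ltn` output. Prints "ADDRESS PORT" for every LISTEN socket on an
# internal port whose local address is not loopback (127.x.x.x or [::1]).
exposed_ports() {
  awk -v ports="$INTERNAL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      la = $4                              # "Local Address:Port" column
      if (!match(la, /:[0-9]+$/)) next
      addr = substr(la, 1, RSTART - 1)     # may carry %iface, e.g. 127.0.0.1%lo
      port = substr(la, RSTART + 1)
      if (!(port in want)) next
      if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next
      print addr, port                     # 0.0.0.0, [::], * or a NIC address
    }'
}

# stdin: `firewall-cmd --list-ports` output, e.g. "9000/tcp 5140/udp 12201/udp".
# Prints entries that open an internal port; with the Nginx proxy in front,
# none of them should ever be opened.
stray_firewall_ports() {
  for entry in $(cat); do
    port=${entry%%/*}
    for p in $INTERNAL_PORTS; do
      if [ "$port" = "$p" ]; then printf '%s\n' "$entry"; fi
    done
  done
}

# Live check on the Graylog host; returns 1 if anything needs fixing.
audit_host() {
  rc=0
  exposed=$(ss -ltn | exposed_ports)
  if [ -n "$exposed" ]; then
    printf 'EXPOSED (expected 127.0.0.1 only):\n%s\n' "$exposed"
    rc=1
  fi
  if command -v firewall-cmd >/dev/null 2>&1; then
    stray=$(firewall-cmd --list-ports 2>/dev/null | stray_firewall_ports)
    if [ -n "$stray" ]; then
      echo "STRAY FIREWALL RULE(S): $stray"
      echo "remove with: firewall-cmd --permanent --remove-port=<port/proto> && firewall-cmd --reload"
      rc=1
    fi
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: Graylog, Elasticsearch and MongoDB listen on loopback only and are not opened in firewalld"
  fi
  return "$rc"
}

# Run the live audit only when asked:  AUDIT=1 sh graylog-audit.sh
if [ -n "${AUDIT:-}" ]; then
  audit_host
fi
```

A non-zero exit from audit_host after a configuration change is the signal to go back to network.host, bindIp or http_bind_address before opening anything further; the check is cheap enough to keep in a post-deploy script.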
Step 8: Forward Logs with rsyslog
On any RHEL 7 host whose logs you want to centralise, configure rsyslog to forward to Graylog. Create a new rsyslog configuration snippet:
sudo tee /etc/rsyslog.d/90-graylog.conf <<'EOF'
# Forward all logs to Graylog syslog input
*.* @graylog.example.com:5140;RSYSLOG_SyslogProtocol23Format
EOF
sudo systemctl restart rsyslog
Use @@ instead of @ for TCP forwarding, and prefer it in practice: UDP silently drops messages under load or while Graylog restarts, and a UDP source address is trivial to spoof, so a forged line can be planted in your central logs. For TCP create a Syslog TCP input in Graylog (the 5140 input created above is UDP). rsyslog can additionally wrap the TCP stream in TLS (the rsyslog-gnutls package) against a Graylog Syslog TCP input with TLS enabled, which is the right setup when logs cross an untrusted network.
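The one-line @ rule above delivers best-effort over UDP. As an added example, not taken from the Graylog or rsyslog documentation, the script below renders the equivalent rule in rsyslog's RainerScript form with TCP transport and a disk-assisted queue (so messages are spooled locally and retried while Graylog is unreachable), validates the complete rsyslog configuration with rsyslogd -N1 before restarting, and sends a marker message through the local rsyslog so the end-to-end path can be searched for in Graylog. It assumes rsyslog 8 (RHEL 7 ships 8.24), the RHEL default $WorkDirectory /var/lib/rsyslog in /etc/rsyslog.conf, and a Graylog Syslog TCP input on the given port; the GRAYLOG_HOST/GRAYLOG_PORT variables and the queue file name are this example's own.

```shell
#!/bin/sh
# Added example (not from the Graylog or rsyslog docs): an rsyslog forwarding
# rule using TCP plus a disk-assisted queue, replacing the fire-and-forget UDP
# line, and a config check before the daemon is restarted.
# Assumptions: rsyslog 8 (RHEL 7 ships 8.24), $WorkDirectory /var/lib/rsyslog
# set in /etc/rsyslog.conf (the RHEL default), and a Graylog Syslog TCP input
# listening on the port given (the text's 5140 input is UDP; add a TCP one).

# Print the RainerScript snippet for the given Graylog host and TCP port.
render_forwarder_conf() {
  target=$1 port=${2:-5140}
  cat <<EOF
# Forward all logs to Graylog over TCP, RFC 5424 formatted (the same
# RSYSLOG_SyslogProtocol23Format template the UDP rule used).
# The queue spools to disk under \$WorkDirectory while the connection is
# down and retries forever instead of discarding messages.
action(
  type="omfwd"
  target="$target"
  port="$port"
  protocol="tcp"
  template="RSYSLOG_SyslogProtocol23Format"
  queue.type="LinkedList"
  queue.filename="graylog_fwd"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
  action.resumeInterval="10"
)
EOF
}

# Write the snippet, validate the whole rsyslog config, restart, send a marker.
install_forwarder() {
  render_forwarder_conf "$1" "${2:-5140}" >/etc/rsyslog.d/90-graylog.conf
  # -N1 parses the configuration and exits non-zero on errors without
  # touching the running daemon, so a typo cannot take local logging down.
  if ! rsyslogd -N1; then
    echo "rsyslog config check failed; not restarting" >&2
    return 1
  fi
  systemctl restart rsyslog
  # End-to-end check: this message goes through the local rsyslog and the
  # new rule; search Graylog for the tag to confirm delivery.
  logger -t graylog-fwd-test "forwarding test from $(hostname) at $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  echo "sent marker; search Graylog for: graylog-fwd-test"
}

# Install only when asked, as root on the forwarding host:
#   GRAYLOG_HOST=graylog.example.com GRAYLOG_PORT=5140 sh graylog-forwarder.sh
if [ -n "${GRAYLOG_HOST:-}" ]; then
  install_forwarder "$GRAYLOG_HOST" "${GRAYLOG_PORT:-5140}"
fi
```

The queue.maxDiskSpace value bounds how much a long Graylog outage can consume under /var/lib/rsyslog; size it for the host's log rate, because once it fills rsyslog starts discarding again.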
Step 9: Forward Logs with Filebeat
For file-based log forwarding (application logs, custom log files), Filebeat is a lightweight option. Install it from the Elastic repository you added earlier; it provides Filebeat 7.x, which speaks the Lumberjack protocol that Graylog's Beats input understands:
sudo yum install -y filebeat
Create a Beats input in Graylog first (System → Inputs → Beats, TCP port 5044), then edit /etc/filebeat/filebeat.yml so its Logstash output points at that input. Graylog's Beats input accepts exactly what Filebeat's output.logstash sends, so no Logstash is involved:
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/messages
      - /var/log/secure
output.logstash:
  hosts: ["graylog.example.com:5044"]
sudo systemctl enable filebeat
sudo systemctl start filebeat
The Beats input on port 5044 receives the Filebeat messages; open 5044/tcp in the firewall on the Graylog server as well (firewall-cmd --permanent --add-port=5044/tcp, then --reload). Filebeat ships without transport encryption: for production, enable TLS on the Beats input and set the matching ssl options under output.logstash, since /var/log/secure and similar files carry usernames and source addresses you do not want readable on the wire.
Conclusion
You now have a working Graylog installation on RHEL 7. MongoDB stores Graylog's configuration and user data, Elasticsearch indexes every log message for rapid search, and both listen on loopback only, so Nginx is the single network-facing entry point to the web interface. Remote hosts forward their logs via rsyslog (over UDP or, preferably, TCP) or via Filebeat over the Beats protocol. From the Graylog interface you can build dashboards, write search queries using Graylog's query language, create stream-based routing rules, and configure alerts to notify your team when error rates or specific log patterns are detected. With this foundation in place, you have the centralised visibility needed to diagnose incidents, audit security events, and monitor application health across your RHEL 7 fleet.