(Last Updated On: May 2, 2018)

In this guide, I’ll take you through How to Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7. Graylog 2.4 has full support for Elasticsearch 5.x and any latest version of MongoDB.

What’s Graylog?

Graylog is an open source log management platform which enables you to aggregate up to terabytes of log data, from multiple log sources, DCs, and geographies with the capability to scale horizontally in your data center, cloud, or both.

The Graylog search function is really fast and powerful, so you can group your servers into streams for easy log searching. Graylog UI is simple and intuitive with a complete user management and support for LDAP. It also has support for alerting and reporting.

Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7

Graylog depends on Java, Elasticsearch, and MongoDB for its functions. Elasticsearch is responsible for logs storage and MongoDB is for storing Graylog related configurations. You may need to disable SELinux to avoid permission issues when you change data directories for Graylog and port labeling.

To disable SELinux, run the commands:

setenforce 0
sed -i 's/(^SELINUX=).*/SELINUX=disabled/' /etc/selinux/config
cat /etc/selinux/config

A reboot is required to effect changes but setting setenforce 0 puts SELinux in permissive mode preventing any SELinux related issues.

Add required repositories:

Enable EPEL repository.

# yum -y install epel-release

Add MongoDB Repository:

cat << EOT > /etc/yum.repos.d/mongodb-org-3.6.repo
name=MongoDB Repository

Add Elasticsearch Repository:

cat << EOT > /etc/yum.repos.d/elasticsearch.repo
name=Elasticsearch repository for 5.x packages

Install the Elastic GPG key with:

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

With all these settings done, we can proceed to install Graylog packages.

Install Java, Elasticseach, and MongoDB

Run this command to install all required packages.

# yum install java-1.8.0-openjdk-headless.x86_64
# yum install pwgen  elasticsearch mongodb-org

Start and enable MongoDB service.

Start mongod service and set it to start on boot.

# systemctl enable mongod && systemctl start mongod
# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
 Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
 Active: active (running) since Fri 2018-03-09 04:08:41 EST; 7s ago
 Docs: https://docs.mongodb.org/manual

Configure Elasticsearch for Graylog

You need to modify the Elasticsearch configuration file and set the cluster name to graylog. The file to edit is /etc/elasticsearch/elasticsearch.yml.

# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog

Start and enable elasticsearch service:

You may need to configure a different partition for Elasticsearch data. The default Elasticsearch file locations are:

File system path
Configuration /etc/elasticsearch
JVM settings /etc/default/elasticsearch
Data files /var/lib/elasticsearch/data
Log files /var/log/elasticsearch/

For MongoDB:


File system path
Configuration /etc/mongod.conf
Data files /var/lib/mongodb/
Log files /var/log/mongodb/

I’ll mount a secondary drive under /var/lib/elasticsearch/data.

# lsblk 
sda 8:0 0 50G 0 disk 
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 49G 0 part 
 ├─centos-root 253:0 0 45.1G 0 lvm /
 └─centos-swap 253:1 0 3.9G 0 lvm [SWAP]
sdb 8:16 0 200G 0 disk

I’m going to use /dev/sdb for this.

parted -s -a optimal -- /dev/sdb mklabel gpt
parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
parted -s -- /dev/sdb align-check optimal 1
mkfs.xfs /dev/sdb1
echo "/dev/sdb1 /var/lib/elasticsearch/data xfs defaults 0 0" >> /etc/fstab
mkdir /var/lib/elasticsearch/data
mount -a
chown -R elasticsearch:elasticsearch /var/lib/elasticsearch/data

Confirm that it has been mounted:

# df -hT | grep /dev/sdb1
/dev/sdb1 xfs 200G 33M 200G 1% /var/lib/elasticsearch/data

You can now start elasticsearch and set it to start on reboot.

# systemctl start elasticsearch && systemctl enable elasticsearch

Install Graylog

Now install the Graylog repository and Graylog itself with the following commands:

# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm
# yum install graylog-server

You also need to set add password_secret and root_password_sha2 variables under /etc/graylog/server/server.conf. These settings are mandatory and without them, Graylog will not start!

# cat /etc/graylog/server/server.conf | grep password | grep -v '^ *#'
password_secret =
root_password_sha2 =

Generate password_secret using pwgen tool installed earlier.

#  pwgen -N 1 -s 96

You need to use the following command to create your root_password_sha2:

# echo -n yourpassword | sha256sum

To be able to connect to Graylog you should set:

  • rest_listen_uri
  • web_listen_uri

to the public host name or a public IP address of the machine running graylog service. For more information refer to Configuring the web interface documentation.

Graylog directory structure is:

File system path
Configuration /etc/graylog/server/server.conf
Logging configuration /etc/graylog/server/log4j2.xml
Plugins /usr/share/graylog-server/plugin
JVM settings /etc/sysconfig/graylog-server
Message journal files /var/lib/graylog-server/journal
Log Files /var/log/graylog-server/

Start Graylog service

Now start graylog service and enable it to start on system boot up

# systemctl start graylog-server && systemctl enable graylog-server
# systemctl status graylog-server
● graylog-server.service - Graylog server
 Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
 Active: active (running) since Fri 2018-03-09 06:12:30 EST; 3s ago Docs: http://docs.graylog.org/
 Main PID: 21970 (graylog-server)
 CGroup: /system.slice/graylog-server.service ├─21970 /bin/sh /usr/share/graylog-server/bin/graylog-server └─21971 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeT...

Mar 09 06:12:30  systemd[1]: Started Graylog server.
Mar 09 06:12:30  systemd[1]: Starting Graylog server...
[root@graylog ~]#

Configure Graylog Firewalld

For a single node installation, you only need to open port 9000 for UI access and API. To do this on CentOS 7, use firewalld.

# firewall-cmd --add-port=9000/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-ports | grep 9000

You can now access Graylog web interface using http://public_ip:9000. You should get an interface like below.

 Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7

We have come to the end of Install Graylog 2.4 with Elasticsearch 5.x on CentOS 7. Read next article on Configure Graylog Nginx reverse proxy with Letsencrypt SSL.