As a Linux administrator, you usually need to run Graylog Server to store logs. The logs that applications generate help you confirm that the system is working. To manage these logs, learn how to run Graylog Server in Docker containers in this article.
When several applications and servers generate logs, managing them gets difficult. Graylog is a free log management tool that is used to manage all the logs from several devices over different networks. It is capable of analyzing both unstructured and structured logs. A Graylog setup consists of MongoDB, Elasticsearch, and the Graylog server. In addition, the server receives the data from the clients installed on several servers.
Let’s take a look at a step-by-step guide on how to run Graylog Server in Docker containers.
Graylog Server Features
Graylog Server offers the following features:
- Log collection: Graylog captures log messages and network traffic from Syslog, AWS, JSON paths, and Plain/Raw texts.
- Log Analysis: Graylog provides advanced search, workflows, and dashboards for data analysis.
- Extracting Data: This log management tool also offers summary data that can be used in an Operations Center.
- Enhance Security: The Graylog Server is secure, accessible, and speedy as it handles sensitive and regulated data.
Prerequisites
For this tutorial, you will need a system with root access or sudo privileges. Also, make sure that Docker Engine and Docker Compose are installed and running on your system.
Run Graylog Server in Docker Containers
There are several steps involved in running a Graylog Server in Docker containers successfully. So, let’s get started.
1. Update the System
Before we start with the installation, the first step is to update the package manager. Use the following commands to update the system as per the operating system installed on your system.
## On Debian/Ubuntu
sudo apt update && sudo apt upgrade
## On RHEL/CentOS/RockyLinux 8
sudo yum -y update
## On Fedora
sudo dnf update
2. Install the Required Packages
We will also install the curl, vim, and git packages required to run the Graylog server. Use the install command of the apt, yum, or dnf package manager. For example:
## On Debian/Ubuntu
sudo apt install curl vim git
Use the following commands for different versions of Linux:
## On RHEL/CentOS/RockyLinux 8
sudo yum -y install curl vim git
## On Fedora
sudo dnf -y install curl vim git
3. Check the Docker Version to Run Graylog Server
Since this article requires Docker Engine to be running on the system, check the Docker version using the docker command. For instance:
docker -v
Now, add the user to the docker group. This lets the current user run docker commands without sudo; because the Docker daemon runs as root, membership in this group is effectively root-level access to the host. Use the usermod command for this step. For example:
sudo usermod -aG docker $USER
newgrp docker
Next, verify the Docker Compose version on your system:
docker compose version
Lastly, start the docker service and enable it to run automatically when the system starts. For this step, use the systemctl start and enable commands. Specifically, type:
sudo systemctl start docker && sudo systemctl enable docker
4. Provision the Graylog Container
The Graylog application consists of a server, Elasticsearch, and MongoDB. To set it up, we will create a YAML file first. Use your favorite text editor to create a docker-compose.yml file as shown below:
vim docker-compose.yml
Add the following lines to the file:
version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:4.2
    networks:
      - graylog
    # DB in share for persistence
    volumes:
      - /mongo_data:/data/db
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    # data folder in share for persistence
    volumes:
      - /es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2
    # journal and config directories in local NFS share for persistence
    volumes:
      - /graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.205.4:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    networks:
      - graylog
    links:
      - mongodb:mongo
      - elasticsearch
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
networks:
  graylog:
    driver: bridge
Make sure to replace the following variables in the file:
- GRAYLOG_PASSWORD_SECRET with your own secret value (at least 16 characters, as the comment in the file notes).
- GRAYLOG_ROOT_PASSWORD_SHA2 with the SHA-256 hash of your password. Obtain that hash using the command given below:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
- GRAYLOG_HTTP_EXTERNAL_URI with the IP address of your server. Alternatively, you can replace it with localhost.
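Before the first start, it is worth checking that these values were actually replaced. The script below is an added example, not part of the original tutorial: it reads a compose file and flags a secret shorter than 16 characters, the placeholder secret and hash published on this page, and hashes of a few common passwords. The function names and the short weak-password list are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial's author): audit Graylog secrets in a compose file.
# The two placeholder values are copied from the docker-compose.yml on this page.
TUTORIAL_SECRET='somepasswordpepper'
TUTORIAL_HASH='e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592'
WEAK_PASSWORDS='admin password graylog changeme'   # constructed sample list

# Print the value of a "- KEY=value" environment entry (empty if absent).
compose_env() {   # usage: compose_env KEY FILE
  grep -E "^[[:space:]]*-[[:space:]]*\"?$1=" "$2" | head -n 1 |
    sed -e 's/^[^=]*=//' -e 's/"*[[:space:]]*$//'
}

# SHA-256 of a password with no trailing newline, as the tutorial's command produces.
sha256_of() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# Print one finding per line; exit status is 0 only when there are none.
audit_graylog_secrets() (   # usage: audit_graylog_secrets FILE (subshell keeps variables local)
  findings=0
  report() { echo "$1"; findings=$((findings + 1)); }
  secret=$(compose_env GRAYLOG_PASSWORD_SECRET "$1")
  hash=$(compose_env GRAYLOG_ROOT_PASSWORD_SHA2 "$1" | tr 'A-F' 'a-f')

  if [ "${#secret}" -lt 16 ]; then
    report "GRAYLOG_PASSWORD_SECRET: missing or shorter than 16 characters"
  elif [ "$secret" = "$TUTORIAL_SECRET" ]; then
    report "GRAYLOG_PASSWORD_SECRET: still the tutorial placeholder"
  fi

  if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    report "GRAYLOG_ROOT_PASSWORD_SHA2: not a 64-digit hex SHA-256 value"
  elif [ "$hash" = "$TUTORIAL_HASH" ]; then
    report "GRAYLOG_ROOT_PASSWORD_SHA2: still the hash published in the tutorial"
  else
    for weak in $WEAK_PASSWORDS; do
      [ "$hash" != "$(sha256_of "$weak")" ] ||
        report "GRAYLOG_ROOT_PASSWORD_SHA2: hash of the common password '$weak'"
    done
  fi
  [ "$findings" -eq 0 ]
)

# Audit the file given as argument (default: ./docker-compose.yml) when it exists.
if [ -f "${1:-docker-compose.yml}" ]; then
  audit_graylog_secrets "${1:-docker-compose.yml}"
fi
```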
5. Create Persistent Volumes
Since you want to store logs, you will need an external volume for MongoDB, Elasticsearch, and Graylog. For this step, create the directories first, as shown below:
sudo mkdir /mongo_data
sudo mkdir /es_data
sudo mkdir /graylog_journal
Secondly, set the read, write and execute permissions on each of these directories using the chmod command. Note that mode 777 grants these permissions to every user on the host. Type:
sudo chmod 777 -R /mongo_data
sudo chmod 777 -R /es_data
sudo chmod 777 -R /graylog_journal
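Lastly, set SELinux to permissive mode so that the containers can access these paths. In permissive mode SELinux logs policy violations instead of blocking them, for the whole host, and the sed command makes the setting persist across reboots. For this step, type: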
sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
6. Run the Graylog Server in Docker Containers
Now that all the configurations are complete, let’s run the Docker container. Use the command given below:
docker compose up -d
Wait for the Docker container to pull and run all the required packages.

Next, check the container status using the ps command. For example:
docker ps
If a firewall is blocking access, allow the Graylog web interface port (9000/tcp) through it. For instance, type:
##For Firewalld
sudo firewall-cmd --zone=public --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
##For UFW
sudo ufw allow 9000/tcp
7. Access the Graylog User Interface
Now, access the web interface using the IP address you mentioned in the docker-compose.yml file. Make sure to use the 9000 port. For example:
http://IP_address:9000
Log in with the username admin (Graylog's default root user) and the password whose SHA2 hash you configured in the YAML file; enter the password itself, not the hash.

From the dashboard, create the first input.

Next, choose “Raw/Plain Text” and click the “Launch” button. After that, change the input's name and select “Global” for the location. Set the port number to 1514 in the popup window and leave the other settings unchanged. Next, save the input and send a plain text message to Graylog Server using the command given below:
echo 'First log message' | nc localhost 1514
Alternatively, if you are sending from another server, replace localhost with the Graylog server's IP address:
echo 'First log message' | nc 192.168.205.4 1514
You can also export this message to the dashboard from the Dashboards tab.
Finally, you have run Graylog Server!
You have learned how to set up Graylog Server and run it in Docker Container. In addition, you also learned how to access it using its web UI. Now you can monitor and access logs easily from your machines, applications, and network. We hope the article was useful to you.