How to Run Graylog Server in Docker Containers

As a Linux administrator you will often need a central place to store and search the logs your applications and servers produce: they are how you tell that a system is working and how you find out what went wrong when it is not. This article shows how to run Graylog Server in Docker containers for that purpose.

When several applications and servers generate logs, managing them by hand on each machine becomes impractical. Graylog is a free log management tool that collects logs from many devices across different networks and can analyze both structured and unstructured logs. A Graylog deployment consists of the Graylog server itself, MongoDB (configuration and metadata) and Elasticsearch (message storage and search). The server receives messages through inputs that are fed by agents or applications on the monitored hosts.

Let’s take a look at a step-by-step guide on how to run Graylog Server in Docker containers.

Graylog Server Features

Graylog Server offers the following features:

  • Log collection: Graylog ingests log messages and network traffic through inputs for Syslog, GELF, raw/plaintext TCP and UDP, AWS sources and JSON paths.
  • Log analysis: search, workflows and dashboards for analyzing the collected data.
  • Extracting data: extractors and pipeline rules pull structured fields out of messages, so searches, alerts and dashboards work on fields rather than raw text.
  • Security: Graylog typically holds sensitive and regulated data. In the setup below the web UI is served over plain HTTP on port 9000 and the inputs accept unauthenticated traffic, so restrict network access to the server and plan for TLS in front of it.

Prerequisites

For this tutorial you need a system with root access or sudo privileges, with Docker Engine and the Docker Compose plugin (the docker compose subcommand) installed.

Run Graylog Server in Docker Containers

There are several steps involved in running a Graylog Server in Docker containers successfully. So, let’s get started.

1. Update the System

Before installing anything, bring the installed packages up to date. Use the commands that match the distribution running on your system.

## On Debian/Ubuntu
sudo apt update && sudo apt upgrade

## On RHEL/CentOS/RockyLinux 8
sudo yum -y update

## On Fedora
sudo dnf update

2. Install the Required Packages

Install curl, vim and git, which are handy for the remaining steps (vim for editing the compose file, curl for talking to the Graylog REST API). Use the install subcommand of apt, yum or dnf. For example:

## On Debian/Ubuntu
sudo apt install curl vim git

Use the following commands for different versions of Linux:

## On RHEL/CentOS/RockyLinux 8
sudo yum -y install curl vim git

## On Fedora
sudo dnf -y install curl vim git

3. Check the Docker Version to Run Graylog Server

Since the article requires Docker Engine running on the system, check the docker version using the docker command. For instance:

docker -v

Now add your user to the docker group so that you can run docker without prefixing every command with sudo. This is not a lesser privilege: anyone in the docker group can start a container that mounts the host filesystem, which is equivalent to root on the host, so only add administrator accounts. Use usermod, then refresh your group membership in the current shell:

sudo usermod -aG docker $USER
newgrp docker

Next, verify the Docker Compose version on your system:

docker compose version

Lastly, start the Docker service and enable it so that it starts automatically at boot:

sudo systemctl start docker && sudo systemctl enable docker

4. Provision the Graylog Container

The Graylog application consists of a server, Elasticsearch, and MongoDB. To set it up, we will create a YAML file first. Use your favorite text editor to create a docker-compose.yml file as shown below:

vim docker-compose.yml

Add the following lines to the file:

version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:4.2
    networks:
      - graylog
    # Database files live in the host directory created in step 5
    volumes:
      - /mongo_data:/data/db
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    # Index data lives in the host directory created in step 5
    volumes:
      - /es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2
    # Message journal lives in the host directory created in step 5
    volumes:
      - /graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # CHANGE ME: hex SHA-256 of the admin password you choose (see below)
      - GRAYLOG_ROOT_PASSWORD_SHA2=e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592
      # The URL browsers use to reach this server
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.205.4:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    networks:
      - graylog
    # The "mongo" alias matters: Graylog's default MongoDB URI is mongodb://mongo/graylog
    links:
      - mongodb:mongo
      - elasticsearch
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    # Mappings without a host address publish the port on every host interface
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
networks:
  graylog:
    driver: bridge

Make sure to replace the following values in the file:

  • GRAYLOG_PASSWORD_SECRET: a random string of at least 16 characters (Graylog's own documentation uses 96). It is a pepper for the credentials Graylog stores, not a login password, so generate it from a random source rather than typing one, and keep the compose file out of version control once it is set.
  • GRAYLOG_ROOT_PASSWORD_SHA2: the hex SHA-256 of the admin password you choose. Compute it with the command below, which reads the password from the terminal so that it does not end up in your shell history:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
  • GRAYLOG_HTTP_EXTERNAL_URI: the URL at which browsers reach the web interface, that is, your server's IP address or DNS name on port 9000. http://localhost:9000/ only works if you browse from the Docker host itself.
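Two of these values are derived rather than typed in, and both placeholders are easy to leave in by mistake. The following Python script, added here as an example and not part of the article or of Graylog's own tooling, computes both values and then audits a compose file for settings that must not reach production: the placeholder pepper, a published example hash (the article's placeholder, or SHA-256 of "admin" as used in Graylog's documentation), a plain-HTTP external URI, and port mappings that bind to every host interface. The sample compose text is constructed from the file above.

```python
"""Derive GRAYLOG_ROOT_PASSWORD_SHA2 / GRAYLOG_PASSWORD_SECRET and audit a
docker-compose.yml for Graylog settings that must not ship unchanged.
Added example for this article; not code from the article or from Graylog."""
import hashlib
import re
import secrets
import string

# Placeholder values copied from the compose file above.
PLACEHOLDER_SECRET = "somepasswordpepper"
PLACEHOLDER_ROOT_SHA2 = "e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592"
# SHA-256 of "admin": the example hash used in Graylog's documentation.
DOCS_EXAMPLE_ROOT_SHA2 = "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"

# Constructed sample: the relevant lines of the compose file above, unchanged.
SAMPLE_COMPOSE = """\
    environment:
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      - GRAYLOG_ROOT_PASSWORD_SHA2=e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.205.4:9000/
    ports:
      - 9000:9000
      - 1514:1514
      - 1514:1514/udp
      - 12201:12201
      - 12201:12201/udp
"""


def root_password_sha2(password):
    """GRAYLOG_ROOT_PASSWORD_SHA2 is the lowercase hex SHA-256 of the plaintext
    admin password; same result as: echo -n "$pw" | sha256sum | cut -d" " -f1"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_password_secret(length=96):
    """GRAYLOG_PASSWORD_SECRET peppers the credentials Graylog stores (it is not
    a login password). Graylog requires at least 16 characters; draw them from
    the OS CSPRNG so the value is not guessable."""
    if length < 16:
        raise ValueError("Graylog rejects password secrets shorter than 16 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_env(admin_password, password_secret, external_uri):
    """Render the three environment lines for the graylog service."""
    return "\n".join([
        "      - GRAYLOG_PASSWORD_SECRET=" + password_secret,
        "      - GRAYLOG_ROOT_PASSWORD_SHA2=" + root_password_sha2(admin_password),
        "      - GRAYLOG_HTTP_EXTERNAL_URI=" + external_uri,
    ])


def audit_compose(text):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    m = re.search(r"GRAYLOG_PASSWORD_SECRET=(\S+)", text)
    if m is None:
        findings.append("GRAYLOG_PASSWORD_SECRET is not set")
    else:
        if m.group(1) == PLACEHOLDER_SECRET:
            findings.append("GRAYLOG_PASSWORD_SECRET still has the placeholder value")
        if len(m.group(1)) < 16:
            findings.append("GRAYLOG_PASSWORD_SECRET is shorter than 16 characters")
    m = re.search(r"GRAYLOG_ROOT_PASSWORD_SHA2=(\S+)", text)
    if m is None:
        findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is not set")
    else:
        if m.group(1) in (PLACEHOLDER_ROOT_SHA2, DOCS_EXAMPLE_ROOT_SHA2):
            findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is a published example hash")
        if not re.fullmatch(r"[0-9a-f]{64}", m.group(1)):
            findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is not a 64-digit hex SHA-256")
    m = re.search(r"GRAYLOG_HTTP_EXTERNAL_URI=(\S+)", text)
    if m and m.group(1).startswith("http://"):
        findings.append("web UI is served over plain HTTP; terminate TLS in front of port 9000")
    # A mapping like "9000:9000" has no host address, so Docker binds 0.0.0.0.
    for mapping in re.findall(r'^\s*-\s*"?(\d+:\d+(?:/udp)?)"?\s*$', text, re.M):
        findings.append("port mapping %s listens on every host interface" % mapping)
    return findings


if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print("FINDING:", finding)
    print(render_env("correct horse battery staple", new_password_secret(),
                     "https://graylog.example.com/"))
```

Run it once against your edited docker-compose.yml before docker compose up; the port findings are informational for a lab, but the two credential findings must be empty.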

5. Create Persistent Volumes

The compose file bind-mounts three host directories so that the MongoDB database, the Elasticsearch indices and the Graylog message journal survive container restarts and upgrades. Create them first:

sudo mkdir -p /mongo_data /es_data /graylog_journal

None of the three containers runs as root, so each directory must be writable by the user its container runs as. The images in the compose file use these UIDs by default: mongo 999, Elasticsearch 1000 (with group 0), Graylog 1100. Hand each directory to its container's user instead of making it world-writable; chmod 777 would let every local account read or tamper with the log store and the journal:

sudo chown -R 999:999 /mongo_data
sudo chown -R 1000:0 /es_data
sudo chown -R 1100:1100 /graylog_journal

On SELinux hosts (RHEL, CentOS, Rocky Linux, Fedora) the containers will additionally be denied access until the directories carry a container-accessible label. Label them rather than switching SELinux to permissive mode, which would weaken the whole host to fix a three-directory problem:

sudo chcon -Rt container_file_t /mongo_data /es_data /graylog_journal

chcon labels are lost on a full filesystem relabel; for a permanent rule use semanage fcontext followed by restorecon.

6. Run the Graylog Server in Docker Containers

Now that all the configurations are complete, let’s run the Docker container. Use the command given below: 

docker compose up -d

Docker pulls the three images and starts the containers. The first start takes a minute or two while Elasticsearch comes up and Graylog waits for it (the wait-for-it entrypoint in the compose file).

Next, check that all three containers are up:

docker ps

If the web interface is unreachable from another host, open port 9000 in the host firewall, and later only the input ports you actually use (for example 1514). Allow this only for the networks that need access: the UI is plain HTTP and the inputs accept unauthenticated traffic.

##For Firewalld
sudo firewall-cmd --zone=public --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
##For UFW
sudo ufw allow 9000/tcp

7. Access the Graylog User Interface

Now, access the web interface using the IP address you mentioned in the docker-compose.yml file. Make sure to use the 9000 port. For example:

http://IP_address:9000

Log in as admin with the plaintext password whose SHA-256 you put in GRAYLOG_ROOT_PASSWORD_SHA2 (not the hash itself).


From the web interface, go to System > Inputs and create the first input.

Choose “Raw/Plaintext TCP” as the input type and click “Launch new input”. Tick “Global”, give the input a title, set the port to 1514 and leave the other fields at their defaults, then click “Save”. The input listens on all interfaces inside the container and the compose file publishes 1514 on every host interface, so anything that can reach the host can write into this input without authentication; keep it behind the firewall. Send a plain text message from the Docker host:

echo 'First log message' | nc localhost 1514

From another machine, replace localhost with the server's IP address:

echo 'First log message' | nc 192.168.205.4 1514

Some netcat builds keep the connection open after sending and appear to hang: OpenBSD nc takes -N to close the socket after EOF on stdin, traditional netcat takes -q 0.

The message then appears in the search view, attributed to the input you created.

You can also export this message to the dashboard from the Dashboards tab. 
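The nc command above feeds the raw input one free-text line at a time. Structured events are better sent as GELF, which the compose file already publishes on port 12201 and which carries typed fields instead of text that extractors must parse later. The following Python script is an added example that goes beyond the raw-input step and is not part of the article or of Graylog's code: it builds GELF 1.1 messages, frames them for the GELF TCP input (one JSON document per message, terminated by a NUL byte, which is why a GELF TCP message may not contain one) and sends them over a single connection. The server address is taken from the compose file and the sample events are constructed; to use it, create a “GELF TCP” input on port 12201 the same way as the raw input.

```python
"""Send structured events to the Graylog GELF TCP input (port 12201 in the
compose file). Added example; not code from the article or from Graylog.
The target address is an assumption taken from the compose file's
GRAYLOG_HTTP_EXTERNAL_URI."""
import json
import socket
import time

GELF_HOST = "192.168.205.4"    # assumed: the server IP used in the compose file
GELF_TCP_PORT = 12201          # the "GELF TCP" mapping in the compose file
RESERVED_ADDITIONAL = {"_id"}  # Graylog reserves _id; clients must not send it


def build_gelf(short_message, host, level=6, full_message=None, **extra):
    """Build a GELF 1.1 payload. version, host and short_message are required;
    level uses syslog severities (6 = informational, 4 = warning, 3 = error);
    every additional field is prefixed with '_' so Graylog stores it as a field."""
    if not short_message:
        raise ValueError("short_message is required")
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,
    }
    if full_message:
        msg["full_message"] = full_message
    for key, value in extra.items():
        name = key if key.startswith("_") else "_" + key
        if name in RESERVED_ADDITIONAL:
            raise ValueError(name + " is reserved by Graylog")
        msg[name] = value
    return msg


def frame_gelf_tcp(payload):
    """GELF over TCP carries one JSON document per message, delimited by a NUL
    byte. Compact JSON escapes control characters, so no raw newline or NUL can
    appear inside the document; the check below is a guard against other encoders."""
    data = json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    if b"\x00" in data:
        raise ValueError("payload contains a NUL byte, which is the GELF TCP delimiter")
    return data + b"\x00"


def parse_gelf_tcp_stream(data):
    """Inverse of frame_gelf_tcp, for debugging captured traffic: split a byte
    stream on NUL delimiters and decode each GELF document."""
    return [json.loads(chunk.decode("utf-8")) for chunk in data.split(b"\x00") if chunk]


def send_gelf_tcp(payloads, host=GELF_HOST, port=GELF_TCP_PORT, timeout=5.0):
    """Send all payloads over one TCP connection and return the number sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for payload in payloads:
            sock.sendall(frame_gelf_tcp(payload))
    return len(payloads)


# Constructed sample events, in the shape a host-based agent might report.
SAMPLE_EVENTS = [
    build_gelf("Failed password for root from 203.0.113.7 port 51234 ssh2",
               host="web-01", level=4, facility="sshd", src_ip="203.0.113.7", user="root"),
    build_gelf("Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2",
               host="web-01", level=6, facility="sshd", src_ip="198.51.100.9", user="deploy"),
]

if __name__ == "__main__":
    sent = send_gelf_tcp(SAMPLE_EVENTS)
    print("sent", sent, "GELF events to", GELF_HOST, GELF_TCP_PORT)
```

In Graylog the two events arrive with searchable fields such as src_ip and user, so a query like user:root AND level:4 works without writing an extractor. Like the raw input, the GELF input is unauthenticated; anyone who can reach port 12201 can inject events with any host value, so treat the source field as untrusted and keep the port firewalled.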

Finally, you have run Graylog Server!

You have learned how to set up Graylog Server, run it in Docker containers and access it through its web UI. You can now collect and search logs from your machines, applications and network from one place. We hope the article was useful to you.
