Docker

How to run Graylog server in docker containers

Graylog enables IT admins to manage and analyze log data from multiple sources.

The easiest way to get started with Graylog and test its features is to use Docker images.

Assuming that Docker is already installed and configured on a Linux system, create a docker-compose.yml file:

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:6.0
    networks:
      - graylog
    # DB in share for persistence
    volumes:
      - ./var/lib/mongodb:/data/db
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    # data folder in share for persistence
    volumes:
      - ./var/lib/elasticsearch:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:5.1
    # journal and config directories in local NFS share for persistence
    volumes:
      - ./var/lib/graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.205.4:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    networks:
      - graylog
    links:
      - mongodb:mongo
      - elasticsearch
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
networks:
  graylog:
    driver: bridge

Make sure to replace the following variables in the file:

  • GRAYLOG_PASSWORD_SECRET with your own secret string (at least 16 characters, as the CHANGE ME comment in the file notes).
  • GRAYLOG_ROOT_PASSWORD_SHA2 with the SHA-256 hash of the admin password you want to use. Generate that hash with the command given below (the -n and the tr -d '\n' keep a trailing newline out of the hashed input):
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
  • GRAYLOG_HTTP_EXTERNAL_URI with the IP address of your server. Alternatively, you can use localhost.

Since you want the stored logs to persist, each of MongoDB, Elasticsearch, and Graylog needs a bind-mounted directory on the host (the ./var/lib/... paths in the volumes sections above). For this step, create the directories first, as shown below (-p also creates the var/lib parent path):

mkdir -p var/lib/mongodb
mkdir -p var/lib/elasticsearch
mkdir -p var/lib/graylog_journal

Secondly, set the read, write, and execute permissions on each directory using the chmod command. Type:

chmod 777 -R var/lib/mongodb
chmod 777 -R var/lib/elasticsearch
chmod 777 -R var/lib/graylog_journal

Now that the configuration is complete, start the containers with the command given below:

docker compose up -d
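The three manual steps above (filling in the GRAYLOG_* variables, creating the bind-mount directories, and setting their permissions) collected into one POSIX shell script. This is an added example, not code from the tutorial or from the Graylog project: the function names (graylog_sha2, graylog_gen_secret, graylog_check_secret, graylog_env_lines, graylog_prepare_dirs) are my own, it assumes GNU coreutils (sha256sum, tr, head) and a readable /dev/urandom, and it goes one step beyond the text by drawing GRAYLOG_PASSWORD_SECRET from /dev/urandom instead of reusing a typed password.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Graylog project): helpers for
# filling in the GRAYLOG_* variables, creating the bind-mount directories and
# setting their permissions. Assumes GNU coreutils and /dev/urandom.
set -e

# SHA-256 hex digest of a password, the value GRAYLOG_ROOT_PASSWORD_SHA2 expects.
# printf '%s' avoids the trailing newline that a bare `echo` would hash as well.
graylog_sha2() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random alphanumeric secret for GRAYLOG_PASSWORD_SECRET (default 32 characters).
# Generating it from /dev/urandom rather than typing one is this example's choice.
graylog_gen_secret() {
  n="${1:-32}"
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$n"
  echo
}

# The password secret must be at least 16 characters long (see the CHANGE ME
# comment in docker-compose.yml). Returns non-zero if it is shorter.
graylog_check_secret() {
  [ "${#1}" -ge 16 ]
}

# Print the three environment lines, indented and ready to paste into the
# graylog service. Arguments: secret, admin password, external URI (defaults
# to localhost, as the tutorial allows).
graylog_env_lines() {
  secret="$1"
  password="$2"
  uri="${3:-http://127.0.0.1:9000/}"
  graylog_check_secret "$secret" || { echo "password secret must be at least 16 characters" >&2; return 1; }
  printf '      - GRAYLOG_PASSWORD_SECRET=%s\n' "$secret"
  printf '      - GRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$(graylog_sha2 "$password")"
  printf '      - GRAYLOG_HTTP_EXTERNAL_URI=%s\n' "$uri"
}

# Create the bind-mount directories under $1 (default: current directory) and
# open them up with chmod 777, exactly as the tutorial does. mkdir -p makes the
# call idempotent and also creates the intermediate var/lib path.
graylog_prepare_dirs() {
  base="${1:-.}"
  for d in mongodb elasticsearch graylog_journal; do
    mkdir -p "$base/var/lib/$d"
    chmod -R 777 "$base/var/lib/$d"
  done
}

# Usage: sh graylog_prep.sh prepare [admin-password] [external-uri]
if [ "${1:-}" = "prepare" ]; then
  graylog_prepare_dirs .
  graylog_env_lines "$(graylog_gen_secret 32)" "${2:-admin}" "${3:-http://127.0.0.1:9000/}"
  echo "Paste the lines above into docker-compose.yml, then run: docker compose up -d" >&2
fi
```

Running `sh graylog_prep.sh prepare 'MyAdminPassword' http://192.168.205.4:9000/` creates the three directories and prints the env lines to paste over the placeholders in the graylog service. The chmod 777 step mirrors the tutorial; on a host shared with other users, chown'ing each directory to the UID its container image runs as keeps the same containers working with tighter permissions.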

Now, access the web interface at the IP address you set in GRAYLOG_HTTP_EXTERNAL_URI in the docker-compose.yml file, on port 9000. For example:

http://127.0.0.1:9000