Quick guide for setting up latest Graylog2 docker from Docker Hub


dnoyeb

One of the guys at work and I went through the process of getting this working and figured we'd share, since there isn't an Unraid Community Apps setup done for this...

First up, make sure you turn on the Docker Hub search feature in Community Apps...

You'll install three separate dockers, all outlined below...


MongoDB Docker setup
Add MongoDB from Community Apps
Change name for MongoDB docker to some-mongo

Elasticsearch Docker setup
Add Elasticsearch (official) from Docker Hub
Change Repository for Elastic to: elasticsearch:2 elasticsearch -Des.cluster.name="graylog"
Change name for Elasticsearch docker to some-elasticsearch
Set path /mnt/user/appdata/graylog/data/elasticsearch for /usr/share/elasticsearch/data

Graylog2 Docker setup
Install graylog2 from Docker Hub (graylog2/server)
Put these in Extra Parameters: --link some-mongo:mongo --link some-elasticsearch:elasticsearch
Create a variable with key GRAYLOG_WEB_ENDPOINT_URI and value http://127.0.0.1:9000/api
Add TCP port 9000
Add UDP port 514
Add UDP port 12201
Set path /mnt/user/appdata/graylog/data/journal for /usr/share/graylog/data/journal
Set path /mnt/user/appdata/graylog/config for /usr/share/graylog/data/config
On the Unraid box, cd into your /mnt/user/appdata/graylog/config folder and run the following two commands:
wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/log4j2.xml

Anyway, after doing that you'll have the three dockers all communicating with each other... You have to set up an input in Graylog (I use Syslog UDP 514) and point your various servers at it...

Going to play more with getting all the other dockers to dump their syslogs into that setup next, and will update the post once I do.

 

Edited by dnoyeb

So adding the following to "Extra Parameters" on each docker will allow you to offload the syslog to the IP and port specified. Make sure you change the value of tag to something notable so you can sort in Graylog, and your IP of course.

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.55:514

If you are using TCP on your input you can use:

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=tcp://192.168.1.55:514
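To see what actually arrives on the Syslog UDP 514 input from the first post, and what the --log-driver=syslog lines above make Docker send, here is an added Python example (mine, not from the thread, Docker or Graylog). With no syslog-format option set, Docker's syslog driver sends the local UNIX-style format: a PRI, a timestamp, the tag, a PID and the message, but no hostname; --log-opt syslog-format=rfc3164 adds the hostname. Docker logs a container's stdout at daemon.info (PRI 30) and stderr at daemon.err (PRI 27). The encoder reproduces that shape, the decoder handles both variants (the tag is the field you sort on in Graylog), and the two senders push a line at an input over UDP or newline-framed TCP. Host 192.168.1.55, port 514 and the tag "radarr" come from the post above; the sample lines, PIDs and timestamps are constructed.

```python
"""Encode/decode syslog lines in the shape Docker's syslog log driver emits,
and push a test line at a Graylog Syslog input. Added example, not thread code."""
import re
import socket
from datetime import datetime

# RFC 3164 facilities and severities; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEAD = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)
_TAG = re.compile(r"^([^\s\[:]+)(?:\[(\d+)\])?:(?: |$)(.*)$", re.S)


def build_syslog_line(message, tag, facility="daemon", severity="info",
                      hostname=None, pid=1, when=None):
    """Docker default (no hostname):      <PRI>Mmm dd HH:MM:SS TAG[PID]: MSG
    syslog-format=rfc3164 (hostname set): <PRI>Mmm dd HH:MM:SS HOST TAG[PID]: MSG"""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    when = when or datetime.now()
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    head = "<%d>%s" % (pri, stamp)
    if hostname:
        head += " " + hostname
    # One line per message: a newline inside the message would be read as a second message.
    return "%s %s[%d]: %s" % (head, tag, pid, message.replace("\n", " "))


def parse_syslog_line(line):
    """Return the fields a syslog input would extract; ValueError on malformed input."""
    m = _HEAD.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    rest = m.group(3)
    hostname = None
    # A hostname token never ends in ':' or carries '[pid]'; a tag token does, so the
    # first token tells us whether the sender included a hostname.
    first, _, after = rest.partition(" ")
    if after and not _TAG.match(first):
        hostname, rest = first, after
    t = _TAG.match(rest)
    if not t:
        raise ValueError("no TAG[PID]: field in %r" % rest)
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group(2),
        "hostname": hostname,
        "tag": t.group(1),
        "pid": int(t.group(2)) if t.group(2) else None,
        "message": t.group(3),
    }


def send_udp(line, host="192.168.1.55", port=514):
    """One datagram per message, which is what the Syslog UDP input expects."""
    data = line.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))
    return len(data)


def send_tcp(line, host="192.168.1.55", port=514):
    """Newline-terminated, the default framing of Graylog's Syslog TCP input."""
    data = line.encode("utf-8") + b"\n"
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
    return len(data)


# Constructed samples: one in Docker's default shape, one in rfc3164 shape with a hostname.
SAMPLE_DEFAULT = build_syslog_line("Radarr started", tag="radarr", pid=4321,
                                   when=datetime(2017, 2, 28, 12, 14, 5))
SAMPLE_RFC3164 = "<27>Jan  2 15:04:05 tower radarr[77]: database is locked"

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_RFC3164):
        print(sample, "->", parse_syslog_line(sample))
    # send_udp(SAMPLE_DEFAULT)   # uncomment with a Syslog UDP input listening on 514
```

If messages show up in Graylog with the wrong source, it is usually the missing hostname in the default format; adding --log-opt syslog-format=rfc3164 to the container's Extra Parameters, or enabling "Allow overriding source" on the input, puts the host you expect in the source field.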
On 2/28/2017 at 12:14 PM, LEXmono said:

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.55:514

I tried doing this once I had my syslog server up, and it seemed to cause all of my dockers to become orphaned after they were automatically updated and restarted. I pulled this string out of the Extra Parameters field and they started up again.

@drsparks68, how did you get graylog working? I get to the graylog front end page and get the following:

We are experiencing problems connecting to the Graylog server running on http://127.0.0.1:9000/api. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.

Do you need a hand? We can help you.
Less details
This is the last response we received from the server:

Error message
Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
Original Request
GET http://127.0.0.1:9000/api/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated
Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

In the logs, it appears everything is connecting up.


This looks like something fun to play with. Thanks for taking the time to make the write-up. For me this begged the question (I looked on the webgui, but not the forums yet): "is there a way to fork the unRAID log to an optional syslog server?" Secondary question: is there necessarily a reason for this? I.e., would such log data (unRAID host) be useful? Log data is always useful. ;)

Edited by Jcloud
19 hours ago, Jcloud said:

"is there a way to fork the unRAID log to an optional syslog server?"

I too agree it would be nice to fork (not completely redirect) the unRAID log to a secondary log server... Haven't ever seen a way to do that though.

Hi,

I cannot login. Changed passwords and added them to the graylog.conf file. Any clues as to why? Is the password (which is more than 16 chars) the issue? Pics show containers off atm.

Thanks

Got it working by changing the password. Modifying timezone. Going to reinstall again to confirm install.

Edited by flamegrilled
8 hours ago, flamegrilled said:

I cannot login. Changed passwords and added them to the graylog.conf file. Any clues as to why? Is the password (which is more than 16 chars) the issue?

I finally got this set up during lockdown. If this is your first run, you have to log in as root, whose password needs to be encrypted in sha2 format in your conf file. Then after that you can use your admin password going forward.
17 hours ago, ppunraid said:

If this is your first run, you have to log in as root, whose password needs to be encrypted in sha2 format in your conf file.

Thank you. That's it. Added the sha2 formatted password to the docker config and it worked.
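For the root login problem in the last few posts, here is an added Python example (mine, not from the thread or from Graylog) that produces the two values Graylog's config wants, under the names the graylog.conf from the first post and the GRAYLOG_* container variables use. root_password_sha2 is the hex SHA-256 of the plaintext root password, the same thing `echo -n yourpassword | sha256sum` prints. password_secret is a separate random string Graylog uses to encrypt stored credentials; it is that value, not the root password, that has the 16-character minimum, and Graylog refuses to start with a shorter one. The password "admin" appears only so the digest can be checked against a known value; the external URI is a placeholder.

```python
"""Produce root_password_sha2 and password_secret for graylog.conf or the
GRAYLOG_* container environment. Added example, not thread code."""
import hashlib
import re
import secrets
import string

_SECRET_ALPHABET = string.ascii_letters + string.digits
_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def root_password_sha2(password):
    """Hex SHA-256 of the plaintext root ('admin') password.
    Equivalent to: echo -n "<password>" | sha256sum"""
    if not password:
        raise ValueError("root password must not be empty")
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_secret(length=96):
    """Random secret used to encrypt credentials Graylog stores; Graylog rejects
    values shorter than 16 characters, and every node in a cluster needs the same one."""
    if length < 16:
        raise ValueError("password_secret must be at least 16 characters")
    return "".join(secrets.choice(_SECRET_ALPHABET) for _ in range(length))


def is_valid_root_hash(value):
    """Catches the common mistake of pasting the plaintext or an uppercase digest."""
    return bool(_SHA256_HEX.match(value))


def is_valid_secret(value):
    return len(value) >= 16 and " " not in value


def graylog_env(root_password, secret, external_uri):
    """Environment variables for the graylog container (compose or Unraid variables)."""
    if not is_valid_secret(secret):
        raise ValueError("bad password_secret")
    return {
        "GRAYLOG_PASSWORD_SECRET": secret,
        "GRAYLOG_ROOT_PASSWORD_SHA2": root_password_sha2(root_password),
        # The browser must be able to reach this address, not just the container.
        "GRAYLOG_HTTP_EXTERNAL_URI": external_uri,
    }


def graylog_conf_lines(root_password, secret):
    """The same two settings as key = value lines for a file-based graylog.conf."""
    env = graylog_env(root_password, secret, "http://127.0.0.1:9000/")
    return [
        "password_secret = " + env["GRAYLOG_PASSWORD_SECRET"],
        "root_password_sha2 = " + env["GRAYLOG_ROOT_PASSWORD_SHA2"],
    ]


if __name__ == "__main__":
    generated = password_secret()
    for line in graylog_conf_lines("admin", generated):
        print(line)
```

Keep the generated password_secret somewhere safe: changing it later invalidates every credential Graylog has encrypted with it (LDAP bind passwords, alert notification secrets and so on).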

I'm running Unraid 6.9.2 and tried the extra parameters, but nothing is landing in Graylog.

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.17:5442
My Graylog server is running as a docker on ip 192.168.1.17.
When I do the same from docker on my MacBook, the logs are landing in Graylog.
I also tried the GELF log-driver, but the same problem within UnRaid, but from MacBook it works.

 

Does anybody have a solution for this?


I have this stack running; here is my docker compose file and some hints for reference.

Things I had to do: create the directories first, and ensure the graylog journal is on an exclusive access share, otherwise the graylog container will lock up occasionally and require a restart.

Add

--log-driver=syslog --log-opt tag="add the container name here" --log-opt syslog-address=tcp://serveriphere:5140

to the Extra Parameters field in each container you want to monitor. I also believe this stack needs to start first, otherwise the monitored containers will not start until the stack is up. There may be a way to solve this but I don't really have time to dig into it at the moment.

I also implemented nxlog for Windows using this guide


version: "3.8"

services:
  mongodb:
    image: "mongo:5.0"
    volumes:
      - "/mnt/user/graylog/mongodb_data:/data/db"
    restart: "on-failure"

  elasticsearch:
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
      bootstrap.memory_lock: "true"
      discovery.type: "single-node"
      http.host: "0.0.0.0"
      action.auto_create_index: "false"
    image: "docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2"
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile: 65535   # added to get rid of the Elasticsearch file-limit warning
    volumes:
       - "/mnt/user/graylog/es_data:/usr/share/elasticsearch/data"
    restart: "on-failure"

  graylog:
    image: "graylog/graylog:4.2"
    depends_on:
      elasticsearch:
        condition: "service_started"
      mongodb:
        condition: "service_started"
    entrypoint: "/usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_TIMEZONE: "Europe/Stockholm"
      TZ: "Europe/Stockholm"
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      GRAYLOG_PASSWORD_SECRET: "putyourpasswordhere"
      GRAYLOG_ROOT_PASSWORD_SHA2: "youneedtogeneratethis"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://elasticsearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"

    ports:
    - "5044:5044/tcp"   # Beats
    - "5140:5140/udp"   # Syslog
    - "5140:5140/tcp"   # Syslog
    - "5555:5555/tcp"   # RAW TCP
    - "5555:5555/udp"   # RAW TCP
    - "9000:9000/tcp"   # Server API
    - "12201:12201/tcp" # GELF TCP
    - "12201:12201/udp" # GELF UDP
    - "10000:10000/tcp" # Custom TCP port
    - "10000:10000/udp" # Custom UDP port
    - "13301:13301/tcp" # Forwarder data
    - "13302:13302/tcp" # Forwarder config
    volumes:
      - "/mnt/user/appdata/graylog/graylog_data:/usr/share/graylog/data/data"
      - "/mnt/user/appdata/graylog/graylog_journal:/usr/share/graylog/data/journal"    #my appdata is set as an exclusive share so this works for me
    restart: "on-failure"
volumes:
  mongodb_data:
  es_data:
  graylog_data:
  graylog_journal:

Edited by lostit
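Two things lostit's post touches, as an added Python example (mine, not the thread's, Docker's or Graylog's): building the Extra Parameters string for each container instead of hand-editing it, and checking that the stack is listening before the dependent containers start. With a tcp:// syslog-address Docker connects to the syslog server when the container starts and refuses to start the container if that connection fails, which is the behaviour described above; udp:// has no such check, so those containers start either way. /api/system/lbstatus is Graylog's unauthenticated load-balancer probe and answers ALIVE once the node is serving. The server address 192.168.1.17 and the ports 5140 and 9000 come from the thread and the compose file; ephemeral_listener is only a local stand-in so the check can be exercised without a server.

```python
"""Build the Unraid Extra Parameters string and wait for the Graylog stack's
listeners before starting containers that log to it. Added example, not thread code."""
import re
import socket
import time
from urllib.error import URLError
from urllib.request import urlopen

# Host-published ports from the compose file; mongodb and elasticsearch are only
# reachable inside the compose network, so the host-side check is graylog itself.
GRAYLOG_SERVER = "192.168.1.17"
GRAYLOG_PORTS = {"api": 9000, "syslog": 5140, "gelf": 12201}
_TAG_OK = re.compile(r"^[A-Za-z0-9_.-]+$")


def extra_parameters(tag, server=GRAYLOG_SERVER, port=GRAYLOG_PORTS["syslog"],
                     proto="tcp", syslog_format=None):
    """--log-driver=syslog string for a container's Extra Parameters field."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not _TAG_OK.match(tag):
        raise ValueError("tag must be a plain token: %r" % tag)
    parts = ["--log-driver=syslog",
             '--log-opt tag="%s"' % tag,
             "--log-opt syslog-address=%s://%s:%d" % (proto, server, port)]
    if syslog_format:   # e.g. "rfc3164" to include the hostname in each line
        parts.append("--log-opt syslog-format=%s" % syslog_format)
    return " ".join(parts)


def port_open(host, port, timeout=1.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(host, port, timeout=60.0, interval=1.0):
    """Poll until the TCP port accepts connections; False if it never does."""
    deadline = time.monotonic() + timeout
    while True:
        if port_open(host, port):
            return True
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


def graylog_alive(base_url, timeout=3.0):
    """GET /api/system/lbstatus: plain-text ALIVE once the node is serving."""
    url = base_url.rstrip("/") + "/api/system/lbstatus"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip() == "ALIVE"
    except (URLError, OSError):
        return False


def stack_ready(server=GRAYLOG_SERVER, timeout=60.0):
    """True once the syslog input port (the input must exist in Graylog) and the
    API both answer; only then start the containers that use tcp:// logging."""
    if not wait_for_port(server, GRAYLOG_PORTS["syslog"], timeout=timeout):
        return False
    return graylog_alive("http://%s:%d/" % (server, GRAYLOG_PORTS["api"]), timeout=timeout)


def ephemeral_listener(host="127.0.0.1"):
    """Local stand-in for a syslog TCP input, so the check can be tried offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    for name in ("radarr", "sonarr"):
        print(extra_parameters(name))
    print("stack ready:", stack_ready(timeout=5))
```

On Unraid the practical use is a User Scripts entry that runs stack_ready before `docker start` of the monitored containers, or simply ordering the Graylog stack first on the Docker tab with a long enough start-up wait.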