Official Graylog Docker image – maintained by Graylog, Inc.
Graylog Dockerfile

What is Graylog?

Graylog is a centralized logging solution that allows the user to aggregate and search through logs. It provides a powerful query language, a processing pipeline for data transformation, alerting abilities and much more. It is fully extensible through a REST API. Add-Ons can be downloaded from the Graylog Marketplace.

Architecture

Take a look at the minimal Graylog architecture to get the big picture of a Graylog setup. In essence, Graylog needs to talk to MongoDB to store configuration data as well as Elasticsearch to store the actual log data.

How to use this image

Start the MongoDB container

$ docker run --name some-mongo -d mongo:2

Start Elasticsearch

$ docker run --name some-elasticsearch -d elasticsearch:2 elasticsearch -Des.cluster.name="graylog"

Run Graylog server and link with the other two

$ docker run --link some-mongo:mongo --link some-elasticsearch:elasticsearch -p 9000:9000 -e GRAYLOG_WEB_ENDPOINT_URI="http://127.0.0.1:9000/api" -d graylog2/server

Settings

Graylog comes with a default configuration that works out of the box, but you have to set a password for the admin user. The web interface also needs to know how to connect from your browser to the Graylog API. Both can be done via environment variables.

  -e GRAYLOG_PASSWORD_SECRET=somepasswordpepper
  -e GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
  -e GRAYLOG_WEB_ENDPOINT_URI="http://127.0.0.1:9000/api"

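With these example values you can log in to Graylog with the user and password admin, because the hash above is the SHA-256 of admin. Replace both the hash and GRAYLOG_PASSWORD_SECRET with your own values for any real deployment. Generate the hash for your own password with this command: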

  $ echo -n yourpassword | shasum -a 256

This all can be put in a docker-compose file, like:

version: '2'
services:
  some-mongo:
    image: "mongo:3"
  some-elasticsearch:
    image: "elasticsearch:2"
    command: "elasticsearch -Des.cluster.name='graylog'"
  graylog:
    image: graylog2/server:2.1.1-1
    environment:
      GRAYLOG_PASSWORD_SECRET: somepasswordpepper
      GRAYLOG_ROOT_PASSWORD_SHA2: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      GRAYLOG_WEB_ENDPOINT_URI: http://127.0.0.1:9000/api
    links:
      - some-mongo:mongo
      - some-elasticsearch:elasticsearch
    ports:
      - "9000:9000"

After starting the three containers with docker-compose up, open your browser at http://127.0.0.1:9000 and log in with admin:admin.
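
The example hash and pepper in the settings above are public, so a deployment that keeps them accepts admin:admin. The following script is an added example, not part of the Graylog image or its documentation: it hashes a password read from stdin, generates a random value for GRAYLOG_PASSWORD_SECRET, and flags a compose or env file that still carries the README's example values. The function names and the 96-character secret length are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example; not part of the Graylog image or its documentation.
# Function names are hypothetical; the two constants are copied from the README.
README_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
README_PEPPER=somepasswordpepper

# SHA-256 hex digest of stdin, using whichever of sha256sum/shasum is installed.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
    cut -d' ' -f1
}

# Hash the first line of stdin. Unlike `echo -n yourpassword | shasum -a 256`,
# the password never appears in shell history or a process argument list.
root_password_sha2() {
  IFS= read -r _pw || true          # read strips the trailing newline, if any
  printf '%s' "$_pw" | sha256_hex   # printf is a shell builtin: no argv exposure
}

# Fresh value for GRAYLOG_PASSWORD_SECRET: 48 random bytes as 96 hex characters
# (the length is this example's choice).
new_password_secret() {
  od -An -N48 -tx1 /dev/urandom | tr -d ' \n'
}

# Report README example credentials left in a compose or env file ($1).
# Returns 1 if any is present, so a deploy script can stop on it.
audit_graylog_env() {
  _found=0
  if grep -Eq "GRAYLOG_ROOT_PASSWORD_SHA2[=:] *[\"']?$README_SHA2" "$1"; then
    echo "root password hash is the README example (password: admin)"; _found=1
  fi
  if grep -Eq "GRAYLOG_PASSWORD_SECRET[=:] *[\"']?$README_PEPPER" "$1"; then
    echo "password secret is the README example pepper"; _found=1
  fi
  return "$_found"
}

# Constructed sample input: the environment block exactly as published above.
sample=$(mktemp)
printf '%s\n' "      GRAYLOG_PASSWORD_SECRET: $README_PEPPER" \
  "      GRAYLOG_ROOT_PASSWORD_SHA2: $README_SHA2" > "$sample"
audit_graylog_env "$sample" || echo "replace the example credentials before deploying"
echo "GRAYLOG_PASSWORD_SECRET=$(new_password_secret)"
```

To hash a password typed at a terminal without echoing it, run `stty -echo` before calling `root_password_sha2` and `stty echo` afterwards.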

Persist log data

In order to make the log data and configuration of Graylog persistent, you can use external volumes to store all data. In case of a container restart simply re-use the existing data from the former instances.

If you need to customize the configuration files for Graylog (such as the Log4j 2 configuration), you can download the vanilla files from GitHub and put them into a dedicated Docker volume.

Create the configuration directory and copy the default files:

mkdir -p /graylog/config
cd /graylog/config
wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/log4j2.xml

The docker-compose.yml file looks like this:

version: '2'
services:
  some-mongo:
    image: "mongo:3"
    volumes:
      - /graylog/data/mongo:/data/db
  some-elasticsearch:
    image: "elasticsearch:2"
    command: "elasticsearch -Des.cluster.name='graylog'"
    volumes:
      - /graylog/data/elasticsearch:/usr/share/elasticsearch/data
  graylog:
    image: graylog2/server:2.1.1-1
    volumes:
      - /graylog/data/journal:/usr/share/graylog/data/journal
      - /graylog/config:/usr/share/graylog/data/config
    environment:
      GRAYLOG_PASSWORD_SECRET: somepasswordpepper
      GRAYLOG_ROOT_PASSWORD_SHA2: 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      GRAYLOG_WEB_ENDPOINT_URI: http://127.0.0.1:9000/api
    links:
      - some-mongo:mongo
      - some-elasticsearch:elasticsearch
    ports:
      - "9000:9000"
      - "12201:12201/udp"
      - "1514:1514/udp"

Start all services with:

docker-compose up

Configuration

Every configuration option can be set via environment variables; take a look here for an overview. Simply prefix the parameter name with GRAYLOG_ and put it all in upper case. Another option is to store the configuration file outside of the container and edit it directly.

Documentation

Documentation for Graylog is hosted here. Please read through the docs and familiarize yourself with the functionality before opening an issue on GitHub.

License

View license information for the software contained in this image.

Owner
graylog2

Comments (41)
askbox
20 days ago

Hi!

I got an error:
compose.config.config.find: Using configuration files: ./docker-compose.yml
ERROR: compose.cli.main.main: Invalid published port: 12201/udp

To fix it you need to change

  • "12201/udp:12201/udp"
  • "1514/udp:1514/udp"

to

  • "12201:12201/udp"
  • "1514:1514/udp"

ttdung
a month ago

I cannot start the graylog container, it says "2017-06-29 08:48:55,558 ERROR: com.google.common.util.concurrent.ServiceManager - Service JerseyService [FAILED] has failed in the STARTING state.
javax.ws.rs.ProcessingException: Failed to start Grizzly HTTP server: Cannot assign requested address
"
It is set:
rest_listen_uri = http://192.168.70.89:9000/api/
web_listen_uri = http://192.168.70.89:9000
Currently, no application on the host is using port 9000.

beatcracker
2 months ago

I've improved my previous solution for running Graylog in Rancher. See if it suits you and don't hesitate to leave feedback on GitHub.

https://github.com/beatcracker/rancher-graylog


rancher-graylog: quickly deploy Graylog in Rancher.

This docker-compose.yml file is aimed at quickly deploying a Graylog instance in a development environment.

Features
  • Use Rancher metadata to correctly bind rest_transport_uri to Rancher host IP.
  • Download and install Graylog plugins from GitHub.
  • Download MaxMind GeoLite2 database and update it on a schedule.
  • Disable Graylog's built-in telemetry plugin.

mitsulark
3 months ago

What's the recommended way of adding a Graylog plugin? Do we build a Docker container derived from this one, or is there a way to supply the plugin via a mounted external directory?

larskumbier
3 months ago

Please note that graylog will ignore any GRAYLOG_CONTENT_PACKS_AUTO_LOAD environment variable. You instead need to mount a config directory into the container and use the normal config-file option content_packs_auto_load=grok-patterns.json,my-new-content-pack.json.

beatcracker
5 months ago

@throrin19 and other Rancher folks. Here is how I've managed to automatically assign host's IP to the rest_transport_uri:

  • docker-compose.yml
version: '2'
services:
  graylog2:
    image: graylog2/server
    stdin_open: true
    tty: true
    ports:
      - 9000:9000/tcp
    command:
      - 'bash'
      - '-c'
      - 'sed -i -E "s@#(rest_transport_uri).*@\1 = http://$$(curl -s http://rancher-metadata/latest/self/host/agent_ip):9000/api/@g" ./data/config/graylog.conf && /docker-entrypoint.sh graylog'

mrpupswindel
7 months ago

@maframan: Have you added an input which is able to retrieve data?
i.e. http://docs.graylog.org/en/2.1/pages/sending_data.html#gelf-via-http
If you want to get the curl command working, then you would need to launch a new "gelf http" input. Obviously you need to open enough Docker-ports for your purposes.

maframan
7 months ago

Hi,
I tried to deploy the graylog docker image on openshift (v.3.3) with mongodb and elasticsearch.
Now, graylog is able to connect to mongodb but not to elasticsearch.
Please help me to understand why everything works fine when I launch docker-compose, but graylog is not able to connect to elasticsearch when I try to run it on openshift.

Thanks a lot for your patience and support.

Regards
Francesco

maframan
7 months ago

Hi, I've installed graylog2 as a docker container with docker-compose.yml, but when I try to send the string to graylog via logstash (installed on another server), it does not receive anything, and if I check the udp ports 12201 and 1514 via nmap I find the ports closed. With docker inspect I see that the exposed ports are 12900 and 9000 TCP only; should it not expose those udp ports as well? Please help me.
Regards
Francesco
My logstash configuration is:
input {
  file {
    type => "test"
    path => [ "/tmp/sar-cpu.log" ]
    add_field => { "foo" => "message you want to append" }
  }
}
output {
  gelf {
    host => "192.168.102.202"
    port => 12201
  }
}

elaijuh
8 months ago

GRAYLOG_WEB_ENDPOINT_URI: http://127.0.0.1:9000/api
I cannot find this WEB_ENDPOINT_URI in the config file.