Graylog + filebeat
--
Table Of Contents
1 MUST-HAVE
2 MUST-PREPARE
3- INSTALL GRAYLOG USING DOCKER COMPOSE
1 MUST-HAVE
1.1 Docker INSTALLED
1.2 Docker-compose INSTALLED
2 MUST PREPARE
1 Create folder “graylog”
2 Create all folders. for all services (mongodb,elasticsearch,graylog)
$ sudo mkdir -p /graylog/{mongodb,elasticsearch,graylog}
3 We need to download and prep the default config files.
$ mkdir -p /graylog/graylog/config
$ cd /graylog/graylog/config
$ wget https://raw.githubusercontent.com/Graylog2/graylog-docker/4.0/config/graylog.conf
$ wget https://raw.githubusercontent.com/Graylog2/graylog-docker/4.0/config/log4j2.xml4 Change permissions
Graylog is running with UID 1100,that’s way we need to change both UID and GID to 1100 :
$ sudo chown 1100:1100 -R /srv/graylog4.1 Get IP server or localhost:
server-side: get the IP server and update it in your docker-compose
- GRAYLOG_HTTP_EXTERNAL_URI=http://12.0.4.188:9000/
- GRAYLOG_ELASTICSEARCH_HOSTS=http://12.0.4.188:9200localhost :m
- GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
- GRAYLOG_ELASTICSEARCH_HOSTS=http://localhost:92005 Prepare Graylog admin password and change the password secret
5.1 we need to change the root_password_sha2 parameter in the config file:
To change the password you need a sha256 hash of your password, this can be retrieved by running this command line :
Exemple:
$ echo -n “mypassword” | sha256sum
89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8 -so the final string in the graylog.conf would be this
root_password_sha2 = 89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c85.2 Don’t forget to change password_secret to some long random string
3 INSTALL GRAYLOG USING DOCKER COMPOSE
Graylog already has docker-compose.yml (here), so we will use their docker-compose and make changes to it.
Add persistent storage volume for services (mongodb,elasticsearch,graylog)
volumes:
- /home/graylog/graylog:/usr/share/graylog/datavolumes:
- /home/graylog/elasticsearch:/usr/share/elastisearch/datavolumes:
- /home/graylog/mongodb:/data/db
The final docker-compose.yml
version: '3'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongo:
image: mongo:4.2
container_name: mongodb
volumes:
- /home/graylog/mongodb:/data/db
networks:
- graylog
#elasticsearch
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.0
container_name: elasticsearch
environment:
- http.host=0.0.0.0
- transport.host=localhost
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
volumes:
- /home/graylog/elasticsearch:/usr/share/elastisearch/data
ulimits:
memlock:
soft: -1
hard: -1
deploy:
resources:
limits:
memory: 1g
ports:
- 9200:9200
networks:
- graylog
# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
image: graylog/graylog:4.0
container_name: graylog
environment:
- GRAYLOG_HTTP_EXTERNAL_URI=http://12.0.4.188:9000/
- GRAYLOG_ELASTICSEARCH_HOSTS=http://12.0.4.188:9200
- GRAYLOG_ELASTICSEARCH_VERSION=7
volumes:
- /home/graylog/graylog:/usr/share/graylog/data
networks:
- graylog
restart: always
depends_on:
- mongo
- elasticsearch
ports:
# Graylog web interface and REST API
- 9000:9000
# Syslog TCP
- 514:1514
# Syslog UDP
- 514:1514/udp
# GELF TCP
- 12201:12201
networks:
graylog:4 Start services
docker-compose up -d username :admin
password : mypassword
