Graylog + filebeat

NHAILA Achraf
3 min read · Oct 22, 2022

Table Of Contents

1 MUST-HAVE

2 MUST-PREPARE

3 INSTALL GRAYLOG USING DOCKER COMPOSE

4 START SERVICES

1 MUST-HAVE

1.1 Docker INSTALLED

1.2 Docker-compose INSTALLED

2 MUST-PREPARE

1 Create the folder "graylog"

Create a new folder named "graylog" in /home.

2 Create a folder for each service (mongodb, elasticsearch, graylog)

$ sudo mkdir -p /home/graylog/{mongodb,elasticsearch,graylog}

3 Download and prepare the default config files

$ mkdir -p /home/graylog/graylog/config
$ cd /home/graylog/graylog/config
$ wget https://raw.githubusercontent.com/Graylog2/graylog-docker/4.0/config/graylog.conf
$ wget https://raw.githubusercontent.com/Graylog2/graylog-docker/4.0/config/log4j2.xml

4 Change permissions

The Graylog container runs as UID 1100, which is why both the owner (UID) and the group (GID) of the data directories must be set to 1100:

$ sudo chown 1100:1100 -R /home/graylog

4.1 Set the server IP or localhost:

Server: look up the server's IP address and put it into your docker-compose.yml:

- GRAYLOG_HTTP_EXTERNAL_URI=http://12.0.4.188:9000/
- GRAYLOG_ELASTICSEARCH_HOSTS=http://12.0.4.188:9200

Localhost:

- GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
- GRAYLOG_ELASTICSEARCH_HOSTS=http://localhost:9200

5 Prepare Graylog admin password and change the password secret

5.1 Change the root_password_sha2 parameter in the config file:

The value must be the SHA-256 hash of your password. You can get it with the following command:

Example:

$ echo -n "mypassword" | sha256sum
89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8 -

So the final line in graylog.conf is:

root_password_sha2 = 89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8

5.2 Don't forget to change password_secret to a long random string.
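Steps 5.1 and 5.2 are the two values in graylog.conf that must never be left at their defaults. The script below, an added example that is not part of the original post, derives both values and writes them into the file with sed. It assumes a POSIX shell with sed and one of sha256sum, shasum or openssl; the function names (graylog_root_hash, graylog_password_secret, set_conf_key), the CONF variable and the constructed stand-in config file are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the two secrets that
# step 5 asks for and write them into graylog.conf with sed.
# Assumes a POSIX shell with sed plus sha256sum, shasum or openssl; the
# function names and the demo file are this example's own.

# Hex SHA-256 of the first argument, hashing no trailing newline
# (equivalent to: echo -n "mypassword" | sha256sum).
graylog_root_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d ' ' -f 1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# 96 random hex characters for password_secret, read from /dev/urandom.
# Graylog requires password_secret to be at least 64 characters long.
graylog_password_secret() {
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Set "KEY = VALUE" in a graylog.conf-style file: replace an existing line
# for KEY (even one that is commented out), or append the line if KEY is absent.
# Usage: set_conf_key FILE KEY VALUE
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i.bak "s|^#\{0,1\}[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
        rm -f "${file}.bak"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Demonstration on a constructed stand-in for graylog.conf (not the real file),
# so the script runs anywhere. Point CONF at the downloaded config to use it for real:
#   CONF=/home/graylog/graylog/config/graylog.conf sh secrets.sh
CONF=${CONF:-$(mktemp)}
if [ ! -s "$CONF" ]; then
    # constructed sample: the two lines we care about, still empty
    printf 'root_password_sha2 =\npassword_secret =\n' > "$CONF"
fi
set_conf_key "$CONF" root_password_sha2 "$(graylog_root_hash mypassword)"
set_conf_key "$CONF" password_secret "$(graylog_password_secret)"
grep -E '^(root_password_sha2|password_secret) =' "$CONF"
```

Because the password is hashed from a shell argument, it lands in your shell history; clearing that entry (or reading the password from a prompt instead) is worth the extra step on a shared host.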

3 INSTALL GRAYLOG USING DOCKER COMPOSE

Graylog already provides a docker-compose.yml (here), so we start from that file and make our changes to it.

Add a persistent storage volume to each service (mongodb, elasticsearch, graylog):

    volumes:
      - /home/graylog/graylog:/usr/share/graylog/data

    volumes:
      - /home/graylog/elasticsearch:/usr/share/elasticsearch/data

    volumes:
      - /home/graylog/mongodb:/data/db

The final docker-compose.yml

version: '3'

services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:4.2
    container_name: mongodb
    volumes:
      - /home/graylog/mongodb:/data/db
    networks:
      - graylog

  # Elasticsearch
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.0
    container_name: elasticsearch
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - /home/graylog/elasticsearch:/usr/share/elasticsearch/data
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    ports:
      - 9200:9200
    networks:
      - graylog

  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.0
    container_name: graylog
    environment:
      - GRAYLOG_HTTP_EXTERNAL_URI=http://12.0.4.188:9000/
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://12.0.4.188:9200
      - GRAYLOG_ELASTICSEARCH_VERSION=7
    volumes:
      - /home/graylog/graylog:/usr/share/graylog/data
    networks:
      - graylog
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:1514
      # Syslog UDP
      - 514:1514/udp
      # GELF TCP
      - 12201:12201

networks:
  graylog:
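Before bringing the stack up it is worth checking that the preparation steps actually took effect: the bind mounts must be owned by UID 1100 (step 4), graylog.conf must carry a real hash and a long enough password_secret (step 5), and Elasticsearch, which has no authentication in this stack, should not be published to every interface. The pre-flight script below is an added example, not part of the original post. It assumes POSIX sh with ls, awk, sed and grep, and the file layout used in the post (/home/graylog/graylog/config/graylog.conf, docker-compose.yml in the current directory); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks to run
# before "docker-compose up -d". Assumes POSIX sh, ls, awk, sed and grep; the
# paths match the post's layout and the function names are this example's own.

# 1. A bind-mounted directory must be owned by the UID the Graylog container
#    runs as. "ls -nd" prints the numeric owner as the third field.
# Usage: check_owner DIR UID   (exit status 0 when DIR is owned by UID)
check_owner() {
    actual=$(ls -nd "$1" | awk '{print $3}')
    [ "$actual" = "$2" ]
}

# 2. graylog.conf must contain a 64-hex-character root_password_sha2 and a
#    password_secret of at least 64 characters (Graylog refuses shorter ones).
# Usage: check_conf_secrets FILE
check_conf_secrets() {
    hash=$(sed -n 's/^root_password_sha2[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    secret=$(sed -n 's/^password_secret[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$' || return 1
    [ "${#secret}" -ge 64 ]
}

# 3. Elasticsearch in this stack has no authentication, so a port mapping of
#    "- 9200:9200" exposes it on every host interface. A mapping bound to
#    loopback ("- 127.0.0.1:9200:9200") or no mapping at all passes.
# Usage: check_es_port_binding COMPOSE_FILE
check_es_port_binding() {
    ! grep -Eq '^[[:space:]]*-[[:space:]]*"?9200:9200' "$1"
}

# Run all three checks and report; returns non-zero if any of them fails.
# Usage: run_preflight DATA_DIR CONF_FILE COMPOSE_FILE
run_preflight() {
    rc=0
    check_owner "$1" 1100 || { echo "FAIL: $1 is not owned by UID 1100"; rc=1; }
    check_conf_secrets "$2" || { echo "FAIL: $2 lacks a valid root_password_sha2 or a password_secret of 64+ characters"; rc=1; }
    check_es_port_binding "$3" || { echo "FAIL: $3 publishes Elasticsearch port 9200 on all interfaces"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pre-flight checks passed"
    return "$rc"
}

# Only run against the real layout when it exists, so the functions above can
# also be sourced and tested on their own.
if [ -f /home/graylog/graylog/config/graylog.conf ]; then
    run_preflight /home/graylog/graylog /home/graylog/graylog/config/graylog.conf ./docker-compose.yml
fi
```

The third check will flag the compose file as written above. Since mongo, elasticsearch and graylog all sit on the same `graylog` compose network, Graylog can reach Elasticsearch by service name (GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200, which is what the upstream Graylog compose file uses) and the `9200:9200` mapping can be dropped or bound to 127.0.0.1 without breaking the stack; keeping it as `9200:9200` on a server with a public IP hands anyone on the network read and write access to every stored log.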

4 Start services

docker-compose up -d

username: admin

password: mypassword
