Run Graylog in Docker

The following guide will walk you through running Graylog with Docker Compose.

Warning: We strongly recommend that you review Graylog and Docker before you begin deployment, as it covers how to customize your Compose file and environment variables to fit your needs.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • Install a recent version of Docker Compose following the official Docker documentation.

  • Familiarity with Docker Compose, YAML, and the Graylog Compose file is crucial to successfully installing and deploying Graylog with Docker!

  • You must have a YAML Compose file including the following Docker images, which will be pulled automatically when you deploy the stack. We recommend you begin with the example Compose file provided by Graylog, including these images:

    • MongoDB: mongo

    • Graylog Data Node: graylog/graylog-datanode

    • Graylog Enterprise: graylog/graylog-enterprise

      • OR Graylog Open: graylog/graylog

  • We also recommend you obtain the example .env file from GitHub to manage your password secret and root password as noted in Graylog and Docker.

  • Make sure Docker is configured with a vm.max_map_count setting of at least 262144.

Run Graylog with Docker Compose

To run Graylog with Docker Compose, we recommend you follow the process below:

  1. Navigate to GitHub and download the example Graylog docker-compose.yml and the environment .env.example file, which contains the password secret and root password configurations.

  2. Save the files in your desired directory. We recommend you save the file to a local file store; however, see Graylog and Docker for additional methods of file storage and management.

    Hint: Be sure to save the .env.example as .env!

  3. Use the following command to create your GRAYLOG_PASSWORD_SECRET:

    < /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-96};echo;
  4. Then, create your GRAYLOG_ROOT_PASSWORD_SHA2:

    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
  5. Now, open the environment file and set the GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2 values to the output of the previous two steps, respectively.

  6. Open and inspect the Compose YAML file. You can make any changes to the configuration settings as necessary at this time. For more information on this file and how to adjust configuration settings, see Graylog and Docker.

  7. Deploy the Graylog application with Docker Compose:

    docker compose up

    To have it running in the background, you can use:

    docker compose up -d

    Warning: Once you deploy the application, the console will begin to display log output. Do not interrupt this process, or you will not be able to deploy Graylog!

  8. To check the status of your containers, use:

    docker compose ps
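
Steps 3 to 5 can be scripted so the password is never echoed or pasted by hand and the .env file stays readable only by its owner. This is an added example, not Graylog's own tooling; the script name graylog-env.sh and the helper function names are assumptions, and the secret is drawn from letters and digits only.

```shell
#!/bin/sh
# Added example, not Graylog's tooling. Usage: sh graylog-env.sh .env
set -eu

# Random secret of N characters (default 96) drawn from [A-Za-z0-9].
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-96}"
}

# SHA-256 hex digest of the password on stdin, newline stripped (as in step 4).
hash_password() {
  tr -d '\n' | sha256sum | cut -d' ' -f1
}

# Print the value of KEY ($1) in env file ($2), without surrounding quotes.
env_value() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '"'
}

# Set KEY=VALUE in the env file, replacing any existing KEY line; keep it 0600.
set_env_var() {
  key=$1 value=$2 file=$3
  tmp=$(mktemp "$file.XXXXXX")          # mktemp creates the file with mode 0600
  if [ -f "$file" ]; then grep -v "^$key=" "$file" > "$tmp" || true; fi
  printf '%s="%s"\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# Fail if the secret is empty or the hash is not 64 lowercase hex digits.
check_env() {
  [ -n "$(env_value GRAYLOG_PASSWORD_SECRET "$1")" ] ||
    { echo "GRAYLOG_PASSWORD_SECRET is empty" >&2; return 1; }
  env_value GRAYLOG_ROOT_PASSWORD_SHA2 "$1" | grep -Eq '^[0-9a-f]{64}$' ||
    { echo "GRAYLOG_ROOT_PASSWORD_SHA2 is not a SHA-256 hex digest" >&2; return 1; }
}

main() {
  printf 'Enter root password: ' >&2
  stty -echo 2>/dev/null || true        # do not echo the password
  IFS= read -r pw || true
  stty echo 2>/dev/null || true; echo >&2
  set_env_var GRAYLOG_PASSWORD_SECRET "$(gen_secret 96)" "$1"
  set_env_var GRAYLOG_ROOT_PASSWORD_SHA2 "$(printf '%s' "$pw" | hash_password)" "$1"
  check_env "$1" && echo "updated $1" >&2
}

# Runs only when an env file path is given, e.g. `sh graylog-env.sh .env`.
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it in the directory that holds docker-compose.yml before `docker compose up`; check_env can also be called on its own against an existing .env to catch an empty secret or a plaintext password pasted where the hash belongs.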

Complete Preflight Login

Once your Graylog container is up and running, you can access the Graylog interface and log in for the first time.

  1. View your Docker logs to obtain your initial login credentials:

    docker compose logs graylog
  2. Locate the log entry beginning with "It seems you are starting Graylog for the first time..." Your initial login information will be located here:

    graylog-1   |                                                              ---
    graylog-1   |                                                              ---
    graylog-1   |                                                              ---
    graylog-1   |     ########  ###   ######### ##########   ####         #### ---         .----               ----
    graylog-1   |   ###############   ###################### #####       ####  ---      ------------       .----------- --
    graylog-1   |  #####     ######   #####              #### ####      ####   ---     ---        ---     ---        -----
    graylog-1   | ####         ####   ####       ############  ####     ####   ---    --           ---   ---           ---
    graylog-1   | ###           ###   ####     ##############   ####   ####    ---   ---            --   --             --
    graylog-1   | ####         ####   ####    ####       ####    #### ####     ---   ---            --   --            .--
    graylog-1   | #####       #####   ####    ####       ####     #######      ---    ---          ---   ---           ---
    graylog-1   |  ################   ####     ##############     ######-       --     ----      ----      ---       -----
    graylog-1   |    ##############   ####      #############      #####        -----   -----------         ----------  --
    graylog-1   |              ####                                ####                                                ---
    graylog-1   | #####       ####                                ####                                     -          .--
    graylog-1   |   #############                                ####                                     -----     ----
    graylog-1   |      ######                                   ####                                          -------
    graylog-1   | 
    graylog-1   | ========================================================================================================
    graylog-1   | 
    graylog-1   | It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
    graylog-1   | been started. You must log in to it to perform the initial configuration and continue.
    graylog-1   | 
    graylog-1   | Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'ghWgeIAkKl'.
    graylog-1   | Try clicking on http://admin:ghWgeIAkKl@0.0.0.0:9000
    graylog-1   | 
    graylog-1   | ========================================================================================================
    graylog-1   | 
  3. To access the interface, you must change the IP address provided, listed as 0.0.0.0:9000 above, to match the IP of your Docker host. For example: https://admin:NQNJr0CkX2@192.168.1.47:9000. This is the location of your Graylog interface.

  4. Navigate to the interface and use the initial username and password provided in the Docker log file to first log into the preflight UI.

  5. After provisioning, you will then need to use the root password that corresponds to the GRAYLOG_ROOT_PASSWORD_SHA2 configured in the Compose file (the password itself, not its hash) to complete your login.

Get in Logs and Verify Logs

Inputs can be created and configured via the Graylog interface. See Inputs for more information.

Hint: You can only use ports that have been mapped to your Docker container. See Docker and Graylog for more information about the ports configured in the example Compose file.

To display the logs of all services defined in your Graylog environment and verify they are running as intended, use the following command:

docker compose logs -f

Stop and Remove Containers

If for any reason you need to stop and remove the containers, networks, volumes, and images created as a part of your Graylog deployment, use the following command:

docker compose down

For more information on this process, see the Docker documentation.

Troubleshooting and Common Issues

The following section outlines troubleshooting steps for common issues to assist you in resolving potential challenges you may encounter.

Issue: Open File Limit

You may encounter warning messages about the open file limit during deployment.

Solution: Set ulimit Outside the Container

If this occurs, try setting the ulimit outside of the container:

ulimits:
    nofile:
      soft: "65536"
      hard: "65536"

Issue: devicemapper Storage Driver Compatibility

You may encounter an incompatibility between Graylog's disk journal and the devicemapper storage driver in Docker. This may result in an error message in the Docker logs or in Graylog's service logs.

Solution: Choose Another Driver

In this case, we recommend you choose another driver like aufs or overlay2 to provide better performance for read/write operations.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: