Docker Installation with Self-Managed OpenSearch
Docker is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. This product allows you to run and configure Graylog in concert with its dependencies: MongoDB and OpenSearch.
Requirements
You will need a recent version of Docker, at least version 20.10.10. In addition, use the following Docker images in this chapter:
- Graylog Enterprise: graylog/graylog-enterprise OR Graylog Open: graylog/graylog
- MongoDB: mongo
- OpenSearch: https://hub.docker.com/r/opensearchproject/opensearch
If you prefer to run the containers together, you could configure all the containers above in a .yaml file. To do this install Docker Compose. Refer to Settings for compose examples.
GRAYLOG_HTTP_EXTERNAL_URI and add GRAYLOG_HTTP_PUBLISH_URI and GRAYLOG_HTTP_EXTERNAL_URI according to the server.conf documentation.Graylog Sample Compose File
version: '3'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongodb:
image: "mongo:6.0.18"
ports:
- "27017:27017"
restart: "on-failure"
networks:
- graylog
volumes:
- "mongodb_data:/data/db"
- "mongodb_config:/data/configdb"
opensearch:
image: "opensearchproject/opensearch:2.15.0"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
- "discovery.type=single-node"
- "action.auto_create_index=false"
- "plugins.security.ssl.http.enabled=false"
- "plugins.security.disabled=true"
# Can generate a password for `OPENSEARCH_INITIAL_ADMIN_PASSWORD` using a linux device via:
# tr -dc A-Z-a-z-0-9_@#%^-_=+ < /dev/urandom | head -c${1:-32}
- "OPENSEARCH_INITIAL_ADMIN_PASSWORD=+_8r#wliY3Pv5-HMIf4qzXImYzZf-M=M"
ulimits:
memlock:
hard: -1
soft: -1
nofile:
soft: 65536
hard: 65536
ports:
- "9203:9200"
- "9303:9300"
restart: "on-failure"
networks:
- graylog
volumes:
- "opensearch:/usr/share/opensearch/data"
# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
hostname: "server"
image: "graylog/graylog-enterprise:6.1"
# To install Graylog Open: "graylog/graylog:6.1"
depends_on:
mongodb:
condition: "service_started"
opensearch:
condition: "service_started"
entrypoint: "/usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh"
environment:
GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
# To make reporting (headless_shell) work inside a Docker container
GRAYLOG_REPORT_DISABLE_SANDBOX: "true"
# CHANGE ME (must be at least 16 characters)!
GRAYLOG_PASSWORD_SECRET: "somepasswordpepper"
# Password: "admin"
GRAYLOG_ROOT_PASSWORD_SHA2: "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
GRAYLOG_HTTP_EXTERNAL_URI: "http://127.0.0.1:9000/"
ports:
# Graylog web interface and REST API
- "9000:9000/tcp"
# Beats
- "5044:5044/tcp"
# Syslog TCP
- "5140:5140/tcp"
# Syslog UDP
- "5140:5140/udp"
# GELF TCP
- "12201:12201/tcp"
# GELF UDP
- "12201:12201/udp"
# Forwarder data
- "13301:13301/tcp"
# Forwarder config
- "13302:13302/tcp"
restart: "on-failure"
networks:
- graylog
volumes:
- "graylog_data:/usr/share/graylog/data"
networks:
graylog:
driver: "bridge"
volumes:
mongodb_data:
mongodb_config:
opensearch:
graylog_data:After starting all three Docker containers by running docker-compose up, you can open the URL http://127.0.0.1:9000 in a web browser and log in with username admin and password admin (make sure to change the password later). Change GRAYLOG_HTTP_EXTERNAL_URI=
Configurations
Every configuration option can be set via environment variables. Simply prefix the parameter name with GRAYLOG_ and put it all in upper case.
Graylog comes with a default configuration that works out of the box, but you have to set a password for the admin user and the web interface needs to know how to connect from your browser to the Graylog REST API.
Both settings can be configured via environment variables (also see Configuration):
GRAYLOG_ROOT_PASSWORD_SHA2: "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
GRAYLOG_HTTP_EXTERNAL_URI: "http://127.0.0.1:9000/"In this case you can log into Graylog with the username and password admin.
Generate your own admin password with the following command and put the SHA-256 hash into the GRAYLOG_ROOT_PASSWORD_SHA2 environment variable:
echo -n "Enter Password: " && head -1 < /dev/stdin | tr -d '\n' | sha256sum | cut -d " " -f1All these settings and command line parameters can be put in a docker-compose.yml file, so that they don’t have to be executed one after the other.
Configurations via Environment Properties
For example, setting up the SMTP configuration for sending Graylog alert notifications via email, the docker-compose.yml
version: '3'
services:
mongo:
image: "mongo:6.0.18"
# Other settings [...]
opensearch:
image: "opensearchproject/opensearch:2.15.0"
# Other settings [...]
graylog:
image: "graylog/graylog:6.1"
# Other settings [...]
environment:
GRAYLOG_TRANSPORT_EMAIL_ENABLED: "true"
GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: smtp
GRAYLOG_TRANSPORT_EMAIL_PORT: 25
GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "false"
GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "false"
GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"Another option would be to store the configuration file outside of the container and edit it directly.
Custom Configuration Files
Instead of using a long list of environment variables to configure Graylog (see Configuration Settings), you can also overwrite the bundled Graylog configuration files.
The bundled configuration files are stored in /usr/share/graylog/data/config/ inside the Docker container.
Create the new configuration directory next to the docker-compose.ymlfile and copy the default files from GitHub.
mkdir -p ./graylog/config
cd ./graylog/config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/6.1/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/6.1/config/log4j2.xmlThe newly created directory ./graylog/config/ with the custom configuration files now has to be mounted into the Graylog Docker container.
This can be done by adding an entry to the volumes section of the docker-compose.yml
Example:
services:
mongodb:
image: mongo:6.0.18
# Other settings [...]
opensearch:
image: opensearchproject/opensearch:2.15.0
# Other settings [...]
graylog:
image: graylog/graylog-enterprise:6.1
# Other settings [...]
volumes:
# Mount local configuration directory into Docker container
- ./graylog/config:/usr/share/graylog/data
graylog with the ID 1100 in Docker. That ID needs to be able to read the configuration files you place into the container.
Reading Individual Configuration Settings from Files
The Graylog Docker image supports reading individual configuration settings from a file. This can be used to secure configuration settings with Docker secrets or similar mechanisms.
This has the advantage, that configuration settings containing sensitive information don’t have to be added to a custom configuration file or into an environment variable in plaintext.
The Graylog Docker image checks for the existence of environment variables with the naming scheme GRAYLOG_<CONFIG_NAME>__FILE on startup and expects the environment variable to contain the absolute path to a readable file.
For example, if the environment variable GRAYLOG_ROOT_PASSWORD_SHA2__FILE contained the value /run/secrets/root_password_hash, the Graylog Docker image would use the contents of /run/secrets/root_password_hash as value for the root_password_sha2 configuration setting.
Docker Secrets
Example for using Docker secrets in a Docker Swarm service:
# Create SHA-256 hash of our password
echo -n 'password' | sha256sum | awk '{ print $1 }' 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
# Create a Docker secret named "root_password_hash"
printf '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8' | \
docker secret create root_password_hash -
nlujwooo5uu6z0m91bmve79uo
docker secret ls
ID NAME DRIVER CREATED UPDATED
nlujwooo5uu6z0m91bmve79uo root_password_hash 34 seconds ago 34 seconds ago
# Create Docker Swarm service named "graylog" with access
# to the secret named "root_password_hash"
docker service create --name graylog \
--secret root_password_hash \
-e GRAYLOG_ROOT_PASSWORD_SHA2__FILE=/run/secrets/root_password_hash \
-p 9000:9000 graylog/graylog-enterprise:6.1
mclk5gm39ingk51s869dc0htz
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
docker service ls
ID NAME MODE REPLICAS IMAGE PORTS
mclk5gm39ing graylog replicated 1/1 graylog/graylog-enterprise:6.1 *:9000->9000/tcpPersisting Data
In order to make the recorded data persistent, you can use external volumes to store all data. In the case of a container restart, this will simply re-use the existing data from the former instances.
Using Docker volumes for the data of MongoDB, OpenSearch, and Graylog, the docker-compose.yml file looks as follows:
MongoDB
volumes:
- "/your/local/path:/data/db"
- "/your/local/path:/data/configdb"OpenSearch
volumes:
- "/your/local/path:/usr/share/opensearch/data"Graylog
volumes:
- "/your/local/path:/usr/share/graylog/data"Kubernetes Automatic Leader Selection
Running Graylog in Kubernetes opens the challenge to set the is_master=true setting only for one node in the cluster. The problem can be solved by calculating the name of the pod if Graylog is running in a stateful set with the following environment variable.
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.nameFor a stateful set, the name of the first pod in a cluster always ends with -0. See the documentation about stateful sets. The leader selection mechanism in docker-entrypoint.sh file does the following:
- Examines if Graylog is running inside Kubernetes
- Verifies that the pod name ends in
-0 - Sets
is_master=truefor this container
Nomad Automatic Leader Selection
When running Graylog in a Nomad cluster, you must ensure that only one node in the cluster has the setting is_master=true in the server.conf file.
Whether the container is running on Nomad may be identified with an environmental check on NOMAD_ALLOC_INDEX. Should that variable be set to 0, the container will set Graylog to is_master=true. If the variable is set to anything other than 0, it will set Graylog to is_master=false.
Troubleshooting
In case you see warnings regarding open file limit, try to set the ulimit from the outside of the container.
ulimits:
nofile:
soft: "65536"
hard: "65536"The devicemapper storage driver can create issues with Graylog's disk journal on some systems. In this case please pick another driver like aufs overlay.
Testing a Beta Version
You can also run a pre-release (alpha, beta, or release candidate) version of Graylog using Docker.
The pre-releases are tagged in the graylog/graylog Docker image.
See the available tags for the Graylog image on Docker Hub and pick an alpha/beta/rc tag like this:
graylog:
hostname: "server"
image: "graylog/graylog-enterprise:6.1.0-beta.1-1"How to Get in Log Data
You can create different kinds of inputs under System / Inputs. However, you can only use ports that have been properly mapped to your Docker container; otherwise, data will not show up in the Graylog UI.
graylog:
image: "graylog/graylog-enterprise:6.1"
# Other settings [...]
GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
ports:
# Graylog web interface and REST API
- "9000:9000/tcp"
# Beats
- "5044:5044/tcp"
# Syslog TCP
- "5140:5140/tcp"
# Syslog UDP
- "5140:5140/udp"
# GELF TCP
- "12201:12201/tcp"
# GELF UDP
- "12201:12201/udp"
# Forwarder data
- "13301:13301/tcp"
# Forwarder config
- "13302:13302/tcp"
# Other settings [...] For example, to start a Graylog Docker container listening on port 5555, stop your container and recreate it, while appending -p 5555:5555 to your docker run command.
Similarly, the same can be done for UDP by appending -p 5555:5555/udp.
After ensuring that your Graylog Docker container is listening on :5555, create a raw/plaintext input by navigating to your Graylog port, e.g. https://localhost:9000/system/inputs
Once on the Inputs page, search for Raw/Plaintext TCP and click Launch new input.
After launching the input, a configuration form will pop up with several options. You can leave most of these options as their defaults, but note that you’ll need to provide a name for the input, as well as select the node, or “Global” for the location for the input.
After that you can send a plain text message to the Graylog raw/plaintext TCP input running on port 5555 using the following command:
echo 'First log message' | nc localhost 5555You can then view the message in the Graylog UI.
