Effective Logging with Graylog

Effective logging is crucial for security and system reliability. Graylog, an open-source log management tool, simplifies monitoring and analysis, catering to self-hosting enthusiasts and enterprises alike.

Introduction

Effective logging is essential for maintaining security, ensuring system reliability, and troubleshooting issues efficiently in today's digital landscape. Graylog, an open-source log management tool, excels in simplifying the complexities of monitoring and analyzing system logs. With its robust features, Graylog caters to both self-hosting enthusiasts and enterprises seeking a scalable solution.

Leveraging the power of Docker, Graylog can be effortlessly deployed and managed, making it an ideal choice for those who prefer self-hosted solutions. Docker simplifies the installation process, allowing you to set up and maintain your Graylog environment with minimal hassle. This flexibility enables users to tailor their logging infrastructure to meet specific needs while retaining full control over their data.

In this article, I'll explore the core functionalities of Graylog, including its powerful logging capabilities, security features, and how it integrates seamlessly with Docker for easy deployment. Whether you're looking to enhance your system's security through comprehensive log analysis or streamline your IT operations, Graylog offers a versatile and effective solution. Join me as I dive into the world of Graylog and discover how it can transform your approach to log management.

Prerequisites

  • Internet Connection
  • Up-to-date Server
  • Proper permissions to run Docker commands
  • Docker Setup - Ultimate Docker Guide

Docker-Compose .yaml File

Below is a modified version of the .yaml file provided by Graylog. At the time of this writing, Graylog is at version 6.0. In most cases the :latest tag would be fine, but here we want a little more control over versions, so each image is pinned to a specific tag. See the next section for how to update the containers.

The official documentation uses named volumes; in some cases, using volumes inside VMs can be problematic. I suggest experimenting to find a good balance.

If you are following the Lawrence Systems guide, note that it uses different ports for syslog, which is perfectly fine. Just make sure you list them in your docker-compose file.

version: '3'
services:
# MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:6.0.14
    networks:
      - graylog
    volumes:
      - mongo_data:/data/db

# OpenSearch: https://opensearch.org/docs/latest/install-and-configure/install-opensearch/docker/
  opensearch:
    image: "opensearchproject/opensearch:2.12.0"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "action.auto_create_index=false"
      # The OpenSearch security plugin is disabled here, so port 9200 must stay
      # unpublished; it is only reachable on the internal graylog network below
      - "plugins.security.ssl.http.enabled=false"
      - "plugins.security.disabled=true"
      # Can generate a password for `OPENSEARCH_INITIAL_ADMIN_PASSWORD` using a linux device via:
      # tr -dc A-Z-a-z-0-9_@#%^-_=+ < /dev/urandom | head -c${1:-32}
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=+_8r#wliY3Pv5-HMIf4qzXImYzZf-M=M
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    restart: "on-failure"
    networks:
      - graylog
    volumes:
      # - opensearch-data:/usr/share/opensearch/data
      - /data/graylog/opensearch:/usr/share/opensearch/data

# Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:6.0
    environment:
      - GRAYLOG_NODE_ID_FILE=/usr/share/graylog/data/config/node-id
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
      # CHANGE ME (must be at least 16 characters)!
      # You can generate one by using for example: pwgen -s 96 or pwgen -N 1 -s 96
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      - GRAYLOG_ROOT_USERNAME=administrator
      - GRAYLOG_ROOT_EMAIL=you@gmail.com
      # Default Password: admin
      # If you want to change the admin password, use the following command in a linux terminal:
      # echo -n "Enter Password: " && head -1 < /dev/stdin | tr -d '\n' | sha256sum | cut -d " " -f1
      # If the above doesn't work, you can try the next command
      # echo -n "Enter Password: " && read -r password && echo -n "$password" | sha256sum | cut -d " " -f1
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      # To grab the timezone you want to use, view this website https://www.joda.org/joda-time/timezones.html
      - GRAYLOG_ROOT_TIMEZONE=America/New_York
      - GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
      # If you want to add a URL behind a reverse proxy, you can add the following line:
      # - GRAYLOG_HTTP_EXTERNAL_URI=http://example.com/
      # If you want to add email support, you can add the following lines:
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED=true
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME=smtp.gmail.com
      - GRAYLOG_TRANSPORT_EMAIL_PORT=587
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH=true
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS=true
      - GRAYLOG_TRANSPORT_EMAIL_USE_SSL=false
      - GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME=you@gmail.com
      - GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD=yourpassword
      - GRAYLOG_TRANSPORT_EMAIL_SUBJECT_PREFIX=[graylog]
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=https://example.com/
    # wait-for-it must target the OpenSearch service defined above; the original line
    # waited on elasticsearch:9200, a service that does not exist in this compose file
    entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 --  /docker-entrypoint.sh
    networks:
      - graylog
    restart: always
    depends_on:
      - mongodb
      - opensearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # Server Syslog UDP
      # Use anything from 48000-65000
      - 48000:48000/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    volumes:
      - graylog_data:/usr/share/graylog/data

networks:
  graylog:
    driver: bridge

volumes:
  mongo_data:
    driver: local
  # opensearch-data:
    # driver: local
  graylog_data:
    driver: local
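The compose file above ships with placeholder secrets (the password pepper, the root password hash for admin, the SMTP password), and its comments ask you to replace them before starting the stack. The pre-flight check below is an added example, not part of the original post or of Graylog's own tooling. It takes the environment entries and image tags as the plain strings they are in the file (copied here as a constructed sample), reports anything still at its default, and produces the replacement values the comments call for. The 16-character minimum for GRAYLOG_PASSWORD_SECRET comes from the compose comment itself; the placeholder tests, the plain-http rule and the floating-tag rule are my own assumptions about what is worth flagging, not Graylog requirements.

```python
"""Pre-flight checks for the Graylog docker-compose environment.

Added example, not part of the original post or of Graylog's tooling. Inputs
are the 'KEY=value' strings under environment: and the image: tags, so no YAML
parser is needed.
"""
import hashlib
import re
import secrets

# SHA-256 of the literal string "admin", the default root password in the compose file.
DEFAULT_ADMIN_SHA2 = hashlib.sha256(b"admin").hexdigest()
PLACEHOLDER_PEPPER = "somepasswordpepper"

# Constructed sample: the relevant lines copied from the compose file above.
SAMPLE_ENV = [
    "GRAYLOG_PASSWORD_SECRET=somepasswordpepper",
    "GRAYLOG_ROOT_USERNAME=administrator",
    "GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",
    "GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/",
    "GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD=yourpassword",
]
SAMPLE_IMAGES = ["mongo:6.0.14", "opensearchproject/opensearch:2.12.0", "graylog/graylog:6.0"]


def parse_env(entries):
    """Turn 'KEY=value' strings into a dict; the value itself may contain '='."""
    env = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if sep:
            env[key.strip()] = value
    return env


def check_graylog_env(entries):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    env = parse_env(entries)
    findings = []

    pepper = env.get("GRAYLOG_PASSWORD_SECRET", "")
    if len(pepper) < 16:  # minimum stated in the compose comment
        findings.append("GRAYLOG_PASSWORD_SECRET must be at least 16 characters")
    if pepper == PLACEHOLDER_PEPPER:
        findings.append("GRAYLOG_PASSWORD_SECRET is still the placeholder value")

    sha2 = env.get("GRAYLOG_ROOT_PASSWORD_SHA2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", sha2):
        findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is not a 64-hex SHA-256 digest")
    elif sha2 == DEFAULT_ADMIN_SHA2:
        findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is the hash of the default password 'admin'")

    if env.get("GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD") == "yourpassword":
        findings.append("GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD is still the placeholder value")

    # Assumption: anything other than a loopback address should sit behind the TLS reverse proxy.
    uri = env.get("GRAYLOG_HTTP_EXTERNAL_URI", "")
    if uri.startswith("http://") and "127.0.0.1" not in uri and "localhost" not in uri:
        findings.append("GRAYLOG_HTTP_EXTERNAL_URI is plain http on a non-local address")
    return findings


def check_image_tags(images):
    """Flag images that float (no tag, or :latest); the post pins versions on purpose."""
    findings = []
    for image in images:
        _name, sep, tag = image.rpartition(":")
        # no ':' at all, or the ':' belongs to a registry port (tag contains '/'), or :latest
        if not sep or "/" in tag or tag == "latest":
            findings.append(f"{image}: pin an explicit version tag instead of latest")
    return findings


def generate_secret(length=96):
    """Replacement for GRAYLOG_PASSWORD_SECRET (the post suggests pwgen -s 96)."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def root_password_sha2(password):
    """Same value the post's sha256sum pipeline produces (no trailing newline hashed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for finding in check_graylog_env(SAMPLE_ENV) + check_image_tags(SAMPLE_IMAGES):
        print("FIX:", finding)
    print("GRAYLOG_PASSWORD_SECRET=" + generate_secret())
```

Run it before docker-compose up -d; an empty findings list means no obvious defaults are left. The hash function does exactly what the post's sha256sum pipeline does, so root_password_sha2("admin") reproduces the value currently in the file.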

Update Docker Containers

To update the containers, go to the official documentation and see what version they are on. Modify the docker-compose file, shut down the containers, and then start it back up.

cd /data/graylog

docker-compose down

nano docker-compose.yaml

# find the versions and match them up with what is on Docker Hub

# Use Control+O to save
# Use Control+X to exit

docker-compose up -d

Reverse Proxy Setup

Using your reverse proxy, this is simple to set up: you just need a normal host forward. This can be done through NGINX Proxy Manager if you follow my Ultimate Docker Guide.

Sending Linux Logs to Graylog

Linux Setup

We are going to use rsyslog to manage this. It is most likely installed already, but if not, install it for your system. The following is for Ubuntu / Debian-based systems; substitute your system's commands.

sudo apt-get install rsyslog

Now we need to edit the configuration file to send the logs.

sudo nano /etc/rsyslog.conf

Add the following to the bottom of the file, then use Control+O to save and Control+X to exit. Substitute your Graylog server's IP address and the port of its Syslog UDP input. You may need to modify the docker-compose file if you are not using 1514, the standard syslog port published there.

#
# Send logs to Graylog
#
# Host and port must match the Syslog UDP input created in Graylog
# (the compose file above publishes 1514/udp for syslog; 12201 is mapped there for GELF).
# A single @ sends over UDP; use @@ for TCP.
*.* @graylog-server:12201;RSYSLOG_SyslogProtocol23Format

Then we restart the rsyslog service:

sudo systemctl restart rsyslog

MacOS Setup

MacOS has a default syslog infrastructure in place. We need to edit the configuration file to send the logs.

sudo nano /etc/syslog.conf

Add the following to the bottom of the file, then use Control+O to save and Control+X to exit. Substitute your Graylog server's IP address and the port of its Syslog UDP input. You may need to modify the docker-compose file if you are not using 1514, the standard syslog port published there. If you are using TCP, you will need to use @@graylog-server:12201 instead of a single @.

#
# Send logs to Graylog
#
# Host and port must match the Syslog UDP input created in Graylog (1514/udp in the compose file above)
*.* @graylog-server:12201

Then we restart the syslog service:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

If the above doesn't work, you may need to restart your MacOS machine.

Graylog setup

In the Graylog web interface, navigate to System and then Inputs. From the drop-down menu, launch a new input of type Syslog UDP.

Add a title, change the port to match the one published in the docker-compose file and used by your forwarders, and then select a timezone. Leave all other settings as default.
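Once the Syslog UDP input is running, it helps to confirm that something reaches it before pointing every host at it. The script below is an added example and not code from the original post, Graylog or rsyslog: it builds one RFC 5424 line in the layout rsyslog produces with RSYSLOG_SyslogProtocol23Format (the format used in the Linux section above), validates it with a small parser, and sends it over UDP to the input. GRAYLOG_HOST and GRAYLOG_PORT are assumptions to adjust to your server and to the port you entered in the input; SAMPLE_LINE is a constructed message, not captured traffic.

```python
"""Send a constructed RFC 5424 test message to a Graylog Syslog UDP input.

Added example (not part of the original post, Graylog or rsyslog). It
reproduces the wire format rsyslog emits with RSYSLOG_SyslogProtocol23Format,
checks the line with a small parser, and fires it at the input so you can
confirm the input receives and parses messages before real hosts forward logs.
"""
import re
import socket
from datetime import datetime, timezone

GRAYLOG_HOST = "127.0.0.1"  # assumption: the Docker host running Graylog
GRAYLOG_PORT = 1514         # assumption: the Syslog UDP port published in the compose file

FACILITY_USER = 1
SEVERITY_NOTICE = 5

# RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample of what rsyslog would send with the config from the Linux section
# (facility 10 = authpriv, severity 6 = info, so PRI = 10 * 8 + 6 = 86).
SAMPLE_LINE = ("<86>1 2024-05-01T12:00:00.000Z web01 sshd 1234 - - "
               "Accepted publickey for deploy from 192.0.2.10 port 51234")


def build_syslog_message(hostname, app, msg, facility=FACILITY_USER,
                         severity=SEVERITY_NOTICE, procid="-", msgid="-",
                         timestamp=None):
    """Format one RFC 5424 line the way rsyslog's SyslogProtocol23Format does.

    timestamp is an RFC 3339 string; None means the current UTC time.
    """
    pri = facility * 8 + severity
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
        timestamp = timestamp.replace("+00:00", "Z")
    return f"<{pri}>1 {timestamp} {hostname} {app} {procid} {msgid} - {msg}"


def parse_syslog_message(line):
    """Parse an RFC 5424 line back into its fields; raise ValueError if malformed."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError("PRI out of range: %d" % pri)
    fields = m.groupdict()
    fields["facility"] = pri >> 3
    fields["severity"] = pri & 7
    return fields


def send_test_message(host=GRAYLOG_HOST, port=GRAYLOG_PORT, text="graylog input test"):
    """Validate a constructed message locally, then fire it at the input over UDP."""
    line = build_syslog_message(socket.gethostname(), "graylog-test", text)
    parse_syslog_message(line)  # refuse to send something the input would not parse
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))
    return line


if __name__ == "__main__":
    print("sample parses as:", parse_syslog_message(SAMPLE_LINE))
    print("sent:", send_test_message())
    print("now search for 'graylog input test' in the Graylog web interface")
```

After running it, search for the message text in the Graylog web interface. If the message arrives but the fields look wrong (everything lands in the message body, or the source is missing), the input type and the forwarder's format disagree, for example syslog sent to the port mapped for GELF.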

Conclusion

Graylog proves to be a powerful and versatile tool for log management, offering robust features for monitoring and analyzing system logs. By leveraging Docker, Graylog provides an effortless deployment and management experience, making it an excellent choice for ensuring that even those new to the platform can get started with ease.

As Graylog proves to be valuable to IT operations, be sure to save this post, as I will be adding more configurations and tips to further optimize your Graylog setup.


Full Disclosure

Most of this article consists of facts and opinions. The featured background image was created by andyoneru and is available on Unsplash. I added a blur and a gradient overlay with some text. The following images have been pulled or screenshotted from the respective websites/applications. I do not own this content.
