Adding Graylog Docker Compose Elasticsearch HTTPS config

Hello,

I am trying to use Graylog together with the Wazuh Docker Compose stack, so I merged the Graylog and Wazuh services into the same docker-compose config.
Everything starts up, but Graylog is having a hard time connecting to Elasticsearch; I guess that is because the connection uses HTTPS with a username and password.
I need help getting Graylog to trust the Elasticsearch certificate: how do I add it in the docker-compose file?
Below you will find the docker-compose config and the error I got from the Graylog container.
Please advise.
Thanks

docker-compose config

# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  # Wazuh manager service. Its bundled Filebeat ships alerts to the indexer
  # over HTTPS, authenticating with INDEXER_USERNAME / INDEXER_PASSWORD and a
  # client certificate.
  wazuh.manager:
    image: wazuh/wazuh-manager:4.3.10
    hostname: wazuh.manager
    restart: always
    # Published on every host interface. 55000 is the Wazuh API port used by
    # the dashboard; restrict it with a host firewall or a bind address if only
    # other containers need it.
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      # NOTE(review): credentials are stored in clear text in this file and are
      # visible through `docker inspect`; keep the file out of version control
      # or move the values to an env file / secret store.
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      # `full` makes Filebeat verify the indexer certificate chain and hostname
      # against the CA below -- the same trust relationship Graylog needs in
      # order to talk to the indexer over HTTPS.
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      # NOTE(review): these four host paths are absolute (/config/...), while
      # the indexer and dashboard services mostly use ./config/... relative to
      # this file. If /config does not exist on the host, Docker creates empty
      # directories and the certificate mounts will not contain the expected
      # files -- confirm which location is intended.
      - "/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem"
      - "/config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem"
      - "/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key"
      - "/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf"

  # Wazuh indexer (OpenSearch with the security plugin). This is the HTTPS
  # endpoint that the manager, the dashboard and Graylog connect to.
  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.3.10
    hostname: wazuh.indexer
    restart: always
    # Publishes the REST API on every host interface. The other services in
    # this file reach the indexer by service name over the compose network, so
    # host publishing is only needed for clients outside Docker; drop it or
    # restrict it if that is not required.
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      # root-ca.pem is the CA certificate mounted alongside the node
      # certificate; presumably it signed wazuh.indexer.pem, which would make it
      # the certificate a client such as Graylog has to trust -- TODO confirm.
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
      # Admin client certificate and private key: keep the host copies readable
      # only by the account that runs Docker.
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
      # Security-plugin user definitions; the `admin` account used elsewhere in
      # this file is presumably defined here -- verify its password was changed
      # from the shipped default.
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml

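  # Wazuh dashboard (web UI). Talks to the indexer and to the manager API
  # using the credentials below and serves HTTPS on host port 443.
  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.3.10
    hostname: wazuh.dashboard
    restart: always
    ports:
      # Quoted like the port mappings of the other Wazuh services so the value
      # is always read as a string.
      - "443:5601"
    environment:
      # NOTE(review): clear-text credentials, duplicated from wazuh.manager;
      # they must be kept in sync and out of version control.
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      # NOTE(review): absolute host path, unlike the ./config/... mounts around
      # it. If /config is not where the certificates live, the dashboard gets
      # an empty directory instead of the CA file -- confirm the intended path.
      - /config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager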
  
  # MongoDB backing store for Graylog. No port is published, so it is only
  # reachable from other containers on the compose network.
  # NOTE(review): no MONGO_INITDB_ROOT_USERNAME / MONGO_INITDB_ROOT_PASSWORD is
  # set, so the instance presumably runs without authentication; that relies
  # entirely on the port staying unpublished.
  mongodb:
    image: mongo:6.0.3
    #networks:
    #    - graylog
    # Database files are bind-mounted from the host for persistence.
    volumes:
      - ./mongo_data:/data/db

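  # Graylog server. Uses MongoDB for configuration and the Wazuh indexer as
  # its Elasticsearch-compatible search backend over HTTPS.
  graylog:
    image: graylog/graylog:4.3-jre11
    # Journal directory is bind-mounted from the host for persistence.
    # NOTE(review): the container log shows chown on this path failing with
    # "Operation not permitted"; the host directory must be writable by the
    # user the container runs as.
    volumes:
      - ./graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      # NOTE(review): this value is published with the file; generate a fresh
      # random secret per deployment and keep it out of version control.
      - GRAYLOG_PASSWORD_SECRET=OQGWOEcM6R027M8rUnoZ
      # Password: admin
      # NOTE(review): confirm the digest really corresponds to the password
      # noted above, and replace it with the SHA-256 of a strong password
      # before port 9000 is reachable by anyone else.
      - GRAYLOG_ROOT_PASSWORD_SHA2=cc98fd7aec95a055a76fd10c8d0cfa6e314b1a1fc5d6141544d29a0c1ba64945
      # NOTE(review): 0.0.0.0 is a bind address, not an address a browser can
      # open; this is normally the URL users type to reach Graylog -- confirm.
      # The web interface is also served over plain HTTP here.
      - GRAYLOG_HTTP_EXTERNAL_URI=http://0.0.0.0:9000/
      # No quotes around the value: in the list form of `environment`,
      # everything after `=` is passed to the container literally, so quotes
      # become part of the URI. That is what produced
      # "Illegal character in scheme name at index 0" in the Graylog log.
      # The credentials travel inside the URI, so they show up in
      # `docker inspect`; prefer a dedicated least-privilege indexer user over
      # `admin` for Graylog.
      # Once the URI parses, the JVM must also trust the CA that signed the
      # indexer certificate. One approach is a Java truststore containing that
      # CA, mounted into the container and referenced through
      # GRAYLOG_SERVER_JAVA_OPTS -- not configured here, check the Graylog
      # documentation for the exact procedure.
      - GRAYLOG_ELASTICSEARCH_HOSTS=https://admin:SecretPassword@wazuh.indexer:9200

    # wait-for-it takes host:port, not a URL, and only checks that the TCP
    # port accepts connections (it does not validate TLS or credentials).
    entrypoint: /usr/bin/tini -- wait-for-it wazuh.indexer:9200 -- /docker-entrypoint.sh
    #networks:
    #  - graylog
    links:
      - mongodb:mongo
      - wazuh.indexer
    restart: always
    depends_on:
      - mongodb
      - wazuh.indexer
    # All inputs below are published on every host interface; limit them with
    # a host firewall if only specific senders should reach Graylog.
    ports:
      # Graylog web interface and REST API
      - "9000:9000"
      # Syslog TCP
      - "1516:1514"
      # Syslog UDP
      - "1516:1514/udp"
      # GELF TCP
      - "12201:12201"
      # GELF UDP
      - "12201:12201/udp"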
# Named volumes managed by Docker.
volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  # NOTE(review): the three volumes below are declared but not referenced by
  # any service in this file. mongodb and graylog use the bind mounts
  # ./mongo_data and ./graylog_journal instead, and nothing mounts es_data.
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
# NOTE(review): this network is declared, but every `networks:` key in the
# services above is commented out, so all containers share the default compose
# network and nothing is attached to `graylog`.
networks:
    graylog:
      driver: bridge

error

Warning can not change owner to graylog:graylog
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
2022-11-26 21:08:50,768 INFO : org.graylog2.featureflag.ImmutableFeatureFlagsCollector - Following feature flags are used: {}
2022-11-26 21:08:51,115 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration
com.github.joschi.jadconfig.ParameterException: Couldn't convert value for parameter "elasticsearch_hosts"
	at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:141) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.process(JadConfig.java:99) ~[graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.processConfiguration(CmdLineTool.java:465) [graylog.jar:?]
	at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:271) [graylog.jar:?]
	at org.graylog2.bootstrap.Main.main(Main.java:45) [graylog.jar:?]
Caused by: com.github.joschi.jadconfig.ParameterException: Illegal character in scheme name at index 0: "https://admin:SecretPassword@wazuh.indexer:9200"
	at org.graylog2.configuration.converters.URIListConverter.constructURIFromString(URIListConverter.java:66) ~[graylog.jar:?]
	at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
	at java.util.Iterator.forEachRemaining(Unknown Source) ~[?:?]
	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
	at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:48) ~[graylog.jar:?]
	at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:32) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.convertStringValue(JadConfig.java:167) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:139) ~[graylog.jar:?]
	... 4 more
Caused by: java.net.URISyntaxException: Illegal character in scheme name at index 0: "https://admin:SecretPassword@wazuh.indexer:9200"
	at java.net.URI$Parser.fail(Unknown Source) ~[?:?]
	at java.net.URI$Parser.checkChars(Unknown Source) ~[?:?]
	at java.net.URI$Parser.checkChar(Unknown Source) ~[?:?]
	at java.net.URI$Parser.parse(Unknown Source) ~[?:?]
	at java.net.URI.<init>(Unknown Source) ~[?:?]
	at org.graylog2.configuration.converters.URIListConverter.constructURIFromString(URIListConverter.java:64) ~[graylog.jar:?]
	at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
	at java.util.Iterator.forEachRemaining(Unknown Source) ~[?:?]
	at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
	at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
	at java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
	at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:48) ~[graylog.jar:?]
	at org.graylog2.configuration.converters.URIListConverter.convertFrom(URIListConverter.java:32) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.convertStringValue(JadConfig.java:167) ~[graylog.jar:?]
	at com.github.joschi.jadconfig.JadConfig.processClassFields(JadConfig.java:139) ~[graylog.jar:?]
	... 4 more
wait-for-it: waiting 15 seconds for https://wazuh.indexer
wait-for-it: timeout occurred after waiting 15 seconds for https://wazuh.indexer
chown: changing ownership of '/usr/share/graylog/data/journal': Operation not permitted

Hello && welcome @tbaror

I have seen this issue somewhere before; I don’t think it was resolved.

As for this error…

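Caused by: com.github.joschi.jadconfig.ParameterException: Illegal character in scheme name at index 0: "https://admin:SecretPassword@wazuh.indexer:9200"

Note that the character at index 0 of the rejected value is the literal `"`: the quotes written around the URI in the compose file are being passed to Graylog as part of the value.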

This concerns Elasticsearch/OpenSearch with the security feature enabled (i.e., xpack.security.enabled). The connection types between Graylog and Elasticsearch are limited, as shown below.

# List of Elasticsearch hosts Graylog should connect to.
# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
# requires authentication.
#
# Default: http://127.0.0.1:9200
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200

# NOTE(review): with an http:// URI, any user:password included in it is sent
# to the node unencrypted, and the URI itself is stored in clear text in this
# file; restrict the file's permissions accordingly.
elasticsearch_hosts = http://192.168.1.100:9200

As you may notice, there is no HTTPS example in that configuration. Unfortunately, I have not found a way to use an HTTPS connection between Graylog and ES/OS.
Probably the best thing to do is to use a reverse proxy such as Nginx.

Or you could post in GitHub here

@joe.gross
