Hello,
I am new to Graylog.
Based on the post
I see that we don't need Logstash between Filebeat and Graylog to ingest logs into Graylog.
So, the flow would be
beats → graylog
I am using the Docker Compose file below to start Graylog. The Graylog UI comes up. After logging in, I created an input. I started my Filebeat, but I don't see any messages being received in Filebeat. No errors are seen in the Filebeat logs. Looking forward to community support, as I am not sure what else I am missing to see my Apache access log in Graylog.
Docker compose.yml
```yaml
version: '2'
services:
  # MongoDB:
  mongodb:
    image: mongo:3
    volumes:
      - mongo_data:/data/db
  # Elasticsearch:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.20
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ports:
      - 9200:9200
  # Graylog:
  graylog:
    image: graylog/graylog:4.2
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=daglisecret12345
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      - 5044:5044
      - 5044:5044/udp
# Volumes for persisting data
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
```
Graylog input
```
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 12
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********
```
filebeat.yml
```yaml
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
# filestream is an input for collecting log messages from files.
- type: filestream
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - C:\POC\Docker\graylog\log\access_ligerrzs
  fields:
    business_unit: CSG_BN
    datacenter: bp
    environment: lab
    platform: csg
    log_type: ap_acc
    level: INFO
  fields_under_root: true
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
  # Period on which files under path should be checked for changes
  #reload.period: 10s
# ======================= Elasticsearch template setting =======================
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
```
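Added example, not part of the original post or of Graylog's own tooling: a small audit of the two credential settings in the compose file above (`GRAYLOG_PASSWORD_SECRET` and `GRAYLOG_ROOT_PASSWORD_SHA2`), plus a generator for replacement values. The common-password list, the 64-character threshold and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Environment entries copied from the graylog service in the compose file above.
COMPOSE_ENV = [
    "GRAYLOG_PASSWORD_SECRET=daglisecret12345",
    "GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",
    "GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/",
]
# Constructed list of passwords to test the stored hash against (not exhaustive).
COMMON_PASSWORDS = ["admin", "password", "graylog", "changeme", "123456"]
MIN_SECRET_LEN = 16          # minimum stated in the compose file comment
RECOMMENDED_SECRET_LEN = 64  # threshold chosen for this example (assumption)

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_env(entries):
    """Turn compose-style 'KEY=VALUE' strings into a dict."""
    return dict(e.split("=", 1) for e in entries)

def audit(entries):
    env = parse_env(entries)
    findings = []
    secret = env.get("GRAYLOG_PASSWORD_SECRET", "")
    if len(secret) < MIN_SECRET_LEN:
        findings.append("secret-too-short")
    elif len(secret) < RECOMMENDED_SECRET_LEN:
        findings.append("secret-below-recommended-length")
    stored = env.get("GRAYLOG_ROOT_PASSWORD_SHA2", "").lower()
    if len(stored) != 64 or any(c not in "0123456789abcdef" for c in stored):
        findings.append("root-hash-not-sha256-hex")
    for guess in COMMON_PASSWORDS:
        if secrets.compare_digest(sha256_hex(guess), stored):
            findings.append("root-password-is-common:" + guess)
    return findings

def generate_replacements(root_password):
    """Return fresh env entries: a random secret and the hash of the chosen password."""
    return [
        "GRAYLOG_PASSWORD_SECRET=" + secrets.token_urlsafe(72),
        "GRAYLOG_ROOT_PASSWORD_SHA2=" + sha256_hex(root_password),
    ]

if __name__ == "__main__":
    for finding in audit(COMPOSE_ENV):
        print("finding:", finding)
```

Changing `GRAYLOG_PASSWORD_SECRET` on an existing deployment affects values already encrypted with the old secret, so rotate it before the instance holds data you need to keep.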