graylog docker container on rhel 7

Hello, I'm trying to get Graylog to work in my AWS Docker container like I have for ElasticSearch & Mongo. Everything I've seen seems to be for Ubuntu or some other OS. I figured they would be similar, but as I semi-suspected, it isn't.
Any help would be greatly appreciated.

Thank you!

docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED            STATUS            PORTS                NAMES
93e8c9e732fe   elasticsearch:8.7.1   "/bin/tini -- /usr/l…"   About an hour ago  Up About an hour  9200/tcp, 9300/tcp   amazing_wozniak
c41ca9711ed1   mongo                 "docker-entrypoint.s…"   About an hour ago  Up About an hour  27017/tcp            magical_jennings

Hey @beauvalon

By chance are you also running Docker-Compose?

Hello gsmith,
Yes, I have a docker-compose in /opt/.

Can you show your docker-compose.yml file?

Sure, here you go. Nothing so secret about it. Thanks for responding!

version: '3'
services:
  # MongoDB: LINK://LINK
  mongo:
    image: mongo:6.0.6
    container_name: mongo
    restart: unless-stopped
    # ports:
    #   - 27017:27017
    # environment:
    #   - MONGO_INITDB_ROOT_USERNAME=root
    #   - MONGO_INITDB_ROOT_PASSWORD=14user2use
      # - MONGO_INITDB_DATABASE=project
    volumes:
      # - mongodb-data-storage:/data/db
      # - mongodb-config-storage:/data/config
      - mongodb-storage:/data
    networks:
      - graylog
  # Mongo Express: https://hub.docker.com/_/mongo-express
  # mongo-express:
  #   image: mongo-express:latest
  #   #image: mongo-express:0.54.0
  #   container_name: mongo-express
  #   restart: unless-stopped
  #   depends_on:
  #     - mongo
  #   ports:
  #     - 1079:8081 
  #   environment:
  #     - ME_CONFIG_MONGODB_SERVER=mongo
  #     - ME_CONFIG_MONGODB_PORT=27017
  #     #- ME_CONFIG_MONGODB_ENABLE_ADMIN=true
  #     #- ME_CONFIG_MONGODB_AUTH_DATABASE=Logging
  #     - ME_CONFIG_MONGODB_ADMINUSERNAME=root
  #     - ME_CONFIG_MONGODB_ADMINPASSWORD=14user2use
  #     #- ME_CONFIG_SITE_SSL_ENABLED=false
  #     # - ME_CONFIG_BASICAUTH_USERNAME=${MONGOEXPRESS_LOGIN}
  #     # - ME_CONFIG_BASICAUTH_PASSWORD=${MONGOEXPRESS_PASSWORD}
  #   networks:
  #     - graylog
#
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:8.1.7
    volumes:
      - es_data-storage:/usr/share/elasticsearch/data      
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - graylog
#
  graylog:
    image: graylog/graylog:5.1
    # image: graylog/graylog:5.0
    links:
      - mongo:mongo
      - elasticsearch:elasticsearch
    environment:
      # No quotes around values in the list form: Compose passes them through
      # as part of the value, so "${GRAYLOG_PASSWORD_SECRET}" would hand
      # Graylog a secret that starts and ends with a literal double quote.
      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      #- GRAYLOG_NODE_ID_FILE=/usr/share/graylog/data/config/node-id
      # CHANGE ME (must be at least 16 characters)!
      # Password: admin
      #- GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
      - GRAYLOG_ROOT_PASSWORD_SHA2=XXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - GRAYLOG_HTTP_EXTERNAL_URI=LINK://XX.XX.XX.XX:1074/
      - GRAYLOG_ELASTICSEARCH_HOSTS=LINK://elasticsearch:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongo:27017/graylogLINK
      # MongoDB
      #- LINK
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    restart: unless-stopped
    ports:
      # Graylog web interface and REST API
      - 1074:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    networks:
      - graylog
    volumes:
      - graylog-storage:/usr/share/graylog/data   
#
networks:
  graylog:
    driver: bridge
#
volumes:
  mongodb-storage:
    driver: local
  es_data-storage:
    driver: local
  graylog-storage:
    driver: local

At first it wouldn't let me post a response because a new user can't include more than 2 links, and the compose file I pasted has links in it. So I put XXXX or LINK in those spots to get past that error. It finally took my updates, but the post I see is basically what I saved initially. I gotta post more often to understand how this works. Ugh!

Hey @beauvalon

First, I hope you don't mind, but I fixed your configuration post so it's readable :+1:

I found some configurations that don't seem right; I could be wrong though. The networks you have (`- graylog`): I also tried that and it does seem to work well. I use depends_on:. For the network I used network_mode: bridge. With Elasticsearch 8.1 you might have issues with Graylog 5.1. Most of the configuration does seem to be correct.

NOTE: Here is mine; perhaps this may help out. It's a little older than yours, but the configuration should work; you just need to add your own specs to the file (i.e., IP, image, etc.).

version: '2'
services:
  
  mongodb:
    image: mongo:4
    network_mode: bridge
  
    volumes:
      - mongo_data:/data/db
  
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    network_mode: bridge
    
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  
  graylog:
    image: graylog/graylog:4.2-jre11
    network_mode: bridge
    dns:
      - 192.168.2.15
      - 192.168.2.16
  
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
      - graylog_bin:/usr/share/graylog/bin
      - graylog_data:/usr/share/graylog/data
    environment:
      
      - TZ=America/Chicago      
      - GRAYLOG_PASSWORD_SECRET=pJod1TRZAckHmqM2oQPqX1qnLVJS99jHm2DuCux2Bpiuu2XLTZuyb2YW9eHiKLTifjy7cLpeWIjWgMtnwZf6Q79HW2nonDhN
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.1.28:9000/
      #timezone
      - GRAYLOG_ROOT_TIMEZONE=America/Chicago
      #mail
      - GRAYLOG_ROOT_EMAIL=greg.smith@domain.com
      - GRAYLOG_HTTP_PUBLISH_URI=http://192.168.1.28:9000/
      - GRAYLOG_TRANSPORT_EMAIL_PROTOCOL=smtp
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=http://192.168.1.28:9000/
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME=192.168.1.28
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED=true
      - GRAYLOG_TRANSPORT_EMAIL_PORT=25
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_SSL=false
      - GRAYLOG_TRANSPORT_FROM_EMAIL=root@localhost
      - GRAYLOG_TRANSPORT_SUBJECT_PREFIX=[graylog]
      - GRAYLOG_REPORT_DISABLE_SANDBOX=true
      
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 8514:8514
      # Syslog UDP
      - 8514:8514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # Reports
      - 9515:9515
      - 9515:9515/udp
      # email
      - 25:25
      - 25:25/udp     
       

volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
  graylog_bin:
    driver: local
  graylog_data:
    driver: local

Hope that helps
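Both compose files in this thread carry `GRAYLOG_PASSWORD_SECRET` and `GRAYLOG_ROOT_PASSWORD_SHA2` inline (gsmith's with the well-known values from the Graylog docs), and the first one wraps its `${...}` substitutions in double quotes, which Compose keeps as part of the value. The following is an added example, not code from the thread or from Graylog: a POSIX shell script that generates a fresh `password_secret`, hashes a root password the way `GRAYLOG_ROOT_PASSWORD_SHA2` expects, writes both to a mode-0600 `.env` next to `docker-compose.yml` (Compose reads `.env` in the project directory for `${VAR}` substitution), and flags quoted `GRAYLOG_*` variables in a compose file. The `.env` path, the root password `admin` and the compose snippet in the usage are assumptions. Separately, the `elasticsearch:8.7.1` image in the `docker ps` output above is not a supported backend for Graylog 5.1, which expects OpenSearch or Elasticsearch 7.10.

```shell
#!/bin/sh
# Added example (not from the thread or from Graylog): create the two secrets
# that the compose files above hard-code, and keep them out of docker-compose.yml.
# Assumes openssl, sha256sum and coreutils are available (RHEL 7 has them).

# password_secret must be at least 16 characters; 96 random characters is what
# the Graylog docs generate (pwgen -N 1 -s 96). openssl is used here instead.
gen_password_secret() {
    openssl rand -base64 96 | tr -d '\n=+/' | cut -c1-96
}

# GRAYLOG_ROOT_PASSWORD_SHA2 is the hex SHA-256 of the root (admin) password.
# printf rather than echo so no trailing newline is hashed.
root_password_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# In list-form `environment:`, Compose keeps the quotes as part of the value:
#   - GRAYLOG_PASSWORD_SECRET="${GRAYLOG_PASSWORD_SECRET}"
# gives Graylog a secret that begins and ends with '"'. Print such lines.
find_quoted_env() {
    grep -nE '^[[:space:]]*-[[:space:]]*GRAYLOG_[A-Z0-9_]+="' "$1" || true
}

# Write KEY=value pairs to a .env file readable only by the invoking user;
# docker-compose substitutes ${GRAYLOG_PASSWORD_SECRET} etc. from it.
write_env_file() {
    env_file="$1"; root_pw="$2"
    (
        umask 077
        {
            printf 'GRAYLOG_PASSWORD_SECRET=%s\n' "$(gen_password_secret)"
            printf 'GRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$(root_password_sha2 "$root_pw")"
        } > "$env_file"
    )
    chmod 600 "$env_file"
}

# Usage (assumed paths and password; not run here):
#   write_env_file /opt/.env 'admin'
#   find_quoted_env /opt/docker-compose.yml   # should print nothing
```

With the `.env` in place, the compose file references the values without quotes (`- GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}`), and the `.env` file rather than the compose file is the thing to keep out of version control and out of forum posts.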

Hello gsmith,
I appreciate you replying and providing a fixed, readable compose file. I tried your file as is, besides changing the IP address and the things that didn't pertain to my AWS instance Graylog/ElasticSearch/Mongo setup.
Your comment was that I might have issues with ElasticSearch 8.7.1 and Graylog? When I do a docker ps, I see the following running, but not Graylog. This is my issue at the moment. Why won't it load/install/run Graylog at all? Is it because, as you say, it's a newer version of ElasticSearch with an older Graylog? I was trying 5.1.
I took out the DNS, email, etc.

Here is the update I did to your suggested compose file.

[root@i-03cd299b485ee gem_containers]# cat docker_gem_compose
version: '2'
services:
  mongodb:
    image: mongo:5
    network_mode: bridge
    volumes:
      - mongo_data:/data/db

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:8.1.7
    network_mode: bridge
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g

  graylog:
    image: graylog/graylog:4.2-jre11
    network_mode: bridge
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
      - graylog_bin:/usr/share/graylog/bin
      - graylog_data:/usr/share/graylog/data
    environment:
      #timezone (tz database names use an underscore, not a space)
      - TZ=America/Los_Angeles
      - GRAYLOG_PASSWORD_SECRET=pJod1TRZAckHmqM2oQPqX1qnLVJS99jHm2DuCux2Bpiuu2XLTZuyb2YW9eHiKLTifjy7cLpeWIjWgMtnwZf6Q79HW2nonDhN
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=http://10.149.58.44:9000/
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 8514:8514
      # Syslog UDP
      - 8514:8514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # Reports
      - 9515:9515
      - 9515:9515/udp
      # email
      - 25:25
      - 25:25/udp

volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
  graylog_bin:
    driver: local
  graylog_data:
    driver: local

Since I've installed and run ElasticSearch 8.1.7 and MongoDB 6.0.6, when I do a docker ps I see them running, but nothing for Graylog.
[root@i-03cd299b485ee ~]# docker ps
CONTAINER ID   IMAGE                 COMMAND                  CREATED             STATUS             PORTS                NAMES
42772916765d   elasticsearch:8.7.1   "/bin/tini -- /usr/l…"   24 seconds ago      Up 24 seconds      9200/tcp, 9300/tcp   festive_jepsen
42fd680abd1f   mongo                 "docker-entrypoint.s…"   About a minute ago  Up About a minute  27017/tcp            naughty_shannon
[root@i-03cd299b485ee ~]#

I was told I don't even need to install Graylog, as the compose file is supposed to do that. I am new and I don't get this, as you can tell.

I just figured it is better to do a "docker pull graylog" for whatever version, then install, run, etc. Then when I do a docker ps, I should see all three containers running.

No such luck!
Thank you in advance for your support.

Hey @beauvalon

Graylog 5.x.x uses OpenSearch 1.3 and above. You can still use Elasticsearch, but it's preferred to start with OpenSearch. I'm assuming later versions of Graylog will not be compatible with Elasticsearch.

Not sure if you have seen this documentation.

Not installing Graylog, that would be incorrect; you can use environment variables and/or a configuration file, depending on what you want to do. The easiest way is just to use a docker-compose file.

Yes, you can run docker-compose logs; this should tell you what the issue is.

EDIT: the easiest way to find out why the graylog container doesn't start is looking through the logs: root # docker logs -f

Hi gsmith,
Progress made: I'm able to log into the Graylog server, but now I'm encountering no "Show messages" for the one and only Sidecar I have configured to send logs to the Graylog server. On top of that, there are more issues even though I didn't touch the system after leaving work yesterday, stuck at not seeing my "Show messages".
Today's new problems: Collectors status
filebeat: Couldn't execute collector /usr/share/filebeat/bin/filebeat, binary path is not included in `collector_binaries_accesslist' config option.

SideCar_PB10 was running just fine; now it's "Failing". UGH!!!

Any help is greatly appreciated.

Thank you

Hey @beauvalon

When you install Graylog Sidecar:

wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar        

Here is another member that had the same issue; check it out and see if it works for you.
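The error quoted above ("binary path is not included in `collector_binaries_accesslist' config option") comes from the one control that keeps a Graylog server, or anyone who can edit collector configurations in its web UI, from making the sidecar execute an arbitrary binary on the host. The quick workaround people reach for is to empty the list, which disables the check; the right fix is to add the one missing path. The script below is an added example, not code from the thread or from the Graylog project: it reads the accesslist out of a `sidecar.yml`, reports whether a given collector binary is allowed (honouring pattern entries), flags an empty list, and appends a path in place. It assumes the Linux config path `/etc/graylog/sidecar/sidecar.yml` and the `graylog-sidecar` systemd unit; the sample `sidecar.yml` in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Graylog project: work with the
# sidecar's collector_binaries_accesslist instead of around it.
# Assumes /etc/graylog/sidecar/sidecar.yml and a graylog-sidecar systemd unit.

SIDECAR_YML="${SIDECAR_YML:-/etc/graylog/sidecar/sidecar.yml}"

# Print the accesslist entries, one per line, quotes stripped. Handles the
# block-list form; an inline "[]" (or a missing key) yields no output.
accesslist_entries() {
    awk '
        /^collector_binaries_accesslist:/ { inlist = 1; next }
        inlist && /^[ \t]*-[ \t]*/ {
            sub(/^[ \t]*-[ \t]*/, ""); gsub(/["'"'"']/, ""); print; next
        }
        inlist && /^[^ \t#]/ { inlist = 0 }    # next top-level key ends the list
    ' "$1"
}

# True when the list is empty: sidecar then skips the check entirely and will
# run whatever path the server-side collector configuration names.
accesslist_disabled() {
    [ -z "$(accesslist_entries "$1")" ]
}

# True when binary $2 matches an entry of config $1. Entries may be patterns
# (sidecar uses Go filepath.Match); shell globbing is used here, which differs
# only in that "*" also crosses "/".
binary_allowed() {
    cfg="$1"; bin="$2"; found=1
    old_ifs=$IFS; IFS='
'
    set -f                                   # no pathname expansion of "*" entries
    for pat in $(accesslist_entries "$cfg"); do
        case "$bin" in $pat) found=0 ;; esac
    done
    set +f; IFS=$old_ifs
    return $found
}

# Append path $2 under the key in config $1 (block-list form only), keeping
# every existing entry instead of replacing the list.
add_to_accesslist() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    awk -v entry="$2" '
        { print }
        /^collector_binaries_accesslist:[ \t]*$/ { printf "  - \"%s\"\n", entry }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage on the sidecar host for the error quoted in the thread (not run here):
#   bin=/usr/share/filebeat/bin/filebeat
#   binary_allowed "$SIDECAR_YML" "$bin" \
#     || { add_to_accesslist "$SIDECAR_YML" "$bin"; systemctl restart graylog-sidecar; }
```

`accesslist_disabled` is the check worth adding to whatever audits the host: a sidecar whose list is `[]` will run any path a collector configuration names, which turns write access to collector configurations on the Graylog server into code execution on every sidecar host.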

Thank you gsmith et al. for your responses! Got things back to the last standpoint, with more green status with the exception of a couple of items, such as the ElasticSearch cluster being yellow.
Indices & Sidecar are both green & running again.
Still trying to solve the big hurdle of why no messages show up when I select "Sidecars Overview" > show messages; all I get is the "Days listed".
I also need to solve making this configuration persistent in my AWS environment. If I power down the AWS instance, or do a "docker-compose down" then "docker-compose up -d", I have to reconfigure everything each time I need to bring down the server or perform the commands above.
Thank you in advance!