06phill
November 13, 2017, 4:37am
1
Hello,
I’m trying to run graylog in a docker container running on AWS. I’m able to get the web interface up and running and can log in and create inputs, etc. However, I am unable to actually send any logs to graylog. Nothing shows up in the stream or search. Further, testing from the command line, I get the following:
(removed http headings for this post due to forum rules)
```
curl -XPOST X.X.X.X :12201/gelf -p0 -d '{"short_message":"Hello there", "host":"example", "facility":"test", "_foo":"bar"}'
curl: (7) Failed to connect to X.X.X.X port 12201: Connection refused
```
Even from inside the container I get the same message:
```
root@41c5489c3654 :/usr/share/graylog# curl -XPOST localhost :12201/gelf -p0 -d '{"short_message":"Hello there", "host":"example", "facility":"test", "_foo":"bar"}'
curl: (7) Failed to connect to localhost port 12201: Connection refused
```
If I run this same setup on my local laptop it seems to be able to receive messages without issue.
My docker compose file looks like this:
```yaml
version: '2'
services:
  mongodb:
    image: mongo:3
    volumes:
      - /Users/<redacted>/docekr/data/mongo:/data/db
  elasticsearch:
    image: docker.elastic /elasticsearch/elasticsearch:5.5.1
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  graylog:
    image: graylog2/server:latest
    volumes:
      - /Users/<redacted>/docekr/data/graylog:/usr/share/graylog/data/journal
    environment:
      - GRAYLOG_PASSWORD_SECRET=<redacted>
      - GRAYLOG_ROOT_PASSWORD_SHA2=<redacted>
      - GRAYLOG_WEB_ENDPOINT_URI=127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      - 5555:5555
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
```
jochen
(Jochen)
November 13, 2017, 8:13am
2
You can wrap text snippets in a code block to circumvent these rules and it will even look better!
See Markdown Reference for details.
What type of inputs have you created in Graylog and what’s the configuration of these inputs?
06phill
November 13, 2017, 9:36am
3
Hey Jochen, thanks for that info, I’ll def use that for next time.
For testing I created the following:
GELF HTTP

```
bind_address: 0.0.0.0
decompress_size_limit: 8388608
enable_cors: true
idle_writer_timeout: 60
max_chunk_size: 65536
override_source:
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
```

GELF UDP - port 12201

```
bind_address: 0.0.0.0
decompress_size_limit: 8388608
override_source:
port: 12201
recv_buffer_size: 262144
```

GELF TCP - port 12201

```
bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
override_source:
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: true
```

Syslog UDP - port 514

```
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
override_source:
port: 514
recv_buffer_size: 262144
store_full_message: false
```

Syslog TCP - port 514

```
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false
```

Raw input - port 5555

```
bind_address: 0.0.0.0
max_message_size: 2097152
override_source:
port: 5555
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false
```
The GELF HTTP and TCP were not both running at the same time. I created all of the inputs via the web console.
jochen
(Jochen)
November 13, 2017, 10:05am
4
GELF HTTP and GELF TCP cannot use the same port, because both are TCP-based.
Try using a different port for one of the inputs.
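Added example, not part of the post above and not Graylog code: a Python sketch of the rule just stated, checking the inputs listed in this thread for TCP port clashes and showing at socket level why two TCP listeners cannot share a port while a TCP and a UDP socket can. The type-to-transport table, the function names, and treating the Raw input as TCP are assumptions of the example.

```python
import socket

# Transport per input type named in the thread. Assumption: the Raw input is
# TCP, since its settings include tcp_keepalive and TLS options.
TRANSPORT = {
    "GELF HTTP": "tcp", "GELF TCP": "tcp", "GELF UDP": "udp",
    "Syslog TCP": "tcp", "Syslog UDP": "udp", "Raw": "tcp",
}

# Inputs as listed in the thread: (type, bind_address, port).
INPUTS = [
    ("GELF HTTP", "0.0.0.0", 12201), ("GELF UDP", "0.0.0.0", 12201),
    ("GELF TCP", "0.0.0.0", 12201), ("Syslog UDP", "0.0.0.0", 514),
    ("Syslog TCP", "0.0.0.0", 514), ("Raw", "0.0.0.0", 5555),
]

def find_port_conflicts(inputs):
    """Return pairs of input types that need the same transport and port."""
    seen, conflicts = {}, []
    for kind, _addr, port in inputs:  # every input here binds 0.0.0.0
        key = (TRANSPORT[kind], port)
        if key in seen:
            conflicts.append((seen[key], kind))
        else:
            seen[key] = kind
    return conflicts

def try_bind(sock_type, port):
    """Bind 127.0.0.1:port; return the socket, or None if the OS refuses."""
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind(("127.0.0.1", port))
        if sock_type == socket.SOCK_STREAM:
            s.listen(1)
        return s
    except OSError:  # EADDRINUSE when the transport/port pair is taken
        s.close()
        return None

def demo_shared_port():
    """Return (second TCP bind succeeded, UDP bind on same port succeeded)."""
    first = try_bind(socket.SOCK_STREAM, 0)  # port 0: OS picks a free port
    port = first.getsockname()[1]
    second_tcp = try_bind(socket.SOCK_STREAM, port)
    udp = try_bind(socket.SOCK_DGRAM, port)
    result = (second_tcp is not None, udp is not None)
    for s in filter(None, (first, second_tcp, udp)):
        s.close()
    return result
```

With the thread's input list, the only pair reported is GELF HTTP and GELF TCP on 12201; GELF UDP on the same port number is not a clash.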
06phill
November 13, 2017, 10:17am
5
Hey Jochen,
Thanks for the feedback, I think I got this working now. It looks like I had a typo in the docker-compose.yml. Thanks for your response and help!