Graylog Docker Failed to connect: Connection refused


#1

Hello,

I’m trying to run Graylog in a Docker container running on AWS. I’m able to get the web interface up and running and can log in and create inputs, etc. However, I am unable to actually send any logs to Graylog. Nothing shows up in the stream or search. Further, testing from the command line I get the following:

(removed http headings for this post due to forum rules)

curl -XPOST X.X.X.X:12201/gelf -p0 -d '{"short_message":"Hello there", "host":"example", "facility":"test", "_foo":"bar"}'
curl: (7) Failed to connect to X.X.X.X port 12201: Connection refused

Even from inside the container I get the same message:

root@41c5489c3654:/usr/share/graylog# curl -XPOST localhost:12201/gelf -p0 -d '{"short_message":"Hello there", "host":"example", "facility":"test", "_foo":"bar"}'
curl: (7) Failed to connect to localhost port 12201: Connection refused

If I run this same setup on my local laptop it seems to be able to receive messages without issue.

My docker compose file looks like this:

version: '2'
services:
  mongodb:
    image: mongo:3
    volumes:
      - /Users/<redacted>/docekr/data/mongo:/data/db
  elasticsearch:
    image: docker.elastic /elasticsearch/elasticsearch:5.5.1
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  graylog:
    image: graylog2/server:latest
    volumes:
      - /Users/<redacted>/docekr/data/graylog:/usr/share/graylog/data/journal
    environment:
      - GRAYLOG_PASSWORD_SECRET=<redacted>
      - GRAYLOG_ROOT_PASSWORD_SHA2=<redacted>
      - GRAYLOG_WEB_ENDPOINT_URI=127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      - 5555:5555
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local

(Jochen) #2

You can wrap text snippets in a code block to circumvent these rules and it will even look better!
See http://commonmark.org/help/ for details.

What type of inputs have you created in Graylog and what’s the configuration of these inputs?


#3

Hey Jochen, thanks for that info, I’ll def use that for next time.

For testing I created the following:

GELF HTTP

bind_address: 0.0.0.0
decompress_size_limit: 8388608
enable_cors: true
idle_writer_timeout: 60
max_chunk_size: 65536
override_source:
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********

GELF UDP - port 12201

bind_address: 0.0.0.0
decompress_size_limit: 8388608
override_source:
port: 12201
recv_buffer_size: 262144

GELF TCP - port 12201

bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
override_source:
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: true

Syslog UDP - port 514

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
override_source:
port: 514
recv_buffer_size: 262144
store_full_message: false

Syslog TCP - port 514

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false

Raw input - port 5555

bind_address: 0.0.0.0
max_message_size: 2097152
override_source:
port: 5555
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false

The GELF HTTP and TCP were not both running at the same time. I created all of the inputs via the web console.


(Jochen) #4

GELF HTTP and GELF TCP cannot use the same port, because both are TCP-based.
Try using a different port for one of the inputs.
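
The port rule above can be checked before starting the stack. The following is an added example, not part of the thread or of Graylog: it compares a list of inputs against the compose `ports` entries and reports TCP-based inputs that share a port, plus inputs whose port is not published. The input list and port list are constructed from the values posted in this thread; treating "Raw input" as TCP is an assumption based on its `tcp_keepalive` and TLS settings.

```python
# Added example. Transport per input type named in the thread
# ("Raw input" assumed to be TCP, see lead-in).
TRANSPORT = {"GELF HTTP": "tcp", "GELF TCP": "tcp", "GELF UDP": "udp",
             "Syslog TCP": "tcp", "Syslog UDP": "udp", "Raw input": "tcp"}

# Constructed from the docker-compose.yml and input list posted above.
COMPOSE_PORTS = ["9000:9000", "514:514", "514:514/udp",
                 "12201:12201", "12201:12201/udp", "5555:5555"]
INPUTS = [("GELF HTTP", 12201), ("GELF UDP", 12201), ("GELF TCP", 12201),
          ("Syslog UDP", 514), ("Syslog TCP", 514), ("Raw input", 5555)]


def parse_published(ports):
    """Turn compose entries such as '514:514/udp' into {(container_port, proto)}."""
    published = set()
    for entry in ports:
        mapping, _, proto = str(entry).partition("/")
        # The container port is the last colon-separated field,
        # also for 'ip:host:container' entries.
        published.add((int(mapping.split(":")[-1]), proto or "tcp"))
    return published


def check_inputs(inputs, ports):
    """Return findings for inputs that collide or are unreachable from outside."""
    findings, seen = [], {}
    published = parse_published(ports)
    for kind, port in inputs:
        key = (port, TRANSPORT[kind])
        if key in seen:
            # Two listeners on the same transport and port: only one can bind.
            findings.append(
                f"conflict: {kind} and {seen[key]} both need {key[1]}/{port}")
        else:
            seen[key] = kind
        if key not in published:
            findings.append(
                f"unpublished: {kind} on {key[1]}/{port} is not in compose ports")
    return findings


if __name__ == "__main__":
    for finding in check_inputs(INPUTS, COMPOSE_PORTS):
        print(finding)
```

A UDP and a TCP input on the same port number do not conflict, which is why GELF UDP on 12201 produces no finding.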


#5

Hey Jochen,

Thanks for the feedback, I think I got this working now. It looks like I had a typo in the docker-compose.yml. Thanks for your response and help!

