I am using docker-compose to deploy Graylog:
The IP of the Graylog host starts with 10.128.
The Graylog container on the Graylog host has the internal Docker IP 192.168.64.3.
[docker-compose.yml]
version: '2.2'
services:
  graylog:
    image: graylog/graylog:4.0.1
    hostname: graylog1-docker
    container_name: graylog
    restart: always
    environment:
      - GRAYLOG_HTTP_ENABLE_TLS=true
      - GRAYLOG_HTTP_TLS_CERT_FILE=/etc/ssl/certs/graylog-node1.pem
      - GRAYLOG_HTTP_TLS_KEY_FILE=/etc/ssl/private/graylog-node1.key
      - GRAYLOG_HTTP_EXTERNAL_URI=https://graylog-node1-fqdn:9000/
      - GRAYLOG_HTTP_PUBLISH_URI=https://graylog-node1-fqdn:9000/
      - GRAYLOG_ELASTICSEARCH_HOSTS=3 nodes defined and working
      - GRAYLOG_MONGODB_URI=replicaset defined and working
    networks:
      - graylog
    volumes:
      - /etc/graylog/graylog_journal:/usr/share/graylog/data/journal
    ports:
      # HTTPS
      - 9000:9000
      # Syslog TCP
      - 5140:5140
      - 5141:5141
      - 5142:5142
      - 5143:5143
      - 5144:5144
      - 5145:5145
      - 5146:5146
      - 5147:5147
      - 5148:5148
      - 5149:5149
      # Syslog UDP
      - 5140:5140/udp
      - 514:514/udp
      - 5141:5141/udp
      - 5142:5142/udp
      - 5143:5143/udp
      - 5144:5144/udp
      - 5145:5145/udp
      - 5146:5146/udp
      - 5147:5147/udp
      - 5148:5148/udp
      - 5149:5149/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
[/docker-compose.yml]
I configured an external VM and configured syslog-ng to send to Graylog.
Graylog collects data successfully, but it is very slow.
On the syslog-ng host I see the following log line very often:
systemd-journal[337]: Forwarding to syslog missed 12 messages.
So I made a tcpdump on the Graylog host where the Docker container runs.
[tcpdump]
11:32:52.154627 IP (tos 0x0, ttl 63, id 18494, offset 0, flags [DF], proto TCP (6), length 52)
syslog-ng.fqdn.36854 > 192.168.64.3.5141: Flags [.], cksum 0x65f4 (correct), ack 1, win 229, options [nop,nop,TS val 5745664 ecr 1220618454], length 0
11:32:52.154766 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto TCP (6), length 52)
192.168.64.3.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x8be1 (incorrect → 0x49ea), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:32:52.154774 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto TCP (6), length 52)
192.168.64.3.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x8be1 (incorrect → 0x49ea), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:32:52.154789 IP (tos 0x0, ttl 63, id 900, offset 0, flags [DF], proto TCP (6), length 52)
graylog-fqdn.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x168f (incorrect → 0xbf3c), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:33:38.681019 IP (tos 0x0, ttl 64, id 11487, offset 0, flags [DF], proto TCP (6), length 52)
syslog-ng.fqdn.45521 > graylog-fqdn.5141: Flags [.], cksum 0xc16c (correct), ack 1, win 229, options [nop,nop,TS val 2672946176 ecr 1115955523], length 0
11:33:38.681046 IP (tos 0x0, ttl 63, id 11487, offset 0, flags [DF], proto TCP (6), length 52)
syslog-ng.fqdn.45521 > 192.168.64.3.5141: Flags [.], cksum 0x4c1a (correct), ack 1, win 229, options [nop,nop,TS val 2672946176 ecr 1115955523], length 0
[/tcpdump]
So the problem is that some packets are dropped because the syslog-ng host tries to send to 192.168, which does not work, as syslog-ng needs to write to 10.128 or the graylog-fqdn.
My question is:
How can I correctly configure the Graylog docker-compose to use the right IP address and not the internal Docker IP address? I assume that the TCP connections break all the time.
The configured input in Graylog looks like this:
> allow_override_date: true
> bind_address: 0.0.0.0
> expand_structured_data: false
> force_rdns: false
> max_message_size: 2097152
> number_worker_threads: 8
> override_source: <empty>
> port: 5141
> recv_buffer_size: 1048573
> store_full_message: false
> tcp_keepalive: true
> tls_cert_file: <empty>
> tls_client_auth: disabled
> tls_client_auth_cert_file: <empty>
> tls_enable: false
> tls_key_file: admin
> tls_key_password: ********
> use_null_delimiter: false
Thank you very much
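The capture quoted in the post can be read mechanically. The Python script below is an added example, not part of the original post or of Graylog or syslog-ng, and its sample input is the six packets quoted above (copied with the `->` arrow as tcpdump prints it). It groups packets by IP id so that copies of one packet that differ only in container address versus public address are reported as the pre-NAT and post-NAT views of the same packet, counts exact duplicate copies (a capture on the `any` pseudo-interface sees a packet once per interface it crosses), and separates "incorrect" checksums on packets the capture host itself generated from those on received packets, because tcpdump captures outgoing packets before the NIC fills in the checksum when TX checksum offload is enabled. The hostnames `graylog-fqdn` and `syslog-ng.fqdn` and the address `192.168.64.3` are taken from the post; everything else is constructed for the example.

```python
"""Summarise tcpdump -v TCP lines: NAT pairs, duplicate copies, checksum status.
Added example; hostnames and the container address come from the post."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Header line, e.g. "11:32:52.154627 IP (tos 0x0, ttl 63, id 18494, offset 0, ..."
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(tos \S+, ttl (\d+), id (\d+),")
# Body line, e.g. "    a.b.36854 > 192.168.64.3.5141: Flags [.], cksum 0x65f4 (correct), ..."
BODY_RE = re.compile(
    r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\], cksum (0x[0-9a-f]+) \((correct|incorrect)"
)


@dataclass
class Packet:
    ts: str
    ttl: int
    ip_id: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    cksum_ok: bool
    length: int


def _split_endpoint(endpoint: str):
    """'192.168.64.3.5141' -> ('192.168.64.3', 5141); the port is the last dotted field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_tcpdump(text: str) -> list:
    """Pair each two-line tcpdump record (header + body) into a Packet."""
    packets, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (m.group(1), int(m.group(2)), int(m.group(3)))
            continue
        m = BODY_RE.match(line)
        if m and header:
            src, sport = _split_endpoint(m.group(1))
            dst, dport = _split_endpoint(m.group(2))
            length = int(re.search(r"length (\d+)", line).group(1))
            packets.append(Packet(header[0], header[1], header[2], src, sport, dst, dport,
                                  m.group(3), m.group(5) == "correct", length))
            header = None
    return packets


def nat_pairs(packets, container_ip: str, public_host: str) -> dict:
    """For each IP id seen with both the container address and the public address,
    return (container-side copy, public-side copy): the same packet before/after NAT."""
    by_id = defaultdict(list)
    for p in packets:
        by_id[p.ip_id].append(p)
    pairs = {}
    for ip_id, group in by_id.items():
        inside = [p for p in group if container_ip in (p.src, p.dst)]
        outside = [p for p in group if public_host in (p.src, p.dst)]
        if inside and outside:
            pairs[ip_id] = (inside[0], outside[0])
    return pairs


def duplicate_copies(packets) -> dict:
    """Identical (id, src, dst, ttl) tuples captured more than once: one copy per interface."""
    counts = defaultdict(int)
    for p in packets:
        counts[(p.ip_id, p.src, p.dst, p.ttl)] += 1
    return {k: v for k, v in counts.items() if v > 1}


def checksum_report(packets, local_sources) -> dict:
    """Split 'incorrect' checksums by whether the capture host generated the packet;
    locally generated ones are the expected TX-offload artifact, received ones are not."""
    report = {"ok": 0, "local_bad": 0, "remote_bad": 0}
    for p in packets:
        if p.cksum_ok:
            report["ok"] += 1
        elif p.src in local_sources:
            report["local_bad"] += 1
        else:
            report["remote_bad"] += 1
    return report


# The six packets quoted in the post (constructed sample input for this example).
SAMPLE = """\
11:32:52.154627 IP (tos 0x0, ttl 63, id 18494, offset 0, flags [DF], proto TCP (6), length 52)
    syslog-ng.fqdn.36854 > 192.168.64.3.5141: Flags [.], cksum 0x65f4 (correct), ack 1, win 229, options [nop,nop,TS val 5745664 ecr 1220618454], length 0
11:32:52.154766 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.64.3.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x8be1 (incorrect -> 0x49ea), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:32:52.154774 IP (tos 0x0, ttl 64, id 900, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.64.3.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x8be1 (incorrect -> 0x49ea), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:32:52.154789 IP (tos 0x0, ttl 63, id 900, offset 0, flags [DF], proto TCP (6), length 52)
    graylog-fqdn.5141 > syslog-ng.fqdn.36854: Flags [.], cksum 0x168f (incorrect -> 0xbf3c), ack 2916, win 19064, options [nop,nop,TS val 1220678614 ecr 5084031], length 0
11:33:38.681019 IP (tos 0x0, ttl 64, id 11487, offset 0, flags [DF], proto TCP (6), length 52)
    syslog-ng.fqdn.45521 > graylog-fqdn.5141: Flags [.], cksum 0xc16c (correct), ack 1, win 229, options [nop,nop,TS val 2672946176 ecr 1115955523], length 0
11:33:38.681046 IP (tos 0x0, ttl 63, id 11487, offset 0, flags [DF], proto TCP (6), length 52)
    syslog-ng.fqdn.45521 > 192.168.64.3.5141: Flags [.], cksum 0x4c1a (correct), ack 1, win 229, options [nop,nop,TS val 2672946176 ecr 1115955523], length 0
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    for ip_id, (inside, outside) in nat_pairs(pkts, "192.168.64.3", "graylog-fqdn").items():
        print(f"id {ip_id}: {inside.src}>{inside.dst} (ttl {inside.ttl}) is the NAT twin of "
              f"{outside.src}>{outside.dst} (ttl {outside.ttl})")
    print("duplicate copies:", duplicate_copies(pkts))
    print("checksums:", checksum_report(pkts, {"192.168.64.3", "graylog-fqdn"}))
```

Run it with `python3 tcpdump_nat.py` after saving the block under that name. On the quoted capture it reports that IP ids 900 and 11487 each appear once with the container address and once with the public address, that the two id-900 copies from 192.168.64.3 are exact duplicates, and that every "incorrect" checksum is on a packet sourced from the Graylog host or its container while every received packet from syslog-ng.fqdn verifies correctly. The same functions work on a longer `tcpdump -v` capture, where a non-zero `remote_bad` count or a connection whose segments stop being acknowledged would be the things worth looking at next.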