Read internal log messages

I’ve set up Graylog (community) with Docker Compose and I'm having some issues with the in vs out message ratio.

My average in is 149 and out is 1, and have noticed that the internal log messages counter is increasing rapidly. I’ve had to set the ‘Subsystem: Graylog’ logging to ‘Fatal’ or the server will run out of storage space…

How can I read these log messages?

The FAQ suggests checking “/var/log/graylog-server/server.log” or “/var/log/graylog//current”, but the paths don’t exist in the graylog docker container.

Not sure if you need the Docker Compose YAML file, but here it is:

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:3
    networks:
      - graylog
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.5
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:3.3.2
    environment:
      - GRAYLOG_PASSWORD_SECRET=<redacted>
      - GRAYLOG_ROOT_PASSWORD_SHA2=<redacted>
      - GRAYLOG_HTTP_EXTERNAL_URI=http://<redacted>:9000/
      # The image maps GRAYLOG_* variables to server.conf keys; a bare "root_timezone = ..."
      # entry is not a valid environment assignment and is ignored.
      - GRAYLOG_ROOT_TIMEZONE=<redacted>
    networks:
      - graylog
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
networks:
  graylog:
    driver: bridge

sudo docker-compose -f graylog.config.yml up -d

I’ve tried using more than 3 brain cells and ran “sudo docker-compose -f graylog.config.yml up” without the daemonised parameter (-d) and saw a brief error message:

Unable to decode raw message RawMessage{id=e6c55246-c2b2-11ea-8250-0242ac120004, journalOffset=8678857, codec=gelf, payloadSize=42, timestamp=2020-07-10T13:40:21.988Z, remoteAddress=/10.11.128.16:54055} on input <5f06f7bfffa6db0fd26657c1>.
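The error line above is the shape Graylog's decoding processor uses for every message an input cannot decode, and in the Docker image those lines go to the container's stdout (the same stream `docker-compose logs graylog` or a non-daemonised `up` shows). The following script is an added example, not something from the thread or from the Graylog project: it parses that `RawMessage{...} on input <id>` pattern into fields and counts undecodable messages per input, codec and sending host, so the shipper that is filling the journal stands out. The sample log lines are constructed here (the first reuses the thread's error line with an invented timestamp prefix; the other ids, offsets and addresses are made up), and the regex is written against the field names visible in that line only.

```python
import re
import sys
from collections import Counter

# Pattern for "Unable to decode raw message RawMessage{...} on input <id>." lines.
# Only the field names present in the thread's log line are assumed; the pairs inside
# the braces are matched individually, so their order does not matter.
LINE_RE = re.compile(
    r"Unable to decode raw message RawMessage\{(?P<fields>[^}]*)\} on input <(?P<input>[^>]+)>"
)
FIELD_RE = re.compile(r"(\w+)=([^,}]+)")


def parse_decode_error(line):
    """Return the RawMessage fields (plus 'input', 'remoteHost', 'remotePort') or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["input"] = m.group("input")
    # remoteAddress is logged as "/ip:port"; split it so we can aggregate by host.
    host, _, port = rec.get("remoteAddress", "").lstrip("/").rpartition(":")
    rec["remoteHost"] = host
    rec["remotePort"] = port
    if "payloadSize" in rec:
        rec["payloadSize"] = int(rec["payloadSize"])
    return rec


def summarize(lines):
    """Count undecodable messages per (input id, codec, remote host)."""
    counts = Counter()
    for line in lines:
        rec = parse_decode_error(line)
        if rec:
            counts[(rec["input"], rec["codec"], rec["remoteHost"])] += 1
    return counts


# Constructed sample input: line 1 is the thread's error with an invented timestamp prefix,
# lines 2-3 are made-up variants, line 4 is an unrelated line that must be ignored.
SAMPLE_LOG = [
    "2020-07-10 13:40:22,001 ERROR: Unable to decode raw message RawMessage{id=e6c55246-c2b2-11ea-8250-0242ac120004, journalOffset=8678857, codec=gelf, payloadSize=42, timestamp=2020-07-10T13:40:21.988Z, remoteAddress=/10.11.128.16:54055} on input <5f06f7bfffa6db0fd26657c1>.",
    "2020-07-10 13:40:22,100 ERROR: Unable to decode raw message RawMessage{id=00000000-0000-0000-0000-000000000001, journalOffset=8678858, codec=gelf, payloadSize=40, timestamp=2020-07-10T13:40:22.100Z, remoteAddress=/10.11.128.16:54056} on input <5f06f7bfffa6db0fd26657c1>.",
    "2020-07-10 13:40:23,000 ERROR: Unable to decode raw message RawMessage{id=00000000-0000-0000-0000-000000000002, journalOffset=8678859, codec=syslog, payloadSize=120, timestamp=2020-07-10T13:40:23.000Z, remoteAddress=/10.11.128.99:514} on input <000000000000000000000002>.",
    "2020-07-10 13:40:23,500 INFO : Some other server log line that is not a decode error.",
]

if __name__ == "__main__":
    # Pipe real output in: docker-compose logs --no-color graylog | python3 decode_errors.py
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for (inp, codec, host), n in summarize(source).most_common():
        print(f"{n:6d}  input={inp} codec={codec} remote={host}")
```

Run it against the container's log stream to see which input and source address are producing the noise; in the thread's case the input id and the 10.11.128.16 sender would head the list, and the constant codec=gelf with a tiny payloadSize points at the shipper's GELF output rather than at Graylog itself.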

Apparently NXLog is not a good option for Windows event shipping, so I’ll try Winlogbeat instead.

I took a deeper look at my NXLog config and found a useful template described in https://docs.graylog.org/en/latest/pages/sidecar.html

What probably fixed it was the setting below:

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>
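Before blaming the shipper or the server, it helps to check what the GELF codec actually needs from each payload. The script below is an added example, not code from the thread, from NXLog or from Graylog: it decodes a GELF payload the way a GELF TCP/UDP input receives it (plain JSON, or zlib- or gzip-compressed JSON; chunked UDP is not handled) and lists the reasons it would be rejected, using the mandatory fields from the GELF payload specification (`version`, `host`, `short_message`). The version check accepting both "1.1" and the older "1.0" is an assumption of this example, and all sample payloads are constructed here.

```python
import gzip
import json
import zlib

# Mandatory fields per the GELF payload specification; everything else is optional
# and custom fields are expected to carry a leading underscore.
MANDATORY = ("version", "host", "short_message")
ACCEPTED_VERSIONS = ("1.0", "1.1")   # assumption: current spec is 1.1, older senders use 1.0


def decode_gelf(payload: bytes) -> dict:
    """Return the JSON object inside a raw, zlib-compressed or gzip-compressed GELF payload."""
    if payload[:2] == b"\x1f\x8b":            # gzip magic bytes
        payload = zlib.decompress(payload, 16 + zlib.MAX_WBITS)
    elif payload[:1] == b"\x78":              # zlib stream header
        payload = zlib.decompress(payload)
    return json.loads(payload.decode("utf-8"))


def gelf_problems(payload: bytes) -> list:
    """List the reasons a GELF payload is not well-formed; an empty list means it is fine."""
    try:
        msg = decode_gelf(payload)
    except (ValueError, zlib.error, UnicodeDecodeError) as exc:
        return [f"not valid (compressed) JSON: {exc}"]
    if not isinstance(msg, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    for field in MANDATORY:
        value = msg.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing or empty mandatory field '{field}'")
    if "version" in msg and str(msg["version"]) not in ACCEPTED_VERSIONS:
        problems.append(f"unsupported GELF version {msg['version']!r}")
    for key in msg:
        if key not in ("version", "host", "short_message", "full_message",
                       "timestamp", "level", "facility", "line", "file") and not key.startswith("_"):
            problems.append(f"custom field '{key}' should be prefixed with '_'")
    return problems


# Constructed sample payloads (hostnames and event data are invented).
GOOD = json.dumps({"version": "1.1", "host": "winhost01",
                   "short_message": "An account was successfully logged on",
                   "_EventID": 4624}).encode("utf-8")
GOOD_ZLIB = zlib.compress(GOOD)
GOOD_GZIP = gzip.compress(GOOD)
EMPTY_SHORT = b'{"version":"1.1","host":"winhost01","short_message":""}'
NO_VERSION = b'{"host":"winhost01","short_message":"x","EventID":1}'
NOT_JSON = b"<13>Jul 10 13:40:21 winhost01 not gelf at all"

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("GOOD_ZLIB", GOOD_ZLIB), ("GOOD_GZIP", GOOD_GZIP),
                          ("EMPTY_SHORT", EMPTY_SHORT), ("NO_VERSION", NO_VERSION), ("NOT_JSON", NOT_JSON)]:
        print(name, gelf_problems(payload) or "ok")
```

Capturing a few packets from the shipper (for example with tcpdump on port 12201) and running their payloads through `gelf_problems` tells you immediately whether the message is being rejected for a structural reason such as an empty `short_message`, which is the field the NXLog `ShortMessageLength` setting above controls.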
