Remote inputs on dockerized graylog

danc · August 8, 2018, 4:29pm

Hello Graylog forum users!

I am new to Graylog and this forum and I have been working on a problem with my graylog set up all day and can’t find a solution online, in the marketplace or the documentation. I followed the documentation here: http://docs.graylog.org/en/2.2/pages/installation/docker.html

This is all running on a server, (mongo, elasticsearch and graylog) and I have a couple of remote servers that I want to receive logs from. I edited the rsyslog.conf file on the remote servers to send logs on port 514 initially which didn’t work, and then I changed to 5140, which also didn’t work.

I also tried to set up various inputs on the graylog web interface but couldn’t get any data into graylog. What should I do? I’m wondering is docker at fault here, firewalls are open and I’m able to ping and nc to the port number from the other servers. What ports do I need to use to send log data in? I also have log files collecting from my fairly basic application, and can’t figure out how to send these either.

Any of your help would be super helpful. Thanks!

jan · August 8, 2018, 8:30pm

you need to forward/open the ports from your docker container host into the container.

Like you can see in this docker compose

github.com

jalogisch/d-gray-lab/blob/master/docker-compose.yml#L189-L203


ports:
  # Graylog web interface and REST API
  - 192.168.1.50:9000:9000
  # Syslog TCP
  - 192.168.1.50:514:1514
  # Syslog UDP
  - 192.168.1.50:514:1514/udp
  # GELF TCP
  - 192.168.1.50:12201:12201
  # GELF UDP
  - 192.168.1.50:12201:12201/udp
  # BEATS
  - 192.168.1.50:5044:5044
  # RAW TCP
  - 192.168.1.50:5555:5555

danc · August 9, 2018, 7:59am

Thanks for the quick response and help Jan. This looks promising!

So I’ve tried both internal and external IP address, and it’s still not clear to me how to get any messages in. I have set up 4 different inputs:
Gelf UDP on port 12201,
Raw plaintext TCP on port 5555,
Syslog UDP on port 5140,
Syslog TCP on port 514.

I’ve been trying to get a message in using the following commands with different ports which I found in the documentation but have had no joy.

echo -n ‘{ “version”: “1.1”, “host”: “example.org”, “short_message”: “A short message”, “level”: 5, “_some_info”: “foo” }’ | nc -w0 -u localhost 5140

echo ‘first log message’ | nc localhost 5555

Am I missing something? Should it be the internal or external IP? Do I need to change my inputs and only have one?

Thanks again for your help
Dan

jan · August 9, 2018, 9:26am

Did you open the Port?

What Docker command or compose file did you run?

danc · August 9, 2018, 11:02am

The ports are open. I used docker-compose up -d on a docker-compose file that is very similar to yours except it just has one graylog server.

jan · August 9, 2018, 11:57am

without your docker-compose file nobody would be able to assist you further.

It might be something with missing ports or some misconfiguration on the docker host - good luck.

danc · August 9, 2018, 12:00pm

version: '2'
services:
  mongodb:
    image: mongo:3
    volumes:
      - mongo_data:/data/db
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.3
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:2.4.0-1
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=d07cf09e0d9b56c755e2cc97147c8fc63bfd98ea08fac925d40587c5880222f7
      - GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 10.0.0.14:9000:9000
      # Syslog TCP
      - 10.0.0.14:5140:5140
      # Syslog UDP
      - 10.0.0.14:5140:5140/udp
      # GELF TCP
      - 10.0.0.14:12201:12201
      # GELF UDP
      - 10.0.0.14:12201:12201/udp
# Volumes for persisting data
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:

jan · August 9, 2018, 12:16pm

I guess that 10.0.0.14 is the IP of your Docker host and the target where you want to sent messages?

danc · August 9, 2018, 1:56pm

That is correct. This is the internal IP of the server on which graylog is running.

jan · August 10, 2018, 6:40am

Did you checked if a firewall on the docker host interrupt the traffic?

danc · August 10, 2018, 7:54am

I turns out it was the network security group in Azure. Thanks for your help Jan!

system · August 24, 2018, 8:06am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Udp/tcp in blocked Graylog Central (peer support)	18	2981	August 30, 2018
Log file location or how to get the logging working in a container Graylog Central (peer support)	5	1640	April 7, 2020
Graylog inputs do not seem to be working Graylog Central (peer support)	5	2918	September 7, 2018
Can't send logs to graylog2 docker container via HTTP endpoint Graylog Central (peer support)	3	1994	May 1, 2017
Just not ingesting any logs Graylog Central (peer support)	10	1516	March 19, 2019

Remote inputs on dockerized graylog

Related topics