Remote inputs on dockerized graylog

Hello Graylog forum users!

I am new to Graylog and this forum and I have been working on a problem with my graylog set up all day and can’t find a solution online, in the marketplace or the documentation. I followed the documentation here: http://docs.graylog.org/en/2.2/pages/installation/docker.html

This is all running on a server, (mongo, elasticsearch and graylog) and I have a couple of remote servers that I want to receive logs from. I edited the rsyslog.conf file on the remote servers to send logs on port 514 initially which didn’t work, and then I changed to 5140, which also didn’t work.

I also tried to set up various inputs on the graylog web interface but couldn’t get any data into graylog. What should I do? I’m wondering is docker at fault here, firewalls are open and I’m able to ping and nc to the port number from the other servers. What ports do I need to use to send log data in? I also have log files collecting from my fairly basic application, and can’t figure out how to send these either.

Any of your help would be super helpful. Thanks!

You need to forward/open the ports from your docker container host into the container.

Like you can see in this docker compose

Thanks for the quick response and help Jan. This looks promising!

So I’ve tried both internal and external IP address, and it’s still not clear to me how to get any messages in. I have set up 4 different inputs:
Gelf UDP on port 12201,
Raw plaintext TCP on port 5555,
Syslog UDP on port 5140,
Syslog TCP on port 514.

I’ve been trying to get a message in using the following commands with different ports which I found in the documentation but have had no joy.

echo -n '{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }' | nc -w0 -u localhost 5140

echo ‘first log message’ | nc localhost 5555

Am I missing something? Should it be the internal or external IP? Do I need to change my inputs and only have one?

Thanks again for your help
Dan

Did you open the Port?

What Docker command or compose file did you run?

The ports are open. I used docker-compose up -d on a docker-compose file that is very similar to yours except it just has one graylog server.

Without your docker-compose file nobody would be able to assist you further.

It might be something with missing ports or some misconfiguration on the docker host - good luck.

version: '2'
services:
  mongodb:
    image: mongo:3
    volumes:
      - mongo_data:/data/db
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.3
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:2.4.0-1
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=d07cf09e0d9b56c755e2cc97147c8fc63bfd98ea08fac925d40587c5880222f7
      - GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 10.0.0.14:9000:9000
      # Syslog TCP
      - 10.0.0.14:5140:5140
      # Syslog UDP
      - 10.0.0.14:5140:5140/udp
      # GELF TCP
      - 10.0.0.14:12201:12201
      # GELF UDP
      - 10.0.0.14:12201:12201/udp
# Volumes for persisting data
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
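Jan's point above is that an input only receives traffic if the compose file publishes that container port on the host. As an added example (not code from the thread or from Graylog), the script below parses the short-form `ports:` entries copied from the compose file above and compares them with the four inputs Dan created; the input list and port strings are constructed from the thread, and `host_ips_for` also reports which host address a port is bound to, since a mapping like `10.0.0.14:5140:5140` is not reachable via `localhost`.

```python
# Added example, not from the thread: cross-check Graylog inputs against the
# published ports in a docker-compose file. Values below are taken from the
# compose file and input list posted in this thread.
import re
from typing import List, Optional, Set, Tuple

# Short-form compose port mapping: [host_ip:]host_port:container_port[/proto]
PORT_RE = re.compile(
    r"^(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<container>\d+)(?:/(?P<proto>tcp|udp))?$"
)

# Copied from the compose file above (constructed input for this example).
COMPOSE_PORTS = [
    "10.0.0.14:9000:9000",
    "10.0.0.14:5140:5140",
    "10.0.0.14:5140:5140/udp",
    "10.0.0.14:12201:12201",
    "10.0.0.14:12201:12201/udp",
]

# The four inputs Dan configured in the web interface: (name, port, protocol).
INPUTS = [
    ("GELF UDP", 12201, "udp"),
    ("Raw plaintext TCP", 5555, "tcp"),
    ("Syslog UDP", 5140, "udp"),
    ("Syslog TCP", 514, "tcp"),
]


def parse_port_mapping(spec: str) -> Tuple[Optional[str], int, int, str]:
    """Return (host_ip, host_port, container_port, proto); proto defaults to tcp."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return m.group("ip"), int(m.group("host")), int(m.group("container")), (m.group("proto") or "tcp")


def unpublished_inputs(port_specs: List[str], inputs) -> List[str]:
    """Names of inputs whose container port/protocol is never published on the host."""
    published = {(c, proto) for _, _, c, proto in map(parse_port_mapping, port_specs)}
    return [name for name, port, proto in inputs if (port, proto) not in published]


def host_ips_for(port_specs: List[str], port: int, proto: str) -> Set[str]:
    """Host addresses a given container port is bound to ('0.0.0.0' if unspecified)."""
    return {ip or "0.0.0.0" for ip, _, c, p in map(parse_port_mapping, port_specs)
            if c == port and p == proto}


if __name__ == "__main__":
    for name in unpublished_inputs(COMPOSE_PORTS, INPUTS):
        print(f"input {name!r} has no published port in the compose file")
    print("Syslog UDP 5140 bound to:", host_ips_for(COMPOSE_PORTS, 5140, "udp"))
```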

I guess that 10.0.0.14 is the IP of your Docker host and the target where you want to send messages?

That is correct. This is the internal IP of the server on which graylog is running.

Did you check if a firewall on the docker host interrupts the traffic?

It turns out it was the network security group in Azure. Thanks for your help Jan!
