Depending on how your account is set up, you might need to prefix every command below with sudo.
1) Use grubby to add a kernel boot argument that switches the system back to the cgroup v1 hierarchy (Fedora 31 and later boot with cgroup v2, which the Docker release of that time could not run containers on). Without it every container start fails with "docker: Error response from daemon: OCI runtime create failed: ...". It is a boot-time setting, so reboot after changing it
sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
sudo reboot
2) Use dnf to install Docker and docker-compose; first make sure dnf-plugins-core is installed (the install is a no-op if it already is)
sudo dnf -y install dnf-plugins-core
sudo dnf install dockerd
sudo dnf install docker-compose
then reboot
sudo reboot
3) Then create a base directory for Graylog; I chose /opt/graylog (note the full path: mkdir /graylog would create a directory at the root of the filesystem instead)
sudo mkdir -p /opt/graylog
cd /opt/graylog
4) Under it create the following directory structure (data/ holds Graylog's own config and journal, the other two are the data directories of the MongoDB and Elasticsearch containers)
/opt/graylog/data
/opt/graylog/data/config
/opt/graylog/data/journal
/opt/graylog/elasticsearchdata
/opt/graylog/mongodb
5) Next we need to put down the Graylog config files; take them from the graylog-docker branch that matches the image tag used in the compose file (3.2 here), so the config and the running version agree
cd /opt/graylog/data/config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.2/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.2/config/log4j2.xml
6) Still in the config directory, create an empty node-id file; Graylog writes its node ID into it on first start, so do not recreate it later or the node gets a new identity
touch node-id
7) Give the containers ownership of data, mongodb and elasticsearchdata so they can write to the bind mounts
sudo chown -R 1000:1000 /opt/graylog/<folder>
sudo chmod -R 777 /opt/graylog/<folder>
The chown is the part that matters. The 777 makes the whole tree world-writable on the host and only works because it papers over a uid mismatch: the compose file below runs mongo and elasticsearch as user 1000:1000, but the graylog service has no user: override and its image runs as its own user (Graylog's Docker documentation chowns the data directory to 1100:1100). Once each directory is owned by the uid its container actually runs as, 750 is enough; if a container fails with a permission denied error, fix the ownership rather than falling back to 777.
8) Next is the docker-compose file
cd /opt/graylog
nano docker-compose.yml
Remember to change mylinuxip to your Linux machine's IP xxx.xxx.xxx.xxx. Two more values must change before this goes on a real network: GRAYLOG_PASSWORD_SECRET (Graylog uses it to encrypt stored credentials; the placeholder below is public and must become a random string of at least 16 characters) and GRAYLOG_ROOT_PASSWORD_SHA2 (the hash below is SHA-256 of "admin", so anyone who can reach port 9000 can log in as admin until it is replaced). Also note that the ports are published on all interfaces, and that the memory limit under deploy: is ignored by docker-compose 1.x unless it is run with --compatibility.

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:3
    user: 1000:1000
    networks:
      - graylog
    restart: always
    volumes:
      - /opt/graylog/mongodb:/data/db:z
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.5
    user: 1000:1000
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - graylog
    restart: always
    volumes:
      - /opt/graylog/elasticsearchdata:/usr/share/elasticsearch/data:z
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:3.2
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_HTTP_EXTERNAL_URI=http://mylinuxip:9000/
    networks:
      - graylog
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
    restart: always
    volumes:
      - /opt/graylog/data/journal:/usr/share/graylog/data/journal:z
      - /opt/graylog/data/config:/usr/share/graylog/data/config:z
networks:
  graylog:
    driver: bridge
9) Firewall to resolve later; for now just stop it and restart Docker (stopping firewalld flushes the iptables rules Docker depends on, and restarting Docker recreates them). The host is unfiltered from here until the firewall is dealt with below
sudo systemctl stop firewalld
sudo systemctl restart docker
10) Start Graylog in the foreground, so the logs of all three containers are visible while it comes up
cd /opt/graylog
docker-compose up
11) In a browser connect to Graylog and log in as admin with the password whose hash is in the compose file (admin unless you changed it)
http://yourlinuxip:9000
12) Ctrl-C stops the foreground run; then take the stack down cleanly with
docker-compose down
13) Fix the firewall
Keeping firewalld from starting on boot makes the earlier stop permanent, not temporary
sudo systemctl disable firewalld
That leaves every port on the host reachable, not only Graylog's. The better fix is to keep firewalld enabled and open only the ports the compose file publishes: 9000/tcp, 1514/tcp, 1514/udp, 12201/tcp and 12201/udp.
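Steps 3 to 7 (directory tree, ownership, node-id, the two secrets in the compose file) and the firewall fix above as one script. This is an added example, not code from the original page and not Graylog's own tooling. It assumes the /opt/graylog layout, uid/gid 1000 as the page uses (pass a different uid if your graylog container runs as another user, see step 7), firewalld as the host firewall, and the short "HOST:CONTAINER[/udp]" port syntax in docker-compose.yml; the function and variable names are mine. The sample compose fragment used to exercise the firewall function is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the Graylog layout
# described above. Assumptions: /opt/graylog as base, containers running as
# uid/gid 1000 as on the page, firewalld on the host, short compose port syntax.

# Create the directory tree under $1 and set permissions for uid $2 (default
# 1000). Ownership is what the containers need; 750 replaces the page's
# world-writable 777. Re-running is safe: a node-id written by Graylog is kept.
graylog_mkdirs() {
    base=$1
    uid=${2:-1000}
    for d in data/config data/journal elasticsearchdata mongodb; do
        mkdir -p "$base/$d"
    done
    # Empty placeholder; Graylog fills it on first start, so never truncate an existing one.
    [ -e "$base/data/config/node-id" ] || : > "$base/data/config/node-id"
    chmod -R u=rwX,g=rX,o= "$base"
    # chown needs root; skipped otherwise so the function also works unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$uid" "$base"
    fi
}

# 96 random alphanumeric characters for GRAYLOG_PASSWORD_SECRET.
graylog_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
    echo
}

# Succeeds only if the secret meets Graylog's minimum length of 16 characters.
graylog_check_secret() {
    [ "${#1}" -ge 16 ]
}

# Hex SHA-256 of the admin password for GRAYLOG_ROOT_PASSWORD_SHA2. printf '%s'
# avoids hashing a trailing newline, which is the usual way to get a wrong hash.
graylog_root_password_sha2() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum
    else
        printf '%s' "$1" | shasum -a 256
    fi | cut -d' ' -f1
}

# Read a docker-compose.yml on stdin and print firewall-cmd lines that open
# exactly the published ports ("HOST:CONTAINER[/udp]" or "IP:HOST:CONTAINER[/udp]").
# Ports bound to 127.0.0.1 are skipped: nothing off-host can reach them anyway.
# Duplicates are printed once. The long-form ports: syntax is not handled.
graylog_firewall_cmds() {
    awk '
    {
        line = $0
        gsub(/[ \t]/, "", line)
        gsub("\"", "", line)
        if (line !~ /^-[0-9.]*:?[0-9]+:[0-9]+(\/(tcp|udp))?$/) next
        sub(/^-/, "", line)
        proto = "tcp"
        if (split(line, p, "/") == 2) proto = p[2]
        m = split(p[1], f, ":")
        if (m == 3) {
            if (f[1] ~ /^127\./) next
            host = f[2]
        } else {
            host = f[1]
        }
        key = host "/" proto
        if (!(key in seen)) {
            seen[key] = 1
            print "firewall-cmd --permanent --add-port=" key
        }
    }
    END { print "firewall-cmd --reload" }'
}

# Full run: build the tree, print the two environment lines to paste into
# docker-compose.yml, and print (not execute) the firewall commands for review.
graylog_setup() {
    base=${1:-/opt/graylog}
    graylog_mkdirs "$base"
    printf 'GRAYLOG_PASSWORD_SECRET=%s\n' "$(graylog_password_secret)"
    printf 'GRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$(graylog_root_password_sha2 "${GRAYLOG_ADMIN_PASSWORD:-admin}")"
    [ -f "$base/docker-compose.yml" ] && graylog_firewall_cmds < "$base/docker-compose.yml"
}

# Only act when invoked as "sh graylog-setup.sh setup [BASE]"; sourcing just defines the functions.
[ "${1:-}" = "setup" ] && graylog_setup "${2:-}"
```

Run it as root (sudo sh graylog-setup.sh setup /opt/graylog) after the compose file is in place; set GRAYLOG_ADMIN_PASSWORD first to hash something other than admin. It deliberately prints the firewall-cmd lines instead of running them, so you can compare them against the ports: section before punching holes in the host firewall.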
14) Let the Graylog stack start on boot
Every service has restart: always, so once the stack has been started detached a single time Docker brings the containers back after every reboot, provided the docker service itself is enabled to start at boot
docker-compose up -d
15) Some handy commands
docker-compose logs
docker volume ls
Delete all volumes on the host, not only Graylog's; careful with this one (this setup uses bind mounts under /opt/graylog, which are not volumes and are not touched by it)
docker volume rm $(docker volume ls -q)
Hope this helps someone; it was a couple of hours of research and is not perfect, I might have missed something. I am a relative NOOB at Linux, so forgive me if it is not 100%.