What do the multiple ports mean while running graylog through docker?

priyanker · December 5, 2019, 6:55am

I followed the steps mentioned in the documentation for installing graylog through docker.

docker run --name mongo -d mongo:3

docker run --name elasticsearch \
    -e "http.host=0.0.0.0" \
    -e "ES_JAVA_OPTS=-Xms512m -Xmx512m" \
    -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.2

 docker run --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5046:5046 \
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/" \
    -d graylog/graylog:3.1

What do all these ports mean?

I created a GELF UDP input in graylog with bind address 0.0.0.0 and port 5046
I added the following log4net AsyncGelfUdpAppender appender in my .Net project.

<appender name="AsyncGelfUdpAppender" type="Gelf4Net.Appender.AsyncGelfUdpAppender, Gelf4Net">
    <!-- Number of log lines to buffer for async send. Defaults to 10-->
    <bufferSize value="20" />
    <!-- Number of tasks to use for the async appender. 0 or fewer indicates one task per processor-->
    <threads value="2" />
    <remoteAddress value="127.0.0.1" />
    <remotePort value="5046" />
    <layout type="Gelf4Net.Layout.GelfLayout, Gelf4Net">
        <param name="AdditionalFields" value="app:AsyncUdpAppender,version:1.0,Environment:Dev,Level:%level" />
        <param name="Facility" value="RandomPhrases" />
        <param name="IncludeLocationInformation" value="true" />
        <param name="SendTimeStampAsString" value="true"/>
    </layout>
  </appender>

But no messages are getting logged to graylog.

maniel · December 5, 2019, 11:04am

Deploying via docker you just expose ports you use in your app, in case of docker it really depends ports your inputs listen on, in this case you need 9000 for graylog’s web interface and REST API, 1514 is probably syslog (514) upped by 1000 because non-root user can’t use ports smaller than 1024 (?), you don’t really need it if you don’t use corresponding input in graylog, 5046 is the port you need for your input, additionally to expose udp port you need to append /udp, in your case it should be -p 5046:5046/udp

priyanker · December 5, 2019, 11:11am

I did try this.
docker run --link mongo --link elasticsearch
-p 9000:9000 -p 12201:12201 -p 5046:5046/udp
-e GRAYLOG_HTTP_EXTERNAL_URI=“http://127.0.0.1:9000/”
-d graylog/graylog:3.1

What should the bind address be when I create an input in Graylog? Right now, it’s 0.0.0.0 and still with this configuration, I see no messages in Graylog when I log through my application.

What do you think should be the remoteAddress and remotePort value if I use the docker command above?

maniel · December 5, 2019, 11:19am

weird, it should work, maybe try external ip address of the machine you run dockerized graylog on

priyanker · December 5, 2019, 11:21am

Do you think these values are correct?

<remoteAddress value="127.0.0.1" />
    <remotePort value="5046" />

And should I change the bind address to 127.0.0.1 from 0.0.0.0 and port from 5046 to something else when creating a GELF UDP input?

maniel · December 5, 2019, 11:24am

no, 0.0.0.0 should be ok in input config, i was suggesting using non local ip address in remoteAddress, like ip of your machine instead of 127.0.0.1

system · December 19, 2019, 11:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.