Graylog2 on Docker

Docker, Firewalling, Persistence, Logging

Posted by Joost Faassen on 2016-04-09

Graylog is an awesome open source log management server.

It accepts arbitrary 'event data' over different 'inputs', and stores it in Elasticsearch.

This allows you to query, filter, and track all sorts of application events.

Graylog versions

All versions of Graylog are called Graylog2.

The current (as of April 2016) version is Graylog2 v1.3.4.

The Graylog team is working on Graylog2 v2.0.0, which is kinda/totally confusing. Hope this explanation helps :)

Graylog on Docker

There's a Graylog2 organization on Docker Hub.

You'll find the following repositories:

As v2.0.0 is still in beta, this guide will focus on the graylog2/allinone repository.

Pull the image

docker pull graylog2/allinone

Test run

You can now test the image using the following command:

docker run -t -p 9000:9000 -p 12201:12201/udp graylog2/allinone

This will start the full stack (Elasticsearch and Graylog2). No volumes are mounted, so all data will be lost when the container is destroyed.

Access the admin UI

You can access the admin UI on port 9000. For example: http://127.0.0.1:9000

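The default username and password are admin/admin. Change the password before exposing port 9000 beyond localhost; the docker-compose example below sets it through GRAYLOG_PASSWORD.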

Persistence

In order to save the stored events after a container is stopped, you'll need to mount a volume.

You can do that like this:

docker run -t -p 9000:9000 -p 12201:12201/udp \
  -e GRAYLOG_NODE_ID=some-rand-omeu-uidasnodeid \
  -e GRAYLOG_SERVER_SECRET=somesecretsaltstring \
  -v /dockerdata/graylog2/data:/var/opt/graylog/data \
  -v /dockerdata/graylog2/logs:/var/log/graylog \
  graylog2/allinone

Important: explicitly provide the same Node ID and server secret when restarting a persistent container, otherwise users won't be able to log in. You can get a UUID here.
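One way to follow the note above, as an added example that is not from the original post: generate the node ID, server secret and admin password once, store them in a mode-0600 env file, and reuse that file on every start. The file path and the function names are assumptions; --env-file is a standard docker run option.

```shell
#!/bin/sh
# Added example: keep Graylog's node ID and secrets stable across restarts.
# The env-file path and all function names are assumptions, not from the post.

# Print N random bytes from the kernel CSPRNG as lowercase hex.
rand_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# Format 16 random bytes as a version-4 UUID (variant nibble fixed to 'a').
new_uuid() {
    rand_hex 16 |
        sed -E 's/^(.{8})(.{4}).(.{3}).(.{3})(.{12})$/\1-\2-4\3-a\4-\5/'
}

# Create the env file once. Later calls leave the existing values untouched,
# so every restart sees the same node ID and server secret.
ensure_graylog_env() {
    env_file=$1
    if [ ! -s "$env_file" ]; then
        ( umask 077    # file is created mode 0600: it holds credentials
          {
            printf 'GRAYLOG_NODE_ID=%s\n' "$(new_uuid)"
            printf 'GRAYLOG_SERVER_SECRET=%s\n' "$(rand_hex 48)"
            printf 'GRAYLOG_PASSWORD=%s\n' "$(rand_hex 16)"
          } > "$env_file" )
    fi
}

# Read one value back, e.g. to look up the generated admin password.
graylog_env_get() {
    sed -n "s/^$2=//p" "$1"
}

# Start the container with the persisted values (same ports and volumes as above).
run_graylog() {
    ensure_graylog_env "$1"
    docker run -t -p 9000:9000 -p 12201:12201/udp --env-file "$1" \
        -v /dockerdata/graylog2/data:/var/opt/graylog/data \
        -v /dockerdata/graylog2/logs:/var/log/graylog graylog2/allinone
}

# Usage: run_graylog /dockerdata/graylog2/graylog.env
```

Keep the env file out of version control and back it up with the data volume: losing it has the same effect as restarting with a new secret.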

Advanced

Please refer to the documentation here for more advanced scenarios.

docker-compose

You can simplify spinning up a new Graylog2 environment by using Docker Compose.

Simply create a file called docker-compose.yml with the following contents:

graylog2:
  container_name: graylog2
  restart: always
  image: graylog2/allinone
  ports:
    # Quoted so YAML always reads the mappings as strings
    - "9000:9000"        # admin UI
    - "12201:12201/udp"
  volumes:
    - "/dockerdata/graylog2/data:/var/opt/graylog/data"
    - "/dockerdata/graylog2/logs:/var/log/graylog"
  environment:
    - GRAYLOG_TIMEZONE=Europe/Paris
    # Example values: generate your own password, node ID and server secret
    - GRAYLOG_PASSWORD=lkjDje12daDkS3kL
    - GRAYLOG_NODE_ID=32a36cdc-730f-4fc3-5bef-d2a3f2eec166
    - GRAYLOG_SERVER_SECRET=de3b93af-d430-cb63-a1d5-d71cd3bd78c0

Then simply run:

docker-compose up