I'm new to Graylog and I'm trying to use Graylog in a Docker container, but the logs from the other containers do not arrive in Graylog and nothing is displayed on the Search page of the Graylog web interface.
What should I do so that the logs of the containers arrive in Graylog?
Below, I describe my attempt:
On a single host, running Docker Swarm with just one node (itself).
The local IP of this host is: 10.0.0.5
Inside a folder, I have some files:
- docker-compose.yml
- graylog.js
The content of my docker-compose.yml is:
version: "3.3"
networks:
  ambiente:
    external: true
services:
  # MONGO
  mongo:
    image: mongo:4.2
    networks:
      - ambiente
    environment:
      - MONGO_INITDB_ROOT_USERNAME=root
      - MONGO_INITDB_ROOT_PASSWORD=drUqGGCMh
    volumes:
      - ./graylog.js:/docker-entrypoint-initdb.d/graylog.js:ro
  # ELASTICSEARCH
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    environment:
      - "http.host=0.0.0.0"
      - "discovery.type=single-node"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    networks:
      - ambiente
  # GRAYLOG
  graylog:
    image: graylog/graylog:4.1.0
    environment:
      - GRAYLOG_HTTP_EXTERNAL_URI=http://10.0.0.5:9000/
      # Pass is "admin"
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_ELASTICSEARCH_DISCOVERY_ENABLED=true
      - GRAYLOG_MONGODB_URI=mongodb://graylog:vWGzncmBe9@mongo:27017/graylog
      - GRAYLOG_MESSAGE_JOURNAL_ENABLED=false
    depends_on:
      - mongo
      - elasticsearch
    ports:
      - "9000:9000"
      - "12201:12201"
      - "1514:1514"
    networks:
      - ambiente
The content of graylog.js is:
graylog = db.getSiblingDB('graylog');
graylog.createUser(
  {
    user: "graylog",
    pwd: "vWGzncmBe9",
    roles: [
      { role: "dbOwner", db: "graylog" }
    ]
  }
);
On the host, I created the file /etc/docker/daemon.json with the content:
{
  "metrics-addr": "10.0.0.5:9323",
  "experimental": true,
  "log-driver": "gelf",
  "log-opts": {
    "gelf-address": "udp://10.0.0.5:12201"
  }
}
After creating the file, I restarted the Docker service and checked its status:
service docker restart
service docker status
The status of the Docker service is ACTIVE:
Active: active (running) since Sat 2021-06-26 16:58:31 -03; 1min 2s ago
Then I created a Docker network:
docker network create -d overlay ambiente
And then I deployed the stack:
docker stack deploy graylog -c docker-compose.yml
With Graylog running, from the web interface under System/Inputs, I created a global input like:
bind_address: 0.0.0.0
decompress_size_limit: 8388608
number_worker_threads: 12
override_source:
port: 12201
recv_buffer_size: 262144
Thanks for any help!
I just found the answer after a long time on Google!
Posting this answer here to help anyone with the same difficulty that I had.
The issue was in the docker-compose.yml file, in the graylog ports, because I used the UDP protocol:
Before (not working), because Docker ports default to the TCP protocol:
Now (working), the Docker ports are on both the TCP and UDP protocols:
Testing from any container:
and the message appears on the Graylog web interface:
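
The mismatch this answer describes, as an added example that is not part of the original post: it compares the protocol in the daemon's `gelf-address` with the protocols the compose `ports` entries actually publish, and builds a GELF 1.1 datagram for a manual UDP test. The function names are hypothetical, and `PORTS_AFTER` is an assumed corrected form, since the answer's own before/after snippets are not shown on the page.

```python
import json
import socket
from urllib.parse import urlparse

# Values copied from the question's daemon.json and docker-compose.yml.
DAEMON_JSON = '{"log-driver": "gelf", "log-opts": {"gelf-address": "udp://10.0.0.5:12201"}}'
PORTS_BEFORE = ["9000:9000", "12201:12201", "1514:1514"]
# Assumed corrected form (the answer's own snippet is not shown on the page).
PORTS_AFTER = ["9000:9000", "12201:12201/tcp", "12201:12201/udp", "1514:1514"]

def published_ports(port_specs):
    """Parse compose short-syntax entries into {(host_port, protocol)}.
    Docker publishes TCP only when an entry has no "/protocol" suffix."""
    found = set()
    for spec in port_specs:
        mapping, _, proto = spec.partition("/")
        parts = mapping.split(":")  # HOST:CONTAINER or IP:HOST:CONTAINER
        # Port ranges and bare container ports are skipped in this sketch.
        if len(parts) >= 2 and parts[-2].isdigit():
            found.add((int(parts[-2]), (proto or "tcp").lower()))
    return found

def gelf_target(daemon_json_text):
    """Return (protocol, host, port) of the daemon's gelf-address option."""
    url = urlparse(json.loads(daemon_json_text)["log-opts"]["gelf-address"])
    return url.scheme, url.hostname, url.port

def gelf_reachable(daemon_json_text, port_specs):
    """True only when the log driver's port AND protocol are both published."""
    proto, _host, port = gelf_target(daemon_json_text)
    return (port, proto) in published_ports(port_specs)

def gelf_datagram(source, text):
    """Build an uncompressed GELF 1.1 message for a manual UDP test."""
    msg = {"version": "1.1", "host": source, "short_message": text, "level": 6}
    return json.dumps(msg).encode("utf-8")

def send_gelf_udp(address, port, payload):
    """Send one datagram; UDP itself gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (address, port))

if __name__ == "__main__":
    print("before:", gelf_reachable(DAEMON_JSON, PORTS_BEFORE))
    print("after: ", gelf_reachable(DAEMON_JSON, PORTS_AFTER))
```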