I have this stack running; here is my Docker Compose file and some hints for reference.
Things I had to do: create the directories first, and ensure the Graylog journal is on an exclusive-access share; otherwise the Graylog container will occasionally lock up and need to be restarted.
Add
`--log-driver=syslog --log-opt tag="add the container name here" --log-opt syslog-address=tcp://serveriphere:5140` to the extra parameters field of
each container you want to monitor. I also believe this stack needs to start first; otherwise the monitored containers will not start until the stack is up.
There may be a way to solve this, but I don't really have time to dig into it at the moment.
I also set up NXLog for Windows using this guide.
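# Graylog 4.2 + Elasticsearch OSS 7.10.2 + MongoDB 5.0 logging stack.
# Services, images, mounts and published ports are unchanged from the original;
# the indentation was restored and the two Graylog secrets were moved out of
# the file into Compose variable substitution.
version: "3.8"

services:
  mongodb:
    image: "mongo:5.0"
    volumes:
      - "/mnt/user/graylog/mongodb_data:/data/db"
    restart: "on-failure"

  elasticsearch:
    image: "docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2"
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
      bootstrap.memory_lock: "true"
      discovery.type: "single-node"
      # No ports are published for this service, so 0.0.0.0 only listens on the
      # compose network; Graylog reaches it as http://elasticsearch:9200.
      http.host: "0.0.0.0"
      action.auto_create_index: "false"
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile: 65535  # added to get rid of the Elasticsearch file-limit warning
    volumes:
      - "/mnt/user/graylog/es_data:/usr/share/elasticsearch/data"
    restart: "on-failure"

  graylog:
    image: "graylog/graylog:4.2"
    depends_on:
      elasticsearch:
        condition: "service_started"
      mongodb:
        condition: "service_started"
    # service_started only waits for the containers to exist; wait-for-it in the
    # entrypoint is what actually blocks until Elasticsearch accepts connections.
    entrypoint: "/usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh"
    environment:
      GRAYLOG_TIMEZONE: "Europe/Stockholm"
      TZ: "Europe/Stockholm"
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      # Secrets are read from the shell environment or a .env file that is not
      # committed; the `:?` form makes `docker compose up` fail fast with the
      # given message instead of starting Graylog with a placeholder secret.
      GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?GRAYLOG_PASSWORD_SECRET is not set}"
      # sha256 hex digest of the admin password (the value the original left as
      # "youneedtogeneratethis").
      GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?GRAYLOG_ROOT_PASSWORD_SHA2 is not set}"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://elasticsearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    # All mappings below are published on every host interface; the syslog
    # inputs (5140) must be reachable from the other containers' log drivers,
    # but the web UI/API on 9000 can be restricted by prefixing the mapping with
    # a host IP (host_ip:9000:9000/tcp) if it should not be exposed broadly.
    ports:
      - "5044:5044/tcp"    # Beats
      - "5140:5140/udp"    # Syslog
      - "5140:5140/tcp"    # Syslog
      - "5555:5555/tcp"    # RAW TCP
      - "5555:5555/udp"    # RAW UDP
      - "9000:9000/tcp"    # Server API / web UI
      - "12201:12201/tcp"  # GELF TCP
      - "12201:12201/udp"  # GELF UDP
      - "10000:10000/tcp"  # Custom TCP port
      - "10000:10000/udp"  # Custom UDP port
      - "13301:13301/tcp"  # Forwarder data
      - "13302:13302/tcp"  # Forwarder config
    volumes:
      - "/mnt/user/appdata/graylog/graylog_data:/usr/share/graylog/data/data"
      # The journal lives on an exclusive share: a shared mount made the
      # container lock up occasionally (see the notes above the file).
      - "/mnt/user/appdata/graylog/graylog_journal:/usr/share/graylog/data/journal"
    restart: "on-failure"

# These named volumes are declared but not referenced by any service above —
# every service uses a host bind mount instead. Kept for compatibility; they
# can be removed if the bind mounts stay.
volumes:
  mongodb_data:
  es_data:
  graylog_data:
  graylog_journal: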