dnoyeb Posted February 28, 2017

Me and one of the guys at work went through the process to get this working and figured we'd share since there isn't an unraid community apps setup done for this...

First up, make sure you turn on the Docker hub search feature for community apps...

You'll install three separate dockers, all outlined below...

MongoDB Docker setup
- Add MongoDB from Community apps
- change name for MongoDB docker to some-mongo

Elasticsearch Docker setup
- Add Elasticsearch (official) from docker hub
- Change Repository for Elastic to: elasticsearch:2 elasticsearch -Des.cluster.name="graylog"
- change name for Elasticsearch docker to some-elasticsearch
- Set path /mnt/user/appdata/graylog/data/elasticsearch for /usr/share/elasticsearch/data

Graylog2 Docker Setup
- Install graylog2 from DockerHUB (graylog2/server)
- Put these in extra parameters: --link some-mongo:mongo --link some-elasticsearch:elasticsearch
- create variable with key= GRAYLOG_WEB_ENDPOINT_URI and set key's value to = http://127.0.0.1:9000/api
- Add TCP port 9000
- add UDP port 514
- add UDP port 12201
- Set path /mnt/user/appdata/graylog/data/journal for /usr/share/graylog/data/journal
- Set path /mnt/user/appdata/graylog/config for /usr/share/graylog/data/config

On unraid box, cd into your /mnt/user/appdata/graylog/config folder and run the following two commands:

wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog2-images/2.1/docker/config/log4j2.xml

Anyways, after doing that, you'll have the three dockers all communicating at each other... you have to setup an input in Graylog (I use syslog UDP 514) and point your various servers at it...

Going to play more with getting all the other dockers to dump their syslogs into that setup next and will update the post once I do.

LEXmono Posted February 28, 2017

Confirmed working! Thanks!

LEXmono Posted February 28, 2017

So adding the following to "Extra Parameters" on each docker will allow you to offload the syslog to the IP and port specified. Make sure you change the value of tag to something notable so you can sort in Graylog and your IP of course.

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.55:514

If you are using TCP on your input you can use:

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=tcp://192.168.1.55:514

WiFivomFranMan Posted July 29, 2017

Elasticsearch Docker setup

How do you install the elasticsearch?

drsparks68 Posted March 19, 2018

On 2/28/2017 at 12:14 PM, LEXmono said:

So adding the following to "Extra Parameters" on each docker will allow you to offload the syslog to the IP and port specified. Make sure you change the value of tag to something notable so you can sort in Graylog and your IP of course.
--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.55:514
If you are using TCP on your input you can use:
--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=tcp://192.168.1.55:514

I tried doing this once I had my syslog server up and it seemed to cause all of my dockers to become orphaned after they were automatically updated and restarted. I pulled this string out of the Extra Parameters field and they started up again.

dnoyeb Posted March 21, 2018

Yeah, they've changed docker up a bit so I'm guessing my old directions are no longer valid. I have since moved on to using Splunk as a VM since I find that I don't come close to the 500mb of data a day limit for free use.

ppunraid Posted March 22, 2018

@drsparks68, how did you get graylog working? I get to the graylog front end page and get the following:

We are experiencing problems connecting to the Graylog server running on http://127.0.0.1:9000/api. Please verify that the server is healthy and working correctly.
You will be automatically redirected to the previous page once we can connect to the server.
Do you need a hand? We can help you.
Less details
This is the last response we received from the server:
Error message
Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.
Original Request
GET http://127.0.0.1:9000/api/system/sessions
Status code
undefined
Full error message
Error: Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.

In the logs, it appears everything is connecting up.

Jcloud Posted March 23, 2018

This looks like something fun to play with. Thanks for taking the time to make the write-up.

For me this begged the question, (I looked on webgui, but not forums yet) "is there a way to fork the unRAID log to an optional syslog server?" Secondary question, is there necessarily a reason for this? I.e., would such log data (unRaid host) be useful? Log data is always useful.

drsparks68 Posted March 23, 2018

@ppunraid, I never did. I ran into similar issues getting it connected. I ended up using the Splunk Lite container.

dnoyeb Posted March 23, 2018

19 hours ago, Jcloud said:

This looks like something fun to play with. Thanks for taking the time to make the write-up. For me this begged the question, (I looked on webgui, but not forums yet) "is there a way to fork the unRAID log to an optional syslog server?" Secondary question, is there necessarily a reason for this? I.e would such log data (unRaid host) be useful? Log data is always useful.

I too agree it would be nice to fork (not completely redirect) the unraid log to a secondary log server... Haven't ever seen a way to do that though.

drsparks68 Posted March 23, 2018

31 minutes ago, dnoyeb said:

I too agree it would be nice to fork (not completely redirect) the unraid log to a secondary log server... Haven't ever seen a way to do that though.

+1

flamegrilled Posted June 29, 2020

Hi, I cannot login. Change passwords and added to the Graylog.conf file. Any clues as to why? Is the password (which is more than 16 char) the issue? Pics show containers off atm.

Thanks

Got it working by changing password. Modifying timezone. Going to reinstall again to confirm install.

ppunraid Posted June 29, 2020

8 hours ago, flamegrilled said:

Hi , I cannot login.Change passwords and added to the Graylog.conf file.Any clues as to why.Is the password (which is more 16 char) the issue?Pics show containers off atm. Thanks Got it working by changing password. Modifying timezone.Going to reinstall again to confirm install.

I finally got this setup during lockdown. If this is your first run, you have to login as root which needs to be encrypted as sha2 format in your conf file. Then after that you can use your admin password going forward.

flamegrilled Posted June 30, 2020

17 hours ago, ppunraid said:

I finally got this setup during lockdown, If this is your first run, you have to login as root which needs to be encrypted as sha2 format in your conf file. Then after that you can use your admin password going forward.

Thank you. That's it. Added the sha2 formatted password to the docker config and it worked.

capino Posted May 13, 2021

I'm running unRaid 6.9.2 and tried the extra parameters, but nothing is landing in Graylog.

--log-driver=syslog --log-opt tag="radarr" --log-opt syslog-address=udp://192.168.1.17:5442

My Graylog server is running as a docker on ip 192.168.1.17. When I do the same from docker on my MacBook, the logs are landing in Graylog. I also tried the GELF log-driver, but the same problem within UnRaid, but from MacBook it works.

Does anybody have a solution for this?

capino Posted May 13, 2021

It had to do with the fact that Unraid cannot talk to dockers with a static IP. I changed Elasticsearch, MongoDB and Graylog to the host IP and now it works.

idscomm Posted August 31, 2022

Hi folks, Is this still the best way (up to date procedure) to install Graylog to Unraid Docker? I did some research and found this link talking about docker compose... Just wondering the best way to install Graylog on Unraid.

witalit Posted December 4, 2023

On 8/31/2022 at 3:25 PM, idscomm said:

Hi folks, Is this still the best way (up to date procedure) to install Graylog to Unraid Docker? I did some research and found this link talking about docker compose... Just wondering the best way to install Graylog on Unraid.

Did you manage to get Graylog installed?

idscomm Posted December 4, 2023

I did not install it no… it’s a project as I’d like to have overtime going but for now I don’t have the time to do it unfortunately.

ppunraid Posted December 4, 2023

I've had this running for some time now, but since I moved my docker image, a lot of my dockers are broken, which I'm working through. It still runs ATM, but it appears the database is corrupted.

lostit Posted January 26

I have this stack running, here is my docker compose file and some hints for reference.

Things I had to do:
- Create the directories first, ensure the graylog journal is on an exclusive access share otherwise the graylog container will lock up occasionally and require to be restarted.
- Add --log-driver=syslog --log-opt tag="add the container name here" --log-opt syslog-address=tcp://serveriphere:5140 to extra parameters field in each container you want to monitor.

I also believe this stack needs to start first otherwise the monitored containers will not start until the stack is up. There may be a way to solve this but I don't really have time to dig into it at the moment.

I also implemented the nxlog for windows using this guide

version: "3.8"
services:
  mongodb:
    image: "mongo:5.0"
    volumes:
      - "/mnt/user/graylog/mongodb_data:/data/db"
    restart: "on-failure"
  elasticsearch:
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"
      bootstrap.memory_lock: "true"
      discovery.type: "single-node"
      http.host: "0.0.0.0"
      action.auto_create_index: "false"
    image: "docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2"
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile: 65535 # added to get rid of the elasticsearch file limit warning
    volumes:
      - "/mnt/user/graylog/es_data:/usr/share/elasticsearch/data"
    restart: "on-failure"
  graylog:
    image: "graylog/graylog:4.2"
    depends_on:
      elasticsearch:
        condition: "service_started"
      mongodb:
        condition: "service_started"
    entrypoint: "/usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh"
    environment:
      GRAYLOG_TIMEZONE: "Europe/Stockholm"
      TZ: "Europe/Stockholm"
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      GRAYLOG_PASSWORD_SECRET: "putyourpasswordhere"
      GRAYLOG_ROOT_PASSWORD_SHA2: "youneedtogeneratethis"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://elasticsearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    ports:
      - "5044:5044/tcp"   # Beats
      - "5140:5140/udp"   # Syslog
      - "5140:5140/tcp"   # Syslog
      - "5555:5555/tcp"   # RAW TCP
      - "5555:5555/udp"   # RAW UDP
      - "9000:9000/tcp"   # Server API
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      - "10000:10000/tcp" # Custom TCP port
      - "10000:10000/udp" # Custom UDP port
      - "13301:13301/tcp" # Forwarder data
      - "13302:13302/tcp" # Forwarder config
    volumes:
      - "/mnt/user/appdata/graylog/graylog_data:/usr/share/graylog/data/data"
      - "/mnt/user/appdata/graylog/graylog_journal:/usr/share/graylog/data/journal" # my appdata is set as an exclusive share so this works for me
    restart: "on-failure"
volumes:
  mongodb_data:
  es_data:
  graylog_data:
  graylog_journal:

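The compose file above leaves GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2 as placeholders, and earlier posts in the thread trace the login failure to the "sha2 format" root password. The following is an added example, not code from any post in this thread, showing one way to generate both values; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate the two secrets the compose file leaves as placeholders.

# Print the SHA-256 hex digest of a password, the form expected by
# root_password_sha2 / GRAYLOG_ROOT_PASSWORD_SHA2.
# printf '%s' is used instead of echo so that no trailing newline is hashed;
# a hashed newline gives a different digest and the login is rejected.
graylog_root_sha2() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Print a random hex string for password_secret / GRAYLOG_PASSWORD_SECRET.
# Graylog rejects a password_secret shorter than 16 characters, so the
# function refuses to produce one. Default length is 64.
graylog_password_secret() {
    len="${1:-64}"
    if [ "$len" -lt 16 ]; then
        echo "password_secret must be at least 16 characters" >&2
        return 1
    fi
    # len random bytes -> 2*len hex characters, trimmed to len characters.
    head -c "$len" /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-"$len"
}

# Print both environment entries in the form used by the compose file.
# $1 is the password you will type at the Graylog login page.
graylog_secret_env() {
    secret="$(graylog_password_secret 64)" || return 1
    printf 'GRAYLOG_PASSWORD_SECRET: "%s"\n' "$secret"
    printf 'GRAYLOG_ROOT_PASSWORD_SHA2: "%s"\n' "$(graylog_root_sha2 "$1")"
}

# Usage, reading the password without echoing it to the terminal:
#   stty -echo; read -r pw; stty echo
#   graylog_secret_env "$pw"
```

Keep the generated password_secret unchanged across container rebuilds, since Graylog uses it to protect stored user passwords.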