
Graylog Docker container

Introduction

I want to get some experience ingesting and sorting through data in Graylog. A Docker container is a perfect way to quickly and easily set this up. In the future I want to set up a more robust version but this works for now.

Install Docker

You can see guides on how to here. After you install Docker, install the compose plugin.

Once both of those are installed run:

sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
sudo systemctl enable docker.service
sudo systemctl enable containerd.service

This will perform the Docker post install steps and configure the daemon to start automatically.

Create and deploy the Graylog containers with docker-compose

I created a docker-compose.yml to make deployment easier, since three separate containers are needed: the Graylog container itself plus the Elasticsearch and MongoDB containers it depends on.

docker-compose.yml

version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:4.2
    container_name: mongo
    networks:
      - graylog
    # DB in a named volume for persistence
    volumes:
      - mongo_data:/data/db

  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    container_name: elasticsearch
    # data folder in a named volume for persistence
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
    networks:
      - graylog

  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2
    container_name: graylog
    # journal directory in a named volume for persistence
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592
      - GRAYLOG_HTTP_EXTERNAL_URI=http://0.0.0.0:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    networks:
      - graylog
    links:
      - mongodb:mongo
      - elasticsearch
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
networks:
  graylog:
    driver: bridge

Make sure to create your own password and replace the “somepasswordpepper”:

pwgen -N 1 -s 96

Then generate the SHA256 hash for it:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Log in with:

username : admin
password <GRAYLOG_PASSWORD_SECRET>
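As an added pre-deployment check (my own example, not code from this post or from Graylog), the script below reproduces the two shell steps above in Python and flags a compose environment block that still carries the tutorial placeholder secret or an admin hash of a well-known password. Keep in mind that GRAYLOG_PASSWORD_SECRET (the pepper) and GRAYLOG_ROOT_PASSWORD_SHA2 (the admin login hash) are separate settings; the sample environment text embedded in the script is constructed from the compose file above.

```python
import hashlib
import re
import secrets
import string

# Constructed sample: the graylog service's environment block as it appears in
# the compose file above, i.e. with the placeholder secret still in place.
SAMPLE_ENV = """\
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      - GRAYLOG_ROOT_PASSWORD_SHA2=e1b24204830484d635d744e849441b793a6f7e1032ea1eef40747d95d30da592
      - GRAYLOG_HTTP_EXTERNAL_URI=http://0.0.0.0:9000/
"""
# Hashes of passwords nobody should still be using for the Graylog admin account.
WEAK_ROOT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in ("admin", "password")}

def new_password_secret(length=96):
    """Same job as `pwgen -N 1 -s 96`: a random alphanumeric secret."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def root_password_sha2(password):
    """Same result as the `echo -n ... | sha256sum` pipeline on the page."""
    return hashlib.sha256(password.encode()).hexdigest()

def parse_env(text):
    """Collect KEY=VALUE pairs from the list items under `environment:`."""
    pattern = re.compile(r'^\s*-\s*"?([A-Z0-9_]+)=([^"\n]*)"?\s*$', re.M)
    return {m.group(1): m.group(2) for m in pattern.finditer(text)}

def check_graylog_env(env):
    """Return human-readable findings; an empty list means the settings pass."""
    findings = []
    secret = env.get("GRAYLOG_PASSWORD_SECRET", "")
    if secret == "somepasswordpepper":
        findings.append("GRAYLOG_PASSWORD_SECRET is the placeholder from the tutorial")
    if len(secret) < 16:
        findings.append("GRAYLOG_PASSWORD_SECRET is shorter than 16 characters")
    sha2 = env.get("GRAYLOG_ROOT_PASSWORD_SHA2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", sha2):
        findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is not a lowercase 64-hex-digit SHA-256")
    elif sha2 in WEAK_ROOT_HASHES:
        findings.append("GRAYLOG_ROOT_PASSWORD_SHA2 is the hash of a well-known password")
    return findings

if __name__ == "__main__":
    for finding in check_graylog_env(parse_env(SAMPLE_ENV)):
        print("WARN:", finding)
    print("fresh secret:", new_password_secret())
```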

Next run the containers in detached mode.

docker compose up -d

Wait a few minutes for the containers to deploy and for the console to load. You can check the status of your containers with docker ps. If a container does not show up, it may have failed; to see why, run docker logs <container_name>.

To access the Graylog console navigate to http://localhost:9000


Generating Practice Data

Since I am developing this in the Ubuntu app on a Windows host, I need a way to send Windows Event Logs to Graylog. There were multiple options, but the best documented one was installing and configuring NXLog. I followed the HackerTips guide to forward Windows Event Logs to the GELF UDP input on port 12201. I now have some practice data to use on my Graylog instance.

Resources

https://computingforgeeks.com/how-to-run-graylog-server-in-docker-containers/

https://thehackertips.com/sending-syslog-from-windows-hosts-to-graylog-server/

This post is licensed under CC BY 4.0 by the author.