. . .

[Graylog] installation


Introduction

Graylog is an industry leading log monitoring solution used by ApiOmat to manage logging from Yambas and all other services in a centralized application. Graylog allows real-time log analysis and customize log monitoring. For more information about Graylog, visit https://www.graylog.org.

Prerequisites

Following default ports should be available :

  • 9000 (Default Graylog instance)

  • 12201 (Default GELF TCP & UDP input port)

  • 514 (Default Syslog TCP & UDP input port)

System requirements

(Taken from https://docs.graylog.org/en/2.4/pages/installation.html#system-requirements)

The following configurations are recommended.

Please check the official compatibility list between graylog and elasticsearch e.g. https://docs.graylog.org/en/4.0/pages/configuration/elasticsearch.html#elasticsearch-versions

Installation

Linux and Windows

Graylog is not included in our installation package and must be installed separately. Follow the instructions from Graylog directly.

Docker Compose
Docker Compose
# Docker login
docker login -u <USERNAME> -p <PASSWORD>
 
# Store the following file and execute:
docker-compose -f aom-graylog.compose up

aom-graylog.compose:

Docker Compose
version: '3.5'
services:
graylog:
image: graylog/graylog:3.0
ports:
# api
- "9000:9000"
# GELF
- "12201:12201"
- "12201:12201/udp"
# Syslog
- "514:514"
- "514:514/udp"
depends_on:
- elasticsearch
- mongodb
- consul
links:
- elasticsearch
- mongodb:mongo
- consul
environment:
- GRAYLOG_PASSWORD_SECRET=somepasswordpepper
- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
- GRAYLOG_HTTP_EXTERNAL_URI=http://host.docker.internal:9000/
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.1
environment:
- http.host=0.0.0.0
- transport.host=localhost
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
consul:
image: library/consul
ports:
- "8500:8500"
command: agent -dev -ui -client=0.0.0.0
mongodb:
image: mongo:3
ports:
- "27017:27017"
command: --smallfiles

Configuration

Linux and Windows

Configuration are described in the Graylog installation wiki for each system.

Docker

Environmental Variables

The following variables are mentioned in the docker compose file above; for further configuration using docker you can refer to Graylog docker configuration.

Key

Default

Explanation

GRAYLOG_PASSWORD_SECRET

somepasswordpepper

GRAYLOG_ROOT_PASSWORD_SHA2

8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

Encoded root password (default is admin)

GRAYLOG_HTTP_EXTERNAL_URI

http://127.0.0.1:9000/

graylog host that should be available from outside. This was formerly known as Web endpoint to access graylog api (for more information about graylog rest api you can refer to Graylog rest api documentation)

logback.xml

To enable sending logs to Graylog you should have a logback.xml configuration to your service (Graylog host is defined as "graylog" assuming you are running your services in a docker container on the same network):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<springProperty name="serviceName" source="spring.application.name"/>
<include resource="org/springframework/boot/logging/logback/base.xml" />
 
<!-- send logs to graylog -->
<appender name="GELF" class="de.siegmar.logbackgelf.GelfUdpAppender">
<graylogHost>graylog</graylogHost>
<graylogPort>12201</graylogPort>
<layout class="de.siegmar.logbackgelf.GelfLayout">
<includeRawMessage>false</includeRawMessage>
<includeMarker>true</includeMarker>
<includeMdcData>true</includeMdcData>
<includeCallerData>true</includeCallerData>
<includeRootCauseData>true</includeRootCauseData>
<includeLevelName>true</includeLevelName>
<shortPatternLayout class="ch.qos.logback.classic.PatternLayout">
<pattern>%m%nopex</pattern>
</shortPatternLayout>
<fullPatternLayout class="ch.qos.logback.classic.PatternLayout">
<pattern>%m</pattern>
</fullPatternLayout>
<staticField>service_name:${serviceName}</staticField>
<staticField>os_arch:${os.arch}</staticField>
<staticField>os_name:${os.name}</staticField>
<staticField>os_version:${os.version}</staticField>
</layout>
</appender>
 
<logger name="perfStatsLogger" level="WARN">
<appender-ref ref="GELF" />
</logger>

Authentication setup

Default authentication on Graylog dashboard is "admin":"admin". To log in, go to your Graylog endpoint (default https://localhost:9000) and simply enter the admin credentials:

images/download/attachments/75831444/grayloglogin.png

You can read more about Graylogs security at the official documentation.

Next steps

Connect to the log manager as describe in Authentication part. When using docker the port 12201 is open for input requests for GELF TCP & UDP. You need to create input listeners for that under "System/Inputs" > "inputs":

images/download/attachments/75831444/graylog-inputs.png

Once your input listeners are configured and started, you can now search and manage your logs navigating using the "Search tab", or you can click the "Show received messages" of an input to see the log received on that specific input. Default input used by services is UDP port 12201. You should now be able to filter the log :

images/download/attachments/75831444/search-graylog.png