docker.recipes

Graylog

intermediate

Centralized log management with search and analysis capabilities.

Overview

Graylog is an enterprise-grade centralized log management platform that aggregates, indexes, and analyzes log data from across your infrastructure. Originally created in 2010 by Lennart Koopmann, Graylog has evolved into a comprehensive solution for collecting structured and unstructured data from servers, applications, network devices, and cloud services, providing real-time search capabilities and powerful analytics to help organizations maintain visibility into their systems.

This stack combines Graylog with MongoDB for metadata storage and OpenSearch for full-text indexing and search functionality. MongoDB stores Graylog's configuration, user accounts, dashboards, and metadata, while OpenSearch handles the heavy lifting of indexing log messages and providing lightning-fast search capabilities across millions of log entries. OpenSearch, Amazon's open-source fork of Elasticsearch, delivers the scalable search engine that powers Graylog's query interface and enables complex log analysis.

This three-tier architecture is ideal for organizations that need robust log management without the complexity of managing separate logging solutions. DevOps teams, security analysts, and system administrators benefit from having centralized visibility into application behavior, security events, and system performance metrics, while the web-based interface makes log analysis accessible to both technical and non-technical team members.

Key Features

  • GELF (Graylog Extended Log Format) input support for structured logging with custom fields and metadata
  • Real-time stream processing with configurable rules for routing, filtering, and enriching log messages
  • MongoDB-backed configuration persistence ensuring dashboard and input configurations survive container restarts
  • OpenSearch integration providing full-text search across indexed log data with sub-second query response times
  • Multi-protocol log ingestion supporting syslog, GELF, and custom TCP/UDP inputs simultaneously
  • Built-in alerting system with email notifications based on configurable search conditions and thresholds
  • Role-based access control with user authentication and authorization managed through MongoDB
  • Stream-based log routing allowing different log types to be processed and stored with separate retention policies

Common Use Cases

  • Application troubleshooting by correlating error logs across microservices and identifying root causes
  • Security monitoring and incident response through centralized collection of authentication logs and security events
  • Compliance reporting for regulations requiring log retention and audit trails of system access
  • Performance monitoring by analyzing application response times and database query logs
  • Infrastructure monitoring for server health metrics, network device logs, and cloud service events
  • Development environment debugging with real-time log streaming during application testing
  • Capacity planning through historical analysis of system resource usage patterns and growth trends

Prerequisites

  • Minimum 4GB RAM available (2GB for OpenSearch, 1GB for MongoDB, 1GB for Graylog)
  • Generated GRAYLOG_PASSWORD_SECRET environment variable using openssl or similar cryptographic tool
  • SHA256 hash of admin password stored in GRAYLOG_ROOT_PASSWORD_SHA2 environment variable
  • Ports 9000, 1514, and 12201 available on the host system for web interface and log ingestion
  • Basic understanding of log formats (syslog, JSON) and network protocols for configuring log sources
  • At least 10GB available disk space for initial log storage and index data growth

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  mongodb:
    image: mongo:6
    container_name: graylog-mongo
    restart: unless-stopped
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog-network

  opensearch:
    image: opensearchproject/opensearch:2
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      discovery.type: single-node
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
      # Turns off the OpenSearch security plugin (TLS and authentication); development only
      DISABLE_SECURITY_PLUGIN: "true"
    volumes:
      - opensearch_data:/usr/share/opensearch/data
    networks:
      - graylog-network

  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    environment:
      # Both values are read from the .env file
      GRAYLOG_PASSWORD_SECRET: ${GRAYLOG_PASSWORD_SECRET}
      GRAYLOG_ROOT_PASSWORD_SHA2: ${GRAYLOG_ROOT_PASSWORD_SHA2}
      GRAYLOG_HTTP_EXTERNAL_URI: http://localhost:9000/
      GRAYLOG_ELASTICSEARCH_HOSTS: http://opensearch:9200
      GRAYLOG_MONGODB_URI: mongodb://mongodb:27017/graylog
    ports:
      - "9000:9000"        # web interface
      - "1514:1514"        # syslog (TCP)
      - "1514:1514/udp"    # syslog (UDP)
      - "12201:12201"      # GELF (TCP)
      - "12201:12201/udp"  # GELF (UDP)
    depends_on:
      - mongodb
      - opensearch
    networks:
      - graylog-network

volumes:
  mongo_data:
  opensearch_data:

networks:
  graylog-network:
    driver: bridge

.env Template

.env
# Template values; replace both. The hash below is the SHA-256 of "admin".
GRAYLOG_PASSWORD_SECRET=somepasswordpepper
GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

Usage Notes

  1. Docs: https://go2docs.graylog.org/
  2. UI at http://localhost:9000 - log in as admin with the password whose SHA-256 hash is set in GRAYLOG_ROOT_PASSWORD_SHA2
  3. Generate password hash: echo -n yourpassword | sha256sum
  4. GELF input on port 12201 (TCP/UDP) - native Graylog format
  5. Syslog input on port 1514 for traditional log forwarding
  6. Create Inputs in System > Inputs before logs can be received
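
The secret and hash steps above, as an added example that is not part of the recipe: shell helpers that write a fresh .env and flag one that still carries the template values. The function names are chosen for this example, and sha256sum, sed and grep are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example (not part of the recipe): generate and audit the .env file.
# Both constants are the template values printed in the page's .env.
TEMPLATE_SECRET='somepasswordpepper'
TEMPLATE_HASH='8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918'

# sha256_hex PASSWORD -> lowercase hex digest. printf '%s' keeps a trailing
# newline out of the hash, the same reason the page uses `echo -n`.
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# random_secret -> 96 hex characters (48 random bytes); openssl if present,
# otherwise /dev/urandom.
random_secret() {
  openssl rand -hex 48 2>/dev/null ||
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# make_env PASSWORD -> .env contents on stdout.
make_env() {
  printf 'GRAYLOG_PASSWORD_SECRET=%s\n' "$(random_secret)"
  printf 'GRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$(sha256_hex "$1")"
}

# audit_env FILE -> one finding per line; non-zero status if any finding.
# The body runs in a subshell, so its variables stay local.
audit_env() (
  secret=$(sed -n 's/^GRAYLOG_PASSWORD_SECRET=//p' "$1")
  hash=$(sed -n 's/^GRAYLOG_ROOT_PASSWORD_SHA2=//p' "$1")
  rc=0
  if [ -z "$secret" ] || [ "$secret" = "$TEMPLATE_SECRET" ]; then
    echo "GRAYLOG_PASSWORD_SECRET is unset or still the template value"; rc=1
  fi
  if [ "$hash" = "$TEMPLATE_HASH" ]; then
    echo "GRAYLOG_ROOT_PASSWORD_SHA2 is the template hash (password: admin)"; rc=1
  elif ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "GRAYLOG_ROOT_PASSWORD_SHA2 is not 64 lowercase hex characters"; rc=1
  fi
  [ "$rc" -eq 0 ]
)
```

In bash, read the password with `read -rs pw` and run `make_env "$pw" > .env` so it stays out of the shell history; `audit_env .env` can then run before `docker compose up -d`.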

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

mongodb
mongodb:
  image: mongo:6
  container_name: graylog-mongo
  restart: unless-stopped
  volumes:
    - mongo_data:/data/db
  networks:
    - graylog-network

opensearch
opensearch:
  image: opensearchproject/opensearch:2
  container_name: graylog-opensearch
  restart: unless-stopped
  environment:
    discovery.type: single-node
    OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
    DISABLE_SECURITY_PLUGIN: "true"
  volumes:
    - opensearch_data:/usr/share/opensearch/data
  networks:
    - graylog-network

graylog
graylog:
  image: graylog/graylog:5.2
  container_name: graylog
  restart: unless-stopped
  environment:
    GRAYLOG_PASSWORD_SECRET: ${GRAYLOG_PASSWORD_SECRET}
    GRAYLOG_ROOT_PASSWORD_SHA2: ${GRAYLOG_ROOT_PASSWORD_SHA2}
    GRAYLOG_HTTP_EXTERNAL_URI: http://localhost:9000/
    GRAYLOG_ELASTICSEARCH_HOSTS: http://opensearch:9200
    GRAYLOG_MONGODB_URI: mongodb://mongodb:27017/graylog
  ports:
    - "9000:9000"
    - "1514:1514"
    - "1514:1514/udp"
    - "12201:12201"
    - "12201:12201/udp"
  depends_on:
    - mongodb
    - opensearch
  networks:
    - graylog-network

Quick Start

# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  mongodb:
    image: mongo:6
    container_name: graylog-mongo
    restart: unless-stopped
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog-network

  opensearch:
    image: opensearchproject/opensearch:2
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      discovery.type: single-node
      OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
      DISABLE_SECURITY_PLUGIN: "true"
    volumes:
      - opensearch_data:/usr/share/opensearch/data
    networks:
      - graylog-network

  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    environment:
      GRAYLOG_PASSWORD_SECRET: ${GRAYLOG_PASSWORD_SECRET}
      GRAYLOG_ROOT_PASSWORD_SHA2: ${GRAYLOG_ROOT_PASSWORD_SHA2}
      GRAYLOG_HTTP_EXTERNAL_URI: http://localhost:9000/
      GRAYLOG_ELASTICSEARCH_HOSTS: http://opensearch:9200
      GRAYLOG_MONGODB_URI: mongodb://mongodb:27017/graylog
    ports:
      - "9000:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    depends_on:
      - mongodb
      - opensearch
    networks:
      - graylog-network

volumes:
  mongo_data:
  opensearch_data:

networks:
  graylog-network:
    driver: bridge
EOF

# 2. Create the .env file (template values; replace both before use)
cat > .env << 'EOF'
GRAYLOG_PASSWORD_SECRET=somepasswordpepper
GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step:

curl -fsSL https://docker.recipes/api/recipes/graylog/run | bash

Troubleshooting

  • Graylog shows 'Indexer failures' in web interface: Verify OpenSearch container is running and GRAYLOG_ELASTICSEARCH_HOSTS points to correct OpenSearch service name
  • Cannot login with admin credentials: Ensure GRAYLOG_ROOT_PASSWORD_SHA2 contains SHA256 hash, not plaintext password, and regenerate hash if necessary
  • Logs not appearing in Graylog interface: Create and start appropriate input (GELF, Syslog) in System > Inputs before sending log data
  • OpenSearch container exits with OutOfMemoryError: Reduce OPENSEARCH_JAVA_OPTS heap size or increase Docker container memory limits
  • MongoDB connection errors in Graylog logs: Check GRAYLOG_MONGODB_URI format and ensure MongoDB service is accessible on port 27017
  • Web interface shows 'No active inputs' warning: Configure at least one input source in System > Inputs and ensure it's in 'running' state
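
To confirm that a GELF UDP input created under System > Inputs is receiving data, the following added example (not part of the recipe) builds a GELF 1.1 test message and sends it to port 12201. The function names and the GELF_TARGET and GELF_PORT variables are chosen for this example, and a netcat that accepts `-u -w1` is assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of the recipe): build and send a GELF 1.1 test message.

# json_escape STRING -> STRING with backslashes and double quotes escaped.
# Single-line values only; control characters are not handled here.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# gelf_payload HOST MESSAGE [key=value ...] -> one GELF JSON object.
# Additional fields get the "_" prefix GELF requires; "_id" is reserved.
# level 6 is the syslog "informational" severity.
gelf_payload() (
  [ "$#" -ge 2 ] || { echo "usage: gelf_payload HOST MESSAGE [key=value ...]" >&2; exit 2; }
  host=$1; msg=$2; shift 2
  out=$(printf '{"version":"1.1","host":"%s","short_message":"%s","level":6' \
    "$(json_escape "$host")" "$(json_escape "$msg")")
  for kv in "$@"; do
    case $kv in
      *=*) ;;
      *) echo "expected key=value, got '$kv'" >&2; exit 1 ;;
    esac
    key=${kv%%=*}; val=${kv#*=}
    case $key in
      ''|id|*[!A-Za-z0-9_.-]*)
        echo "invalid additional field name: '$key'" >&2; exit 1 ;;
    esac
    out="$out,\"_$key\":\"$(json_escape "$val")\""
  done
  printf '%s}\n' "$out"
)

# send_gelf_udp HOST MESSAGE [key=value ...] -> one datagram to the GELF UDP
# input. GELF_TARGET and GELF_PORT are names chosen for this example.
send_gelf_udp() {
  payload=$(gelf_payload "$@") || return 1
  printf '%s' "$payload" |
    nc -u -w1 "${GELF_TARGET:-localhost}" "${GELF_PORT:-12201}"
}
```

After `send_gelf_udp web01 'recipe smoke test' app=shop`, the message should be searchable in Graylog with the field `app`. A GELF TCP input expects each message to end with a null byte instead, so this sender only suits the UDP input.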
