docker.recipes

Graylog Log Management

intermediate

Centralized log management and analysis platform.

Overview

Graylog is an enterprise-grade open-source log management platform that transforms raw log data into actionable insights through centralized collection, indexing, and analysis. Originally developed by Lennart Koopmann in 2010, Graylog has evolved into a comprehensive Security Information and Event Management (SIEM) solution that competes with commercial offerings like Splunk and IBM QRadar. Built on a modern microservices architecture, Graylog excels at processing millions of log messages per day while providing real-time alerting, dashboard visualization, and powerful search capabilities that help organizations maintain security posture and operational visibility.

This stack combines Graylog's log processing engine with Elasticsearch's distributed search capabilities and MongoDB's flexible document storage to create a robust three-tier logging infrastructure. Elasticsearch serves as the primary search index for log data, enabling sub-second queries across terabytes of historical logs, while MongoDB stores Graylog's configuration metadata, user settings, and system state. The architecture separates concerns effectively: MongoDB handles transactional configuration data, Elasticsearch optimizes for search and analytics workloads, and Graylog orchestrates the entire pipeline from log ingestion through visualization.

System administrators managing multi-service architectures, security teams implementing SIEM capabilities, and DevOps engineers troubleshooting distributed applications will find this stack invaluable for consolidating disparate log sources into a unified analysis platform. Unlike simple log aggregation tools, this combination provides advanced features like stream processing, field extraction rules, and correlation capabilities that transform basic logging into comprehensive operational intelligence and security monitoring.

Key Features

  • Multi-protocol log ingestion supporting Syslog, GELF, Beats, and custom HTTP inputs with automatic parsing
  • Real-time stream processing with configurable rules for field extraction, message routing, and data enrichment
  • Advanced search interface with Lucene query syntax, saved searches, and collaborative dashboard sharing
  • Flexible alerting system with email, Slack, and webhook notifications based on log patterns and thresholds
  • Role-based access control with granular permissions for streams, dashboards, and administrative functions
  • Elasticsearch integration optimized for log data with automated index rotation and retention policies
  • MongoDB-backed configuration management ensuring consistent settings across Graylog cluster nodes
  • Plugin ecosystem supporting custom inputs, outputs, and processing functions for specialized log formats

Common Use Cases

  1. Centralized logging infrastructure for microservices architectures with automatic service discovery and log correlation
  2. Security Operations Center (SOC) implementation with threat detection, incident response, and compliance reporting
  3. Application performance monitoring through structured logging analysis and error pattern detection
  4. Infrastructure monitoring combining system logs, network device logs, and container orchestration events
  5. Compliance audit trail maintenance for regulations requiring log retention and tamper-proof storage
  6. Development and staging environment debugging with real-time log streaming and search capabilities
  7. IoT device fleet monitoring with high-volume message processing and anomaly detection

Prerequisites

  • Minimum 6GB RAM allocation (2GB for Elasticsearch, 2GB for Graylog, 1GB for MongoDB, 1GB system overhead)
  • Generated password secret (96+ character random string) and SHA-256 hashed root password for Graylog authentication
  • Available ports 9000 (web UI), 1514 (Syslog), and 12201 (GELF) without conflicts from existing services
  • Understanding of log formats (Syslog RFC, JSON, GELF) and network protocols for input configuration
  • Basic knowledge of Elasticsearch concepts like indices, shards, and mapping for troubleshooting storage issues
  • Familiarity with regular expressions and Grok patterns for custom log parsing and field extraction

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

docker-compose.yml
services:
  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    environment:
      - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
      - GRAYLOG_HTTP_EXTERNAL_URI=${EXTERNAL_URI}
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
    volumes:
      - graylog-data:/usr/share/graylog/data
    ports:
      - "9000:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    depends_on:
      - mongodb
      - elasticsearch
    networks:
      - graylog-network
    restart: unless-stopped

  mongodb:
    image: mongo:6
    container_name: graylog-mongodb
    volumes:
      - mongo-data:/data/db
    networks:
      - graylog-network
    restart: unless-stopped

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.15
    container_name: graylog-elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
    networks:
      - graylog-network
    restart: unless-stopped

volumes:
  graylog-data:
  mongo-data:
  elasticsearch-data:

networks:
  graylog-network:
    driver: bridge

.env Template

.env
# Graylog
EXTERNAL_URI=http://localhost:9000/

# Generate with: pwgen -N 1 -s 96
PASSWORD_SECRET=your_password_secret_at_least_16_chars

# Generate with: echo -n "yourpassword" | sha256sum | cut -d" " -f1
ROOT_PASSWORD_SHA2=your_sha256_password_hash
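The template above leaves two placeholders that Graylog will not accept as-is: PASSWORD_SECRET must be a random string of at least 16 characters (the Prerequisites recommend 96) and ROOT_PASSWORD_SHA2 must be the hex SHA-256 digest of the admin password. The following script is an added example, not part of the docker.recipes kit; it generates both values without depending on pwgen, rejects values that still look like placeholders, and writes a .env with the same keys. It assumes only POSIX sh, /dev/urandom, and either sha256sum or shasum; the admin password is read from the hypothetical GRAYLOG_ADMIN_PASSWORD environment variable so it never appears on a command line or in shell history.

```shell
#!/bin/sh
# Added example (not from the docker.recipes page): generate and validate the
# two secrets the .env template expects, then write the file with tight perms.
set -eu

# Hex SHA-256 of a string, digest only (no trailing "-" or file name).
# Falls back to shasum on systems without coreutils sha256sum.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Random alphanumeric string of the requested length, the same shape
# "pwgen -s N" produces, drawn from the kernel CSPRNG.
random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Returns 0 when the pair is acceptable to Graylog, 1 otherwise:
#   - password secret: at least 16 characters
#   - root password hash: exactly 64 lowercase hex characters
# The template placeholders fail both checks, so a forgotten edit is caught
# here rather than by a container that refuses to start.
validate_secrets() {
    secret=$1
    hash=$2
    if [ "${#secret}" -lt 16 ]; then
        echo "PASSWORD_SECRET must be at least 16 characters" >&2
        return 1
    fi
    case "$hash" in
        ""|*[!0-9a-f]*)
            echo "ROOT_PASSWORD_SHA2 is not a lowercase hex digest" >&2
            return 1 ;;
    esac
    if [ "${#hash}" -ne 64 ]; then
        echo "ROOT_PASSWORD_SHA2 must be 64 hex characters" >&2
        return 1
    fi
    return 0
}

# Writes a .env with the same keys as the template. EXTERNAL_URI keeps the
# template default unless a third argument overrides it. The file holds
# secrets, so it is created owner-readable only (umask in a subshell).
write_env() {
    out=$1
    password=$2
    uri=${3:-http://localhost:9000/}
    secret=$(random_secret 96)
    hash=$(sha256_hex "$password")
    validate_secrets "$secret" "$hash"
    (
        umask 077
        printf '# Graylog\nEXTERNAL_URI=%s\n\nPASSWORD_SECRET=%s\n\nROOT_PASSWORD_SHA2=%s\n' \
            "$uri" "$secret" "$hash" > "$out"
    )
}

# Stand-alone run: set GRAYLOG_ADMIN_PASSWORD (hypothetical variable name)
# in the environment and the script writes ./.env next to docker-compose.yml.
if [ -n "${GRAYLOG_ADMIN_PASSWORD:-}" ]; then
    write_env .env "$GRAYLOG_ADMIN_PASSWORD"
    echo "wrote .env"
fi
```

Run it as `GRAYLOG_ADMIN_PASSWORD='...' sh gen-env.sh`; the resulting file is what `docker compose up -d` reads. Keep .env out of version control, since PASSWORD_SECRET is what Graylog uses to encrypt stored credentials and cannot be rotated without re-entering them.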

Usage Notes

  1. Graylog UI at http://localhost:9000
  2. Login: admin / (your password)
  3. Syslog input on :1514
  4. GELF input on :12201
  5. Create inputs in System > Inputs
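Publishing ports 1514 and 12201 in docker-compose.yml only opens the path to the container; nothing listens until an input exists (step 5). The script below is an added example, not part of the docker.recipes kit, that does the same through Graylog's REST API instead of the UI: it waits for the node to report itself alive, creates the GELF UDP input on :12201 bound to all container interfaces, and sends one GELF test message so step 4 can be verified from the search page. It assumes the stack above is running on http://localhost:9000, curl and nc are installed, and the admin password is in the hypothetical GRAYLOG_ADMIN_PASSWORD variable; no network call is made unless GRAYLOG_LIVE=1 is set, so the message builders can be inspected on their own.

```shell
#!/bin/sh
# Added example (not from the docker.recipes page): create the GELF UDP input
# via the Graylog REST API and send a test message to it.
set -eu

GRAYLOG_URL=${GRAYLOG_URL:-http://localhost:9000}

# JSON body for POST /api/system/inputs. The type is Graylog's built-in GELF
# UDP input; bind_address must be 0.0.0.0 inside the container or the port
# published by docker-compose never reaches the listener. recv_buffer_size is
# the input's default.
gelf_input_payload() {
    title=$1
    port=$2
    printf '{"title":"%s","type":"org.graylog2.inputs.gelf.udp.GELFUDPInput","global":true,"configuration":{"bind_address":"0.0.0.0","port":%s,"recv_buffer_size":262144}}' \
        "$title" "$port"
}

# Minimal GELF 1.1 message: version, host and short_message are mandatory,
# level uses syslog severities (6 = informational), and any additional field
# must start with an underscore or Graylog drops it.
gelf_message() {
    host=$1
    text=$2
    level=${3:-6}
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":%s,"_origin":"added-example"}' \
        "$host" "$text" "$level"
}

# Polls the unauthenticated load-balancer status endpoint until it says ALIVE,
# which is when the API (and the UI) are ready to accept requests.
wait_for_graylog() {
    tries=${1:-60}
    while [ "$tries" -gt 0 ]; do
        if curl -fsS "$GRAYLOG_URL/api/system/lbstatus" 2>/dev/null | grep -q ALIVE; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 2
    done
    echo "Graylog did not become ready" >&2
    return 1
}

# Creates the input. Every state-changing Graylog API call must carry an
# X-Requested-By header (CSRF protection); the password comes from the
# environment rather than being typed into the command line.
create_gelf_input() {
    curl -fsS -u "admin:$GRAYLOG_ADMIN_PASSWORD" \
        -H 'Content-Type: application/json' \
        -H 'X-Requested-By: gelf-setup-script' \
        -X POST "$GRAYLOG_URL/api/system/inputs" \
        -d "$(gelf_input_payload 'GELF UDP' 12201)"
}

# One UDP datagram to the published port; search for _origin:added-example
# in the UI to confirm the input is receiving.
send_test_message() {
    gelf_message "$(hostname)" "$1" | nc -u -w1 localhost 12201
}

if [ "${GRAYLOG_LIVE:-0}" = 1 ]; then
    wait_for_graylog
    create_gelf_input
    send_test_message "hello from the docker.recipes graylog stack"
fi
```

The Syslog input on :1514 is created the same way with a different input type and port; the X-Requested-By requirement and the 0.0.0.0 bind address apply to it as well.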

Individual Services (3 services)

Copy individual services to mix and match with your existing compose files.

graylog
graylog:
  image: graylog/graylog:5.2
  container_name: graylog
  environment:
    - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET}
    - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
    - GRAYLOG_HTTP_EXTERNAL_URI=${EXTERNAL_URI}
    - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
  volumes:
    - graylog-data:/usr/share/graylog/data
  ports:
    - "9000:9000"
    - "1514:1514"
    - "1514:1514/udp"
    - "12201:12201"
    - "12201:12201/udp"
  depends_on:
    - mongodb
    - elasticsearch
  networks:
    - graylog-network
  restart: unless-stopped
mongodb
mongodb:
  image: mongo:6
  container_name: graylog-mongodb
  volumes:
    - mongo-data:/data/db
  networks:
    - graylog-network
  restart: unless-stopped
elasticsearch
elasticsearch:
  image: docker.elastic.co/elasticsearch/elasticsearch:7.17.15
  container_name: graylog-elasticsearch
  environment:
    - discovery.type=single-node
    - xpack.security.enabled=false
    - ES_JAVA_OPTS=-Xms512m -Xmx512m
  volumes:
    - elasticsearch-data:/usr/share/elasticsearch/data
  networks:
    - graylog-network
  restart: unless-stopped

Quick Start

terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    environment:
      - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
      - GRAYLOG_HTTP_EXTERNAL_URI=${EXTERNAL_URI}
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
    volumes:
      - graylog-data:/usr/share/graylog/data
    ports:
      - "9000:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    depends_on:
      - mongodb
      - elasticsearch
    networks:
      - graylog-network
    restart: unless-stopped

  mongodb:
    image: mongo:6
    container_name: graylog-mongodb
    volumes:
      - mongo-data:/data/db
    networks:
      - graylog-network
    restart: unless-stopped

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.15
    container_name: graylog-elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
    networks:
      - graylog-network
    restart: unless-stopped

volumes:
  graylog-data:
  mongo-data:
  elasticsearch-data:

networks:
  graylog-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Graylog
EXTERNAL_URI=http://localhost:9000/

# Generate with: pwgen -N 1 -s 96
PASSWORD_SECRET=your_password_secret_at_least_16_chars

# Generate with: echo -n "yourpassword" | sha256sum | cut -d" " -f1
ROOT_PASSWORD_SHA2=your_sha256_password_hash
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f

One-Liner

Run this command to download and set up the recipe in one step (or fetch the script first and read it before handing it to bash):

terminal
curl -fsSL https://docker.recipes/api/recipes/graylog-complete/run | bash

Troubleshooting

  • Graylog shows 'Elasticsearch cluster unavailable': Check Elasticsearch container health and network connectivity, verify ES_JAVA_OPTS memory allocation doesn't exceed container limits
  • MongoDB connection failures during startup: Ensure MongoDB container starts before Graylog, check GRAYLOG_MONGODB_URI format and network resolution between containers
  • Web UI returns 502 Bad Gateway: Verify GRAYLOG_HTTP_EXTERNAL_URI matches your access URL, check if Graylog process started successfully with proper environment variables
  • No logs appearing in streams: Confirm input ports are properly exposed, check firewall rules, verify log format matches input type expectations (Syslog vs GELF)
  • Elasticsearch yellow cluster status: Single-node clusters show yellow by default because replica shards cannot be allocated; if disk-space warnings appear, add 'cluster.routing.allocation.disk.threshold_enabled=false' to the elasticsearch service's environment list, bearing in mind that this only silences the watermark checks, so disk usage must then be monitored by other means
  • High memory usage and container crashes: Reduce ES_JAVA_OPTS heap size, implement log rotation policies, monitor Graylog buffer settings to prevent memory overflow
