Graylog Log Management
Graylog centralized log management with MongoDB and OpenSearch.
Overview
Graylog is an enterprise-grade centralized log management platform that emerged from the need for comprehensive logging solutions in complex IT environments. Originally developed to address the challenges of log aggregation, analysis, and alerting across distributed systems, Graylog has evolved into a powerful Security Information and Event Management (SIEM) tool that combines log collection, parsing, indexing, and visualization capabilities. The platform excels at handling massive volumes of log data while providing real-time analysis and alerting functionality. This stack combines Graylog with OpenSearch for distributed search and analytics capabilities, while MongoDB serves as the metadata store for configuration data, user information, and dashboard definitions. OpenSearch acts as the primary data engine, storing and indexing log messages for fast retrieval and complex queries, while MongoDB maintains the operational state and configuration of the Graylog cluster. This architecture separates concerns effectively, allowing each component to excel at its specialized function. Organizations implementing centralized logging strategies, security operations centers, and DevOps teams monitoring distributed applications will find this combination particularly valuable. The stack provides enterprise-level log management capabilities without the licensing costs of commercial solutions, making it attractive for mid-sized companies and growing startups that need professional logging infrastructure but want to maintain control over their data and costs.
Key Features
- Real-time log processing with customizable parsing rules and extractors for structured data extraction
- OpenSearch integration providing distributed full-text search across billions of log entries
- Stream-based log routing and processing with conditional message filtering and transformation
- MongoDB-backed configuration management ensuring persistent storage of dashboards, users, and alerts
- Multi-protocol log ingestion supporting Syslog, GELF, and custom input plugins
- Role-based access control with granular permissions for different user groups and data streams
- Alerting system with customizable conditions, notifications, and escalation workflows
- Geolocation enrichment and IP reputation lookup for security analysis
Common Use Cases
- Security Operations Centers monitoring network intrusions and analyzing security events
- DevOps teams centralizing application logs from microservices and container environments
- Compliance reporting for industries requiring audit trails and log retention policies
- Network operations monitoring infrastructure logs from routers, switches, and firewalls
- Web application monitoring tracking user behavior, errors, and performance metrics
- IoT device management collecting and analyzing telemetry data from connected devices
- Database activity monitoring for tracking queries, connections, and performance issues
Prerequisites
- Minimum 4GB RAM available (2GB for OpenSearch, 1GB for Graylog, 512MB for MongoDB)
- Generate ROOT_PASSWORD_SHA2 with the command 'echo -n yourpassword | sha256sum' (the -n matters: a trailing newline changes the hash)
- Create PASSWORD_SECRET of at least 16 characters; Graylog uses it to encrypt stored credentials and secrets
- Ports 9000, 1514, and 12201 available on the host system
- Basic understanding of log formats and network protocols for input configuration
- Docker host with at least 10GB available disk space for log data storage
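The two secrets above are the only things in this recipe that stand between an exposed port 9000 and a working admin login, so they are worth generating and checking by script rather than by hand. The following is an added example, not part of the docker.recipes page: it derives ROOT_PASSWORD_SHA2 the way the prerequisite describes, produces a random PASSWORD_SECRET, writes the .env in the recipe's format, and then lints an .env file for the recipe's placeholder values. It assumes a Linux host with coreutils (sha256sum, od, head) and /dev/urandom; the function names and the file name graylog-env.sh are my own.

```shell
#!/bin/sh
# Added example (not from the docker.recipes page): generate and lint the
# secrets that the recipe's .env file needs. Assumes coreutils on Linux.

# Placeholder values shipped in the recipe's .env template and compose file.
DEFAULT_PASSWORD_SECRET="somepasswordpeppersomepasswordpepper"
COMPOSE_FALLBACK_SECRET="somepasswordpepper"
DEFAULT_ROOT_SHA2="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"  # sha256("admin")

# graylog_sha2 <password>: hex SHA-256 of the password without a trailing
# newline, equivalent to the page's 'echo -n yourpassword | sha256sum'.
graylog_sha2() {
    printf '%s' "$1" | sha256sum | awk '{print $1}'
}

# gen_password_secret [bytes]: random hex string for GRAYLOG_PASSWORD_SECRET.
# 32 random bytes give 64 hex characters, well above the 16-character minimum.
gen_password_secret() {
    head -c "${1:-32}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env <file> <admin-password> [port]: write a .env in the recipe's layout
# and keep it readable only by the owner, since it holds the root hash.
write_env() {
    file=$1; pw=$2; port=${3:-9000}
    {
        printf '# Graylog\n'
        printf 'GRAYLOG_PORT=%s\n' "$port"
        printf 'PASSWORD_SECRET=%s\n' "$(gen_password_secret)"
        printf 'ROOT_PASSWORD_SHA2=%s\n' "$(graylog_sha2 "$pw")"
    } > "$file"
    chmod 600 "$file"
}

# lint_env <file>: print one line per problem found; return 1 if any.
lint_env() {
    file=$1; rc=0
    secret=$(sed -n 's/^PASSWORD_SECRET=//p' "$file")
    sha2=$(sed -n 's/^ROOT_PASSWORD_SHA2=//p' "$file")
    if [ "${#secret}" -lt 16 ]; then
        echo "PASSWORD_SECRET is shorter than 16 characters"; rc=1
    fi
    if [ "$secret" = "$DEFAULT_PASSWORD_SECRET" ] || [ "$secret" = "$COMPOSE_FALLBACK_SECRET" ]; then
        echo "PASSWORD_SECRET is the recipe placeholder"; rc=1
    fi
    if [ "$sha2" = "$DEFAULT_ROOT_SHA2" ]; then
        echo "ROOT_PASSWORD_SHA2 is sha256('admin'): the admin/admin login still works"; rc=1
    fi
    case $sha2 in
        ""|*[!0-9a-f]*) echo "ROOT_PASSWORD_SHA2 is not a lowercase hex digest"; rc=1 ;;
    esac
    if [ -n "$sha2" ] && [ "${#sha2}" -ne 64 ]; then
        echo "ROOT_PASSWORD_SHA2 is not 64 hex characters (SHA-256)"; rc=1
    fi
    return $rc
}

# Usage when run directly: write a fresh .env and verify it passes the lint.
if [ "${0##*/}" = "graylog-env.sh" ]; then
    write_env .env "${1:?usage: graylog-env.sh <admin-password>}"
    lint_env .env && echo ".env written and checked"
fi
```

Running lint_env against the recipe's own .env template reports both placeholder findings, which is the expected result for a development copy and the reason the page tells you to change the credentials before anything else.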
For development & testing. Review security settings, change default credentials, and test thoroughly before production use.
docker-compose.yml
services:
  mongodb:
    image: mongo:6
    container_name: graylog-mongo
    restart: unless-stopped
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog-network

  opensearch:
    image: opensearchproject/opensearch:latest
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      - cluster.name=graylog
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - plugins.security.disabled=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - opensearch_data:/usr/share/opensearch/data
    networks:
      - graylog-network

  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    ports:
      - "${GRAYLOG_PORT:-9000}:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    environment:
      - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET:-somepasswordpepper}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
      - GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
    volumes:
      - graylog_data:/usr/share/graylog/data
    depends_on:
      - mongodb
      - opensearch
    networks:
      - graylog-network

volumes:
  mongo_data:
  opensearch_data:
  graylog_data:

networks:
  graylog-network:
    driver: bridge
.env Template
.env
# Graylog
GRAYLOG_PORT=9000
PASSWORD_SECRET=somepasswordpeppersomepasswordpepper
# Generate with: echo -n "admin" | sha256sum
ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
Usage Notes
- Graylog at http://localhost:9000
- Default login: admin/admin
- Generate PASSWORD_SECRET (min 16 chars)
- Configure inputs to receive logs
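Publishing ports 1514 and 12201 in the compose file only opens them on the host; nothing is accepted until a GELF UDP input and a Syslog UDP input are launched on those ports in the Graylog web interface. Once they are, the quickest way to confirm the pipeline end to end is to send one well-formed message to each. The script below is an added example, not part of the docker.recipes page: it builds a GELF 1.1 payload and an RFC 5424 syslog line and sends each as a UDP datagram. It assumes nc is installed (falling back to bash's /dev/udp device), that both inputs exist, and the host names, IP addresses and message text are constructed sample values; the function names and the file name graylog-send-test.sh are my own.

```shell
#!/bin/sh
# Added example (not from the docker.recipes page): send one test message
# to each of the two inputs the compose file exposes, GELF on 12201/udp and
# syslog on 1514/udp. Assumes nc or bash, and inputs already launched.

# json_escape <text>: escape backslashes and double quotes for a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# gelf_payload <host> <level> <short_message> [key=value ...]
# GELF 1.1 requires version, host and short_message. level is the syslog
# severity (0-7). Additional fields are sent with a leading underscore; the
# GELF spec reserves "_id", so that key is refused.
gelf_payload() {
    host=$1; level=$2; msg=$3; shift 3
    extra=""
    for kv in "$@"; do
        k=${kv%%=*}; v=${kv#*=}
        if [ "$k" = "id" ]; then
            echo "refusing reserved GELF field _id" >&2
            return 1
        fi
        extra="$extra,\"_$k\":\"$(json_escape "$v")\""
    done
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":%d%s}' \
        "$(json_escape "$host")" "$(json_escape "$msg")" "$level" "$extra"
}

# syslog_pri <facility> <severity>: RFC 5424 PRI value, facility * 8 + severity
# (local0=16 with informational=6 gives 134).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# syslog_line <facility> <severity> <host> <app> <msg>: one RFC 5424 message
# with NIL (-) for PROCID, MSGID and STRUCTURED-DATA.
syslog_line() {
    printf '<%d>1 %s %s %s - - - %s' "$(syslog_pri "$1" "$2")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$4" "$5"
}

# send_udp <host> <port> <payload>: emit one datagram. Prefers nc; otherwise
# uses bash's /dev/udp pseudo-device (not available in plain sh).
send_udp() {
    if command -v nc >/dev/null 2>&1; then
        printf '%s' "$3" | nc -u -w1 "$1" "$2"
    else
        printf '%s' "$3" > "/dev/udp/$1/$2"
    fi
}

# Usage when run directly: one GELF and one syslog message to the local stack.
# Hosts, addresses and message text are constructed sample values.
if [ "${0##*/}" = "graylog-send-test.sh" ]; then
    send_udp localhost 12201 \
        "$(gelf_payload web-01 4 'login failed for user "bob"' app=auth src_ip=198.51.100.7)"
    send_udp localhost 1514 \
        "$(syslog_line 16 6 web-01 sshd 'Accepted publickey for deploy from 198.51.100.7')"
fi
```

After running it, both messages should appear in the Search view within a few seconds; the GELF one carries app and src_ip as searchable fields, which is the reason to prefer GELF over flat syslog for application logs. If neither shows up, the Troubleshooting entry about inputs and firewall rules is the first place to look.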
Individual Services (3 services)
Copy individual services to mix and match with your existing compose files.
mongodb
  mongodb:
    image: mongo:6
    container_name: graylog-mongo
    restart: unless-stopped
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog-network
opensearch
  opensearch:
    image: opensearchproject/opensearch:latest
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      - cluster.name=graylog
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - plugins.security.disabled=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - opensearch_data:/usr/share/opensearch/data
    networks:
      - graylog-network
graylog
  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    ports:
      - "${GRAYLOG_PORT:-9000}:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    environment:
      - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET:-somepasswordpepper}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
      - GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
    volumes:
      - graylog_data:/usr/share/graylog/data
    depends_on:
      - mongodb
      - opensearch
    networks:
      - graylog-network
Quick Start
terminal
# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  mongodb:
    image: mongo:6
    container_name: graylog-mongo
    restart: unless-stopped
    volumes:
      - mongo_data:/data/db
    networks:
      - graylog-network

  opensearch:
    image: opensearchproject/opensearch:latest
    container_name: graylog-opensearch
    restart: unless-stopped
    environment:
      - cluster.name=graylog
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - plugins.security.disabled=true
      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - opensearch_data:/usr/share/opensearch/data
    networks:
      - graylog-network

  graylog:
    image: graylog/graylog:5.2
    container_name: graylog
    restart: unless-stopped
    ports:
      - "${GRAYLOG_PORT:-9000}:9000"
      - "1514:1514"
      - "1514:1514/udp"
      - "12201:12201"
      - "12201:12201/udp"
    environment:
      - GRAYLOG_PASSWORD_SECRET=${PASSWORD_SECRET:-somepasswordpepper}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${ROOT_PASSWORD_SHA2}
      - GRAYLOG_HTTP_EXTERNAL_URI=http://localhost:9000/
      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
    volumes:
      - graylog_data:/usr/share/graylog/data
    depends_on:
      - mongodb
      - opensearch
    networks:
      - graylog-network

volumes:
  mongo_data:
  opensearch_data:
  graylog_data:

networks:
  graylog-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Graylog
GRAYLOG_PORT=9000
PASSWORD_SECRET=somepasswordpeppersomepasswordpepper
# Generate with: echo -n "admin" | sha256sum
ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
One-Liner
Run this command to download and set up the recipe in one step:
terminal
curl -fsSL https://docker.recipes/api/recipes/graylog-logging/run | bash
Troubleshooting
- Graylog shows 'Elasticsearch cluster unavailable': Verify OpenSearch container is running and check GRAYLOG_ELASTICSEARCH_HOSTS environment variable
- MongoDB connection errors in Graylog logs: Ensure MongoDB container started successfully and GRAYLOG_MONGODB_URI points to correct hostname
- OpenSearch fails to start with memory errors: Increase Docker memory limits or reduce OPENSEARCH_JAVA_OPTS heap size settings
- Web interface returns 'Invalid credentials': Verify ROOT_PASSWORD_SHA2 matches the SHA256 hash of your intended password
- No logs appearing in Graylog: Check that inputs are properly configured and firewall rules allow traffic on ports 1514 and 12201
- Graylog shows disk space warnings: Monitor volume usage and implement log rotation policies or increase storage allocation
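Most of the entries above can be checked before the first docker compose up, or turned into a single readiness probe afterwards. The script below is an added example, not part of the docker.recipes page: it verifies the kernel vm.max_map_count setting that OpenSearch requires (262144 or higher), confirms the -Xmx heap from OPENSEARCH_JAVA_OPTS stays within half of the memory budgeted for OpenSearch, reports host ports that are already bound, and polls Graylog's unauthenticated /api/system/lbstatus endpoint until it answers ALIVE. It assumes a Linux host with /proc, ss (iproute2) and curl; the function names, the 2GB OpenSearch budget taken from the Prerequisites, and the file name graylog-preflight.sh are my own.

```shell
#!/bin/sh
# Added example (not from the docker.recipes page): pre-flight and readiness
# checks for the failure modes listed under Troubleshooting.
# Assumes Linux with /proc, ss and curl.

# OpenSearch will not start unless the kernel allows at least this many
# memory map areas per process (a documented OpenSearch requirement).
MIN_MAX_MAP_COUNT=262144

# max_map_count_ok <value>: pure comparison, kept separate so it is testable.
max_map_count_ok() {
    [ "$1" -ge "$MIN_MAX_MAP_COUNT" ]
}

# check_max_map_count: read the live kernel value and print the fix if low.
check_max_map_count() {
    v=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
    if max_map_count_ok "$v"; then
        echo "ok: vm.max_map_count=$v"
    else
        echo "fail: vm.max_map_count=$v; run: sysctl -w vm.max_map_count=$MIN_MAX_MAP_COUNT"
        return 1
    fi
}

# xmx_mb <java-opts>: megabytes requested by -Xmx in a string such as the
# recipe's "-Xms512m -Xmx512m" (m or g suffix). Prints 0 and fails if absent.
xmx_mb() {
    raw=$(printf '%s' "$1" | sed -n 's/.*-Xmx\([0-9]*\)\([mMgG]\).*/\1 \2/p')
    [ -n "$raw" ] || { echo 0; return 1; }
    set -- $raw
    case $2 in
        g|G) echo $(( $1 * 1024 )) ;;
        *)   echo "$1" ;;
    esac
}

# heap_fits <xmx_mb> <available_mb>: OpenSearch guidance is to keep the JVM
# heap at or below half of the memory available to the node.
heap_fits() {
    [ $(( $1 * 2 )) -le "$2" ]
}

# check_ports <port...>: report host ports already bound on TCP or UDP.
# The compose file publishes 9000, 1514 and 12201; a clash stops compose up.
check_ports() {
    rc=0
    for p in "$@"; do
        if ss -Hltnu 2>/dev/null | grep -q ":$p "; then
            echo "fail: port $p already in use"; rc=1
        else
            echo "ok: port $p free"
        fi
    done
    return $rc
}

# wait_for_graylog [url] [seconds]: poll the load-balancer status endpoint.
# ALIVE means Graylog has connected to both MongoDB and OpenSearch.
wait_for_graylog() {
    url=${1:-http://localhost:9000/api/system/lbstatus}; n=${2:-120}
    while [ "$n" -gt 0 ]; do
        if [ "$(curl -s "$url" 2>/dev/null)" = "ALIVE" ]; then
            echo "ok: Graylog reports ALIVE"; return 0
        fi
        n=$((n - 1)); sleep 1
    done
    echo "fail: Graylog not ALIVE; inspect 'docker compose logs graylog'"
    return 1
}

# Usage when run directly: pre-flight checks, then wait for the stack.
if [ "${0##*/}" = "graylog-preflight.sh" ]; then
    check_max_map_count
    check_ports 9000 1514 12201
    xmx=$(xmx_mb "-Xms512m -Xmx512m")
    heap_fits "$xmx" 2048 && echo "ok: ${xmx}m heap fits the 2GB OpenSearch budget"
    wait_for_graylog
fi
```

The heap check is deliberately conservative: with the recipe's 512m heap and the 2GB the Prerequisites set aside for OpenSearch there is room to spare, but raising -Xmx without raising the container's memory limit is the usual cause of the "fails to start with memory errors" entry.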
Components: graylog, mongodb, opensearch
Tags: #graylog #logging #centralized #opensearch #siem
Category: Monitoring & Observability