{"id":22100928,"url":"https://github.com/marcinbojko/graylog","last_synced_at":"2025-07-25T00:30:54.775Z","repository":{"id":123084520,"uuid":"332408392","full_name":"marcinbojko/graylog","owner":"marcinbojko","description":"Simple one node Graylog setup with Traefik, Cloudflare/Let's Encrypt, Filebeat  GELF/SYSLOG/BEATS support, and GeoIP updates","archived":false,"fork":false,"pushed_at":"2024-03-25T10:34:15.000Z","size":723,"stargazers_count":8,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-03-25T11:59:09.007Z","etag":null,"topics":["cloudflare","elasticsearch","filebeat","graylog","iwantgraylog","letsencrypt","mongodb","traefik"],"latest_commit_sha":null,"homepage":"https://github.com/marcinbojko/graylog","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/marcinbojko.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-01-24T09:18:52.000Z","updated_at":"2024-03-25T10:34:03.000Z","dependencies_parsed_at":"2024-03-14T10:57:32.701Z","dependency_job_id":null,"html_url":"https://github.com/marcinbojko/graylog","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcinbojko%2Fgraylog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcinbojko%2Fgraylog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcinbojko%2Fgraylog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/marcinbojko%2Fgraylog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/marcinbojko","download_url":"https://codeload.github.com/marcinbojko/graylog/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227489160,"owners_count":17780529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","elasticsearch","filebeat","graylog","iwantgraylog","letsencrypt","mongodb","traefik"],"created_at":"2024-12-01T05:17:24.563Z","updated_at":"2024-12-01T05:17:25.054Z","avatar_url":"https://github.com/marcinbojko.png","language":null,"funding_links":["https://www.buymeacoffee.com/marcinbojko"],"categories":[],"sub_categories":[],"readme":"# Simple one node Graylog setup with Traefik, Cloudflare/Let's Encrypt, Filebeat  GELF/SYSLOG/BEATS support, and GeoIP updates\n\n[![\"Buy Me A Coffee\"](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/marcinbojko)\n\nConsider buying me a coffee if you like my work. All donations are appreciated. 
All donations will be used to pay for pipeline running costs\n\n## What for\n\n- Tests\n- More Tests\n- Graylog Enterprise non-prod (Graylog license below 2 GB/day is free)\n- Restore of archives created with Graylog Enterprise (long term storage)\n- Back/front separation with Traefik as load balancer/proxy\n- Can be easily reworked into a multiple node setup\n- Filebeat example can be easily replicated to smaller non-prod setups\n\n## Network diagram\n\n```mermaid\ngraph LR\n    subgraph SERVICES\n        HTTP\n        HTTPS\n        GELF_TCP\n        GELF_HTTP\n        SYSLOG\n        BEATS\n        BEATS_SIDECARS\n        OPENSEARCH_HTTP\n        OPENSEARCH_SEED\n    end\n\n    subgraph FRONT\n        TRAEFIK\n    end\n\n    subgraph \" \"\n        HTTP --\u003e |TCP/80| TRAEFIK\n        HTTPS --\u003e |TCP/443| TRAEFIK\n        GELF_TCP --\u003e |TCP/12202| TRAEFIK\n        GELF_HTTP --\u003e |TCP/12201| TRAEFIK\n        SYSLOG --\u003e |TCP/15514, UDP/15514| TRAEFIK\n        BEATS --\u003e |TCP/5040| TRAEFIK\n        BEATS_SIDECARS --\u003e |TCP/5050| TRAEFIK\n        OPENSEARCH_HTTP --\u003e |TCP/9200| TRAEFIK\n        OPENSEARCH_SEED --\u003e |TCP/9300| TRAEFIK\n    end\n\n    subgraph BACK\n        GRAYLOG --\u003e |TCP/9200| OPENSEARCH\n        GRAYLOG --\u003e MONGODB\n        GRAYLOG --\u003e GEOIP\n        OFELIA\n        FILEBEAT\n    end\n\n    TRAEFIK --\u003e |TCP/443, TCP12202,\n    TCP/12201, TCP/12202, TCP/5050, TCP/5040\n    TCP1514/UDP1514,| GRAYLOG\n    TRAEFIK --\u003e |TCP/9200,TCP/9300| OPENSEARCH\n\n```\n\n## Credentials to set\n\n### Docker/Docker Compose\n\n#### `.env`\n\n```ini\nELASTIC_VERSION=7.17.4\nES_JAVA_OPTS=-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true\nFILEBEAT_TAG=7.17.4\nGRAYLOG_HOSTNAME=graylog.somedomain.com\nGRAYLOG_URL=http://127.0.0.1:9000/\nGRAYLOG_VERSION=4.3.0-1-jre11\nGRAYLOG_PLUGINS=4.3.0\nMONGO_VERSION=3\nOFELIA_TAG=v0.3.6\nTRAEFIK_TAG=2.7.0\nTRAEFIK_HOSTNAME=traefik.somedomain.com\nTZ=Europe/Warsaw\n```\n\n### Traefik 
dashboard\n\nDashboard is available at localhost or [https://$TRAEFIK_HOSTNAME](https://$TRAEFIK_HOSTNAME) (.env)\nDefault credentials for Traefik dashboards are: `admin:password`\n\n### Cloudflare/Let's Encrypt\n\nSupport for the Cloudflare DNS challenge allows hosting this setup internally without self-signed certs\n\n#### `/traefik/etc/cloudflare.env`\n\n```ini\nCF_API_EMAIL=someemail@somedomein.com\nCF_DNS_API_TOKEN=sometoken\n```\n\n### GeoIP\n\nSign up for free MaxMind GeoLite2 database access here [https://www.maxmind.com/en/geolite2/signup](https://www.maxmind.com/en/geolite2/signup)\n\n#### `/geoip/geoip.env`\n\nFill in `GEOIPUPDATE_ACCOUNT_ID` and `GEOIPUPDATE_LICENSE_KEY`\n\n```ini\nGEOIPUPDATE_ACCOUNT_ID=1111111\nGEOIPUPDATE_LICENSE_KEY=bbbbbbbbbbbbbbb\nGEOIPUPDATE_EDITION_IDS=GeoLite2-City\nGEOIPUPDATE_FREQUENCY=24\n```\n\n### Graylog\n\nGraylog dashboard is available at [https://GRAYLOG_HOSTNAME]\n\nFor sending notifications fill in variables in `graylog/graylog.env`\n\n```ini\nGRAYLOG_TRANSPORT_EMAIL_ENABLED=true\nGRAYLOG_TRANSPORT_EMAIL_HOSTNAME=somedomain.com\nGRAYLOG_TRANSPORT_EMAIL_PORT=587\nGRAYLOG_TRANSPORT_EMAIL_USE_AUTH=true\nGRAYLOG_TRANSPORT_EMAIL_USE_TLS=true\nGRAYLOG_TRANSPORT_EMAIL_USE_SSL=false\nGRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME=graylog@somedomain.com\nGRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD=sometoken\nGRAYLOG_TRANSPORT_EMAIL_FROM_EMAIL=graylog@somedomain.com\nGRAYLOG_TRANSPORT_EMAIL_SUBJECT_PREFIX=[graylog]\nGRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=https://graylog.somedomain.com\n```\n\n#### Default Graylog dashboard password\n\nusername: admin\npassword: admin\n\n```ini\nGRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918\n```\n\n## Components\n\n### Traefik\n\nMost settings to change are in the `traefik/etc` folder\n\nOpened ports:\n\n|Port|Destination Port|Destination|\n|----|----------------|-----------|\n|80|80|http|\n|443|443|https|\n|12201|12201|GELF HTTP|\n|12202|12202|GELF 
TCP/UDP|\n|15514|15514|Syslog TCP/UDP|\n|5050|5050|Beats|\n\n### Elasticsearch\n\n### MongoDB\n\n### Graylog 4\n\n#### Inputs - Beats(TLS)\n\nTo create a Beats input on port 5050, go to `System/Inputs`, pick `Beats` as the new input, press `Launch new input`, and configure it as shown in the images\n\n![image](images/beats.png)\n![image](images/beats2.png)\n![image](images/beats3.png)\n\nTo provide your own certificates, mount the cert and key files into the Graylog Docker volumes\n\n#### Plugins\n\nEvery time you change the Graylog version (in the `.env` file), you should also change the plugins in `/graylog/plugins/` and in the `graylog` section of `docker-compose`. Use the `${GRAYLOG_PLUGINS}` variable to manage plugin versions\n\n```yaml\n  graylog:\n    image: graylog/graylog:${GRAYLOG_VERSION}\n    container_name: graylog\n    volumes:\n      - graylog_journal:/usr/share/graylog/data/journal\n      - graylog_data:/usr/share/graylog/data\n      - graylog_archives:/archives\n      - graylog_shared:/data/shared\n      - graylog_geoip:/etc/graylog/server:ro\n      - ./graylog/node-id.gl2:/usr/share/graylog/data/config/node-id\n      - ./graylog/plugins/graylog-plugin-enterprise-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-enterprise-es6-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-es6-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-enterprise-es7-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-es7-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-enterprise-integrations-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-enterprise-integrations-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-integrations-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-integrations-${GRAYLOG_PLUGINS}.jar\n      - 
./graylog/plugins/graylog-plugin-aws-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-aws-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-collector-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-collector-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-plugin-threatintel-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-plugin-threatintel-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-storage-elasticsearch6-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-storage-elasticsearch6-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/graylog-storage-elasticsearch7-${GRAYLOG_PLUGINS}.jar:/usr/share/graylog/plugin/graylog-storage-elasticsearch7-${GRAYLOG_PLUGINS}.jar\n      - ./graylog/plugins/metrics-reporter-prometheus-3.0.0.jar:/usr/share/graylog/plugin/metrics-reporter-prometheus-3.0.0.jar\n```\n\n### Ofelia\n\nUsed for scheduled tasks (like Traefik log rotation)\n\n### Filebeat\n\nFilebeat is configured to deliver Traefik logs directly to Graylog once the Beats input on port 5050 has been created\n\n## To do\n\n- Let's Encrypt cert extraction for GELF/BEATS\n- GELF HTTP/HTTPS\n- Multiple node (HA) setup\n\n## Author\n\n- Marcin Bojko marcin@bojko.com.pl\n- www: [bojko.dev](bojko.dev)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcinbojko%2Fgraylog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarcinbojko%2Fgraylog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcinbojko%2Fgraylog/lists"}