{"id":25883092,"url":"https://github.com/o-x-l/logserver-graylog","last_synced_at":"2025-08-26T08:12:24.855Z","repository":{"id":267938506,"uuid":"902819546","full_name":"O-X-L/logserver-graylog","owner":"O-X-L","description":"Setup-Guide for the central Logserver Graylog (dockerized)","archived":false,"fork":false,"pushed_at":"2025-04-10T10:20:11.000Z","size":195,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-04-10T11:41:11.787Z","etag":null,"topics":["gelf","graylog","it-security","logging","logserver","nis2","nis2directive","rsyslog","security-events","security-events-manager","siem","syslog","windows-event-collector","windows-event-forwarding","windows-event-log","windows-eventlog"],"latest_commit_sha":null,"homepage":"https://www.youtube.com/watch?v=Swqstq2xtaA\u0026list=PLsYMit2eI6VXURlLS7KTAbCLDTj0SscHa","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/O-X-L.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-13T10:33:21.000Z","updated_at":"2025-04-10T10:20:15.000Z","dependencies_parsed_at":"2025-01-24T15:19:00.569Z","dependency_job_id":"08f8c54a-daaf-4827-b661-a6fac30c1dfa","html_url":"https://github.com/O-X-L/logserver-graylog","commit_stats":null,"previous_names":["o-x-l/logserver-graylog"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/O-X-L/logserver-graylog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Flogserver-graylog","tags_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Flogserver-graylog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Flogserver-graylog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Flogserver-graylog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/O-X-L","download_url":"https://codeload.github.com/O-X-L/logserver-graylog/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/O-X-L%2Flogserver-graylog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272192669,"owners_count":24889452,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-26T02:00:07.904Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gelf","graylog","it-security","logging","logserver","nis2","nis2directive","rsyslog","security-events","security-events-manager","siem","syslog","windows-event-collector","windows-event-forwarding","windows-event-log","windows-eventlog"],"created_at":"2025-03-02T16:31:13.666Z","updated_at":"2025-08-26T08:12:24.805Z","avatar_url":"https://github.com/O-X-L.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Graylog Open Setup\n\nThis guide covers a single-node setup of [Graylog Open](https://graylog.org/products/source-available/) 
by utilizing `docker compose`.\n\nYou can also install the Graylog stack without using docker. The most important config files are the same.\n\nFor usage with [Ansible](https://www.ansible.com/how-ansible-works/) - use [this role](https://github.com/ansibleguy/sw_graylog).\n\n\u003ca href=\"https://graylog.org/products/source-available/\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/O-X-L/logserver-graylog/refs/heads/main/Overview.svg\" alt=\"Graylog Stack\" width=\"400px\"/\u003e\n\u003c/a\u003e\n\n## Setup Guide\n\nVideo: [German](https://www.youtube.com/watch?v=InskqQZ6LqY)\n\n### System Requirements\n\nThis guide works on a clean [Debian netinstall](https://www.debian.org/CD/netinst/) installation.\n\nMinimal resources I would use:\n\n* 8GB RAM (*2GB Graylog, 4GB OpenSearch*)\n* 4 CPU Cores\n* 20GB of Disk-Space\n\n----\n\n### 1. Disk\n\nMake sure to use a dedicated partition (*LVM*) or, if run as a VM, a dedicated virtual-disk, mounted at `/usr/share/opensearch`, to store the log-data on.\n\nIf you want/need to [create index-snapshots](https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore/) - you might also want to use a dedicated one mounted at `/usr/share/opensearch/backup`.\n\n----\n\n### 2. Setup docker\n\n[Docker Docs](https://docs.docker.com/engine/install/debian/#install-using-the-repository)\n\n```bash\nsudo -i\napt-get update\napt-get install ca-certificates curl\ninstall -m 0755 -d /etc/apt/keyrings\ncurl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc\nchmod a+r /etc/apt/keyrings/docker.asc\n\necho \\\n  \"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \\\n  $(. /etc/os-release \u0026\u0026 echo \"$VERSION_CODENAME\") stable\" | \\\n  tee /etc/apt/sources.list.d/docker.list \u003e /dev/null\napt-get update\n\napt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin\n```\n\n----\n\n### 3. Main config files\n\n`mkdir /etc/graylog`\n\nPlace these files into `/etc/graylog`:\n\n   * [docker-compose.yml](https://github.com/O-X-L/logserver-graylog/blob/main/config/docker-compose.yml) =\u003e update the `OPENSEARCH_INITIAL_ADMIN_PASSWORD`\n   * [Dockerfile_mongodb](https://github.com/O-X-L/logserver-graylog/blob/main/config/Dockerfile_mongodb)\n   * [Dockerfile_opensearch](https://github.com/O-X-L/logserver-graylog/blob/main/config/Dockerfile_opensearch)\n   * [Dockerfile_nginx](https://github.com/O-X-L/logserver-graylog/blob/main/config/Dockerfile_nginx)\n   * [nginx.conf](https://github.com/O-X-L/logserver-graylog/blob/main/config/nginx.conf)\n   * [Dockerfile_pki](https://github.com/O-X-L/logserver-graylog/blob/main/config/Dockerfile_pki)\n\n----\n\n### 4. Create service-users\n\nThe fixed UIDs/GIDs are necessary for persistent data storage to work correctly.\n\n```bash\ngroupadd graylog --gid 1100\nuseradd --shell /usr/sbin/nologin --uid 1100 --gid 1100 graylog\ngroupadd mongodb --gid 1101\nuseradd --shell /usr/sbin/nologin --uid 1101 --gid 1101 mongodb\ngroupadd opensearch --gid 1102\nuseradd --shell /usr/sbin/nologin --uid 1102 --gid 1102 opensearch\n```\n\n----\n\n### 5. Create directories\n\n```bash\nmkdir -p /usr/share/graylog/data /usr/share/graylog/data/config /usr/share/graylog/data/ssl\nchown -R graylog:graylog /usr/share/graylog\nmkdir -p /usr/share/opensearch/config /usr/share/opensearch/data\nchown -R opensearch:opensearch /usr/share/opensearch\nmkdir -p /usr/share/mongodb\nchown -R mongodb:mongodb /usr/share/mongodb\nmkdir -p /usr/share/log-pki\nchmod 700 /usr/share/log-pki\nchmod 750 /usr/share/graylog /usr/share/opensearch /usr/share/mongodb\n```\n\n----\n\n### 6. Application config-files\n\n**OpenSearch**:\n* `ln -s /usr/share/opensearch/config /etc/graylog/opensearch`\n* Place the opensearch config files into `/etc/graylog/opensearch`\n  * [jvm.options](https://github.com/O-X-L/logserver-graylog/blob/main/config/opensearch/jvm.options) =\u003e update the GB of RAM to use: `-Xms` and `-Xmx`\n  * [log4j2.properties](https://github.com/O-X-L/logserver-graylog/blob/main/config/opensearch/log4j2.properties)\n  * [opensearch.yml](https://github.com/O-X-L/logserver-graylog/blob/main/config/opensearch/opensearch.yml)\n\n**Graylog**:\n* `ln -s /usr/share/graylog/data/config /etc/graylog/server`\n* Place the graylog config file into `/etc/graylog/server`\n  * [graylog.conf](https://github.com/O-X-L/logserver-graylog/blob/main/config/server/graylog.conf)\n    * Add a long `password_secret`\n    * Generate the graylog admin password-hash and add it to the config as `root_password_sha2`: `echo 'PASSWORD' | tr -d '\\n' | sha256sum | cut -d \" \" -f1`\n\n----\n\n### 7. Start it\n\n`docker compose -f \"/etc/graylog/docker-compose.yml\" up -d`\n\n----\n\n### 8. Check\n\nLogs: `docker logs -f log-graylog`\n\nStatus: `docker ps -a`\n\n----\n\n### 9. OpenSearch Settings\n\nSet [OpenSearch Cluster-Settings](https://opensearch.org/docs/2.2/api-reference/cluster-api/cluster-settings/):\n\nAfter the OpenSearch cluster is online - configure its disk watermarks:\n\n```bash\ncurl -XPUT \"http://localhost:9200/_cluster/settings\" -H 'Content-Type: application/json' -d'\n{\n  \"persistent\":{\n    \"cluster.routing.allocation.disk.watermark.low\": \"95%\",\n    \"cluster.routing.allocation.disk.watermark.high\": \"98%\",\n    \"cluster.routing.allocation.disk.watermark.flood_stage\": \"99%\"\n  }\n}\n'\n```\n\n----\n\n### 10. Set System-Settings\n\nSet [Linux System-Settings for OpenSearch](https://opensearch.org/docs/latest/quickstart/):\n\n```bash\nsysctl -w vm.swappiness=1\nsysctl -w vm.max_map_count=262144\n```\n\nAlso add those settings to `/etc/sysctl.conf` so they persist across reboots.\n\n----\n\n## Troubleshooting\n\n1. Check the status of the containers: `docker ps -a`\n\n2. Read the logs of the containers: `docker logs -f log-\u003cCOMPONENT\u003e`\n\n3. Check networking:\n\n```bash\napt install net-tools\nnetstat -tulpn\n```\n\n----\n\n## Certificates\n\nThe `log-pki` (*Public-Key-Infrastructure*) container can be used to generate the certificates that are needed for encrypted log-forwarding.\n\n### Server\n\nGenerate the certificate:\n\n```bash\nCMD=\"/pki/pki.sh --subject-alt-name='DNS:logserver.intern,IP:192.168.0.10' build-server-full logserver nopass\"\ndocker run --rm -v /usr/share/log-pki:/pki/pki -it local/pki $CMD\n```\n\nCopy the key/cert pair to a directory graylog can read:\n\n```bash\ncp /usr/share/log-pki/ca.crt /usr/share/graylog/data/ssl/\ncp /usr/share/log-pki/issued/logserver.crt /usr/share/graylog/data/ssl/\ncp /usr/share/log-pki/private/logserver.nopw.key /usr/share/graylog/data/ssl/\nchmod 400 /usr/share/graylog/data/ssl/*\nchown graylog /usr/share/graylog/data/ssl/*\n```\n\nThen you can use it for your inputs.\n\n----\n\n### Client\n\nGenerate the certificate:\n\n```bash\nCMD=\"/pki/pki.sh build-client-full \u003cNAME\u003e nopass\"\ndocker run --rm -v /usr/share/log-pki:/pki/pki -it local/pki $CMD\n```\n\nThen move the files to your client-system:\n\n* `/usr/share/log-pki/ca.crt`\n* `/usr/share/log-pki/issued/\u003cNAME\u003e.crt`\n* `/usr/share/log-pki/private/\u003cNAME\u003e.nopw.key`\n\nMake sure your client validates the server-certificate against the provided `ca.crt`!\n\n----\n\n### Renewal\n\nRevoke the existing certificate:\n\n```bash\nCMD='/pki/pki.sh revoke \u003cNAME\u003e'\ndocker run --rm -v /usr/share/log-pki:/pki/pki -it local/pki $CMD\n```\n\nThen simply re-generate it as seen above.\n\n----\n\n# Update\n\n### 1. Major Upgrade\n\nIf you want to perform a major upgrade - change the version numbers in:\n* `docker-compose.yml`\n* `Dockerfile_mongodb`\n* `Dockerfile_opensearch`\n\n\n### 2. Stop the containers\n\n`docker compose -f \"/etc/graylog/docker-compose.yml\" down`\n\n### 3. Remove the old images\n\nReplace `VERSION` with the current one (list it with `docker image ls`):\n\n```bash\ndocker image rm \"local/opensearch:\u003cVERSION\u003e\"\ndocker image rm \"local/mongodb:\u003cVERSION\u003e\"\ndocker image rm \"local/nginx:latest\"\ndocker image prune -f\n```\n\n### 4. Update the images\n\n```bash\ndocker compose -f \"/etc/graylog/docker-compose.yml\" build\ndocker compose -f \"/etc/graylog/docker-compose.yml\" pull --quiet --ignore-pull-failures\n```\n\n### 5. Start it\n\n`docker compose -f \"/etc/graylog/docker-compose.yml\" up -d`\n\n----\n\n# Log Forwarding\n\nSee: [Log Forwarding](https://github.com/O-X-L/logserver-graylog/blob/main/clients/README.md)\n\n----\n\n# Monitoring\n\nSee: [Monitoring](https://github.com/O-X-L/logserver-graylog/blob/main/monitoring/README.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fo-x-l%2Flogserver-graylog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fo-x-l%2Flogserver-graylog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fo-x-l%2Flogserver-graylog/lists"}