Skip to content

graylog

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

graylog

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
.env.example
.env.example
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

README.md

graylog

Centralized log management: MongoDB (metadata), OpenSearch (log storage), and Graylog (UI/API).

Components

Service Role Port
MongoDB Graylog configuration and metadata — (internal)
OpenSearch Log storage and search — (internal)
Graylog Web UI, API, log ingestion 9000 (web), 514/1514 (syslog), 12201 (GELF)

Design Decisions

Why Graylog over Loki?

Graylog provides a full-featured UI for searching, dashboards, and alerting out of the box. Loki is lighter but requires Grafana for visualization. Since we're already using Grafana for metrics, Graylog's independence keeps log management self-contained.

Why OpenSearch over Elasticsearch?

OpenSearch is the community fork after Elastic's license change. It's API-compatible and avoids licensing concerns for self-hosted deployments.

Network Architecture

  • MongoDB and OpenSearch are on an internal graylog_net network
  • Graylog joins both graylog_net (backend) and monitoring_net (for Fluent Bit and Grafana access)
  • Syslog ports (514, 1514) and GELF (12201) are exposed to the host

Resource Limits

Service Memory CPU Rationale
MongoDB 512M 0.5 Metadata only; low load
OpenSearch 2G 1 Java heap is 1G; needs headroom
Graylog 2G 1 Java heap + ingestion and query overhead

OpenSearch memory must exceed OPENSEARCH_JAVA_OPTS heap settings. If you increase heap, increase the container limit.

Environment Variables

Create .env from template. Required variables:

Variable Purpose
GRAYLOG_PASSWORD_SECRET 96-char random string for encryption
GRAYLOG_ROOT_PASSWORD_SHA2 SHA256 hash of admin password
GRAYLOG_HTTP_EXTERNAL_URI Public URL for web UI
GRAYLOG_ROOT_TIMEZONE Timezone for UI
OPENSEARCH_INITIAL_ADMIN_PASSWORD OpenSearch bootstrap password

Generate secrets:

# Password secret (96 chars)
openssl rand -hex 48

# Admin password hash
echo -n "yourpassword" | sha256sum | cut -d' ' -f1

Data Persistence

Path Contents
data/mongodb/ Graylog configuration, users, dashboards
data/opensearch/ Log indices
data/graylog/ Graylog state

Backup priority: MongoDB contains configuration; OpenSearch contains logs. Back up MongoDB before upgrades.

Log Inputs

Configure inputs in Graylog UI (System → Inputs):

Input Type Port Use Case
GELF TCP 12201 Fluent Bit, Docker GELF driver
GELF UDP 12201 High-volume, loss-tolerant
GELF HTTP 12201 Scripts via log.sh, external apps
Syslog TCP 514, 1514 Network devices, legacy systems
Syslog UDP 514, 1514 Network devices

Required inputs:

  • GELF TCP on 12201 — For Fluent Bit integration
  • GELF HTTP on 12201 — For script logging via scripts/lib/log.sh

GELF HTTP Setup

  1. System → Inputs → Select "GELF HTTP"
  2. Launch new input
  3. Bind: 0.0.0.0, Port: 12201

Scripts can then send logs:

source /opt/docker/scripts/lib/log.sh
log_info "myapp" "Operation completed"

Dependencies

  • Requires monitoring_net external network
  • MongoDB and OpenSearch must be healthy before Graylog starts (enforced via depends_on)

Troubleshooting

Graylog not starting:

# Check OpenSearch health
curl http://localhost:9200/_cluster/health

# Check MongoDB
docker exec graylog-mongodb mongosh --eval "db.runCommand('ping')"

OpenSearch out of memory:

  • Increase container memory limit (must exceed Java heap)
  • Check for runaway index growth

Logs not appearing:

  • Verify input is running (System → Inputs)
  • Check source is sending to correct port/protocol
  • Check Graylog logs: docker logs graylog

Retention

Configure index rotation in System → Indices:

  • Index rotation strategy: time-based or size-based
  • Retention: delete or close old indices

For space management, set retention to match your backup policy.