Graylog

Graylog is a powerful, open-source log management and Security Information & Event Management (SIEM) platform that offers fast search, alerting, and visualization across complex environments. It is available as a free open-source version (Graylog Open). This page covers Graylog installation and configuration.

We use Graylog to store and process log and event data from the systems and services running in our Home Lab.

You can learn about some of the features in the latest release (7.0) of Graylog here. There is also an excellent community support forum for Graylog.

Graylog Installation

We are running Graylog in Docker. The installation and configuration of Graylog is a bit tricky. The following video explains the basic installation:

The latest version of the Docker Compose file used in the video above to install Graylog 6 is available here. The following video provides a helpful overview of the new features in Graylog 6.

We have upgraded the Docker Compose file to run the latest version of Graylog, 7.0.2, as of this posting. It is essential to review the Graylog Compatibility Matrix when upgrading individual services in a Graylog installation. We are running the following versions in our current Docker Compose for Graylog:

  • Graylog – graylog/graylog:7.0.2
  • MongoDB – mongo:8.2.3
  • OpenSearch – opensearchproject/opensearch:2.19.4 (Note: OpenSearch 3.x will break the current Graylog installation.)

Customizing the Docker Compose

Several customizations are required to adapt the Docker Compose file from the video to our installation. These include the following (items marked with a * should be set using a secret environment configuration option rather than placed in the Compose file in plain text):

  • GRAYLOG_HTTP_EXTERNAL_URI – Set to the URI for the hosting Docker VM (http://<docker host URI>:9000)
  • GRAYLOG_TIMEZONE – Set to our local timezone (“America/New_York”)
  • TZ – Set to our local timezone (“America/New_York”)
  • GRAYLOG_PASSWORD_SECRET* – Set to a random string of sufficient length.
  • GRAYLOG_ROOT_PASSWORD_SHA2* – Set to the SHA-256 hash of the admin user's password. The hash can be generated with the following command:

```bash
# -n keeps echo from appending a newline, which would change the hash
echo -n "mysecretpassword" | sha256sum | cut -d" " -f1
```

We enabled Graylog to send us email alerts by setting up the email variables in the Docker Compose:

```yaml
GRAYLOG_TRANSPORT_EMAIL_PROTOCOL: "smtp"
GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: "your.mail.server"
GRAYLOG_TRANSPORT_EMAIL_PORT: "587"
GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "true"
GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME: "xxxxx"
GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD: "xxxxx"
# USE_TLS enables STARTTLS (port 587); USE_SSL enables implicit SMTPS (port 465).
# Graylog accepts only one of the two set to "true".
GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "true"
GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"
# Environment names mirror the server.conf keys transport_email_from_email and
# transport_email_subject_prefix, so the EMAIL_ segment is required.
GRAYLOG_TRANSPORT_EMAIL_FROM_EMAIL: "graylog@homelab.com"
GRAYLOG_TRANSPORT_EMAIL_SUBJECT_PREFIX: "[Graylog]"
GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL: "base URL for links in emails"
```
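The following script is an added example for this page, not code from the original post or from the Graylog project. It reproduces the sha256sum step for GRAYLOG_ROOT_PASSWORD_SHA2 in Python, generates a GRAYLOG_PASSWORD_SECRET, and checks a set of GRAYLOG_* values before they go into the Compose secrets (the 16-character minimum for password_secret and the rule that USE_TLS and USE_SSL cannot both be true are Graylog's documented server.conf constraints; the 96-character default length is an assumption taken from the pwgen example in Graylog's server.conf comments).

```python
"""Generate and sanity-check the secret settings for the Graylog Docker Compose."""
import hashlib
import secrets
import string

MIN_PASSWORD_SECRET_LEN = 16   # Graylog refuses to start with a shorter password_secret
HEX_DIGITS = set("0123456789abcdef")


def root_password_sha2(password: str) -> str:
    """Same value as: echo -n "$password" | sha256sum | cut -d" " -f1"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def generate_password_secret(length: int = 96) -> str:
    """Random alphanumeric GRAYLOG_PASSWORD_SECRET (length 96 is an assumed default)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate_env(env: dict) -> list:
    """Return a list of problems with the GRAYLOG_* settings; an empty list means OK."""
    problems = []
    secret = env.get("GRAYLOG_PASSWORD_SECRET", "")
    if len(secret) < MIN_PASSWORD_SECRET_LEN:
        problems.append("GRAYLOG_PASSWORD_SECRET must be at least 16 characters")
    sha2 = env.get("GRAYLOG_ROOT_PASSWORD_SHA2", "")
    if len(sha2) != 64 or not set(sha2) <= HEX_DIGITS:
        problems.append("GRAYLOG_ROOT_PASSWORD_SHA2 must be a 64-char lowercase hex SHA-256")
    # Compose passes these as the strings "true"/"false"; both true is rejected by Graylog.
    use_tls = env.get("GRAYLOG_TRANSPORT_EMAIL_USE_TLS", "false").lower() == "true"
    use_ssl = env.get("GRAYLOG_TRANSPORT_EMAIL_USE_SSL", "false").lower() == "true"
    if use_tls and use_ssl:
        problems.append("USE_TLS (STARTTLS) and USE_SSL (SMTPS) cannot both be true")
    uri = env.get("GRAYLOG_HTTP_EXTERNAL_URI", "")
    if not uri.startswith(("http://", "https://")):
        problems.append("GRAYLOG_HTTP_EXTERNAL_URI must be an http(s) URL")
    return problems


def render_secrets_env(admin_password: str, secret: str = None) -> str:
    """Render the two starred settings as .env lines (store with mode 0600)."""
    secret = secret or generate_password_secret()
    return (f"GRAYLOG_PASSWORD_SECRET={secret}\n"
            f"GRAYLOG_ROOT_PASSWORD_SHA2={root_password_sha2(admin_password)}\n")


if __name__ == "__main__":
    # Constructed sample password; replace with your own before use.
    print(render_secrets_env("mysecretpassword"), end="")
```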

We also mapped all volumes used by the Graylog Docker Compose to local volumes, using the same autofs-based approach we use for all our Docker VMs.

Configuration

We are working through configuring Graylog for our Home Lab. The planned steps are:

  • Log storage on an external volume with sufficient space
  • Segment log sources by device/service type
  • Configure email alerting for important events
  • Create input parsers to enable better utilization and search of log data
  • Create some useful dashboards

Log Storage on an External Volume

We set up an NFS volume on one of our NAS drives to store log data collected by the OpenSearch microservice in our Graylog stack. Access to the NFS log data volume is enabled via an autofs mount within the Graylog Docker host VM. With this done, the Docker Compose service that creates OpenSearch is configured to use the volume:

```yaml
  opensearch:
    image: opensearchproject/opensearch:2.19.4
    container_name: opensearch
    volumes:
      # Set the location of the external volume
      #    via the LOG_DATA_DIR variable in .env
      - "${LOG_DATA_DIR}:/usr/share/opensearch/data"
    ...
```

Segmenting Log Sources

This will be the next step in our configuration process. Check back for more information on configuring Graylog.

Anita's and Fred's Home Lab
