├── README.md
├── config
└── graylog
│ └── graylog.conf
├── docker-compose.yml
└── nxlog.conf
/README.md:
--------------------------------------------------------------------------------
1 | # Overview
2 |
3 | This is a mix of [graylog2 open-core](https://github.com/Graylog2/docker-compose/blob/main/open-core/docker-compose.yml) and [graylog2 docker install docs.](https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/docker_installation.htm)
4 |
5 | # Usage
6 |
7 | ```
8 | docker compose up
9 | ```
10 |
11 | Access Graylog [here](http://localhost:9000).
12 |
13 | nxlog.conf is the Windows NXLog configuration for sending GELF-format logs to Graylog. Replace the default `C:\Program Files\nxlog\conf\nxlog.conf` with the one at https://raw.githubusercontent.com/lawrencesystems/graylog/master/nxlog.conf and change the IP address to match your Graylog server.
14 |
--------------------------------------------------------------------------------
/config/graylog/graylog.conf:
--------------------------------------------------------------------------------
1 | # If you are running more than one instance of Graylog server you have to select one of these
2 | # instances as master. The master will perform some periodic tasks that non-masters won't perform.
3 | is_master = true
4 |
5 | # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
6 | # to use an absolute file path here if you are starting Graylog server from init scripts or similar.
7 | node_id_file = /usr/share/graylog/data/config/node-id
8 |
9 | root_username = admin
10 | root_timezone = UTC
11 | bin_dir = /usr/share/graylog/bin
12 | data_dir = /usr/share/graylog/data
13 | plugin_dir = /usr/share/graylog/plugin
14 |
15 |
16 | # List of Elasticsearch hosts Graylog should connect to.
17 | # Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
18 | # If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
19 | # requires authentication.
20 |
21 | # Maximum number of retries to connect to elasticsearch on boot for the version probe.
22 | #
23 | # Default: 0, retry indefinitely with the given delay until a connection could be established
24 | elasticsearch_version_probe_attempts = 5
25 |
26 | # Waiting time in between connection attempts for elasticsearch_version_probe_attempts
27 | #
28 | # Default: 5s
29 | elasticsearch_version_probe_delay = 5s
30 |
31 | # Maximum amount of time to wait for successful connection to Elasticsearch HTTP port.
32 | #
33 | # Default: 10 Seconds
34 | elasticsearch_connect_timeout = 10s
35 |
36 | # Maximum amount of time to wait for reading back a response from an Elasticsearch server.
37 | # (e. g. during search, index creation, or index time-range calculations)
38 | #
39 | # Default: 60 seconds
40 | elasticsearch_socket_timeout = 60s
41 |
42 | # Maximum idle time for an Elasticsearch connection. If this is exceeded, the connection will
43 | # be torn down.
44 | #
45 | # Default: inf
46 | #elasticsearch_idle_timeout = -1s
47 |
48 | # Maximum number of total connections to Elasticsearch.
49 | #
50 | # Default: 200
51 | #elasticsearch_max_total_connections = 200
52 |
53 | # Maximum number of total connections per Elasticsearch route (normally this means per
54 | # elasticsearch server).
55 | #
56 | # Default: 20
57 | #elasticsearch_max_total_connections_per_route = 20
58 |
59 | # Maximum number of times Graylog will retry failed requests to Elasticsearch.
60 | #
61 | # Default: 2
62 | #elasticsearch_max_retries = 2
63 |
64 | # Enable automatic Elasticsearch node discovery through Nodes Info,
65 | # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html
66 | #
67 | # WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield.
68 | #
69 | # Default: false
70 | #elasticsearch_discovery_enabled = true
71 |
72 | # Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes,
73 | # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes
74 | #
75 | # Default: empty
76 | #elasticsearch_discovery_filter = rack:42
77 |
78 | # Frequency of the Elasticsearch node discovery.
79 | #
80 | # Default: 30s
81 | # elasticsearch_discovery_frequency = 30s
82 |
83 | # Set the default scheme when connecting to Elasticsearch discovered nodes
84 | #
85 | # Default: http (available options: http, https)
86 | #elasticsearch_discovery_default_scheme = http
87 |
88 | # Enable payload compression for Elasticsearch requests.
89 | #
90 | # Default: false
91 | #elasticsearch_compression_enabled = true
92 |
93 | # Enable use of "Expect: 100-continue" Header for Elasticsearch index requests.
94 | # If this is disabled, Graylog cannot properly handle HTTP 413 Request Entity Too Large errors.
95 | #
96 | # Default: true
97 | #elasticsearch_use_expect_continue = true
98 |
99 | # Graylog will use multiple indices to store documents in. You can configure the strategy it uses to determine
100 | # when to rotate the currently active write index.
101 | # It supports multiple rotation strategies:
102 | # - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
103 | # - "size" per index, use elasticsearch_max_size_per_index below to configure
104 | # valid values are "count", "size" and "time", default is "count"
105 | #
106 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
107 | # to your previous 1.x settings so they will be migrated to the database!
108 | # This configuration setting is only used on the first start of Graylog. After that,
109 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
110 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
111 | rotation_strategy = count
112 |
113 | # (Approximate) maximum number of documents in an Elasticsearch index before a new index
114 | # is being created, also see no_retention and elasticsearch_max_number_of_indices.
115 | # Configure this if you used 'rotation_strategy = count' above.
116 | #
117 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
118 | # to your previous 1.x settings so they will be migrated to the database!
119 | # This configuration setting is only used on the first start of Graylog. After that,
120 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
121 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
122 | elasticsearch_max_docs_per_index = 20000000
123 |
124 | # (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
125 | # no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
126 | # Configure this if you used 'rotation_strategy = size' above.
127 | #
128 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
129 | # to your previous 1.x settings so they will be migrated to the database!
130 | # This configuration setting is only used on the first start of Graylog. After that,
131 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
132 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
133 | #elasticsearch_max_size_per_index = 1073741824
134 |
135 | # (Approximate) maximum time before a new Elasticsearch index is being created, also see
136 | # no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
137 | # Configure this if you used 'rotation_strategy = time' above.
138 | # Please note that this rotation period does not look at the time specified in the received messages, but is
139 | # using the real clock value to decide when to rotate the index!
140 | # Specify the time using a duration and a suffix indicating which unit you want:
141 | # 1w = 1 week
142 | # 1d = 1 day
143 | # 12h = 12 hours
144 | # Permitted suffixes are: d for day, h for hour, m for minute, s for second.
145 | #
146 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
147 | # to your previous 1.x settings so they will be migrated to the database!
148 | # This configuration setting is only used on the first start of Graylog. After that,
149 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
150 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
151 | #elasticsearch_max_time_per_index = 1d
152 |
153 | # Disable checking the version of Elasticsearch for being compatible with this Graylog release.
154 | # WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
155 | #elasticsearch_disable_version_check = true
156 |
157 | # Disable message retention on this node, i. e. disable Elasticsearch index rotation.
158 | #no_retention = false
159 |
160 | # How many indices do you want to keep?
161 | #
162 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
163 | # to your previous 1.x settings so they will be migrated to the database!
164 | # This configuration setting is only used on the first start of Graylog. After that,
165 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
166 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
167 | elasticsearch_max_number_of_indices = 20
168 |
169 | # Decide what happens with the oldest indices when the maximum number of indices is reached.
170 | # The following strategies are available:
171 | # - delete # Deletes the index completely (Default)
172 | # - close # Closes the index and hides it from the system. Can be re-opened later.
173 | #
174 | # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
175 | # to your previous 1.x settings so they will be migrated to the database!
176 | # This configuration setting is only used on the first start of Graylog. After that,
177 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
178 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
179 | retention_strategy = delete
180 |
181 | # How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
182 | # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
183 | # to your previous settings so they will be migrated to the database!
184 | # This configuration setting is only used on the first start of Graylog. After that,
185 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
186 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
187 | elasticsearch_shards = 4
188 | elasticsearch_replicas = 0
189 |
190 | # Prefix for all Elasticsearch indices and index aliases managed by Graylog.
191 | #
192 | # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
193 | # to your previous settings so they will be migrated to the database!
194 | # This configuration setting is only used on the first start of Graylog. After that,
195 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
196 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
197 | elasticsearch_index_prefix = graylog
198 |
199 | # Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
200 | # Default: graylog-internal
201 | #
202 | # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
203 | # to your previous settings so they will be migrated to the database!
204 | # This configuration setting is only used on the first start of Graylog. After that,
205 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
206 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
207 | #elasticsearch_template_name = graylog-internal
208 |
209 | # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
210 | # be enabled with care. See also: https://docs.graylog.org/docs/query-language
211 | allow_leading_wildcard_searches = false
212 |
213 | # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
214 | # should only be enabled after making sure your Elasticsearch cluster has enough memory.
215 | allow_highlighting = false
216 |
217 | # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
218 | # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
219 | # Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
220 | # Note that this setting only takes effect on newly created indices.
221 | #
222 | # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
223 | # to your previous settings so they will be migrated to the database!
224 | # This configuration setting is only used on the first start of Graylog. After that,
225 | # index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
226 | # Also see https://docs.graylog.org/docs/index-model#index-set-configuration
227 | elasticsearch_analyzer = standard
228 |
229 | # Global timeout for index optimization (force merge) requests.
230 | # Default: 1h
231 | #elasticsearch_index_optimization_timeout = 1h
232 |
233 | # Maximum number of concurrently running index optimization (force merge) jobs.
234 | # If you are using lots of different index sets, you might want to increase that number.
235 | # Default: 20
236 | #elasticsearch_index_optimization_jobs = 20
237 |
238 | # Mute the logging-output of ES deprecation warnings during REST calls in the ES RestClient
239 | #elasticsearch_mute_deprecation_warnings = true
240 |
241 | # Time interval for index range information cleanups. This setting defines how often stale index range information
242 | # is being purged from the database.
243 | # Default: 1h
244 | #index_ranges_cleanup_interval = 1h
245 |
246 | # Time interval for the job that runs index field type maintenance tasks like cleaning up stale entries. This doesn't
247 | # need to run very often.
248 | # Default: 1h
249 | #index_field_type_periodical_interval = 1h
250 |
251 | # Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
252 | # module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
253 | # reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
254 | # that every outputbuffer processor manages its own batch and performs its own batch write calls.
255 | # ("outputbuffer_processors" variable)
256 | output_batch_size = 500
257 |
258 | # Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
259 | # batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
260 | # for this time period is less than output_batch_size * outputbuffer_processors.
261 | output_flush_interval = 1
262 |
263 | # As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
264 | # over again. To prevent this, the following configuration options define after how many faults an output will
265 | # not be tried again for an also configurable amount of seconds.
266 | output_fault_count_threshold = 5
267 | output_fault_penalty_seconds = 30
268 |
269 | # The number of parallel running processors.
270 | # Raise this number if your buffers are filling up.
271 | processbuffer_processors = 5
272 | outputbuffer_processors = 3
273 |
274 | # The following settings (outputbuffer_processor_*) configure the thread pools backing each output buffer processor.
275 | # See https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadPoolExecutor.html for technical details
276 |
277 | # When the number of threads is greater than the core (see outputbuffer_processor_threads_core_pool_size),
278 | # this is the maximum time in milliseconds that excess idle threads will wait for new tasks before terminating.
279 | # Default: 5000
280 | #outputbuffer_processor_keep_alive_time = 5000
281 |
282 | # The number of threads to keep in the pool, even if they are idle, unless allowCoreThreadTimeOut is set
283 | # Default: 3
284 | #outputbuffer_processor_threads_core_pool_size = 3
285 |
286 | # The maximum number of threads to allow in the pool
287 | # Default: 30
288 | #outputbuffer_processor_threads_max_pool_size = 30
289 |
290 | # UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
291 | #udp_recvbuffer_sizes = 1048576
292 |
293 | # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
294 | # Possible types:
295 | # - yielding
296 | # Compromise between performance and CPU usage.
297 | # - sleeping
298 | # Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
299 | # - blocking
300 | # High throughput, low latency, higher CPU usage.
301 | # - busy_spinning
302 | # Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
303 | processor_wait_strategy = blocking
304 |
305 | # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
306 | # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
307 | # Must be a power of 2. (512, 1024, 2048, ...)
308 | ring_size = 65536
309 |
310 | inputbuffer_ring_size = 65536
311 | inputbuffer_processors = 2
312 | inputbuffer_wait_strategy = blocking
313 |
314 | # Enable the message journal.
315 | message_journal_enabled = true
316 |
317 | # The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and
318 | # must not contain any other files than the ones created by Graylog itself.
319 | #
320 | # ATTENTION:
321 | # If you create a separate partition for the journal files and use a file system creating directories like 'lost+found'
322 | # in the root directory, you need to create a sub directory for your journal.
323 | # Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
324 | message_journal_dir = data/journal
325 |
326 | # The journal holds messages until they can be written to Elasticsearch.
327 | # For a maximum of 12 hours or 5 GB whichever happens first.
328 | # During normal operation the journal will be smaller.
329 | #message_journal_max_age = 12h
330 | #message_journal_max_size = 5gb
331 |
332 | #message_journal_flush_age = 1m
333 | #message_journal_flush_interval = 1000000
334 | #message_journal_segment_age = 1h
335 | #message_journal_segment_size = 100mb
336 |
337 | # Number of threads used exclusively for dispatching internal events. Default is 2.
338 | #async_eventbus_processors = 2
339 |
340 | # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
341 | # shutdown process. Set to 0 if you have no status checking load balancers in front.
342 | lb_recognition_period_seconds = 3
343 |
344 | # MongoDB connection string
345 | # See https://docs.mongodb.com/manual/reference/connection-string/ for details
346 | #mongodb_uri = mongodb://localhost/graylog
347 | mongodb_uri = mongodb://mongodb/graylog
348 |
349 | # Authenticate against the MongoDB server
350 | # '+'-signs in the username or password need to be replaced by '%2B'
351 | #mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
352 |
353 | # Use a replica set instead of a single host
354 | #mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog?replicaSet=rs01
355 |
356 | # DNS Seedlist https://docs.mongodb.com/manual/reference/connection-string/#dns-seedlist-connection-format
357 | #mongodb_uri = mongodb+srv://server.example.org/graylog
358 |
359 | # Increase this value according to the maximum connections your MongoDB server can handle from a single client
360 | # if you encounter MongoDB connection problems.
361 | mongodb_max_connections = 1000
362 |
363 | # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
364 | # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
365 | # then 500 threads can block. More than that and an exception will be thrown.
366 | # http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
367 | mongodb_threads_allowed_to_block_multiplier = 5
368 |
369 | # For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
370 | # of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
371 | # Should be http_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
372 | proxied_requests_thread_pool_size = 32
373 |
374 | # The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
375 | # Setting this to an empty value leaves it up to the system libraries and the JDK in use to choose a default.
376 | # Default: TLSv1.2,TLSv1.3 (might be automatically adjusted to protocols supported by the JDK)
377 | enabled_tls_protocols= TLSv1.2,TLSv1.3
378 |
379 | # Enable Prometheus exporter HTTP server.
380 | # Default: false
381 | prometheus_exporter_enabled = true
382 |
383 | # IP address and port for the Prometheus exporter HTTP server.
384 | # Default: 127.0.0.1:9833
385 | prometheus_exporter_bind_address = 127.0.0.1:9833
386 |
387 | #Email Settings
388 | transport_email_enabled = true
389 | transport_email_hostname = outbound.mailhop.org
390 | transport_email_port = 587
391 | transport_email_use_auth = true
392 | transport_email_use_tls = true
393 | transport_email_use_ssl = false
394 | transport_email_auth_username = xxxxx
395 | transport_email_auth_password = xxxxxx
396 | transport_email_subject_prefix = [graylog]
397 | transport_email_from_email = graylog@example.com
398 | transport_email_web_interface_url = https://graylog.example.com
399 |
400 |
--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

networks:
  graynet:
    driver: bridge

# This is how you persist data between container restarts
volumes:
  mongo_data:
    driver: local
  log_data:
    driver: local
  graylog_data:
    driver: local

services:
  # Graylog stores configuration in MongoDB
  # No host port is published for this service: it is only reachable over
  # graynet, where the graylog service addresses it as "mongodb" (the
  # container_name below).
  mongo:
    image: mongo:6.0.5-jammy
    container_name: mongodb
    volumes:
      - "mongo_data:/data/db"
    networks:
      - graynet
    restart: unless-stopped

  # The logs themselves are stored in Opensearch
  opensearch:
    image: opensearchproject/opensearch:2
    container_name: opensearch
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "action.auto_create_index=false"
      # The security plugin (TLS and authentication) is switched off, so every
      # request this node accepts is unauthenticated. See the note on the
      # published port below.
      - "plugins.security.ssl.http.enabled=false"
      - "plugins.security.disabled=true"
      # NOTE(review): with plugins.security.disabled=true this password is
      # presumably never consulted; it only matters if the security plugin is
      # re-enabled -- confirm before relying on it.
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=SetPassw0rdL3ttersAndNumb3r5"
    volumes:
      - "log_data:/usr/share/opensearch/data"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      # Publishes the unauthenticated OpenSearch API on the host. Graylog itself
      # reaches this node over graynet (GRAYLOG_ELASTICSEARCH_HOSTS below), so
      # the mapping is not needed for the stack to work; drop it, or bind it to
      # 127.0.0.1, unless something outside the host must query the indices
      # directly.
      - 9200:9200/tcp
    networks:
      - graynet
    restart: unless-stopped

  graylog:
    image: graylog/graylog:6.2
    container_name: graylog
    # GRAYLOG_* variables correspond to keys in the mounted graylog.conf (prefix
    # dropped, lower-cased) and are expected to take precedence over the file --
    # verify against the Graylog docs for this image version.
    environment:
      # CHANGE ME (must be at least 16 characters)!
      # This literal is public; every deployment needs its own random value.
      GRAYLOG_PASSWORD_SECRET: "somepasswordpepper"
      # Password: admin
      # SHA-256 of the initial root (admin) password. Replace it with the hash of
      # a password of your own before port 9000 is reachable by anyone but you.
      GRAYLOG_ROOT_PASSWORD_SHA2: "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      # NOTE(review): this differs from GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL
      # (http://192.168.3.233:9000/) below; presumably both should name the same
      # instance -- confirm which one is intended.
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      # Service-name URLs: resolved on graynet, not via the published host ports.
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_TIMEZONE: "America/Detroit"
      TZ: "America/Detroit"
      GRAYLOG_TRANSPORT_EMAIL_PROTOCOL: "smtp"
      GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL: "http://192.168.3.233:9000/"
      GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: "outbound.mailhop.org"
      GRAYLOG_TRANSPORT_EMAIL_ENABLED: "true"
      GRAYLOG_TRANSPORT_EMAIL_PORT: "587"
      GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "true"
      GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME: "xxxxx"
      # Placeholder SMTP credentials. Real values are better supplied through
      # variable substitution (this file already uses ${PWD}) than committed here.
      GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD: "xxxxx"
      GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "true"
      GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"
      # NOTE(review): the next two names do not follow the pattern of the other
      # GRAYLOG_TRANSPORT_EMAIL_* keys and do not match the keys used in
      # config/graylog/graylog.conf (transport_email_from_email,
      # transport_email_subject_prefix); check whether they are actually applied.
      GRAYLOG_TRANSPORT_FROM_EMAIL: "graylog@example.com"
      GRAYLOG_TRANSPORT_SUBJECT_PREFIX: "[graylog]"

    # Blocks until OpenSearch answers on 9200 before running the image entrypoint;
    # depends_on below only waits for the containers to start, not for the
    # services inside them to be ready.
    entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh
    volumes:
      # Bind-mounts the repo's graylog.conf over the image default.
      - "${PWD}/config/graylog/graylog.conf:/usr/share/graylog/config/graylog.conf"
      - "graylog_data:/usr/share/graylog/data"
    networks:
      - graynet
    restart: always
    depends_on:
      opensearch:
        condition: "service_started"
      mongo:
        condition: "service_started"
    ports:
      - 9000:9000/tcp # Graylog web interface and REST API
      - 1514:1514/tcp # Syslog
      - 1514:1514/udp # Syslog
      - 12201:12201/tcp # GELF
      - 12201:12201/udp # GELF

--------------------------------------------------------------------------------
/nxlog.conf:
--------------------------------------------------------------------------------
1 | Panic Soft
2 | #NoFreeOnExit TRUE
3 |
4 | define ROOT C:\Program Files\nxlog
5 | define CERTDIR %ROOT%\cert
6 | define CONFDIR %ROOT%\conf\nxlog.d
7 | define LOGDIR %ROOT%\data
8 |
9 | include %CONFDIR%\\*.conf
10 | define LOGFILE %LOGDIR%\nxlog.log
11 | LogFile %LOGFILE%
12 |
13 | Moduledir %ROOT%\modules
14 | CacheDir %ROOT%\data
15 | Pidfile %ROOT%\data\nxlog.pid
16 | SpoolDir %ROOT%\data
17 |
18 |
19 | Module xm_syslog
20 |
21 |
22 |
23 | Module xm_charconv
24 | AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
25 |
26 |
27 |
28 | Module xm_exec
29 |
30 |
31 |
32 | Module xm_fileop
33 |
34 | # Check the size of our log file hourly, rotate if larger than 5MB
35 |
36 | Every 1 hour
37 | Exec if (file_exists('%LOGFILE%') and \
38 | (file_size('%LOGFILE%') >= 5M)) \
39 | file_cycle('%LOGFILE%', 8);
40 |
41 |
42 | # Rotate our log file every week on Sunday at midnight
43 |
44 | When @weekly
45 | Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
46 |
47 |
48 |
49 |
50 | Module xm_gelf
51 |
52 |
53 | # Snare compatible example configuration
54 | # Collecting event log
55 |
56 | Module im_msvistalog
57 |
58 |
59 | # Sends events in GELF format to Graylog
60 |
66 | #
67 | # Connect input 'in' to output 'out'
68 |
69 | Path in => out
70 |
71 |
--------------------------------------------------------------------------------