Graylog update because of Log4j

16 Dec 2021

Graylog runs on Log4j, so my Graylog server needs to be updated. This will just be a quick docker-compose.yml update to the latest Graylog (4.2.3); it should work for a new setup as well.

Updated docker-compose.yml

My updated docker-compose.yml file for the latest version of Graylog (4.2.3):

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:4.2
    container_name: mongodb
    restart: always
    volumes:
      - ./mongodb:/data/db
    networks:
      - graylog

  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.x/docker.html
  # Graylog will not run on higher than ES 7.10.2
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    container_name: elasticsearch
    restart: always
    environment:
      - TZ=Europe/Stockholm
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
      - action.auto_create_index=false
    volumes:
      - ./es-data:/usr/share/elasticsearch/data
      - ./es-logs:/usr/share/elasticsearch/logs
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - 9200:9200
    networks:
      - graylog

  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2.3
    container_name: graylog
    environment:
      - TZ=Europe/Stockholm
      - GRAYLOG_TIMEZONE=Europe/Stockholm
      # Must match the published port below (80:9000), so no :9000 here
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.0.20/
      - GRAYLOG_ELASTICSEARCH_VERSION=7
      # - GRAYLOG_SERVER_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    volumes:
      - ./graylog:/usr/share/graylog/data
      - ./maxmind-geoip/GeoLite2-City.mmdb:/etc/graylog/server/GeoLite2-City.mmdb:ro
    networks:
      - graylog
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 80:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # Extra input stream ports UDP
      - 1500-1599:1500-1599/udp
      # Extra input stream ports TCP
      - 1500-1599:1500-1599
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp

networks:
  graylog:

I have made some changes to my docker-compose.yml during my Graylog learning process; most of them are documented in my earlier #Graylog posts.

Quick list of some of the changes I have made:

  • Updated Graylog to 4.2.3
  • Added -Dlog4j2.formatMsgNoLookups=true to the Elasticsearch JVM options
  • Added the MaxMind GeoIP database for GeoIP tagging
  • Added a port range to Graylog (1500-1599) so I don't have to restart the service when I add a new input stream on a new port
  • Changed the volume paths to create persistent storage in the current folder (./xyz) so it will be easier for me to back up/move everything at once

If you want to set up a new server, read my guide for a complete setup; just make sure you change the Graylog version to at least 4.2.3.

Update:

GRAYLOG_SERVER_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" is not working in my docker-compose. It is commented out in the docker-compose.yml above; it should not be needed because the Docker container is updated to 4.2.3.
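After pulling the new images it is worth confirming, rather than assuming, that the two Java containers are actually in the state the list of changes and the update note describe: a patched log4j-core jar in Graylog, and the formatMsgNoLookups flag on the Elasticsearch JVM. The script below is an added example, not part of the original post or of the Graylog project; it assumes the docker CLI on the host, the container names graylog and elasticsearch from the compose file, and an assumed MIN_LOG4J threshold that you should set from the release notes you trust.

```shell
#!/bin/sh
# Added example (not from the post): check the Log4j state of the compose stack above.
# Assumes docker CLI on the host and the container names from the compose file;
# MIN_LOG4J is an assumed "patched jar" threshold, override it from the release notes.
MIN_LOG4J="${MIN_LOG4J:-2.16.0}"
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# version_ge A B: true when dotted version A >= B (POSIX sort, no sort -V needed)
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# jar_version PATH: prints the version embedded in a log4j-core-X.Y.Z.jar file name
jar_version() {
  basename "$1" .jar | sed -n 's/^log4j-core-\([0-9][0-9.]*\)$/\1/p'
}

# container_ok JARS CMDLINES: JARS is a whitespace-separated list of jar paths, CMDLINES
# the flattened command lines of the container's processes. Returns 0 when every
# log4j-core jar is >= MIN_LOG4J, or is >= 2.10.0 (first release that honours the
# property) and the JVM runs with the no-lookups flag; 1 if a jar is exposed; 2 if none found.
container_ok() {
  found=0
  for jar in $1; do
    v=$(jar_version "$jar"); [ -n "$v" ] || continue
    found=1
    if version_ge "$v" "$MIN_LOG4J"; then
      echo "OK        $jar"
    elif version_ge "$v" 2.10.0 && printf '%s' "$2" | grep -qF -- "$FLAG"; then
      echo "MITIGATED $jar (old jar, but $FLAG is set)"
    else
      echo "EXPOSED   $jar (< $MIN_LOG4J and no effective flag)"; return 1
    fi
  done
  [ "$found" -eq 1 ] || { echo "no log4j-core jar found"; return 2; }
}

# Live run: collect jar paths and all process command lines from each container
run_live() {
  for c in graylog elasticsearch; do
    echo "== $c"
    container_ok \
      "$(docker exec "$c" sh -c 'find / -name "log4j-core-*.jar" 2>/dev/null')" \
      "$(docker exec "$c" sh -c 'cat /proc/[0-9]*/cmdline 2>/dev/null | tr "\0" " "')"
  done
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it with `--live` on the Docker host; the Elasticsearch 7.10.2 image still ships an older log4j-core, so expect MITIGATED there (flag set) and OK for the Graylog container.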