@LAWRENCESYSTEMS Thank you for your reply, man! Do you know where you could possibly point me in the right direction? I have been chasing my tail; any insight would be greatly appreciated.
I have been a Linux admin for about as long as Linux admins have been a thing, but I have managed to avoid Docker for some reason. I saw that this was on Docker and it was a project I wanted to try... my first instinct was "No, find the source", but I decided to give it a shot. Thanks for making this really easy.
Minor thing - I'd recommend adding an extra space to the beginning of the echo command at the early stage where you create the SHA256 sum for the password; this stops the password being visible in that user's history. Minor thing, but I've heard of history files being a juicy target like this.
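As an added example (my own helper, not code from the video or from the Graylog project), here is a small bash script for the step the comment above refers to: it produces the SHA-256 hex value that the Graylog compose file expects for the admin password without the clear-text password ever being typed on a command line, and it checks whether the leading-space trick would actually work, since bash only drops space-prefixed commands from history when HISTCONTROL contains ignorespace or ignoreboth. The function names are my own, and the sample history file in the usage is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the video or the Graylog project): build the
# GRAYLOG_ROOT_PASSWORD_SHA2 value without leaking the clear-text password
# into ~/.bash_history or the process list.

# SHA-256 hex digest of a string. printf '%s' (like echo -n) avoids hashing
# a trailing newline, which would yield a different digest than Graylog
# computes for the typed password. Falls back to shasum/openssl if sha256sum
# (coreutils) is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
    fi
}

# Read the password with terminal echo off and hash it. Because the literal
# never appears as a command-line argument, it cannot end up in the shell
# history regardless of HISTCONTROL, and it is not visible in `ps`.
read_password_hash() {
    local pw
    read -r -s -p 'Graylog admin password: ' pw
    printf '\n' >&2
    sha256_of "$pw"
}

# The leading-space trick from the comment only works when the shell is
# configured to ignore space-prefixed commands. Returns 0 if the given
# HISTCONTROL value (default: the current one) would honour it.
leading_space_ignored() {
    case "${1-${HISTCONTROL-}}" in
        *ignorespace*|*ignoreboth*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count lines in a history file that contain a given string, e.g. the
# password you just hashed, to confirm it did not get recorded.
history_leaks() {
    grep -c -F -- "$2" "$1" 2>/dev/null || true
}

# Usage (interactive):
#   GRAYLOG_ROOT_PASSWORD_SHA2=$(read_password_hash)
#   leading_space_ignored || echo "set HISTCONTROL=ignoreboth before relying on a leading space"
#   history_leaks ~/.bash_history 'the-password-you-typed'
```

The point of reading the password with `read -s` rather than relying on a leading space is that it does not depend on the shell's configuration; `HISTCONTROL` is unset on many distributions, in which case a space-prefixed `echo -n password | sha256sum` is recorded like any other command.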
Must have paused and rewound the video about 100 times but got my pfsense logs flowing to a graylog testbed as per this video. Requested a login acct as "mark" on your Forum to post some further questions. Great video.
Thanks for the updated tutorial! I set up Graylog using docker compose a few months back, and followed the old video for the in-app setup part. It's great for folks to have an up-to-date version of the instructions. For anyone looking to set this up: inevitably some servers will disagree about the timezone, so even if you set your user and timezone correctly, it's worth having a pipeline that can adjust a source between UTC and local time.
I'm just guessing, but maybe making sure the timezone set in the docker compose environment variable matches that of the server Docker is running on is a good place to start. :)
At 14:08 you can note that the new user with their own timezone will see logs with corrected time, and note the difference from what the admin sees in UTC. This video is better than the previous one. Good job, and I hope you create a video about extractors.
Strange, last night I finally got around to starting work on testing a Graylog server, noticed your instructions were for V4, and decided I would get the Docker image working today... now look at this! What timing.
I'd really like to use it, but the fact that "log view" is behind the enterprise version paywall is just insane. I'll stay with Grafana Loki, as logs are just so much easier to read there. Such a shame for homelab users like me.
Thanks for the recommendations! Was a bit finicky, but got it running on my Proxmox cluster and ingesting logs from the XigmaNAS box now! Nice to have logs I can search instead of losing them on reboot. Anyone else going through the install, make sure you set the CPU up to at least x86_64_v3 for the instruction set for MongoDB. Took me a bit to find the error.
Great quick tutorial! However the part I am most struggling with is the connection between inputs, streams, indices and extractors. A comprehensive overview of the architectural model of Graylog would be much appreciated.
Thanks for the great tutorial! I would be interested in a discussion about Sentry - an open source tool for catching unhandled exceptions, collecting related context data and alerting the developers. It seems that some of this logic can be implemented with Graylog, and I was wondering whether it makes sense to use both systems, or if one would suffice.
But 1514 is unencrypted, right? I mean, the syslog data is being sent "naked"? That means the network connection should be trustworthy, like a separate VLAN or something?
Maybe I missed it, but I don't think you mentioned the pros/cons of installing via Docker instead of a "normal" install. I'd also be interested in your opinion on Graylog vs Loki/Grafana. Also, you're using OpenSearch, and I think Elastic was my only option when I set this up and I'm not a fan of Elastic -- I would be interested in hearing why you chose OpenSearch. I have Graylog running in a Proxmox VM that I set up years ago. Struggled to get it set up and configured; I have some ongoing issues where some feeds have accurate times and others have their timestamps in a different timezone, but it feels like such a headache to configure as a hobbyist who doesn't work with it daily. I know there's a lot more I could be getting out of it, but right now it basically sits as a "well, if something goes terribly wrong I can search Graylog" and that's about the extent of the value I get from it. Thinking about switching to Loki/Grafana in the hopes the config is easier for someone who doesn't interact with it daily, where currently any changes I want to make mean I'm going to spend hours researching the syntax or formatting for Graylog. It's 100% lack of familiarity on my part combined with user error, but the thought of having to make changes to Graylog gives me a headache.
Docker is easier to use and maintain for Graylog, the Elastic licence changes as I understand them make OpenSearch a better choice, and Loki looks much more complicated to configure.
@LAWRENCESYSTEMS Thanks Tom! I found Graylog's YouTube channel has a video on migrating from Elastic to OpenSearch, so it looks like that might be in my future. Sounds like my hopes on Loki won't likely pan out then, haha.
Thank you for making this video. I know we all copy and paste at times for expediency. However, to recommend that users do this, in a video, may reinforce dangerous behaviors. Should people just have common sense and read the commands before they paste them? Yes, of course. But, hey, that's what we have disclaimers for. "If you feel confident in my instructions, and you are running this in a development environment, you can go ahead and copy and paste these commands into your terminal." Obviously, if your hat is really, really dark, making people dumber is obviously a worthwhile goal.
Having multiple issues with docker compose erroring on the depends_on section of the YAML: the first error is that it needs to be an array, and then that the values need to be a string. Any ideas?
Hello Tom! I managed to set this up just like you. I use version 5.1. Is there a guide, or is there a way you can help set up the SSL certs so I can use HTTPS?
One thing I cannot for the life of me figure out is how to use NFS to store the actual log data (opensearch). If you try and use docker-compose to store the data on an NFS volume, the container fails to launch as it seems the image is trying to run chown on the data storage directory, which I guess nfs doesn't allow.
I have the exact same problem. Did you ever fix it? Are you using TrueNAS to serve the NFS? I am. I believe the solution is either dataset permissions or the NFS share mapping. Have read a bunch on NFS permissions and I cannot seem to figure this out.
@charlescc1000 I never did, no, but I didn't spend a ton of time trying as it wasn't that critical. I suspect the best approach would be to tweak the Docker image so it doesn't try and fiddle with ownership/permissions.
Very cool video! I'll definitely be watching it! If I may make a request for another video: could you do one on Fluentbit/Fluentd? (I never know what to call it). It's always been such a headache for me to get back into the config logic once something decides to break again, but it's otherwise been working so perfectly for us! I'd love to see your take on it and see if I missed anything.
@16:35 - why doesn't Graylog have template extractors (plus make it auto-detect) for standard stuff: Windows, Linux PCs/laptops/servers, Mac, pfSense, etc.?
Saw in the latest docs that the virtual appliance is no longer available, and I'm not able to find the OVA image either. Not sure if it's possible to install this in Docker on a Mac setup.
I'm trying to find a way to have it alert me when DHCP leases are given out for new MAC addresses on the network. I have this working via syslog-ng and a bash script, but if I can do it through the GUI in Graylog, that would be great.
This was a great tutorial, thank you. Do you know if it's possible to have Graylog record information on each of the TCP sessions from the pfSense firewall, for example how many bytes were sent/received for each TCP session, and whether the TCP session ended with FIN or RST?
I've more than 25 Docker containers running on a few different VMs. I'm no expert in Docker, but not really a newbie either. But starting Graylog? I just can't do it. The way they implemented the $USER is beyond my understanding. I keep getting stuck at this error when Graylog is starting: "ERROR org.graylog2.bootstrap.CmdLineTool - Couldn't load configuration: Properties file /usr/share/graylog/data/config/graylog.conf doesn't exist!" (And yes, it exists, and it is mapped correctly.) I've tried to set user variables, tried to change the mounted directory ownership directly to 1100:1100, tried other versions of docker-compose, tried changing the owner to docker:docker, executed that "sudo usermod -aG docker $USER" multiple times, rebooted the server, tried other mount points that are not in the /home directory. Nothing works. Sorry, but the Graylog Docker image is broken for me (and no, I'm not using the snap Docker package, even though I'm running on Ubuntu Server). Thank you for the tutorial, but sadly I might have too many skill issues to solve this.
It's odd: I set this up and found that the Windows 11 default firewall blocks port 9000, so I thought it wasn't working, and then decided to try my phone and it was working, except that for some reason the password I set was not working.
@Lawrencesystems Tom, have you used the SIEM product (Graylog Security) before? I'm interested in a platform like that to help with cyber threats. Do you have any other suggestions as far as a SIEM log platform?
Hey Tom, could you make a video about Zabbix as a comparison? It has pre-defined templates and triggers for the most popular systems: Linux, Windows, firewalls, etc. Very powerful tool. I would love to see it on your channel. It comes containerized as well.
I may have done something wrong because messages are only hitting the very last stream/indices I created. In other words, PFsense was the first one created, and messages were hitting it. The last one I created was for a Cisco switch, and now no PfSense messages, but lots of messages to the Cisco switch. Any thoughts on this? Thanks!
@LAWRENCESYSTEMS I think your focus is wrong on this, because IPv6 has many advantages and we will have to move to it anyway, so better to be up to date sooner than later.
Hey Tom, thanks for your amazing videos! Small request: would it be possible to raise the volume on your videos? I find that even with my speakers cranked to the max I still have a hard time hearing you. (If it's too loud for someone they can always reduce the volume, whereas raising it isn't always possible.)
Thanks for the video on deploying Graylog. It seems your demo server has 8 cores and 4 GB of memory. I know it is for demo purposes, but how can I calculate the necessary hardware resources for a given system?
@LAWRENCESYSTEMS I didn't put a specific IP on the syslog yet. May I know the command to show the syslog where I can input the switch IP, or if there's a guide on how to add switches and routers in Graylog? I really need your help, sir. Thanks.
Clean install of Ubuntu 22.04. The Graylog container won't start; it stays in the 'starting' status. I then instead installed Graylog natively with OpenSearch and Mongo. Runs without issue. Something wrong with the compose file, maybe?
Zabbix is not a log server, Prometheus is not really a log server, and I don't think ELK Stack is open source anymore. Maybe I should do a video on monitoring vs logging.
@LAWRENCESYSTEMS awesome! I've seen companies say "use this for testing and not production", so it's good to hear that's not the case here! Like you mentioned on HLS, using docker compose is an easy way to not worry about the Linux distro for your apps! Lol
Great video. I used your compose file and I get "mongodb exited with code 132" every time I try to run docker-compose up. I can't find any errors. It runs on Proxmox in an Ubuntu 22.04 LTS VM. Any ideas?
@LAWRENCESYSTEMS Looking forward to it. Been struggling to implement that for my org, and can't find a useful tutorial for implementing the sidecar with Graylog containerized.
This was such a fucking mess for me. Once I got permissions all figured out, I found out that Mongo 5.0+ required hardware that apparently my box didn't have, and then I tried to figure out compatibility between all three, and I just gave up. It's not worth it for something so needless for me...
Hey Hirschy, try replacing docker image "mongo:6.0.5-jammy" with "nwzz/mongo-without-avx:6.0.5-jammy" , and make sure you remove all data volumes first if you might have tried using an older version of mongo
Hi Tom, I added this to my existing Docker (installed via apt), but the Graylog container is not starting up. I'm getting this in the logs:
com.mongodb.MongoSocketException: mongodb: Temporary failure in name resolution
Caused by: java.net.UnknownHostException: mongodb: Temporary failure in name resolution
2023-05-13 15:13:58,222 INFO : org.graylog2.bootstrap.preflight.MongoDBPreflightCheck - MongoDB is not available. Retry #1
2023-05-13 15:14:00,222 INFO : org.mongodb.driver.cluster - Cluster description not yet available. Waiting for 30000 ms before timing out
I've tried removing and re-deploying, but no luck.