Graylog Getting Started
Graylog is on a mission to make Log Management and SIEM easier, faster, more affordable, and more effective.
If you have installed Websoft9 Graylog, the following steps are your quick start.
Preparation
- Get the Internet IP of your server on the cloud
- Check the inbound security group rules in your cloud console to ensure that TCP port 80 is allowed
- Complete the five domain steps if you want to use a domain name for Graylog
- Get the default username and password of Graylog
Graylog Initialization
Steps for you
- Use a local Chrome or Firefox browser to visit http://DNS or http://Server's Internet IP; you will see the Graylog login page.
- Enter the login account to reach the Graylog console (Don't have a password?)
- If you want to bind a domain name to Graylog, refer to here
For more Graylog guides, refer to Configuring Graylog.
Having trouble?
The sections below help you solve problems; you can also contact Websoft9 Support or refer to Troubleshoot + FAQ for more.
Graylog QuickStart
Work in progress.
Graylog Setup
Configure SMTP
- Get the SMTP parameters from your mailbox management console
- Refer to the official email settings and edit the Graylog configuration file: /etc/graylog/server/server.conf
- Modify the transport_email items of the Graylog configuration file
- Restart the Graylog service:
sudo docker restart graylog
Reset Password
Reset your password this way if you cannot use email to reset it:
- Log in to the server with an SSH tool, then run the commands below
new_password=admin123@graylog
sha_password=$(echo -n $new_password | sha256sum | awk '{ print $1 }')
sudo sed -i "s/8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918/$sha_password/g" /data/wwwroot/graylog/.env
- Your new password is admin123@graylog once docker-compose has recreated the container:
cd /data/wwwroot/graylog && sudo docker-compose up -d
You can set new_password to any string you want.
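The following is an added example, not Websoft9's or Graylog's own script. It performs the same reset as the commands above but checks that the .env file really contains exactly one root-password line before editing it, so a typo cannot silently leave the old hash in place. It assumes the .env file stores the hash under the key GRAYLOG_ROOT_PASSWORD_SHA2 (Graylog's environment-variable form of the root_password_sha2 option); that key name in the Websoft9 .env file is an assumption, as is the temporary sample file the demo builds.

```shell
#!/bin/sh
# Added example (not Websoft9's or Graylog's own code).
# Assumption: the compose .env file carries the root password hash under
# GRAYLOG_ROOT_PASSWORD_SHA2. Adjust the key if your .env file differs.

# Print the hex SHA-256 of a string. printf '%s' avoids hashing a trailing
# newline, which is the mistake that makes "echo" (without -n) produce a
# hash Graylog will never match.
graylog_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{ print $1 }'
    else
        printf '%s' "$1" | shasum -a 256 | awk '{ print $1 }'
    fi
}

# Replace the stored root password hash with the hash of a new password.
# Refuses to touch the file unless exactly one matching line exists.
set_root_password_hash() {
    env_file=$1
    new_password=$2
    key=GRAYLOG_ROOT_PASSWORD_SHA2
    n=$(grep -c "^${key}=" "$env_file" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one ${key} line in ${env_file}, found ${n}" >&2
        return 1
    fi
    hash=$(graylog_sha256 "$new_password")
    # The hash is lowercase hex only, so it is safe inside a sed replacement.
    sed -i.bak "s/^${key}=.*/${key}=${hash}/" "$env_file" && rm -f "${env_file}.bak"
}

# Read back the hash currently stored in the env file.
get_root_password_hash() {
    sed -n 's/^GRAYLOG_ROOT_PASSWORD_SHA2=//p' "$1"
}

# Demo on a constructed temporary .env file: run as "sh reset.sh demo".
if [ "${1:-}" = "demo" ]; then
    demo_env=$(mktemp)
    printf 'GRAYLOG_ROOT_USERNAME=admin\nGRAYLOG_ROOT_PASSWORD_SHA2=%s\n' \
        "$(graylog_sha256 admin)" > "$demo_env"
    echo "before: $(get_root_password_hash "$demo_env")"
    set_root_password_hash "$demo_env" 'admin123@graylog'
    echo "after:  $(get_root_password_hash "$demo_env")"
    rm -f "$demo_env"
fi
```

After editing the real .env file you still need to recreate the container (`docker-compose up -d`, as above) for the new hash to take effect; the hash only governs the built-in root account, not users stored in MongoDB. Passing the password on the command line, as the page's own commands also do, leaves it in the shell history, so prefer `read -r new_password` on an interactive shell and clear the history afterwards.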
Configure Graylog
Every configuration option can be set via environment variables. Simply prefix the parameter name with GRAYLOG_ and write it all in upper case.
For example, to set up the SMTP configuration for sending Graylog alert notifications via email, the docker-compose.yml would look like this:
version: '2'
services:
  mongo:
    image: "mongo:4.2"
    # Other settings [...]
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    # Other settings [...]
  graylog:
    image: graylog/graylog:4.2
    # Other settings [...]
    environment:
      GRAYLOG_TRANSPORT_EMAIL_ENABLED: "true"
      GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: smtp
      GRAYLOG_TRANSPORT_EMAIL_PORT: 25
      GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "false"
      GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "false"
      GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"
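The following is an added example, not Websoft9's or Graylog's own tooling. It applies the naming rule just described mechanically: it reads server.conf style `key = value` lines and emits the matching GRAYLOG_-prefixed entries for the compose environment section, dropping comment lines but keeping a `#` or `=` that appears inside a value. The second sample shows the page's plain port-25 relay next to an authenticated STARTTLS setup, using Graylog's transport_email_auth_username and transport_email_auth_password options; the host name and credentials in it are constructed.

```shell
#!/bin/sh
# Added example (not Websoft9's or Graylog's own code): convert server.conf
# lines into docker-compose "environment:" entries.

# Read server.conf lines on stdin, write compose environment entries on stdout.
# Whole-line comments and blank lines are dropped; a '#' inside a value is
# kept because passwords may legitimately contain one. Values containing a
# double quote would need YAML escaping, which this converter does not do.
conf_to_env() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '
        index($0, "=") == 0 { next }              # not a key=value line
        {
            pos = index($0, "=")                  # split on the first "=" only
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            printf "GRAYLOG_%s: \"%s\"\n", toupper(key), val
        }'
}

# Convert one multi-line string (used by the demo and by the checks).
convert() { printf '%s\n' "$1" | conf_to_env; }

# Constructed sample 1: the page's plain relay, no auth, no TLS.
sample_conf='# plain relay on port 25 (page example)
transport_email_enabled = true
transport_email_hostname = smtp
transport_email_port = 25
transport_email_use_auth = false
transport_email_use_tls = false
transport_email_use_ssl = false'

# Constructed sample 2: authenticated STARTTLS submission, as an external
# mail provider would require. Host and credentials are made up.
hardened_conf='# authenticated STARTTLS submission (constructed values)
transport_email_enabled = true
transport_email_hostname = mail.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_auth_username = graylog@example.com
transport_email_auth_password = s3cret#with=odd&chars'

# Demo: run as "sh conf_to_env.sh demo".
if [ "${1:-}" = "demo" ]; then
    echo "--- plain relay (page example) ---"; convert "$sample_conf"
    echo "--- authenticated STARTTLS ---";     convert "$hardened_conf"
fi
```

The plain variant matches the compose snippet above and only makes sense when `smtp` is a relay on a trusted internal network; anything reaching a public mail provider should use the authenticated variant, since the credentials and the alert contents otherwise cross the network in clear text. Put the generated password entry in the compose file's env_file rather than in the YAML itself if the compose file is committed to a repository.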
Reference sheet
The items below and the General parameter sheet may be useful when managing Graylog.
Run the docker ps command to view all containers while Graylog is running:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aba3f411351a websoft9dev/mongocompass:v1.31 "/dockerstartup/kasm…" 39 seconds ago Up 37 seconds 4901/tcp, 5901/tcp, 0.0.0.0:9091->6901/tcp, :::9091->6901/tcp mongocompass
8285b315009a graylog/graylog:4.3 "/usr/bin/tini -- wa…" About a minute ago Up About a minute (healthy) 0.0.0.0:1514->1514/tcp, 0.0.0.0:1514->1514/udp, :::1514->1514/tcp, :::1514->1514/udp, 0.0.0.0:12201->12201/tcp, 0.0.0.0:12201->12201/udp, :::12201->12201/tcp, :::12201->12201/udp, 0.0.0.0:9001->9000/tcp, :::9001->9000/tcp graylog
7795d2333c74 docker.elastic.co/elasticsearch/elasticsearch:7.16.3 "/bin/tini -- /usr/l…" About a minute ago Up About a minute 9200/tcp, 9300/tcp graylog-elasticsearch
04dc27b0962c mongo:4.2 "docker-entrypoint.s…" About a minute ago Up About a minute 27017/tcp
"docker-entrypoint.s…" 8 minutes ago Up 3 minutes 0.0.0.0:9091->1234/tcp, :::9091->1234/tcp adminmongo
Path
Graylog installation directory: /data/apps/graylog
Graylog data directory: /data/apps/graylog/data/graylog/graylog_data
Graylog plugin directory: /data/apps/graylog/data/graylog/graylog_plugin
Port
No special port
Version
# Graylog Version
docker images |grep graylog/graylog |awk '{print $2}'
Service
sudo docker start | stop | restart graylog
sudo docker start | stop | restart graylog-mongo
sudo docker start | stop | restart graylog-elasticsearch
sudo docker start | stop | restart mongocompass
# docker has no "status" subcommand; check container state with:
sudo docker ps
CLI
API
[Graylog API](https://docs.graylog.org/v1/docs/rest-api): the Graylog REST API follows the REST API 2.0 specification; even the Graylog web interface uses this REST API to interact with the Graylog cluster.
API browser: https://IP/api/api-browser/global/index.html (the shorter URL without /global/index.html is not accessible).