Launch Graylog using Docker Compose on Unraid


Introduction

Logging and traffic monitoring are crucial for information security. Stored logs that can be searched offer valuable information about security breaches.

For instance, logs from individual computers can reveal an attacker’s movements within a network. Authentication logs from Active Directory can provide a more detailed view of these movements and establish a timeline. Firewall logs can show an attacker’s initial point of entry or the first time a specific command-and-control (C2) domain was contacted. NetFlow logs offer information about a host’s interactions with other devices on the network.

These examples illustrate how logging is essential for providing critical data, especially during or after a security incident.

This is not intended to be an exhaustive analysis of logging and monitoring. Further research into the theoretical and practical reasons for logging in a secure systems environment is strongly recommended.


Graylog

Graylog is a robust open-source log management system that is ideal for homelab environments and beyond. It is a powerful tool suitable even for enterprise environments and has enterprise-friendly options available.

However, for our needs on Unraid, the open-source version will be more than enough.

Graylog has been challenging to set up on Unraid in the past. Docker Compose simplifies the installation process, so we’ll use it on Unraid to overcome these challenges and get Graylog working.


Prepping Unraid

This setup requires the Docker Compose Manager plugin. You can install it from the Community Applications page in Unraid. Just search for “Docker Compose Manager” and install the package from “dcflachs”. More information can be found in the Docker Compose forum post. See the image below for reference.

Note: As of this writing, Unraid’s Docker Compose implementation is in beta. However, I have been using it without issues since its initial release. It’s always recommended to have backups and parity set up before using beta software.

Once installed, we can proceed to the next steps.


Configuring a Docker Compose Stack on Unraid

This step requires Docker to be enabled on your Unraid server. Refer to Unraid’s Wiki for information on Docker in Unraid and how to enable it.

Once enabled, navigate to “Docker” in the menu. If the installation was successful, you should see a “Compose” section at the bottom of the page.

Click ADD NEW STACK and name the stack something clear like “graylog”, as shown in the image.

Next, click the gear icon next to the “graylog” stack and select EDIT STACK. A large text edit box should appear, displaying something similar to “Editing /boot/config/plugins/compose.manager/projects/graylog/compose.yml”. Copy and paste the following code into the box:

version: "3.8"

services:
  mongodb:
    image: "mongo:5.0"
    volumes:
      - "/your/unraid/path/here:/data/db"                        # line 7: MongoDB data (host path before the colon)
    restart: "on-failure"

  elasticsearch:
    environment:
      ES_JAVA_OPTS: "-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true"  # formatMsgNoLookups disables Log4j message lookups (Log4Shell mitigation)
      bootstrap.memory_lock: "true"
      discovery.type: "single-node"
      http.host: "0.0.0.0"
      action.auto_create_index: "false"
    image: "docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2"
    ulimits:
      memlock:
        hard: -1
        soft: -1
    volumes:
      - "/your/unraid/path/here:/usr/share/elasticsearch/data"   # line 23: Elasticsearch data
    restart: "on-failure"

  graylog:
    image: "graylog/graylog:4.2"
    depends_on:
      elasticsearch:
        condition: "service_started"
      mongodb:
        condition: "service_started"
    entrypoint: "/usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh"
    environment:
      GRAYLOG_TIMEZONE: "America/New_York"
      TZ: "America/New_York"
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
      GRAYLOG_PASSWORD_SECRET: "enter secret here"               # line 38
      GRAYLOG_ROOT_PASSWORD_SHA2: "enter SHA2 of secret here"    # line 39: SHA-256 hex digest of the admin password
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://elasticsearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"

    ports:
      - "5044:5044/tcp"   # Beats
      - "5140:5140/udp"   # Syslog
      - "5140:5140/tcp"   # Syslog
      - "5555:5555/tcp"   # RAW TCP
      - "5555:5555/udp"   # RAW UDP
      - "9000:9000/tcp"   # Server API
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      - "10000:10000/tcp" # Custom TCP port
      - "10000:10000/udp" # Custom UDP port
      - "13301:13301/tcp" # Forwarder data
      - "13302:13302/tcp" # Forwarder config
    volumes:
      - "/your/unraid/path/here:/usr/share/graylog/data/data"    # line 59: Graylog data
      - "/your/unraid/path/here:/usr/share/graylog/data/journal" # line 60: Graylog journal
    restart: "on-failure"
volumes:  # named volumes; unused here because the services above use bind mounts, harmless to keep
  mongodb_data:
  es_data:
  graylog_data:
  graylog_journal:

Your Unraid interface should resemble the image:

Before saving, edit Lines 7, 23, 59, and 60 of the file: these are the four bind-mount lines, each beginning with /your/unraid/path/here. Replace /your/unraid/path/here on each line with the host directory in which you want that component’s files stored. For example, I used /mnt/disk7/graylog/mongodb_data for Line 7, /mnt/disk7/graylog/es_data for Line 23, /mnt/disk7/graylog/graylog_data for Line 59, and /mnt/disk7/graylog/graylog_journal for Line 60.

Keep the colon and everything after it (the path inside the container) unchanged. For example, Line 7 in my case reads "/mnt/disk7/graylog/mongodb_data:/data/db".

I opted to store Graylog data on a dedicated disk, separate from my cache drive, for long-term storage and to avoid consuming Docker image or cache storage space.

Important Note: DO NOT point all four volumes at the same directory. I used /mnt/disk7/graylog as the root directory for Graylog data, and each volume in the Docker Compose file gets its own subdirectory beneath it. Sharing one directory between Graylog volumes is not recommended and may cause issues, potentially preventing the application from running.
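As an added example (not part of the post), the following POSIX shell script does the directory and placeholder work above mechanically: it creates one subdirectory per volume under a root such as /mnt/disk7/graylog, fills the four /your/unraid/path/here placeholders in the compose file in order, and checks that no two bind mounts share a host directory. The subdirectory names reuse the volume names from the post’s Compose file; the script filename and the input/output file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): prepare the four distinct data directories and
# fill the "/your/unraid/path/here" placeholders in the Graylog compose file.
set -u

# One subdirectory per bind mount, in the order the placeholders appear in the file
# (MongoDB line 7, Elasticsearch line 23, Graylog data line 59, Graylog journal line 60).
# Names are taken from the post's named-volume block.
GRAYLOG_VOLUMES="mongodb_data es_data graylog_data graylog_journal"

# make_data_dirs ROOT: create ROOT/<name> for each volume; print the four paths, one per line.
make_data_dirs() {
  root=$1
  for name in $GRAYLOG_VOLUMES; do
    mkdir -p "$root/$name" || return 1
    printf '%s\n' "$root/$name"
  done
}

# fill_placeholders ROOT IN OUT: replace the n-th placeholder with ROOT/<n-th volume name>,
# leaving the container-side path after the colon untouched. Refuses to run unless
# exactly four placeholders are present, so a hand-edited file is not half-rewritten.
fill_placeholders() {
  root=$1; in=$2; out=$3
  count=$(grep -c '/your/unraid/path/here' "$in" || true)
  [ "$count" -eq 4 ] || { echo "expected 4 placeholders, found $count" >&2; return 1; }
  awk -v root="$root" -v names="$GRAYLOG_VOLUMES" '
    BEGIN { split(names, v, " "); i = 0 }
    /\/your\/unraid\/path\/here/ {
      i++
      sub(/\/your\/unraid\/path\/here/, root "/" v[i])
    }
    { print }
  ' "$in" > "$out"
}

# check_distinct FILE: succeed only if every bind mount ("- "/host/path:/container/path")
# uses a different host directory, i.e. the post's "Important Note" is satisfied.
check_distinct() {
  dup=$(sed -n 's/^[[:space:]]*- "\(\/[^:"]*\):.*/\1/p' "$1" | sort | uniq -d)
  [ -z "$dup" ]
}

# Command-line use (script name prepare_graylog_dirs.sh is assumed):
#   sh prepare_graylog_dirs.sh /mnt/disk7/graylog compose.yml compose.filled.yml
if [ $# -eq 3 ]; then
  make_data_dirs "$1" >/dev/null || exit 1
  fill_placeholders "$1" "$2" "$3" || exit 1
  check_distinct "$3" || { echo "two volumes share a host directory" >&2; exit 1; }
  echo "wrote $3"
fi
```

Review the generated file before pasting it into the Unraid stack editor; the script only touches the four placeholder lines and leaves the rest of the file, including the secret lines, as you had them.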

Next, before saving, generate a password and its SHA2 hash (SHA-256, which is what the sha256sum command below produces and what GRAYLOG_ROOT_PASSWORD_SHA2 expects). These values will be used on Lines 38 and 39 respectively. I used another Docker container on Unraid called CyberChef (mpepping/cyberchef). You can also use Unraid’s terminal: click the Terminal icon in the top right corner of Unraid’s menu, then copy and paste the following command:

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Press Enter. You will be prompted to enter your desired Graylog password (for Line 38). After entering your password, press Enter again. The terminal should output the corresponding SHA2 hash. Copy this hash and paste it into Line 39 of the compose file on Unraid. See the image below for reference.
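Added example, not from the post: a POSIX shell script that produces the two values for Lines 38 and 39. Unlike the one-liner above, it reads the password with terminal echo turned off, and it draws GRAYLOG_PASSWORD_SECRET as a separate random string rather than reusing the admin password, which is what Graylog’s server.conf template suggests (it recommends generating the secret with pwgen -N 1 -s 96). The script name gen_graylog_creds.sh is an assumption; the hash it prints is the same SHA-256 digest the post’s sha256sum command computes.

```shell
#!/bin/sh
# Added example (not from the post): generate GRAYLOG_PASSWORD_SECRET and
# GRAYLOG_ROOT_PASSWORD_SHA2 for the compose file without echoing the password.

# sha256_hex STRING: SHA-256 of STRING exactly, with no trailing newline (the same
# digest the post's `head -1 | tr -d '\n' | sha256sum` pipeline computes).
# Falls back to shasum where coreutils sha256sum is absent.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# random_secret LENGTH: alphanumeric secret of LENGTH characters from /dev/urandom.
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# check_secret_length SECRET: Graylog's server.conf template asks for at least 64
# characters for password_secret; enforce that lower bound before rendering.
check_secret_length() {
  [ "${#1}" -ge 64 ]
}

# render_env SECRET PASSWORD: print the two environment lines for the graylog service
# (Lines 38 and 39 of the post's compose file), hashing PASSWORD for the root login.
render_env() {
  printf '      GRAYLOG_PASSWORD_SECRET: "%s"\n' "$1"
  printf '      GRAYLOG_ROOT_PASSWORD_SHA2: "%s"\n' "$(sha256_hex "$2")"
}

# Interactive use: `sh gen_graylog_creds.sh --prompt` reads the admin password with
# echo disabled via stty and prints the two lines ready to paste into the stack editor.
if [ "${1:-}" = "--prompt" ]; then
  secret=$(random_secret 96)
  check_secret_length "$secret" || { echo "generated secret too short" >&2; exit 1; }
  printf 'Enter admin password: '
  stty -echo 2>/dev/null
  read -r password
  stty echo 2>/dev/null
  echo
  render_env "$secret" "$password"
fi
```

Run it in the Unraid terminal with sh gen_graylog_creds.sh --prompt and paste the two printed lines over Lines 38 and 39; the password you typed (not the hash, and not the secret) is what you log in with as admin.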

Finally, click SAVE CHANGES.


Start the Stack - Compose Up

Now, click COMPOSE UP under Commands associated with your graylog stack. This is equivalent to the standard Docker Compose command:

docker-compose up -d

A popup titled “Stack graylog Up” should appear, and you should see Docker Compose searching for and downloading any missing images. Once all necessary files are downloaded, the final output should look like this:

Container graylog-mongodb-1 Running
Container graylog-elasticsearch-1 Running
Container graylog-graylog-1 Running

This output confirms that your Graylog containers, including network settings and dependencies, have been successfully launched on your Unraid server.

You should now see three new containers at the top of the running containers list in Unraid’s Docker menu. See the image below for reference:

You can now access your Graylog instance by going to your Unraid server’s IP address on port 9000 (e.g., 172.16.1.10:9000). Log in with the username admin and your password from Line 38 (the password itself, not its SHA2 hash).


Bonus: Send Other Unraid Container Syslogs to Graylog

To send syslog data to Graylog, enable a Syslog TCP input in Graylog. Go to System / Inputs in the Graylog interface, choose Syslog TCP from the Select input dropdown, and click Launch new input.

Give your input a descriptive title and change the incoming port from 514 to 5140. Leave the remaining settings at their defaults unless you have specific requirements. Scroll down and click Save.

Back in Unraid, navigate to a running container that you wish to configure or add a new container as needed.

Under “Extra Parameters”, add the following to the field, placing it after any existing parameters:

--log-driver=syslog --log-opt tag="varken" --log-opt syslog-address=tcp://YOUR_GRAYLOG_IP:5140

Replace varken with a descriptive name for the container you are configuring and YOUR_GRAYLOG_IP with the IP address you used to access Graylog.

Scroll to the bottom of the container configuration and click SAVE. If your network settings are correct and communication is successful, your container should start, and its syslog data should be forwarded to your Graylog instance!

Licensed under CC BY-NC-SA 4.0