Send encrypted logs to Graylog (Bonus: Docker container)
This tutorial is detached from the series and is more of a bonus.
Docker supports the GELF protocol. Sending remotely to an instance is easily done with docker compose.
Unfortunately, however, TLS is not supported, which makes encryption impossible.
This is especially a nogo when sending logs over the World Wide Web.
This is where Wireguard steps in.
I recently described how to install and configure Wireguard here so only the rough steps:
Install Wireguard on the Docker host server and on the Graylog server.
Make sure that the firewall is set for the Wireguard connection.
If the connection is established, create a Graylog GELF UDP input.
Change the bind address to your wireguard IP or leave it at default if you have other Docker containers on other servers that should send logs.
bind_address: <Graylog_Wireguard_IP> decompress_size_limit: 8388608 number_worker_threads: 2 override_source: <empty> port: 12201 recv_buffer_size: 262144
The default port is 12201(UDP).
Now switch to your Docker container server.
Add the following under each container in your docker compose file:
logging: driver: gelf options: gelf-address: udp://<Your_Graylog_Wirguard_IP>:12201 tag: "<any tag to distinguish logs>
Rerun your docker container with your docker compose file.
It is important to note that the Gelf protocol must be used here. Docker supports TCP, but not TLS.
The tag entry is important, otherwise you will quickly get confused.