Graylog is an open-source, full-featured log-management system. It is included in CEP and can be used by applications running on the CEP infrastructure. This document outlines the setup steps applications need in order to use the CEP Graylog infrastructure, and briefly describes how Graylog can be accessed and used.

Docker compose changes

The Docker service (application) that needs to use Graylog must set its logging driver to the gelf driver and pass the gelf-address as an option to that driver. To do this, edit docker-compose.yml, the Docker stack manifest file used to deploy the application, and add the following under the desired service. For example, if the web service needs to use Graylog, then the docker-compose.yml file should include the following:

        logging:
            driver: gelf
            options:
                gelf-address: "udp://<graylog_service_name>:12201"

Application logging

The application needs to log to the standard console (stdout) as usual. The GELF driver takes care of posting these logs to the gelf-address specified above. To be able to filter in a systematic way, the log statements written to the console should follow a fixed format. For example, this could be well-formed JSON, i.e., the whole printed message should be parseable as JSON.
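One way to produce such output from a Python service, as an added example that is not part of the CEP documentation: a logging formatter that writes one JSON object per line to stdout. The field names (ts, level, logger, msg, src_ip) and the sample event are assumptions chosen for illustration.

```python
import io
import json
import logging
import sys
from datetime import datetime, timezone

# Attributes every LogRecord has; any other attribute arrived via `extra=`.
_STANDARD = set(vars(logging.LogRecord("", 0, "", 0, "", (), None))) | {"message", "asctime"}


class JsonLineFormatter(logging.Formatter):
    def format(self, record):
        doc = {
            "ts": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        # Custom fields become top-level keys that a JSON extractor can pick up.
        for key, value in vars(record).items():
            if key not in _STANDARD and key not in doc:
                doc[key] = value
        if record.exc_info:
            doc["exc"] = self.formatException(record.exc_info)
        # json.dumps escapes CR/LF, so untrusted input cannot forge a second line.
        return json.dumps(doc, default=str)


def build_logger(name="web", stream=None):
    """Return a logger that writes one JSON object per line to stdout."""
    handler = logging.StreamHandler(sys.stdout if stream is None else stream)
    handler.setFormatter(JsonLineFormatter())
    logger = logging.getLogger(name)
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def demo():
    """Log one constructed event whose username embeds a newline."""
    buf = io.StringIO()
    log = build_logger("web", buf)
    log.info("login failed for %s", "bob\nforged", extra={"src_ip": "192.0.2.10"})
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Because the newline in the constructed username is escaped inside the JSON string, the event stays on a single line and remains parseable as one JSON document.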

Graylog Usage

Once Graylog is set up as explained above and the application is up and running and producing logs, we can access the Graylog web UI at https://graylog.{domain-name}. Graylog can be used to filter on various built-in fields like node-name, container-name, image-name, etc. We can also add custom fields that are part of the logged message, if the message is well-formed JSON. This can be achieved by using “Graylog Extractors”, a built-in feature of Graylog.

See the links below for documentation on how to use Graylog:

Also see the sidebar of these pages for extensive documentation on Graylog usage.