Automatically create UDP input for Graylog2 server running in Docker?
I use Ansible for starting and preparing Graylog2 in containers, and I just create a global UDP input by calling the Graylog2 REST API (after Graylog2 auto-configuration has finished):
    - name: create graylog global udp input for receiving logs
      uri:
        url: http://{{ ipv4_address }}:9000/api/system/inputs
        method: POST
        user: "{{ graylog_admin }}"
        password: "{{ graylog_pwd }}"
        body: '{"title":"xxx global input","type":"org.graylog2.inputs.gelf.udp.GELFUDPInput","configuration":{"bind_address":"0.0.0.0","port":12201,"recv_buffer_size":262144,"override_source":null,"decompress_size_limit":8388608},"global":true}'
        force_basic_auth: yes
        status_code: 201
        body_format: json
[ansible] [docker] [graylog2]
Steps to create multiple inputs using a contentpack:
1. Write them into a file in JSON format, e.g.:

        {
          "id": null,
          "name": " Inputs",
          "description": "Contentpack that adds global inputs",
          "category": "Inputs",
          "inputs": [
            {
              "title": "udp input",
              "configuration": {
                "override_source": null,
                "recv_buffer_size": 262144,
                "bind_address": "0.0.0.0",
                "port": 12201,
                "decompress_size_limit": 8388608
              },
              "static_fields": {},
              "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
              "global": true,
              "extractors": []
            },
            {
              "title": "tcp input",
              "configuration": {
                "override_source": null,
                "recv_buffer_size": 262144,
                "bind_address": "0.0.0.0",
                "port": 12202,
                "decompress_size_limit": 8388608
              },
              "static_fields": {},
              "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
              "global": true,
              "extractors": []
            }
          ]
        }

2. Copy the contentpack to the contentpacks directory in Graylog using Ansible:

        - name: create graylog inputs for receiving logs
          shell: cp .templates/inputs.json /usr/share/graylog-server/contentpacks/inputs.json

3. Set contentpacks autoload to True in graylog.conf, or via Ansible:

        graylog_content_packs_loader_enabled: true

4. Set contentpacks autoload to load inputs.json (e.g. via Ansible):

        graylog_content_packs_auto_load: inputs.json

Hope this helps!
Use an auto-loaded content pack in a newly created Docker container.
Dockerfile (since Graylog 3.2 - thanks to T. van den Berg):
    FROM graylog2/server:latest
    COPY udp-input-graylog.json /usr/share/graylog/data/contentpacks
    ENV GRAYLOG_CONTENT_PACKS_AUTO_INSTALL udp-input-graylog.json
    ENV GRAYLOG_CONTENT_PACKS_LOADER_ENABLED true
    ENV GRAYLOG_CONTENT_PACKS_DIR data/contentpacks
Dockerfile (pre 3.0, see this pull request):

    FROM graylog2/server:latest
    COPY udp-input-graylog.json /usr/share/graylog/data/contentpacks
    ENV GRAYLOG_CONTENT_PACKS_AUTO_LOAD udp-input-graylog.json
    ENV GRAYLOG_CONTENT_PACKS_LOADER_ENABLED true
    ENV GRAYLOG_CONTENT_PACKS_DIR data/contentpacks
udp-input-graylog.json (Pre 3.0):
    {
      "name": "UDP GELF input on 12201",
      "description": "Adds a global UDP GELF input on port 12201",
      "category": "Inputs",
      "inputs": [
        {
          "title": "udp input",
          "configuration": {
            "override_source": null,
            "recv_buffer_size": 262144,
            "bind_address": "0.0.0.0",
            "port": 12201,
            "decompress_size_limit": 8388608
          },
          "static_fields": {},
          "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
          "global": true,
          "extractors": []
        }
      ],
      "streams": [],
      "outputs": [],
      "dashboards": [],
      "grok_patterns": []
    }

To get a contentpack json compatible with 3.0, just create the input via the GUI and then create and download the contentpack via the GUI as well.
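
A pre-flight check for the pre-3.0 content pack layout used in the answers above, added here as an example that is not part of any answer or of Graylog itself. The function names (`lint_pack`, `transport`), the finding labels and the sample pack are hypothetical, and the transport is guessed from the input class name, which is an assumption.

```python
import json
from collections import Counter

# Constructed sample in the pre-3.0 content pack layout shown on this page.
SAMPLE_PACK = json.loads("""
{"name": "Inputs", "category": "Inputs", "inputs": [
  {"title": "udp input", "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
   "global": true, "configuration": {"bind_address": "0.0.0.0", "port": 12201}},
  {"title": "udp copy", "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput",
   "global": true, "configuration": {"bind_address": "0.0.0.0", "port": 12201}},
  {"title": "tcp input", "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
   "global": true, "configuration": {"bind_address": "127.0.0.1", "port": 514}}
]}
""")
WILDCARDS = {"0.0.0.0", "::"}


def transport(input_type):
    """Guess the transport from the class name (assumption: it contains UDP or TCP)."""
    name = input_type.rsplit(".", 1)[-1].upper()
    return "udp" if "UDP" in name else "tcp" if "TCP" in name else "unknown"


def lint_pack(pack):
    """Return (title, finding) pairs to review before the pack is auto-loaded."""
    inputs = pack.get("inputs", [])
    # Count transport/port pairs: two inputs on the same pair may collide on one node.
    seen = Counter((transport(i.get("type", "")), i.get("configuration", {}).get("port"))
                   for i in inputs)
    findings = []
    for item in inputs:
        title, cfg = item.get("title", "<untitled>"), item.get("configuration", {})
        port, proto = cfg.get("port"), transport(item.get("type", ""))
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append((title, "invalid-port"))
            continue
        if port < 1024:  # needs extra privileges when the server runs as non-root
            findings.append((title, "privileged-port"))
        if cfg.get("bind_address") in WILDCARDS:  # listens on every interface
            findings.append((title, "wildcard-bind"))
        if seen[(proto, port)] > 1:
            findings.append((title, f"duplicate-{proto}-{port}"))
    return findings


if __name__ == "__main__":
    for title, finding in lint_pack(SAMPLE_PACK):
        print(f"{title}: {finding}")
```

A `wildcard-bind` finding is expected for inputs inside a container; it is a prompt to check which host interfaces the Docker port mapping and firewall actually expose.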