Demonstrating sending logs from a Spring Boot application to Graylog.
This repo accompanies the following series of articles on Graylog:
- Application Logging & Alerting With Graylog (1 of 2): Introduction: An overview of application logging and alerting with Graylog.
- Application Logging & Alerting With Graylog (2 of 2): Spring Boot Demo: Demonstrating application logging and alerting with Graylog using a Spring Boot application.
The Spring Boot application provides a REST API that logs a message when called. This logging is piped through to Graylog, where messages can be searched and filtered. Alerts can be configured to notify targets such as Slack, for example when error messages are received.
The Spring Boot application and docker image are built:
mvn clean install
docker build -t springboot-graylog-app .
This image will be used when the docker containers are started in the next step.
From root dir run the following to start dockerised Graylog, Graylog Data Node (Opensearch), MongoDB (used by Graylog), and the Spring Boot application (`springboot-graylog-app`):
docker-compose up -d
From version 5.2, Graylog uses Graylog Data Nodes, which use Opensearch rather than Elasticsearch.
Password secret generation (for GRAYLOG_PASSWORD_SECRET):
openssl rand -hex 48
Password generation (for GRAYLOG_ROOT_PASSWORD_SHA2):
echo -n admin | shasum -a 256
Update environment variables in `docker-compose.yml`, or use the existing values which are `admin` / `admin`.
Navigate to Graylog Web UI:
http://localhost:9000/
Log in with the username/password that is output in the Graylog container logs. View the logs with:
docker logs -f graylog
For example, logging shows:
Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'KmIvzhoGXr'.
Set up the certificate authority for the integration with the Graylog datanode by clicking: Create CA / Create Policy / Provision certificate and continue / Resume startup
Now log in with `admin` / `admin`.
Create Input: System / Inputs / Select input - select GELF TCP (in line with the appender defined in `logback.xml`) / Launch new input / Enter name / Select Global checkbox / Launch Input.
View messages: Search.
To display the logging level, select FIELDS on the left menu / `level_name` / Add to all tables
Configure a Slack webhook endpoint for the Slack workspace that will be sent alert notifications by Graylog:
https://api.slack.com/messaging/webhooks
Create a Notification: Alerts / Notifications / Create notification / Notification Type: Slack Notification / Webhook URL: Enter generated URL / Channel: Required Slack channel / Create notification
Create an Event Definition: Alerts / Event Definitions / Create event definition / Condition type: Filter & Aggregation / Search query: `level: <4` / Notifications / Add Notification: Select created notification / Create event definition
Trigger an INFO message by calling:
curl http://localhost:9001/v1/demo/success
View resultant application logging in Graylog.
Trigger an ERROR message by calling:
curl http://localhost:9001/v1/demo/error
This results in an alert notification being sent to Slack.
Stop containers:
docker-compose stop
To delete the volumes created (so the containers start afresh upon restart with no data):
docker volume rm springboot-graylog_graylog-data springboot-graylog_graylog-journal springboot-graylog_graylog-datanode springboot-graylog_mongodb-data
Manual clean up:
docker rm -f $(docker ps -aq)
Further docker clean up if network/other issues:
docker system prune
docker volume prune