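#!/usr/bin/env bash
# Provision a single-host Graylog 5.1 stack (MongoDB + Elasticsearch + Graylog) with podman.
# Run as root. Replace the SERVERIP placeholder with the host address that both the graylog
# container and the syslog clients use to reach this machine.
set -euo pipefail

SERVERIP="SERVERIP"   # placeholder: host address reachable from the containers and from clients

# ---- host directories ------------------------------------------------------------------------
mkdir -p /mnt/graylog/mongodb_data
mkdir -p /mnt/graylog/elasticsearch_data
# The mongod / elasticsearch processes inside the images run as these fixed UIDs; the bind
# mounts must be writable by them, so the ownership is set from the host side.
chown 999:root /mnt/graylog/mongodb_data
chown 1000:root /mnt/graylog/elasticsearch_data

# ---- secrets ---------------------------------------------------------------------------------
# One secret per purpose. The original flow reused a single pwgen value as the MongoDB admin
# password, the Graylog password_secret and the Graylog admin password; a leak of any one of
# them then compromised all three.
MONGO_ADMIN_PASSWORD="$(pwgen -N 1 -s 96)"
GRAYLOG_DB_PASSWORD="$(pwgen -N 1 -s 96)"
GRAYLOG_PASSWORD_SECRET="$(pwgen -N 1 -s 96)"   # Graylog requires at least 16 characters here

# Initial Graylog web-UI admin password: read it silently so it is neither echoed to the
# terminal nor written to shell history, then hash it the way Graylog expects (plain sha256).
read -rs -p "Enter Graylog admin password: " GRAYLOG_ADMIN_PASSWORD; echo
GRAYLOG_ROOT_PASSWORD_SHA2="$(printf '%s' "$GRAYLOG_ADMIN_PASSWORD" | sha256sum | cut -d ' ' -f1)"
unset GRAYLOG_ADMIN_PASSWORD

# Keep a root-only copy of the generated secrets; the MongoDB admin password is needed later
# for maintenance (see the INFO section at the bottom).
SECRETS_FILE=/root/graylog-secrets.env   # constructed path, adjust to local policy
install -m 600 /dev/null "$SECRETS_FILE"
printf 'MONGO_ADMIN_PASSWORD=%s\nGRAYLOG_DB_PASSWORD=%s\nGRAYLOG_PASSWORD_SECRET=%s\n' \
  "$MONGO_ADMIN_PASSWORD" "$GRAYLOG_DB_PASSWORD" "$GRAYLOG_PASSWORD_SECRET" > "$SECRETS_FILE"

# ---- mongodb ---------------------------------------------------------------------------------
# Setting both MONGO_INITDB_ROOT_* variables makes the official image create the root user in
# the admin database on first start and run mongod with --auth. Leaving them empty (as the
# original did) starts an unauthenticated mongod that is published on every interface of the
# host, and the users created afterwards are never enforced. Note: the image only performs this
# initialisation on an empty data directory.
podman run -d --name mongodb -p 27017:27017 --restart=always \
  -v /mnt/graylog/mongodb_data:/data/db \
  -e MONGO_INITDB_ROOT_USERNAME=admin \
  -e MONGO_INITDB_ROOT_PASSWORD="$MONGO_ADMIN_PASSWORD" \
  docker.io/mongo:5.0.13

# Wait until mongod answers (ping needs no authentication), then create the application user.
# db.getSiblingDB() is used instead of `use graylog` so the snippet is plain JavaScript that
# mongosh can evaluate from a non-interactive stdin.
until podman exec mongodb mongosh --quiet --eval 'db.runCommand({ ping: 1 })' >/dev/null 2>&1; do
  sleep 2
done
podman exec -i mongodb mongosh --quiet -u admin -p "$MONGO_ADMIN_PASSWORD" --authenticationDatabase admin <<EOF
db.getSiblingDB("graylog").createUser({
  user: "graylog",
  pwd: "$GRAYLOG_DB_PASSWORD",
  roles: [ { role: "readWrite", db: "graylog" } ]
})
EOF

# ---- elasticsearch ---------------------------------------------------------------------------
# Elasticsearch 7.10.2 ships with security disabled, so port 9200 is an unauthenticated HTTP
# API. The graylog container reaches it through the host address, so it cannot simply be bound
# to 127.0.0.1; restrict 9200 (and 27017) at the host firewall to this host / the graylog
# container, or move all three containers onto a private podman network instead of publishing.
podman run -d --name elasticsearch -p 9200:9200 --restart=always \
  -e http.host=0.0.0.0 \
  -e transport.host=localhost \
  -e network.host=0.0.0.0 \
  -e ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m" \
  -v /mnt/graylog/elasticsearch_data:/usr/share/elasticsearch/data \
  docker.elastic.co/elasticsearch/elasticsearch:7.10.2

# ---- graylog ---------------------------------------------------------------------------------
# 9000 = web UI/API, 12201/udp = GELF input, 1514 tcp+udp = syslog input.
# GRAYLOG_WEB_ENDPOINT_URI is a legacy setting kept from the original; newer releases use
# http_external_uri, so it is presumably ignored by 5.1 but harmless.
# --restart=always only takes effect after a reboot when podman-restart.service is enabled
# (NOTE(review): verify on the target distribution).
podman run -d --name graylog --restart=always \
  -p 9000:9000 -p 12201:12201/udp -p 1514:1514/udp -p 1514:1514 \
  -e GRAYLOG_PASSWORD_SECRET="$GRAYLOG_PASSWORD_SECRET" \
  -e GRAYLOG_ROOT_PASSWORD_SHA2="$GRAYLOG_ROOT_PASSWORD_SHA2" \
  -e GRAYLOG_HTTP_EXTERNAL_URI="http://${SERVERIP}:9000/" \
  -e GRAYLOG_WEB_ENDPOINT_URI="http://${SERVERIP}:9000/api" \
  -e GRAYLOG_MONGODB_URI="mongodb://graylog:${GRAYLOG_DB_PASSWORD}@${SERVERIP}:27017/graylog" \
  -e GRAYLOG_ELASTICSEARCH_HOSTS="http://${SERVERIP}:9200" \
  -v graylog_data:/usr/share/graylog/data \
  docker.io/graylog/graylog:5.1

# ---- client side (run on each rsyslog client, not on this host) -----------------------------
# A single '@' forwards over UDP, '@@' over TCP; the server publishes 1514 on both.
# The selector and the action are separated by whitespace.
#   echo "*.* @10.0.3.3:1514;RSYSLOG_SyslogProtocol23Format" > /etc/rsyslog.d/graylog.conf
#   systemctl restart rsyslog

# ---- INFO ------------------------------------------------------------------------------------
# graylog config files live under the named volume in "/var/lib/containers/storage/volumes"
# check login status inside mongodb:      db.runCommand({ connectionStatus: 1 })
# list users inside mongodb:              db.getUsers()
# delete a user in mongodb:               db.dropUser("username")
# connect to mongodb from an external tool (password is prompted for, not passed on the command line):
#   mongosh --host DBSERVER --authenticationDatabase admin -u admin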