docs: Add 16, update 2 and remove 2 files

graylog/_volumes.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Define volume items for graylog containers
+# These are used across backup, restore, create, and destroy operations
+# Docker Compose creates volumes with project name prefix: {project}_{volume_name}
+
+get_graylog_volumes() {
+    echo "volume:mongodb_data:${CONTAINER_NAME}_mongodb_data"
+    echo "volume:opensearch_data:${CONTAINER_NAME}_opensearch_data"
+    echo "volume:graylog_data:${CONTAINER_NAME}_graylog_data"
+}

graylog/backup.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+source "${AGENT_PATH}/common.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/_volumes.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# BACKUP SCRIPT
+# Creates a backup of all Graylog data volumes
+
+# Stop containers before backup
+docker compose -p "${CONTAINER_NAME}" stop || _die "Failed to stop Graylog stack"
+
+# Backup all volumes
+# shellcheck disable=SC2046
+backup_items $(get_graylog_volumes) || _die "Failed to create backup"
+
+# Restart containers
+docker compose -p "${CONTAINER_NAME}" start || _die "Failed to restart Graylog stack"
+
+echo "Backup created successfully"

graylog/config/service.env

@@ -0,0 +1,28 @@
+# Graylog Configuration
+CONTAINER_NAME=graylog
+
+# Server settings (REQUIRED by dropshell)
+SSH_USER="root"
+
+# Ports
+WEB_PORT=9000           # Graylog web UI
+GELF_UDP_PORT=12201     # GELF UDP input
+GELF_TCP_PORT=12202     # GELF TCP input
+SYSLOG_UDP_PORT=1514    # Syslog UDP input
+SYSLOG_TCP_PORT=1515    # Syslog TCP input
+BEATS_PORT=5044         # Beats input
+
+# Graylog Admin Password (CHANGE THIS!)
+# Generate a new secret with: pwgen -N 1 -s 96
+GRAYLOG_PASSWORD_SECRET="somepasswordpepper"
+# Admin password (plain text - converted to SHA256 during install)
+GRAYLOG_ROOT_PASSWORD="admin"
+
+# Graylog settings
+GRAYLOG_HTTP_EXTERNAL_URI="http://localhost:9000/"
+GRAYLOG_TIMEZONE="UTC"
+
+# OpenSearch/Elasticsearch settings
+OPENSEARCH_JAVA_OPTS="-Xms1g -Xmx1g"
+
+# MongoDB settings (no authentication by default for internal use)

graylog/destroy.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+source "${AGENT_PATH}/common.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/_volumes.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# DESTROY SCRIPT
+# Completely removes the service AND all data
+# WARNING: This is irreversible!
+
+echo "WARNING: This will PERMANENTLY DELETE all data for ${CONTAINER_NAME}"
+echo "This includes all logs, configurations, dashboards, and indexes!"
+
+./uninstall.sh
+
+# Remove docker compose volumes
+docker compose -p "${CONTAINER_NAME}" down -v 2>/dev/null || true
+
+# shellcheck disable=SC2046
+destroy_items $(get_graylog_volumes) || _die "Failed to destroy docker volumes"
+
+echo "Destroyed ${CONTAINER_NAME} and all data."

graylog/docker-compose.yml

@@ -0,0 +1,78 @@
+services:
+  # MongoDB - stores Graylog configuration and metadata
+  mongodb:
+    image: mongo:6.0
+    container_name: ${CONTAINER_NAME}_mongodb
+    volumes:
+      - mongodb_data:/data/db
+    restart: unless-stopped
+    networks:
+      - graylog-net
+
+  # OpenSearch - stores and indexes log data
+  opensearch:
+    image: opensearchproject/opensearch:2
+    container_name: ${CONTAINER_NAME}_opensearch
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=${OPENSEARCH_JAVA_OPTS:--Xms1g -Xmx1g}"
+      - "bootstrap.memory_lock=true"
+      - "discovery.type=single-node"
+      - "action.auto_create_index=false"
+      - "plugins.security.disabled=true"
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - opensearch_data:/usr/share/opensearch/data
+    restart: unless-stopped
+    networks:
+      - graylog-net
+
+  # Graylog - the main log management application
+  graylog:
+    image: graylog/graylog:6.1
+    container_name: ${CONTAINER_NAME}
+    environment:
+      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET:-somepasswordpepper}
+      - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2:-8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918}
+      - GRAYLOG_HTTP_EXTERNAL_URI=${GRAYLOG_HTTP_EXTERNAL_URI:-http://localhost:9000/}
+      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
+      - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200
+      - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
+      - GRAYLOG_TIMEZONE=${GRAYLOG_TIMEZONE:-UTC}
+    entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh
+    volumes:
+      - graylog_data:/usr/share/graylog/data
+    restart: unless-stopped
+    depends_on:
+      - mongodb
+      - opensearch
+    ports:
+      # Graylog web interface and REST API
+      - "${WEB_PORT:-9000}:9000"
+      # GELF UDP
+      - "${GELF_UDP_PORT:-12201}:12201/udp"
+      # GELF TCP
+      - "${GELF_TCP_PORT:-12202}:12202"
+      # Syslog UDP
+      - "${SYSLOG_UDP_PORT:-1514}:1514/udp"
+      # Syslog TCP
+      - "${SYSLOG_TCP_PORT:-1515}:1515"
+      # Beats
+      - "${BEATS_PORT:-5044}:5044"
+    networks:
+      - graylog-net
+
+networks:
+  graylog-net:
+    driver: bridge
+
+volumes:
+  mongodb_data:
+  opensearch_data:
+  graylog_data:

graylog/install.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+_check_required_env_vars "CONTAINER_NAME" "GRAYLOG_PASSWORD_SECRET" "GRAYLOG_ROOT_PASSWORD"
+
+# Convert plain text password to SHA256 for Graylog
+export GRAYLOG_ROOT_PASSWORD_SHA2=$(echo -n "${GRAYLOG_ROOT_PASSWORD}" | sha256sum | cut -d' ' -f1)
+
+# Check Docker
+_check_docker_installed || _die "Docker test failed"
+docker compose version >/dev/null 2>&1 || _die "Docker Compose V2 is required"
+
+# Check vm.max_map_count for OpenSearch
+CURRENT_MAP_COUNT=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo "0")
+if [ "$CURRENT_MAP_COUNT" -lt 262144 ]; then
+    echo "WARNING: vm.max_map_count is $CURRENT_MAP_COUNT (should be at least 262144)"
+    echo "OpenSearch may fail to start. To fix, run:"
+    echo "  sudo sysctl -w vm.max_map_count=262144"
+    echo "  echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf"
+fi
+
+# Stop any existing containers
+bash ./stop.sh 2>/dev/null || true
+
+# Start the stack
+echo "Starting Graylog..."
+docker compose -p "${CONTAINER_NAME}" up -d || _die "Failed to start Graylog stack"
+
+# Wait for Graylog to be ready
+echo -n "Waiting for Graylog to start (this may take a few minutes)..."
+MAX_WAIT=180
+WAITED=0
+while [ $WAITED -lt $MAX_WAIT ]; do
+    if curl -s "http://localhost:${WEB_PORT:-9000}/api/system/lbstatus" 2>/dev/null | grep -q "ALIVE"; then
+        echo " Ready!"
+        break
+    fi
+    echo -n "."
+    sleep 5
+    WAITED=$((WAITED + 5))
+done
+
+if [ $WAITED -ge $MAX_WAIT ]; then
+    echo ""
+    echo "WARNING: Graylog may still be starting. Check logs with: dropshell logs graylog"
+fi
+
+echo ""
+echo "========================================="
+echo "Graylog Installed!"
+echo "========================================="
+echo ""
+echo "Web UI: http://$(hostname -I | awk '{print $1}'):${WEB_PORT:-9000}"
+echo "Login: admin / ${GRAYLOG_ROOT_PASSWORD}"
+echo ""
+echo "INPUT PORTS:"
+echo "  GELF UDP: ${GELF_UDP_PORT:-12201}"
+echo "  GELF TCP: ${GELF_TCP_PORT:-12202}"
+echo "  Syslog UDP: ${SYSLOG_UDP_PORT:-1514}"
+echo "  Syslog TCP: ${SYSLOG_TCP_PORT:-1515}"
+echo "  Beats: ${BEATS_PORT:-5044}"
+echo ""
+echo "IMPORTANT: Configure inputs in the Graylog web UI:"
+echo "  System -> Inputs -> Select input type -> Launch"
+echo ""
+echo "SECURITY: Change GRAYLOG_PASSWORD_SECRET and"
+echo "GRAYLOG_ROOT_PASSWORD in service.env!"
+echo "========================================="

graylog/logs.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# LOGS SCRIPT
+# Shows the container logs
+
+echo "Graylog logs:"
+_grey_start
+docker compose -p "${CONTAINER_NAME}" logs "$@"
+_grey_end

graylog/ports.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "WEB_PORT" "GELF_UDP_PORT" "GELF_TCP_PORT" "SYSLOG_UDP_PORT" "SYSLOG_TCP_PORT" "BEATS_PORT"
+
+# PORTS SCRIPT
+# Lists the exposed ports
+
+echo "${WEB_PORT:-9000}"
+echo "${GELF_UDP_PORT:-12201}"
+echo "${GELF_TCP_PORT:-12202}"
+echo "${SYSLOG_UDP_PORT:-1514}"
+echo "${SYSLOG_TCP_PORT:-1515}"
+echo "${BEATS_PORT:-5044}"

graylog/restore.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+source "${AGENT_PATH}/common.sh"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/_volumes.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# RESTORE SCRIPT
+# Restores Graylog data from a backup
+
+# Uninstall containers before restore
+./uninstall.sh || _die "Failed to uninstall service before restore"
+
+# Restore data from backup file
+# shellcheck disable=SC2046
+restore_items $(get_graylog_volumes) || _die "Failed to restore data from backup file"
+
+# Reinstall service
+./install.sh || _die "Failed to reinstall service after restore"
+
+echo "Restore complete! Graylog is running again."

graylog/ssh.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# SSH SCRIPT
+# Opens a shell inside the main Graylog container
+
+docker exec -it "${CONTAINER_NAME}" /bin/bash

graylog/start.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME" "GRAYLOG_ROOT_PASSWORD"
+
+# START SCRIPT
+# The start script is required for all templates.
+# It is used to start the service on the server.
+
+# Convert plain text password to SHA256 for Graylog
+export GRAYLOG_ROOT_PASSWORD_SHA2=$(echo -n "${GRAYLOG_ROOT_PASSWORD}" | sha256sum | cut -d' ' -f1)
+
+docker compose -p "${CONTAINER_NAME}" up -d || _die "Failed to start Graylog stack"
+
+echo "Graylog stack started"
+echo "Access Graylog at http://localhost:${WEB_PORT:-9000}"

graylog/status.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# STATUS SCRIPT
+# The status script is REQUIRED.
+# It is used to return the status of the service.
+# Must output exactly one of: Running, Stopped, Error, Unknown
+
+# Check if main graylog container exists
+if ! docker ps -a --format "{{.Names}}" | grep -q "^${CONTAINER_NAME}$"; then
+    echo "Unknown"
+    exit 0
+fi
+
+# Check all container states
+GRAYLOG_STATE=$(docker inspect -f '{{.State.Status}}' "$CONTAINER_NAME" 2>/dev/null)
+MONGODB_STATE=$(docker inspect -f '{{.State.Status}}' "${CONTAINER_NAME}_mongodb" 2>/dev/null)
+OPENSEARCH_STATE=$(docker inspect -f '{{.State.Status}}' "${CONTAINER_NAME}_opensearch" 2>/dev/null)
+
+# All must be running for "Running" status
+if [ "$GRAYLOG_STATE" = "running" ] && [ "$MONGODB_STATE" = "running" ] && [ "$OPENSEARCH_STATE" = "running" ]; then
+    echo "Running"
+    exit 0
+fi
+
+# Any stopped means "Stopped"
+if [ "$GRAYLOG_STATE" = "exited" ] || [ "$GRAYLOG_STATE" = "stopped" ] || \
+   [ "$MONGODB_STATE" = "exited" ] || [ "$MONGODB_STATE" = "stopped" ] || \
+   [ "$OPENSEARCH_STATE" = "exited" ] || [ "$OPENSEARCH_STATE" = "stopped" ]; then
+    echo "Stopped"
+    exit 0
+fi
+
+# Any restarting or paused means "Error"
+if [ "$GRAYLOG_STATE" = "restarting" ] || [ "$GRAYLOG_STATE" = "paused" ] || \
+   [ "$MONGODB_STATE" = "restarting" ] || [ "$MONGODB_STATE" = "paused" ] || \
+   [ "$OPENSEARCH_STATE" = "restarting" ] || [ "$OPENSEARCH_STATE" = "paused" ]; then
+    echo "Error"
+    exit 0
+fi
+
+echo "Unknown"

graylog/stop.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# STOP SCRIPT
+# The stop script is required for all templates.
+# It is used to stop the service on the server.
+
+docker compose -p "${CONTAINER_NAME}" stop || _die "Failed to stop Graylog stack"
+
+echo "Graylog stack stopped"

graylog/template_info.env

@@ -0,0 +1,22 @@
+# DO NOT EDIT THIS FILE FOR YOUR SERVICE!
+# This file is replaced from the template whenever there is an update.
+# Edit the service.env file to make changes.
+
+# Template metadata
+TEMPLATE=graylog
+TEMPLATE_VERSION="1.0.0"
+TEMPLATE_DESCRIPTION="Graylog log management platform with OpenSearch and MongoDB. Enterprise-grade centralized log collection, analysis, and alerting."
+TEMPLATE_AUTHOR="Dropshell"
+TEMPLATE_LICENSE="MIT"
+TEMPLATE_HOMEPAGE="https://github.com/dropshell/templates"
+TEMPLATE_TAGS="logging,monitoring,graylog,opensearch,mongodb,siem"
+TEMPLATE_REQUIRES="docker,docker-compose"
+TEMPLATE_CONFLICTS=""
+TEMPLATE_MIN_MEMORY="4096"
+TEMPLATE_MIN_DISK="10000"
+TEMPLATE_CATEGORY="monitoring"
+
+# System requirements
+REQUIRES_HOST_ROOT=false
+REQUIRES_DOCKER=true
+REQUIRES_DOCKER_ROOT=false

graylog/uninstall.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+source "${AGENT_PATH}/common.sh"
+_check_required_env_vars "CONTAINER_NAME"
+
+# UNINSTALL SCRIPT
+# The uninstall script is required for all templates.
+# It is used to uninstall the service from the server.
+# IMPORTANT: This script MUST preserve data volumes!
+
+# Stop and remove containers
+docker compose -p "${CONTAINER_NAME}" down 2>/dev/null || true
+
+# Verify containers are removed
+for suffix in "" "_mongodb" "_opensearch"; do
+    container="${CONTAINER_NAME}${suffix}"
+    if docker ps -a --format "{{.Names}}" | grep -q "^${container}$"; then
+        docker rm -f "$container" 2>/dev/null || true
+    fi
+done
+
+echo "Uninstallation of ${CONTAINER_NAME} complete."
+echo "Data volumes preserved. To remove all data, use destroy.sh"