This repository provides a simple setup for using Seq as a log aggregator with `docker compose`. The configuration includes a syslog input for ingesting logs from various sources, specifically for Proxmox environments.
- Docker installed
- Basic knowledge of `docker compose`
- A Proxmox node to send logs from
```bash
git clone https://github.com/ShonenNoSeishin/Seq-Log-Aggregator-with-Docker-Compose.git
cd Seq-Log-Aggregator-with-Docker-Compose
```
To store a secure password for Seq, generate a hash and store it in a `.env` file:
```bash
echo "SEQ_ADMIN_PASSWORD_HASH=$(echo 'password' | docker run --rm -i datalust/seq config hash)" > .env
```
Replace `'password'` with your desired password.
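Run the following command to start Seq and the syslog input service:
```bash
docker compose up --build -d
```
Once running, Seq will be accessible at:
http://localhost:5341

Note: the default password is "changeme" (configured in the docker-compose file). The compose file shown in this README sets it through `SEQ_FIRSTRUN_ADMINPASSWORD` and does not read the `SEQ_ADMIN_PASSWORD_HASH` value from `.env`, so change the password after the first login or wire the hash into the `seq` service.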
To forward logs from a Proxmox (PVE) node to Seq, follow these steps:
- Install `rsyslog` if not already installed:
  ```bash
  apt install rsyslog -y
  ```
- Add the following line to `/etc/rsyslog.conf` on the machine whose logs you want to collect, replacing `<IP>` with the IP address of your Seq server:
  ```bash
  echo "*.* @<IP>:514" >> /etc/rsyslog.conf
  ```
- Restart the syslog service:
  ```bash
  systemctl restart syslog
  ```
- Ensure firewall rules allow UDP traffic on port `514`.
Seq should now start receiving logs from the Proxmox node.
The `docker-compose.yml` file includes two services:
```yaml
services:
  # Syslog listener: receives UDP syslog from the Proxmox nodes and forwards it to Seq
  seq-input-syslog:
    image: datalust/seq-input-syslog:latest
    depends_on:
      - seq
    ports:
      - "514:514/udp"
    environment:
      - SEQ_ADDRESS=http://seq:5341
      - BASE_URI=http://<YOUR_IP>:5341
      - SEQ_API_CANONICALURI=http://<YOUR_IP>:5341
      # No quotes here: in list form they would become part of the value
      - TZ=Europe/Paris
    restart: unless-stopped
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
  # Seq server: web UI and API published on host port 5341
  seq:
    image: datalust/seq:latest
    ports:
      - "5341:80"
    environment:
      - ACCEPT_EULA=Y
      - BASE_URI=http://<YOUR_IP>:5341
      - SEQ_API_CANONICALURI=http://<YOUR_IP>:5341
      - TZ=Europe/Paris
      # Default admin password used on first run; change it after the first login
      - SEQ_FIRSTRUN_ADMINPASSWORD=changeme
    restart: unless-stopped
    volumes:
      - ./seq-data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
```
Seq provides a clean and user-friendly interface for managing logs. To enable email notifications, install the Seq App Mail.
- Go to the Settings → Applications page in Seq, then click "Install from NuGet".
- Install the Seq App Mail plugin.
- Click Add Instance to configure a new mail integration.
- To find the configured instance later, go to Settings → Notifications and click on the provided hyperlink. (Note: There may be a UI bug preventing it from appearing elsewhere.)
You can use Seq queries to filter specific log events.
```
Contains(@Message, 'authentication failure') or Contains(@Message, 'Failed password')
```
- SSH failures will log messages like: `pam_unix(sshd:auth)...`
- GUI login failures: `pam_unix(proxmox-ve-auth:auth)...`

```
Contains(@Message, 'update VM') and Contains(@Message, 'memory')
```
Example log entry for changing a VM's RAM to 8192MB:
```
pvedaemon[3234877]: <root@pam> update VM 109: -delete balloon,shares -memory 8192
```

```
Contains(@Message, 'VM is locked')
```

```
Contains(@Message, 'qmreset')
```
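
The filters above can be checked offline before relying on them for alerts. The following is an added example, not part of this repository: it assumes `Contains` behaves as a plain case-sensitive substring test, the rule and function names are hypothetical, and every sample line except the `-memory 8192` entry is constructed.

```python
import re

# The four Seq filters from this README as substring groups:
# outer list = OR, inner tuple = AND. Assumption: Contains() is a
# plain, case-sensitive substring test.
RULES = {
    "auth_failure": [("authentication failure",), ("Failed password",)],
    "vm_memory_change": [("update VM", "memory")],
    "vm_locked": [("VM is locked",)],
    "qmreset": [("qmreset",)],
}

# Fields of a pvedaemon "update VM" line, modelled on the README's sample entry.
UPDATE_RE = re.compile(r"<(?P<user>[^>]+)> update VM (?P<vmid>\d+):.*?-memory (?P<mb>\d+)")

def classify(message):
    """Return the name of every rule whose filter matches the message."""
    return [name for name, alternatives in RULES.items()
            if any(all(s in message for s in group) for group in alternatives)]

def memory_change(message):
    """Return (user, vmid, memory_mb) for an 'update VM ... -memory N' line, else None."""
    m = UPDATE_RE.search(message)
    return (m["user"], int(m["vmid"]), int(m["mb"])) if m else None

# Sample lines: the first is the README's entry, the rest are constructed.
SAMPLES = [
    "pvedaemon[3234877]: <root@pam> update VM 109: -delete balloon,shares -memory 8192",
    "sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 rhost=192.0.2.10 user=root",
    "sshd[1201]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "pvedaemon[991]: pam_unix(proxmox-ve-auth:auth): authentication failure; rhost=192.0.2.10 user=root",
    "pvedaemon[991]: <root@pam> update VM 110: -name memory-test",
    "pvedaemon[991]: VM is locked (backup)",
    "pvedaemon[991]: <root@pam> starting task UPID:pve:000F1A2B:0A1B2C3D:65000000:qmreset:109:root@pam:",
    "systemd[1]: Started Session 42 of user root.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["-"], memory_change(line), "|", line)
```

The `-name memory-test` sample matches the `update VM` and `memory` filter without being a RAM change, which is why the extraction step looks for the `-memory <n>` option itself.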
This setup allows you to aggregate logs efficiently using Seq and Docker Compose, specifically tailored for Proxmox environments. You can further extend it by integrating additional log sources and notification mechanisms.
Feel free to contribute or open issues if you encounter any problems!