Graylog2 Log Service Installation and Configuration


Software versions:

  • mongodb-org-3.2.10
  • jdk-1.8.0 (the rpm package is recommended; otherwise the JAVA command path defined in the Graylog startup script has to be changed)
  • elasticsearch-2.4.1 (Graylog 2.1 requires Elasticsearch 2.x and does not work with Elasticsearch 5.x)
  • graylog-server-2.1.1 (releases after 1.3 bundle graylog-web into graylog-server, so no separate web package is installed)

1. MongoDB

Edit /etc/yum.repos.d/mongodb-org-3.2.repo:

[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

Install MongoDB:

yum install mongodb-org

Start MongoDB:

/etc/init.d/mongod start

2. Elasticsearch

Edit /etc/yum.repos.d/elasticsearch.repo:

[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Install Elasticsearch:

yum install elasticsearch

Edit /etc/elasticsearch/elasticsearch.yml and set the cluster name; it must match elasticsearch_cluster_name in Graylog's server.conf, whose default is graylog. Elasticsearch 2.x binds to localhost by default, which is fine when Graylog runs on the same host and keeps the unauthenticated Elasticsearch API off the network:

cluster.name: graylog

Start Elasticsearch:

 /etc/init.d/elasticsearch start

3. Graylog

Install the Graylog repository and graylog-server:

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
yum install graylog-server

Install the EPEL repository and pwgen:

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum install -y pwgen   # used below to generate password_secret

Generate password_secret (at least 64 random characters; Graylog uses it to pepper stored user passwords, so generate it once and keep it stable):

pwgen -N 1 -s 96

Generate root_password_sha2, the hex SHA-256 digest of the admin password (123456 is only a placeholder here; use a strong password, since this hash is unsalted):

echo -n 123456 | sha256sum

Edit /etc/graylog/server/server.conf and write the two values generated above into the corresponding settings. Note that 0.0.0.0 binds the REST API and the web interface on every interface; firewall port 9000 or bind to a specific address if the host is reachable from untrusted networks. server.conf is a Java properties file, so comments must be on their own line, not appended after a value:

password_secret =
root_password_sha2 =
root_timezone = Asia/Shanghai
rest_listen_uri = http://0.0.0.0:9000/api/
web_listen_uri = http://0.0.0.0:9000/
# allow highlighting of search results
allow_highlighting = true
# only one Elasticsearch node is installed
elasticsearch_shards = 1
elasticsearch_index_prefix = graylog

Start Graylog:

/etc/init.d/graylog-server start

Log in to Graylog:

Open http://IP(graylog-server):9000 to reach the login page.
Admin account/password: admin/123456 (the password whose hash was written to root_password_sha2 above).
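The secret generation and server.conf edits above, carried out as one script. This is an added example, not code from the original page or from Graylog: the configuration text it edits is a constructed excerpt of a stock server.conf, the demo password 123456 is the page's placeholder, and the random-secret and SHA-256 steps mirror what pwgen -s 96 and sha256sum produce.

```python
import hashlib
import re
import secrets
import string

# Added example (not from the original page): generate Graylog's two secrets
# and write them, plus the other settings used above, into server.conf text.

SECRET_ALPHABET = string.ascii_letters + string.digits


def gen_password_secret(length=96):
    """Equivalent of `pwgen -N 1 -s 96`: a random alphanumeric secret.
    Graylog uses it to pepper stored user passwords and insists on >= 64 chars."""
    if length < 64:
        raise ValueError("Graylog needs password_secret to be at least 64 characters")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def root_password_sha2(password):
    """Equivalent of `echo -n <password> | sha256sum`: unsalted hex SHA-256,
    which is why the admin password itself has to be strong."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_option(conf, key, value):
    """Set `key = value` in server.conf text. An existing line for the key,
    even a commented-out one like '#root_timezone = UTC', is replaced in
    place; otherwise the setting is appended."""
    pattern = re.compile(r"^#?[ \t]*" + re.escape(key) + r"[ \t]*=.*$", re.MULTILINE)
    line = "%s = %s" % (key, value)
    if pattern.search(conf):
        return pattern.sub(lambda _m: line, conf, count=1)
    return conf.rstrip("\n") + "\n" + line + "\n"


def configure(conf, admin_password, secret=""):
    """Apply the settings from this section; a fresh secret is generated
    unless one is passed in (useful when re-running on an existing install)."""
    secret = secret or gen_password_secret()
    settings = [
        ("password_secret", secret),
        ("root_password_sha2", root_password_sha2(admin_password)),
        ("root_timezone", "Asia/Shanghai"),
        ("rest_listen_uri", "http://0.0.0.0:9000/api/"),
        ("web_listen_uri", "http://0.0.0.0:9000/"),
        ("allow_highlighting", "true"),
        ("elasticsearch_shards", "1"),  # single Elasticsearch node, as on this page
        ("elasticsearch_index_prefix", "graylog"),
    ]
    for key, value in settings:
        conf = set_option(conf, key, value)
    return conf


# Constructed excerpt of a stock server.conf (only the lines that matter here).
SAMPLE_CONF = """is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret =
root_password_sha2 =
#root_timezone = UTC
rest_listen_uri = http://127.0.0.1:9000/api/
#web_listen_uri = http://127.0.0.1:9000/
"""

if __name__ == "__main__":
    print(configure(SAMPLE_CONF, "123456"))
    # For the real file:
    # path = "/etc/graylog/server/server.conf"
    # with open(path) as f: text = f.read()
    # with open(path, "w") as f: f.write(configure(text, "a-strong-password"))
```

Run it against the real file by reading /etc/graylog/server/server.conf, passing the text to configure() and writing the result back, as the commented lines show; keep the generated password_secret, because Graylog peppers stored user passwords with it.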

4. Log collection

4.1 Test log ingestion

    • Add a Raw/Plaintext TCP input
      Go to System > Inputs > Inputs in Cluster > Raw/Plaintext TCP | Launch new input

Name it "tcp 5555" and finish creating it:

On a Linux machine that has the nc command, run:

echo `date` | nc graylog-server 5555

Log in to the web interface to see the received message:

4.2 System log collection, pushed by rsyslog

Add a Syslog UDP input in Graylog on a port such as 1514 (Graylog runs as an unprivileged user, so it cannot bind the privileged port 514 directly).

On the collecting host, edit /etc/rsyslog.conf to enable the UDP listener, then restart rsyslog. This listener on 514 is what the nginx rules in 4.3 forward to; hosts that send straight to the Graylog input on 1514 do not need it:

$ModLoad imudp
$UDPServerRun 514

On each host being collected, edit /etc/rsyslog.conf as below and restart rsyslog. The template emits RFC 5424 framing, which the Graylog syslog input parses into host, application, PID and level; a single @ forwards over UDP (@@ would be TCP), so the Graylog input must be of type Syslog UDP:

$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
# 1514 is the port of the Syslog UDP input defined in Graylog
*.* @172.17.20.123:1514;GRAYLOGRFC5424

The collected system log messages:
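What the GRAYLOGRFC5424 template above actually puts on the wire, and how the receiving side takes it apart. This is an added example, not code from the original page or from rsyslog or Graylog: it renders a record the way the template does and parses such a line back into the fields a Graylog Syslog UDP input extracts (facility and level decoded from PRI). The sshd event, host name and PID are constructed for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not from the original page): produce and parse lines in the
# shape of the GRAYLOGRFC5424 rsyslog template.

# Syslog facility and severity codes (RFC 5424 section 6.2.1).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

CST = timezone(timedelta(hours=8))  # Asia/Shanghai, matching root_timezone above


def pri(facility, severity):
    """PRI = facility * 8 + severity, the number rsyslog prints for %pri%."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_rfc5424(facility, severity, ts, host, app, procid, msg):
    """Render one record the way the template does:
    "<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\\n"
    rsyslog's date-rfc3339 carries fractional seconds and a UTC offset;
    isoformat() with microseconds reproduces that shape."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware to render a UTC offset")
    return "<%d>1 %s %s %s %s %s\n" % (
        pri(facility, severity), ts.isoformat(timespec="microseconds"),
        host, app, procid or "-", msg)


LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) ?(?P<msg>.*)$", re.DOTALL)


def parse_rfc5424(line):
    """Split a template-formatted line into Graylog-style fields. facility and
    level come from PRI; the RFC nil value '-' for procid becomes None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not in GRAYLOGRFC5424 form: %r" % line)
    fields = m.groupdict()
    prival = int(fields.pop("pri"))
    if prival > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % prival)
    fields["facility"], fields["level"] = divmod(prival, 8)
    fields["version"] = int(fields["version"])
    fields["procid"] = None if fields["procid"] == "-" else fields["procid"]
    # rsyslog's %msg% often keeps the leading space of the original record, so
    # the template can emit two spaces before the text; normalise that here.
    fields["msg"] = fields["msg"].lstrip(" ")
    return fields


SAMPLE_EVENT = dict(  # constructed sshd record from a web host
    facility="auth", severity="info",
    ts=datetime(2016, 11, 2, 10, 15, 30, 123456, tzinfo=CST),
    host="web01", app="sshd", procid="2341",
    msg="Accepted publickey for root from 10.0.0.5 port 51234 ssh2")

if __name__ == "__main__":
    line = format_rfc5424(**SAMPLE_EVENT)
    print(line, end="")
    print(parse_rfc5424(line))
```

The sample renders as `<38>1 2016-11-02T10:15:30.123456+08:00 web01 sshd 2341 Accepted publickey ...`: 38 is auth (4) times 8 plus info (6), which is what Graylog shows as facility and level for the message. Feeding the formatter's output through `nc -u 172.17.20.123 1514` reproduces what rsyslog sends.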

4.3 nginx log collection, pushed by rsyslog

On the nginx server, edit /etc/rsyslog.conf and load the file-input module:

$ModLoad imfile

Add the configuration file /etc/rsyslog.d/nginx.conf (the name is arbitrary; the stock rsyslog.conf includes /etc/rsyslog.d/*.conf after its module section, so imfile is already loaded when these lines are read):

# each monitored file needs its own tag (ending in ':') and a unique state file
$InputFileName /var/log/nginx/error.log
$InputFileTag graylog-nginx-errorlog:
$InputFileStateFile state-graylog-nginx-errorlog
$InputRunFileMonitor
$InputFileName /var/log/nginx/access.log
$InputFileTag graylog-nginx-accesslog:
$InputFileStateFile state-graylog-nginx-accesslog
$InputRunFileMonitor
# poll the files every 10 seconds
$InputFilePollInterval 10
# forward each tag, then discard it (~) so the catch-all rule below does not send it a second time
if $programname == 'graylog-nginx-errorlog' then @172.17.20.123:514
if $programname == 'graylog-nginx-errorlog' then ~
if $programname == 'graylog-nginx-accesslog' then @172.17.20.123:514
if $programname == 'graylog-nginx-accesslog' then ~
# everything else from this host
*.*     @172.17.20.123:514

Port 514 here must match a listener on 172.17.20.123: either the rsyslog UDP listener opened in 4.2 (which then needs a forwarding rule to the Graylog input, as on the collected hosts) or a Graylog Syslog UDP input on that port. Then restart rsyslog:

/etc/init.d/rsyslog restart

The collected nginx log messages:

5. Integration with Kibana

  • Install Kibana

rpm -ivh https://download.elastic.co/kibana/kibana/kibana-4.6.2-x86_64.rpm

  • Start Kibana

/etc/init.d/kibana start

  • Create the Graylog index mapping template file graylog-custom-mapping.json. An index template only applies to indices created after it is loaded, so rotate the active Graylog index afterwards for the mapping to take effect.

{
  "template": "graylog_*",
  "mappings": {
    "message": {
      "properties": {
        "http_method": {
          "type": "string",
          "index": "not_analyzed"
        },
        "http_response_code": {
          "type": "long"
        },
        "ingest_time": {
          "type": "date",
          "format": "strict_date_time"
        },
        "took_ms": {
          "type": "long"
        }
      }
    }
  }
}

  • Load the index template into Elasticsearch

$ curl -X PUT -d @'graylog-custom-mapping.json' 'http://localhost:9200/_template/graylog-custom-mapping?pretty'
{
  "acknowledged" : true
}
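A local pre-check of message fields against the template above, so that type mismatches surface before Elasticsearch refuses the document with a mapper_parsing_exception at index time. This is an added example, not code from the original page or from Elasticsearch or Graylog; the template text is the page's own mapping, the sample events are constructed, and the date regex follows the documented pattern of strict_date_time (yyyy-MM-dd'T'HH:mm:ss.SSSZZ). not_analyzed only affects search (the whole value is one exact, case-sensitive term), so it needs no check here.

```python
import json
import re

# Added example (not from the original page): validate events against the
# graylog-custom-mapping.json template before they reach Elasticsearch.

TEMPLATE = json.loads("""
{
  "template": "graylog_*",
  "mappings": {
    "message": {
      "properties": {
        "http_method":        {"type": "string", "index": "not_analyzed"},
        "http_response_code": {"type": "long"},
        "ingest_time":        {"type": "date", "format": "strict_date_time"},
        "took_ms":            {"type": "long"}
      }
    }
  }
}
""")

# strict_date_time = yyyy-MM-dd'T'HH:mm:ss.SSSZZ: the fraction is mandatory and
# the offset is written as Z or +HH:MM.
STRICT_DATE_TIME = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3,9}(Z|[+-]\d{2}:\d{2})$")
INTEGER = re.compile(r"^-?\d+$")


def mapped_fields(template=TEMPLATE):
    """field -> mapping for the 'message' type that Graylog writes."""
    return template["mappings"]["message"]["properties"]


def check_event(event, template=TEMPLATE):
    """Return a list of problems for one event; empty means it fits the mapping.
    Fields the template does not mention are ignored (Elasticsearch would map
    them dynamically)."""
    problems = []
    for field, spec in mapped_fields(template).items():
        if field not in event:
            continue
        value, kind = event[field], spec["type"]
        if kind == "long":
            # Elasticsearch coerces an integer string such as "200" but fails on
            # "200 OK"; it would also silently truncate a float like 1.5 to 1,
            # so only genuine integers pass here and nothing is lost unnoticed.
            is_int = isinstance(value, int) and not isinstance(value, bool)
            is_int_str = isinstance(value, str) and INTEGER.match(value) is not None
            if not (is_int or is_int_str):
                problems.append("%s: expected long, got %r" % (field, value))
        elif kind == "date":
            if not (isinstance(value, str) and STRICT_DATE_TIME.match(value)):
                problems.append("%s: not a strict_date_time value: %r" % (field, value))
        elif kind == "string":
            if not isinstance(value, str):
                problems.append("%s: expected string, got %r" % (field, value))
    return problems


if __name__ == "__main__":
    # Constructed events: one that indexes cleanly and one that Elasticsearch
    # would reject (non-numeric status, space-separated timestamp).
    good = {"http_method": "GET", "http_response_code": 200,
            "ingest_time": "2016-11-02T10:15:30.123+08:00", "took_ms": 42}
    bad = {"http_method": "GET", "http_response_code": "200 OK",
           "ingest_time": "2016-11-02 10:15:30", "took_ms": 1.5}
    print(check_event(good))
    print(check_event(bad))
```

Run this on a sample of the extractor output (for instance the fields a Graylog extractor pulls out of the nginx access log) before loading the template; a field that fails here would otherwise make Elasticsearch drop the whole message once the new index is created with this mapping.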

  • Open Kibana and create an index pattern for graylog_*

http://172.17.20.123:5601

  • Click "Discover" to see the data

6. Collecting logs with Nxlog + Graylog Collector Sidecar

6.1 Install Nxlog

wget  https://nxlog.co/system/files/products/files/348/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
yum install -y nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm

Reference: http://blog.csdn.net/iwannarun/article/details/52604646

Edit /etc/nxlog.conf:

Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension gelf>
    Module      xm_gelf
</Extension>

<Input in1>
    Module      im_file
    File        "/var/log/messages"
</Input>

<Input in2>
    Module      im_file
    File        "/var/log/cron"
</Input>

<Output out1>
    Module      om_udp
    # Graylog server and the port of its GELF UDP input (12201 is the default)
    Host        10.101.21.229
    Port        12201
    OutputType  GELF
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path        in1 => out1
</Route>

<Route 2>
    Path        in2 => out1
</Route>

Start the nxlog service:

/etc/init.d/nxlog start

Check the nxlog log for troubleshooting:
/var/log/nxlog/nxlog.log
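What the om_udp output with OutputType GELF above puts on the wire for the Graylog GELF UDP input on 12201, and how the receiving side takes it apart. This is an added example, not code from the original page or from nxlog or Graylog: it builds a GELF 1.1 document, serialises it (Graylog detects gzip, zlib or plain JSON from the first bytes), splits it into GELF chunks when it would not fit one datagram, and reassembles and validates it again. Field values are constructed, and the 1420-byte chunk size is an MTU-safe choice rather than a value from the page.

```python
import gzip
import json
import os
import struct
import time
import zlib

# Added example (not from the original page): GELF UDP encoding, chunking and
# decoding as exchanged between an nxlog-style sender and a Graylog GELF input.

GELF_VERSION = "1.1"
CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of a chunked datagram
MAX_CHUNKS = 128            # sequence count is one byte and Graylog caps it at 128


def gelf_message(host, short_message, level=6, timestamp=None, full_message=None, **extra):
    """Build a GELF document. version, host and short_message are mandatory,
    level uses syslog severities, every additional field gets a leading
    underscore, and _id is reserved by Graylog."""
    msg = {"version": GELF_VERSION, "host": host, "short_message": short_message,
           "timestamp": time.time() if timestamp is None else timestamp,
           "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("_id is reserved by Graylog and would be dropped")
        msg["_" + key] = value
    return msg


def encode_gelf(msg, compress="gzip"):
    """Serialise for UDP. Graylog sniffs the first bytes: 1f 8b is gzip,
    78 is zlib, '{' is uncompressed JSON."""
    raw = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    if compress == "gzip":
        return gzip.compress(raw)
    if compress == "zlib":
        return zlib.compress(raw)
    return raw


def chunk_gelf(payload, chunk_size=1420):
    """Split a payload into GELF chunks: magic, 8-byte message id, 1-byte
    sequence number, 1-byte sequence count, data. Small payloads go out as-is."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("needs %d chunks, GELF allows at most %d" % (len(pieces), MAX_CHUNKS))
    message_id = os.urandom(8)
    return [CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def decode_gelf(datagrams):
    """Receiver side: reassemble chunks (any arrival order), decompress, parse,
    and reject documents that lack the mandatory fields."""
    chunks = {}   # message id -> (count, {seq: data})
    whole = None
    for dg in datagrams:
        if dg[:2] == CHUNK_MAGIC:
            seq, count = struct.unpack("BB", dg[10:12])
            chunks.setdefault(dg[2:10], (count, {}))[1][seq] = dg[12:]
        else:
            whole = dg
    if whole is None:
        if len(chunks) != 1:
            raise ValueError("expected chunks of exactly one message, got %d" % len(chunks))
        count, parts = next(iter(chunks.values()))
        if len(parts) != count:
            raise ValueError("incomplete message: %d of %d chunks" % (len(parts), count))
        whole = b"".join(parts[i] for i in range(count))
    if whole[:2] == b"\x1f\x8b":
        raw = gzip.decompress(whole)
    elif whole[:1] == b"\x78":
        raw = zlib.decompress(whole)
    else:
        raw = whole
    msg = json.loads(raw.decode("utf-8"))
    for field in ("version", "host", "short_message"):
        if field not in msg:
            raise ValueError("GELF message missing mandatory field " + field)
    return msg


if __name__ == "__main__":
    # Constructed cron event; the host is the page's example Graylog address.
    import socket
    event = gelf_message("app01", "cron job finished", timestamp=1478052930.0,
                         job="backup", exit_code=0)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for dg in chunk_gelf(encode_gelf(event)):
        sock.sendto(dg, ("10.101.21.229", 12201))
    sock.close()
```

Graylog discards an incomplete chunk set after a timeout, so a sender that drops one datagram loses the entire message; that, and the 128-chunk ceiling, are why large full_message payloads are better sent over the GELF TCP input.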

6.2 Install Graylog Collector Sidecar

Official documentation: http://docs.graylog.org/en/latest/pages/collector_sidecar.html#id3

The sidecar starts and manages nxlog itself, so the system nxlog service is stopped and removed from the boot services. The documented setup also adds the nxlog user to the root group so that it can read the log files; that grants read access to everything on the host that is readable by the root group, so where possible grant read access to the specific log files instead (a dedicated log-reader group or file ACLs):

service nxlog stop
chkconfig --del nxlog
gpasswd -a nxlog root
chown -R nxlog.nxlog /var/spool/collector-sidecar/nxlog

Download from https://github.com/Graylog2/collector-sidecar/releases, then install the package and register the service:
rpm -ivh collector-sidecar-0.1.4-1.x86_64.rpm
graylog-collector-sidecar -service install

Edit /etc/graylog/collector-sidecar/collector_sidecar.yml:

server_url: http://127.0.0.1:9000/api/   # change to the Graylog server's address
update_interval: 10
tls_skip_verify: false   # keep false when server_url is https, otherwise any certificate is accepted
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:/etc/graylog/collector-sidecar/collector-id
cache_path: /var/cache/graylog/collector-sidecar
log_path: /var/log/graylog/collector-sidecar
log_rotation_time: 86400
log_max_age: 604800
tags:
    - messages
backends:
    - name: nxlog
      enabled: true
      binary_path: /usr/bin/nxlog
      configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf

6.3 Configure in the web interface

Reference: http://blog.csdn.net/iwannarun/article/details/52802680

7. Collecting logs with filebeat + Graylog Collector Sidecar

7.1 Install Graylog Collector Sidecar

Download from https://github.com/Graylog2/collector-sidecar/releases, then install the package and register the service:
rpm -ivh collector-sidecar-0.1.4-1.x86_64.rpm
graylog-collector-sidecar -service install

7.2 Edit /etc/graylog/collector-sidecar/collector_sidecar.yml:

server_url: http://IP:9000/api/   # change to the Graylog server's address
update_interval: 10
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:/etc/graylog/collector-sidecar/collector-id
cache_path: /var/cache/graylog/collector-sidecar
log_path: /var/log/graylog/collector-sidecar
log_rotation_time: 86400
log_max_age: 604800
tags:
    - nginx log   # adjust as needed; must match the tag used in the web configuration
backends:
    - name: nxlog
      enabled: false   # nxlog disabled
      binary_path: /usr/bin/nxlog
      configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
    - name: filebeat
      enabled: true    # filebeat enabled
      binary_path: /usr/bin/filebeat
      configuration_path: /etc/graylog/collector-sidecar/generated/filebeat.yml

7.3 Configure in the web interface

Reference: https://www.linuxea.com/1599.html

a) Configure the collector

b) Configure the collector OUTPUT

c) Configure the collector INPUT

For several log files, use a glob pattern such as * (filebeat paths are globs, not regular expressions), or list them explicitly: ['/var/log/openresty/int.error.log', '/var/log/openresty/ext.error.log'].

d) Start collector-sidecar on the client that collects the logs

/etc/init.d/collector-sidecar start

/var/log/collector-sidecar.err can be checked for troubleshooting

After a successful start, the configuration made in the web interface is rendered into a filebeat configuration file automatically.

Configuration file generated after start-up:
/etc/graylog/collector-sidecar/generated/filebeat.yml

e) Configure the Graylog Server INPUT

Once the input is saved, Graylog opens the defined TCP port 5044 (the Beats input) on the server.

Verify in the web interface that logs are being received

Graylog also has alerting: conditions can be defined that trigger an alert when matching log messages arrive.

