Introduction
Graylog is an open-source tool for log aggregation, analysis, auditing, visualization and alerting. Low cost, high performance.
Graylog compared with ELK
Graylog needs the log sources to be collected by graylog-server; the processed data is stored in Elasticsearch (ES).
Graylog provides a web UI, the equivalent of Kibana.
Cluster architecture reference
Architecture diagram from the official documentation: https://docs.graylog.org/en/3.3/pages/architecture.html
Deployment nodes
IP             | Role
192.168.122.71 | Graylog, MongoDB, Nginx
192.168.122.72 | Graylog, MongoDB
192.168.122.73 | Graylog, MongoDB
192.168.122.74 | Elasticsearch
192.168.122.75 | Elasticsearch
192.168.122.76 | Elasticsearch
Prerequisites
Confirm that the firewall is disabled
sudo systemctl status firewalld
Active: inactive (dead)
...
Confirm that SELinux is disabled
cat /etc/selinux/config
...
SELINUX=disabled
...
Check the JDK version
java -version
openjdk version "1.8.0_161"
...
Set up the Graylog + MongoDB cluster on 71, 72 and 73 (perform these steps on all three hosts)
Install epel-release (the EPEL repository) and pwgen
sudo yum install epel-release pwgen -y
Set up the MongoDB cluster
What is MongoDB used for?
Graylog uses MongoDB to store your configuration data, not your log data. Only metadata is stored, such as user information or stream configuration. None of your log messages are ever stored in MongoDB. That is why MongoDB has little impact on the system and you do not have to worry much about scaling it. With the recommended setup architecture, MongoDB runs alongside the Graylog server process and uses almost no resources.
sudo touch /etc/yum.repos.d/mongodb-org.repo
sudo vim /etc/yum.repos.d/mongodb-org.repo
Add the following:
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Install MongoDB
sudo yum install -y mongodb-org
Start MongoDB
sudo mongod --config /etc/mongod.conf
Stop MongoDB
mongo
use admin
db.shutdownServer()
Create the directories and the log file
mkdir -p /work/mongo/data
mkdir -p /work/mongo/log
touch /work/mongo/log/mongod.log
Back up and edit the configuration
sudo cp /etc/mongod.conf /etc/mongod.conf.bak
sudo vim /etc/mongod.conf
Edit the mongod.conf settings
systemLog:
  destination: file
  logAppend: true
  path: /work/mongo/log/mongod.log
  #path: /var/log/mongodb/mongod.log
storage:
  dbPath: /work/mongo/data
  #dbPath: /var/lib/mongo
  journal:
    enabled: true
# remote connections
net:
  port: 27017
  bindIp: 0.0.0.0  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
# replication (replica set configuration)
replication:
  replSetName: rs0
Restart MongoDB: stop it as described above, then start it again.
Initialize the MongoDB replica set (run on one node only)
mongo
> rs.initiate({ _id: "rs0", members: [ { _id: 0, host: "192.168.122.71:27017" } ] })
> exit
Verify the replica set configuration
mongo
rs0:PRIMARY> rs.conf()
Add the other nodes to the replica set and check its status
rs0:PRIMARY> rs.add("192.168.122.72")
rs0:PRIMARY> rs.add("192.168.122.73")
rs0:PRIMARY> rs.status()
Create the graylog database, add the graylog user and grant it the readWrite and dbAdmin roles
rs0:PRIMARY> use graylog
switched to db graylog
rs0:PRIMARY> db.createUser({ user: "graylog", pwd: "xxxxx", roles: [ { role: "readWrite", db: "graylog" } ] });
rs0:PRIMARY> db.grantRolesToUser("graylog", [ { role: "dbAdmin", db: "graylog" } ])
rs0:PRIMARY> show users
rs0:PRIMARY> db.auth("graylog", "xxxxx")
Elasticsearch for Graylog
All log data is stored in Elasticsearch.
ES index expiry settings
Elasticsearch cluster deployment
Graylog 3.0 requires Elasticsearch 5.6.13 or later (7.x is not yet supported).
Perform these steps on hosts 74, 75 and 76
Download and unpack the package
cd /work
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.3.tar.gz
tar -zxf elasticsearch-6.4.3.tar.gz
Create the data directory
mkdir -p /work/elasticsearch-6.4.3/data
Edit the ES configuration
sudo vim /work/elasticsearch-6.4.3/config/elasticsearch.yml
The three hosts are configured as follows
#graylog01:
cluster.name: graylog
node.name: graylog01
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
path.data: /work/elasticsearch-6.4.3/data
path.logs: /work/elasticsearch-6.4.3/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.122.74:9300", "192.168.122.75:9300", "192.168.122.76:9300"]
#graylog02:
cluster.name: graylog
node.name: graylog02
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
path.data: /work/elasticsearch-6.4.3/data
path.logs: /work/elasticsearch-6.4.3/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.122.74:9300", "192.168.122.75:9300", "192.168.122.76:9300"]
#graylog03:
cluster.name: graylog
node.name: graylog03
node.master: true
node.data: true
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
path.data: /work/elasticsearch-6.4.3/data
path.logs: /work/elasticsearch-6.4.3/logs
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.122.74:9300", "192.168.122.75:9300", "192.168.122.76:9300"]
Start Elasticsearch
bin/elasticsearch -d
If Elasticsearch fails to start with the following errors
[2020-09-09T15:27:08,646][ERROR][o.e.b.Bootstrap ] [graylog01] node validation exception
[2] bootstrap checks failed
[1]: max file descriptors [65535] for elasticsearch process is too low, increase to at least [65536]
[2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix for [1]: increase to at least [65536]
sudo vim /etc/security/limits.conf
Add the following:
* - nofile 65536
* - memlock unlimited
or
* soft nofile 65536
* hard nofile 65536
* soft nproc 4096
* hard nproc 4096
Also comment out any entries for the current user (if present)
#user - nproc 65535
#user - nofile 65535
#* soft core 0
#* hard core 0
Finally, log out and log back in for the limits to take effect
Fix for [2]: increase to at least [262144]
sudo vi /etc/sysctl.conf
Add the following setting:
vm.max_map_count=655360
and run:
sudo sysctl -p
Then start Elasticsearch again; it should now start successfully.
Graylog cluster installation
Perform these steps on hosts 71, 72 and 73
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
Generate the secret and hash the Graylog login password (admin here)
pwgen -N 1 -s 96
M39BrdTsF7EmzLc1x0iejVoCn3QAYuvgSc5OkitRspJBmBCL2XasAK2LgW5uvok0v2QT3gM8hgaNbNTED1UOjAgCSQVPznLy
echo -n admin | sha256sum
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
Edit the Graylog configuration file
sudo vim /etc/graylog/server/server.conf
Change the following:
# Master node: is_master = true; set is_master = false in the configuration files of the other two nodes
is_master = true
# secret
password_secret = M39BrdTsF7EmzLc1x0iejVoCn3QAYuvgSc5OkitRspJBmBCL2XasAK2LgW5uvok0v2QT3gM8hgaNbNTED1UOjAgCSQVPznLy
# hashed login password
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
# time zone
root_timezone = Asia/Shanghai
# network access settings, important
http_bind_address = 0.0.0.0:9000
# the external address of the Nginx proxy
http_publish_uri = http://192.168.122.71:9100/
# highlighting
allow_highlighting = true
# ES connection settings (one entry per Elasticsearch node)
elasticsearch_hosts = http://192.168.122.74:9200,http://192.168.122.75:9200,http://192.168.122.76:9200
# MongoDB connection settings, with authentication (the user and password created above)
mongodb_uri = mongodb://graylog:graylog@192.168.122.71:27017,192.168.122.72:27017,192.168.122.73:27017/graylog
# or, without authentication
mongodb_uri = mongodb://192.168.122.71:27017,192.168.122.72:27017,192.168.122.73:27017/graylog
Start the service
sudo chkconfig --add graylog-server
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl status graylog-server.service
sudo systemctl restart graylog-server.service
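Hand-editing the host lists in server.conf on three nodes invites slips (a dropped octet, one node repeated instead of all three), and Graylog only reports them when a connection fails. The following Python check is an added example, not part of the original post or of Graylog itself; it parses the two connection settings and reports malformed or duplicated hosts. The sample fragment and its placeholder password are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed server.conf fragment (not from a real deployment) with the two
# slips that are easy to make when hand-editing the host lists: an address
# with a missing octet and a seed list that repeats one node instead of
# naming all three.
SAMPLE_CONF = """\
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://192.168.122.74:9200,http://192.168.122.75:9200,http://192.168.122:9200
mongodb_uri = mongodb://graylog:PLACEHOLDER@192.168.122.71:27017,192.168.122.71:27017,192.168.122.73:27017/graylog
"""

def parse_conf(text):
    """Return the key = value pairs of a Graylog server.conf, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_hostport(hostport):
    """Return None for a well-formed IPv4 host:port, otherwise the reason."""
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return f"{hostport}: missing or non-numeric port"
    try:
        ipaddress.IPv4Address(host)  # rejects '192.168.122' (only three octets)
    except ValueError:
        return f"{hostport}: '{host}' is not a valid IPv4 address"
    return None

def find_problems(conf):
    """List malformed or duplicated hosts in elasticsearch_hosts and mongodb_uri."""
    es_hosts = [urlsplit(u).netloc for u in conf.get("elasticsearch_hosts", "").split(",") if u]
    # strip the scheme and optional user:password@, then drop the /database suffix
    seeds = re.sub(r"^mongodb://(?:[^@/]+@)?", "", conf.get("mongodb_uri", ""))
    mongo_hosts = [h for h in seeds.split("/")[0].split(",") if h]
    problems = []
    for setting, hosts in (("elasticsearch_hosts", es_hosts), ("mongodb_uri", mongo_hosts)):
        for host in hosts:
            reason = check_hostport(host)
            if reason:
                problems.append(f"{setting}: {reason}")
        for dup in sorted({h for h in hosts if hosts.count(h) > 1}):
            problems.append(f"{setting}: {dup} is listed more than once")
    return problems
```

Run it against the real file with `find_problems(parse_conf(open("/etc/graylog/server/server.conf").read()))` before starting graylog-server; an empty list means both host lists are well-formed.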
Install Nginx
Refer to:
Set the Nginx installation directory
./configure \
--prefix=/work/graylog-nginx
Configure Graylog load balancing
sudo vim /work/nginx/conf/nginx.conf
Add the following inside the http { } block
upstream graylog_servers {
    least_conn;
    server 192.168.122.71:9000 max_fails=3 fail_timeout=30s;
    server 192.168.122.72:9000 max_fails=3 fail_timeout=30s;
    server 192.168.122.73:9000 max_fails=3 fail_timeout=30s;
}
server {
    listen 9100;
    server_name 192.168.122.71:9100;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass http://graylog_servers;
    }
}
The Graylog access address is the one configured above
http://192.168.122.71:9100
Username admin, password admin
Common Nginx commands
Reload the configuration without restarting
cd /work/nginx/sbin
sudo nginx -s reload
Show the version
nginx -v
Stop the Nginx service
sudo nginx -s stop
Check the configuration file for syntax errors
sudo nginx -t
Show which modules Nginx was built with
nginx -V
Where are the Graylog log files?
You can find Graylog's log data in the file below; it contains timestamps, levels and exception messages. This is useful for debugging or when the server fails to start.
tail -f /var/log/graylog-server/server.log
How to forward logs to Graylog with Logstash?
1. Graylog can only handle messages it has processed itself. It cannot handle foreign messages written to the Elasticsearch database (do not send them directly to ES).
2. Graylog covers the functions of both Kibana and Logstash: it performs the log processing (Logstash) and provides the web UI (Kibana).
3. Use the Logstash gelf output plugin:
Install the plugin
bin/logstash-plugin install logstash-output-gelf
Logstash configuration
output {
  gelf {
    host => "graylog_ip_address"
    port => 12201
  }
  stdout { codec => rubydebug }
}
Configure a Graylog input of type GELF UDP listening on port 12201
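To see what the Logstash gelf output actually hands to that GELF UDP input, here is an added Python sender (not code from the original post, from Logstash or from Graylog) that builds a GELF 1.1 message, zlib-compresses it and splits it into chunked-GELF datagrams when it is too large for one packet. The host name, the custom field names and the 8000-byte chunk size are assumptions chosen for the example.

```python
import json
import os
import socket
import struct
import time
import zlib

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # marks a chunked GELF datagram
MAX_CHUNKS = 128                 # GELF permits at most 128 chunks per message

def build_gelf_payload(host, short_message, level=6, full_message=None, **extra):
    """Return the UTF-8 JSON bytes of a GELF 1.1 message; extra fields get the
    underscore prefix GELF requires, and the reserved '_id' field is refused."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),  # seconds since the epoch
        "level": level,                      # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved by GELF")
        msg["_" + key] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")

def chunk_gelf(data, chunk_size=8000, message_id=None):
    """Split a payload into UDP chunks laid out as
    magic (2) | message id (8) | sequence number (1) | sequence count (1) | data."""
    if len(data) <= chunk_size:
        return [data]  # fits one datagram, no chunk header needed
    message_id = message_id or os.urandom(8)
    pieces = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"{len(pieces)} chunks needed, GELF allows {MAX_CHUNKS}")
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]

def send_gelf_udp(graylog_host, payload, port=12201):
    """zlib-compress the JSON (the GELF UDP input detects compression from the
    leading bytes) and send it, chunked if it does not fit a single datagram."""
    datagrams = chunk_gelf(zlib.compress(payload))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in datagrams:
            sock.sendto(datagram, (graylog_host, port))
    return len(datagrams)
```

A call such as `send_gelf_udp("192.168.122.71", build_gelf_payload("web01", "login failed", level=4, user="alice"))` delivers one datagram to the input configured above, and the message shows up in Graylog with a `user` field that can be used in streams and searches.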
