Graylog2 log service installation and configuration

    Software versions:

    • mongodb-org-3.2.10
    • jdk-1.8.0 (the RPM package is recommended; otherwise the JAVA command path defined in the Graylog startup script has to be changed)
    • elasticsearch-2.4.1 (Graylog 2.x does not work with Elasticsearch 5.x)
    • graylog-server-2.1.1 (graylog-web has been integrated into the server package after version 1.3)

    1. MongoDB

    Edit the file /etc/yum.repos.d/mongodb-org-3.2.repo

    [mongodb-org-3.2]
    name=MongoDB Repository
    baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
    gpgcheck=1
    enabled=1
    gpgkey=https://www.mongodb.org/static/pgp/server-3.2.asc

    Install MongoDB

    yum install mongodb-org

    Start MongoDB

    /etc/init.d/mongod start

    2. Elasticsearch

    Edit the file /etc/yum.repos.d/elasticsearch.repo

    [elasticsearch-2.x]
    name=Elasticsearch repository for 2.x packages
    baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
    gpgcheck=1
    gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1

    Install Elasticsearch

    yum install elasticsearch

    Edit the file /etc/elasticsearch/elasticsearch.yml

    cluster.name: graylog

    Start Elasticsearch

    /etc/init.d/elasticsearch start

    3. Graylog

    Install the Graylog repository

    rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.1-repository_latest.rpm
    yum install graylog-server

    Install the EPEL repository and pwgen

    rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
    yum install -y pwgen    # used below to generate the password

    Generate the password_secret

    pwgen -N 1 -s 96

    Generate root_password_sha2

    echo -n 123456 | sha256sum

    Edit the configuration file /etc/graylog/server/server.conf and write the values generated above into the corresponding variables

    password_secret =
    root_password_sha2 =
    root_timezone = Asia/Shanghai
    rest_listen_uri =  http://0.0.0.0:9000/api/
    web_listen_uri = http://0.0.0.0:9000/
    # allow highlighting of search results
    allow_highlighting = true
    # only one Elasticsearch node is installed at present
    elasticsearch_shards = 1
    elasticsearch_index_prefix = graylog
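As an added example (not part of the original post), the following Python reproduces the two commands above, `pwgen -N 1 -s 96` and `echo -n 123456 | sha256sum`, and writes the results into server.conf text; the 64-character minimum for password_secret is taken from the comment in Graylog's own server.conf, and the file content used is constructed.

```python
import hashlib
import re
import secrets
import string

# Graylog's server.conf asks for a password_secret of at least 64 characters;
# the page uses `pwgen -N 1 -s 96` to produce a 96-character one.
MIN_SECRET_LEN = 64
KEYS = ("password_secret", "root_password_sha2")


def make_password_secret(length=96):
    """Equivalent of `pwgen -s <length>`: a random alphanumeric secret."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def root_password_sha2(password):
    """Equivalent of `echo -n <password> | sha256sum`: hex SHA-256 of the
    password with no trailing newline (echo without -n hashes a different string)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def render_server_conf(conf_text, password_secret, root_password):
    """Write password_secret and root_password_sha2 into server.conf text.

    Existing assignments are replaced in place; a key missing from the file is
    appended. The secret length is validated before anything is changed.
    """
    if len(password_secret) < MIN_SECRET_LEN:
        raise ValueError("password_secret must be at least %d characters" % MIN_SECRET_LEN)
    values = {
        "password_secret": password_secret,
        "root_password_sha2": root_password_sha2(root_password),
    }
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(password_secret|root_password_sha2)\s*=", line)
        if m:
            seen.add(m.group(1))
            out.append("%s = %s" % (m.group(1), values[m.group(1)]))
        else:
            out.append(line)
    for key in KEYS:
        if key not in seen:
            out.append("%s = %s" % (key, values[key]))
    return "\n".join(out) + "\n"
```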

    Start Graylog

    /etc/init.d/graylog-server start

    Log in to Graylog

    Open http://IP(graylog-server):9000 to reach the Graylog login page
    Administrator account/password: admin/123456 (the password generated earlier)

    4. Log collection

    4.1 Testing log ingestion

      • Add a TCP input
        Go to System > Inputs > Inputs in Cluster > Raw/Plaintext TCP | Launch new input

    Name it "tcp 5555" and finish creating the input:

    On a Linux machine that has the nc command, run:

    echo `date` | nc graylog-server 5555

    Log in to the web UI to see the received message:

    4.2 System log collection, pushed via the rsyslog service

    Add an Inputs port, for example 1514

    On the collecting side, edit the rsyslog configuration file /etc/rsyslog.conf to enable the UDP listener, then restart the rsyslog service

    $ModLoad imudp
    $UDPServerRun 514

    On the machine whose logs are being collected, edit the rsyslog configuration file /etc/rsyslog.conf as follows, then restart the rsyslog service

    $template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg% "
    # 1514 is the port defined under Inputs
    *.* @172.17.20.123:1514;GRAYLOGRFC5424
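As an added example (not from the original post), here is a Python parser for the line layout the GRAYLOGRFC5424 template above produces; the sample lines are constructed, and the output is a GELF 1.1 payload of the kind the GELF UDP input on port 12201 in section 6 receives.

```python
import re
from datetime import datetime

# Layout of one line produced by the GRAYLOGRFC5424 rsyslog template:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msg>.*?)\s*$"
)

# Constructed sample lines (not captured from a real host); the first carries
# the nginx tag used in section 4.3, the second a failed SSH login.
SAMPLE_LINES = [
    "<134>1 2016-11-09T10:00:00+08:00 web01 graylog-nginx-accesslog 1234 10.0.0.5 - - GET / 200 ",
    "<11>1 2016-11-09T10:00:01+08:00 web01 sshd 877 error: PAM: authentication failure ",
]


def parse_rfc5424(line):
    """Parse one template line; PRI is decoded into syslog facility and severity."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not a GRAYLOGRFC5424 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest valid PRI
        raise ValueError("invalid PRI %d" % pri)
    fields = m.groupdict()
    fields["pri"] = pri
    fields["facility"] = pri // 8  # e.g. 16 = local0
    fields["severity"] = pri % 8   # e.g. 6 = informational, 3 = error
    return fields


def to_gelf(fields):
    """Build the GELF 1.1 payload a Graylog GELF UDP input accepts: version,
    host and short_message are required, level is the syslog severity,
    timestamp is Unix epoch seconds, extra fields get a leading underscore."""
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return {
        "version": "1.1",
        "host": fields["host"],
        "short_message": fields["msg"],
        "timestamp": ts,
        "level": fields["severity"],
        "_facility": fields["facility"],
        "_app_name": fields["app"],
        "_procid": fields["procid"],
    }
```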

    The collected system log messages:

    4.3 nginx log collection, pushed via the rsyslog service

    On the nginx server, edit the rsyslog configuration file /etc/rsyslog.conf and change the following setting

    $ModLoad imfile

    Add the configuration file /etc/rsyslog.d/nginx.conf (the name is arbitrary)

    $InputFileName /var/log/nginx/error.log
    $InputFileTag graylog-nginx-errorlog:
    $InputFileStateFile state-graylog-nginx-errorlog
    $InputRunFileMonitor
    $InputFileName /var/log/nginx/access.log
    $InputFileTag graylog-nginx-accesslog:
    $InputFileStateFile state-graylog-nginx-accesslog
    $InputRunFileMonitor
    $InputFilePollInterval 10                 # poll and send every 10 seconds
    if $programname == 'graylog-nginx-errorlog' then @172.17.20.123:514
    if $programname == 'graylog-nginx-errorlog' then ~
    if $programname == 'graylog-nginx-accesslog' then @172.17.20.123:514
    if $programname == 'graylog-nginx-accesslog' then ~
    *.*     @172.17.20.123:514

    Restart the rsyslog service

    /etc/init.d/rsyslog restart

    The collected nginx log messages:

    5. Integration with Kibana

    • Install Kibana

    rpm -ivh https://download.elastic.co/kibana/kibana/kibana-4.6.2-x86_64.rpm

    • Start Kibana

    /etc/init.d/kibana start

    • Create the Graylog index mapping file graylog-custom-mapping.json

    {
      "template": "graylog_*",
      "mappings": {
        "message": {
          "properties": {
            "http_method": {
              "type": "string",
              "index": "not_analyzed"
            },
            "http_response_code": {
              "type": "long"
            },
            "ingest_time": {
              "type": "date",
              "format": "strict_date_time"
            },
            "took_ms": {
              "type": "long"
            }
          }
        }
      }
    }

    • Load the index mapping into Elasticsearch

    $ curl -X PUT -d @'graylog-custom-mapping.json' 'http://localhost:9200/_template/graylog-custom-mapping?pretty'
    {
      "acknowledged" : true
    }

    • Open the Kibana page and create the graylog_* index pattern

    http://172.17.20.123:5601

    • Click "Discover" to view the data

    6. Collecting logs with Nxlog + Graylog Collector Sidecar

    6.1 Install Nxlog

    wget https://nxlog.co/system/files/products/files/348/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
    yum install -y nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm

    Reference: http://blog.csdn.net/iwannarun/article/details/52604646

    Edit the configuration file /etc/nxlog.conf

    Group nxlog
    
    LogFile /var/log/nxlog/nxlog.log
    LogLevel INFO
    
    ########################################
    # Modules                              #
    ########################################
    <Extension gelf>
        Module      xm_gelf
    </Extension>
    
    <Input in1>
        Module      im_file
        File        "/var/log/messages"
    </Input>
    
    <Input in2>
        Module      im_file
        File        "/var/log/cron"
    </Input>
    
    <Output out1>
        Module      om_udp
        Host        10.101.21.229
        Port        12201
        OutputType  GELF
    </Output>
    
    ########################################
    # Routes                               #
    ########################################
    <Route 1>
        Path        in1 => out1
    </Route>
    
    <Route 2>
        Path        in2 => out1
    </Route>

    Start the nxlog service

    /etc/init.d/nxlog start

    Check the log for troubleshooting:
    /var/log/nxlog/nxlog.log

    6.2 Install Graylog Collector Sidecar

    Official documentation: http://docs.graylog.org/en/latest/pages/collector_sidecar.html#id3

    service nxlog stop
    chkconfig --del nxlog
    gpasswd -a nxlog root
    chown -R nxlog.nxlog /var/spool/collector-sidecar/nxlog
    
    Download from https://github.com/Graylog2/collector-sidecar/releases
    rpm -ivh collector-sidecar-0.1.4-1.x86_64.rpm
    graylog-collector-sidecar -service install

    Edit the configuration file /etc/graylog/collector-sidecar/collector_sidecar.yml

    server_url: http://127.0.0.1:9000/api/  # change to the IP of the Graylog server machine
    update_interval: 10
    tls_skip_verify: false
    send_status: true
    list_log_files:
    node_id: graylog-collector-sidecar
    collector_id: file:/etc/graylog/collector-sidecar/collector-id
    cache_path: /var/cache/graylog/collector-sidecar
    log_path: /var/log/graylog/collector-sidecar
    log_rotation_time: 86400
    log_max_age: 604800
    tags:
        - messages
    backends:
        - name: nxlog
          enabled: true
          binary_path: /usr/bin/nxlog
          configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf

    6.3 Configuration in the web UI

    Reference: http://blog.csdn.net/iwannarun/article/details/52802680

    7. Collecting logs with filebeat + Graylog Collector Sidecar

    7.1 Install Graylog Collector Sidecar

    Download from https://github.com/Graylog2/collector-sidecar/releases
    rpm -ivh collector-sidecar-0.1.4-1.x86_64.rpm
    graylog-collector-sidecar -service install

    7.2 Edit the configuration file /etc/graylog/collector-sidecar/collector_sidecar.yml

    server_url: http://IP:9000/api/ # change to the IP of the Graylog server machine
    update_interval: 10
    tls_skip_verify: false
    send_status: true
    list_log_files:
    node_id: graylog-collector-sidecar
    collector_id: file:/etc/graylog/collector-sidecar/collector-id
    cache_path: /var/cache/graylog/collector-sidecar
    log_path: /var/log/graylog/collector-sidecar
    log_rotation_time: 86400
    log_max_age: 604800
    tags:
        - nginx log  # change as needed
    backends:
        - name: nxlog
          enabled: false  # do not enable nxlog
          binary_path: /usr/bin/nxlog
          configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
        - name: filebeat
          enabled: true  # enable filebeat
          binary_path: /usr/bin/filebeat
          configuration_path: /etc/graylog/collector-sidecar/generated/filebeat.yml

    7.3 Configuration in the web UI

    Reference: https://www.linuxea.com/1599.html

    a) Configure the collector

    b) Configure the OUTPUT in the collector

    c) Configure the INPUT in the collector

    If there are several log files, use pattern matching with * and the like, or list them explicitly, e.g. ['/var/log/openresty/int.error.log', '/var/log/openresty/ext.error.log'].

    d) Start collector-sidecar on the client whose logs are being collected

    /etc/init.d/collector-sidecar start
    
    /var/log/collector-sidecar.err can be checked for troubleshooting

    Once it has started successfully, the configuration just entered in the web UI is automatically rendered into a filebeat configuration file

    Configuration file generated after startup:
    /etc/graylog/collector-sidecar/generated/filebeat.yml

    e) Configure the Graylog Server INPUT

    After the configuration is saved, Graylog opens the defined TCP port 5044 on the server side

    Verify in the web UI that logs are being received

    Graylog also has an alerting feature: conditions can be defined that trigger alerts on matching log messages.

    Original URL: https://www.cnblogs.com/wsl222000/p/6041835.html