Graylog 5.2 deployment
Graylog 5.2 works with MongoDB 5.x to 6.x. MongoDB 5.0+ requires a CPU with the AVX instruction set.
| Host | Notes |
|---|---|
| localhost | Runs Graylog; requires mongodb-org-6.0 and Elasticsearch 7.10.2 |
References:
https://blog.csdn.net/qixiaolinlin/article/details/129966703
https://blog.csdn.net/weixin_39598069/article/details/111204754
CentOS installation (graylog.org)
Install MongoDB Community Edition on Red Hat or CentOS — MongoDB Manual
1. Environment setup
(1) Stop the firewall
systemctl stop firewalld
systemctl disable firewalld
(2) Disable SELinux
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
(3) Install a JDK
OpenJDK 17 is embedded in Graylog 5.0, so a separate JDK does not need to be installed. The JDK install command that used to be part of this step is:
yum -y install java-1.8.0-openjdk-headless.x86_64
(4) Install the EPEL repository
yum -y install epel-release
(5) Install pwgen (password generator)
yum -y install pwgen
2. Install MongoDB
(1) Configure the MongoDB repository
# The heredoc delimiter is quoted so that $releasever is written literally into the repo file
# (yum expands it); with an unquoted delimiter the shell would expand it to an empty string.
cat > /etc/yum.repos.d/mongodb-org.repo <<'eof'
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
eof
(2) Install MongoDB
yum clean all
yum list
yum -y install mongodb-org
(3) Enable and start the service
systemctl enable mongod
systemctl start mongod
systemctl status mongod
MongoDB default directories:
/var/lib/mongo (data directory)
/var/log/mongodb (log directory)
Both are owned by user and group mongod. If you run into permission problems:
chown -R mongod:mongod /var/lib/mongo
chown -R mongod:mongod /var/log/mongodb
3. Install Elasticsearch 7.10.2
Elasticsearch 7.10.2 is the only version compatible with Graylog 5.0.
"Elasticsearch 7.10.2 is the only version that is compatible with Graylog 5.2"
Source: CentOS installation (graylog.org)
(1) Import the Elasticsearch GPG key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
(2) Configure the Elasticsearch repository
cat > /etc/yum.repos.d/elasticsearch.repo <<eof
[elasticsearch-7.10.2]
name=Elasticsearch repository for 7.10.2 packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
eof
(3) Install Elasticsearch
yum clean all
yum list
yum list elasticsearch-oss --showduplicates
yum install elasticsearch-oss-7.10.2
(4) Edit the configuration file (append the following)
cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
cat >> /etc/elasticsearch/elasticsearch.yml <<eof
cluster.name: graylog
action.auto_create_index: false
eof
(5) Enable and start the service
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch
If startup fails with "failed to obtain node locks", try deleting /var/lib/elasticsearch/nodes and restarting.
4. Generate the secrets
(1) Generate the password_secret key
This key is used to encrypt and decrypt passwords. If there are multiple Graylog nodes, password_secret must be identical on all of them. A random string of at least 64 characters is sufficient.
pwgen -N 1 -s 96
(2) Generate the root_password_sha2 hash
This is the password of Graylog's default administrator user, admin. The hash is derived from the plaintext password.
echo -n "mypassword" | sha256sum | cut -d' ' -f1   # mypassword is the plaintext admin password; cut keeps only the digest and drops the trailing " -" that sha256sum prints
Note that the plaintext password ends up in the shell history of the session that runs this command.
5. Install Graylog 5.2
(1) Install the repository package
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm
(2) Install Graylog 5.2
yum clean all
yum list graylog-server --showduplicates
yum install graylog-server
(3) Edit the configuration file
Add the generated password_secret and root_password_sha2 strings to /etc/graylog/server/server.conf and change the following settings:
1) time zone of the admin account
2) search result highlighting
3) HTTP bind IP and port
cp /etc/graylog/server/server.conf /etc/graylog/server/server.conf.bak
vim /etc/graylog/server/server.conf
# Change the following settings:
# secrets
password_secret = <generated password_secret>
root_password_sha2 = <generated root_password_sha2>
# time zone
root_timezone = Asia/Shanghai
# set the host time zone as well: timedatectl set-timezone Asia/Shanghai
# search result highlighting
allow_highlighting = true
# Elasticsearch settings; the defaults are fine
#elasticsearch_hosts = http://127.0.0.1:9200
#elasticsearch_shards = 1
#elasticsearch_replicas = 0
# database connection
mongodb_uri = mongodb://localhost/graylog
# listen address and port of the web service
http_bind_address = 0.0.0.0:9000
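The values produced in section 4 and pasted into server.conf in step (3) are easy to get wrong (a secret that is too short, the " -" from sha256sum pasted along with the digest, a missing AVX flag on the MongoDB host). The following script, an added example that is not part of the original guide (function names and file layout are my own), checks them before graylog-server is started:

```shell
#!/bin/sh
# Added example (not part of the original guide): checks for the values that go into
# /etc/graylog/server/server.conf. Function names and file layout are my own.

# Hash the admin password as the guide does, but keep only the hex digest:
# `sha256sum` prints "<digest>  -", and the trailing " -" must not be pasted into the conf.
graylog_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 when the CPU flag list (/proc/cpuinfo, or a file passed as $1) contains
# "avx"; MongoDB 5.0+ refuses to start without it.
cpu_has_avx() {
    grep -qw avx "${1:-/proc/cpuinfo}"
}

# Read one "key = value" setting from a conf file ($1) by key ($2), ignoring whitespace.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Validate a server.conf: password_secret at least 64 characters, root_password_sha2 a
# 64-character hex digest, mongodb_uri and http_bind_address present.
# Prints each problem found and returns 1 if there was any.
check_graylog_conf() {
    _rc=0
    _secret=$(conf_get "$1" password_secret)
    if [ "${#_secret}" -lt 64 ]; then
        echo "password_secret: need at least 64 characters, got ${#_secret}"; _rc=1
    fi
    _sha=$(conf_get "$1" root_password_sha2)
    if ! printf '%s' "$_sha" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "root_password_sha2: expected a 64-character hex digest, got '$_sha'"; _rc=1
    fi
    [ -n "$(conf_get "$1" mongodb_uri)" ] || { echo "mongodb_uri: not set"; _rc=1; }
    [ -n "$(conf_get "$1" http_bind_address)" ] || { echo "http_bind_address: not set"; _rc=1; }
    return $_rc
}

# Usage: sh check-graylog.sh /etc/graylog/server/server.conf
if [ "$#" -gt 0 ]; then
    cpu_has_avx && echo "CPU: AVX present" || echo "CPU: no AVX flag, MongoDB 5.0+ will not start"
    check_graylog_conf "$1" && echo "$1: OK"
fi
```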
(4) Enable and start the service
systemctl enable graylog-server
systemctl start graylog-server
systemctl status graylog-server
(5) Open the web interface
Browse to http://<ip>:9000
Default administrator user name: admin
Password: the plaintext password entered when generating root_password_sha2
6. Graylog UI configuration
System > Inputs > Select input: choose "Syslog UDP", then click "Launch new input"
Check "Global"
Title: any name you like
Port: 1514
(syslog uses port 514, so forward it to 1514 with iptables)
yum install iptables-services
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
service iptables save
7. syslog configuration
Forward the logs of other servers to the Graylog server.
(1) Linux servers
Test:
logger -P514 -n <graylog server IP> "test message 1"
Edit rsyslog.conf:
vim /etc/rsyslog.conf and add:
*.* @<graylog server IP>:514
systemctl restart rsyslog
A single @ means UDP, @@ means TCP.
(2) Windows Server
The RSyslog Windows Agent needs to be installed. References:
RSyslog Windows Agent installation and configuration - Bypass - cnblogs.com
Saving Windows logs to a Linux rsyslog log server - 湖南馒头 - cnblogs.com
Windows rsyslog agent garbled text / "could not find the configured table, maybe misspel" - CSDN blog
Configuring — RSyslog Windows Agent 7.1 documentation
Keeping it running:
The installer creates an RSyslog Windows Agent service that starts automatically at boot.