使用 Graylog 收集、管理 log 事件記錄

Graylog 是一個事件記錄管理工具，它會搭配 ElasticSearch 、MongoDB，可以拿它來將所有主機的 log 作一個集中式的收集與管理

Seamless log data collection, faster analysis, and
the answers you need when you need them.

環境

CentOS 7

安裝 epel

yum install epel-release -y

安裝 java

yum -y install java-1.8.0-openjdk-headless.x86_64

安裝 elasticsearch

(參考 市面上流行的 ELK 就是 ElasticSearch + Logstash + Kibana 索引 收集 圖表化 )

version="7.13.4"
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${version}-x86_64.rpm
yum localinstall -y elasticsearch-${version}-x86_64.rpm

設定 elasticsearch

cat << EOF >> /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
network.host: localhost
http.port: 9200
EOF

啟用 elasticsearch

systemctl start elasticsearch

安裝 mongodb

vi /etc/yum.repos.d/mongodb-org.repo

[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc

yum install mongodb-org -y

啟用 mongodb

systemctl restart mongod.service

安裝 graylog

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm
yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y

產生 root_password_sha2 (給 web 介面 admin 的密碼用，輸入你的明碼，它會加密，再貼入 conf 檔)

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

產生 password_secret (所有 graylog-server 需要同這組加密字串，再貼入 conf 檔)

yum install pwgen -y
pwgen -N 1 -s 96

設定 graylog

vi /etc/graylog/server/server.conf

password_secret = RH6QkmlZkuMRzQwWEo5sE80M9lDAAx1ihv0slsikkDij2wDfuy9hjKr3oQCFCqex1AAscmfDtGevOtL5eJnHzNB3qJ6EwI5k

root_password_sha2 = 18138372fad4b94533cd4881f03dc6c69296dd897234e0cee83f727e2e6b1f63

mongodb_uri = mongodb://localhost/graylog

root_timezone = Asia/Taipei
http_bind_address = 10.10.10.137:9000
elasticsearch_hosts = http://127.0.0.1:9200

啟用 graylog

systemctl start graylog-server.service

瀏覽 graylog

http://10.10.10.137:9000

設置 graylog input

(會打開一個 port ，用來收集資料用)

管理介面 > System/Input > Inputs > 選擇 Syslog UDP > Launch new input

Node > 下拉選擇這台 graylog server
Title > 隨便給
Port > 1514

然後 Save
然後 Start Input
狀態是 running 的

此時就會有 1514 udp port listen 起來

udp6       0      0 :::1514                 :::*                                21049/java

Client 端

設置 rsyslog 送記錄到 graylog server

vi /etc/rsyslog.conf

*.* @10.10.10.137:1514

systemctl restart rsyslog

回到 Server 端

graylog-server 就會收到結果如下圖