Graylog is a log management tool. Used together with ElasticSearch and MongoDB, it lets you collect and manage the logs of all your hosts in one central place.
Seamless log data collection, faster analysis, and
the answers you need when you need them.
Environment
CentOS 7
Install epel
yum install epel-release -y
Install java
yum -y install java-1.8.0-openjdk-headless.x86_64
Install elasticsearch
(For reference: the popular ELK stack is ElasticSearch + Logstash + Kibana, i.e. indexing, collection and visualization.)
version="7.13.4"
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${version}-x86_64.rpm
yum localinstall -y elasticsearch-${version}-x86_64.rpm
Configure elasticsearch
cat << EOF >> /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
network.host: localhost
http.port: 9200
EOF
Start elasticsearch
systemctl start elasticsearch
Install mongodb
vi /etc/yum.repos.d/mongodb-org.repo
[mongodb-org]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/5.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-5.0.asc
yum install mongodb-org -y
Start mongodb
systemctl restart mongod.service
Install graylog
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm
yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y
Generate root_password_sha2 (this is the password of the admin user in the web UI: type your plaintext password, it is hashed, and you paste the result into the conf file)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Generate password_secret (every graylog-server node must share this same secret string; paste it into the conf file)
yum install pwgen -y
pwgen -N 1 -s 96
Configure graylog
vi /etc/graylog/server/server.conf
password_secret = RH6QkmlZkuMRzQwWEo5sE80M9lDAAx1ihv0slsikkDij2wDfuy9hjKr3oQCFCqex1AAscmfDtGevOtL5eJnHzNB3qJ6EwI5k
root_password_sha2 = 18138372fad4b94533cd4881f03dc6c69296dd897234e0cee83f727e2e6b1f63
mongodb_uri = mongodb://localhost/graylog
root_timezone = Asia/Taipei
http_bind_address = 10.10.10.137:9000
elasticsearch_hosts = http://127.0.0.1:9200
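Before starting graylog-server it is worth confirming that the values pasted into server.conf are what Graylog expects. The following Python script is an added example, not code from the original post or from Graylog: it reproduces the root_password_sha2 pipeline shown above and sanity-checks a constructed server.conf (the 16-character minimum for password_secret is Graylog's documented requirement; all sample values are made up).

```python
# Added example (not from the original post or Graylog): reproduce the page's
# root_password_sha2 pipeline and sanity-check server.conf before starting
# graylog-server. The config texts below are constructed for the demo.
import hashlib
import re


def root_password_sha2(password: str) -> str:
    """Same result as: echo -n "$pw" | tr -d '\n' | sha256sum | cut -d" " -f1"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def parse_server_conf(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_server_conf(text: str) -> list:
    """Return a list of problems; an empty list means the config looks sane."""
    conf = parse_server_conf(text)
    problems = []
    if len(conf.get("password_secret", "")) < 16:
        problems.append("password_secret must be at least 16 characters")
    if not re.fullmatch(r"[0-9a-f]{64}", conf.get("root_password_sha2", "")):
        problems.append("root_password_sha2 is not a 64-char lowercase SHA-256 hex digest")
    bind = conf.get("http_bind_address", "")
    if bind.startswith("0.0.0.0") or bind.startswith("[::]"):
        problems.append("http_bind_address listens on all interfaces; bind to one IP")
    for key in ("mongodb_uri", "elasticsearch_hosts"):
        if key not in conf:
            problems.append(f"{key} is missing")
    return problems


# Constructed server.conf mirroring the keys the page sets (values are made up).
SAMPLE_CONF = (
    "password_secret = " + "x" * 96 + "\n"
    "root_password_sha2 = " + root_password_sha2("admin") + "\n"
    "mongodb_uri = mongodb://localhost/graylog\n"
    "root_timezone = Asia/Taipei\n"
    "http_bind_address = 10.10.10.137:9000\n"
    "elasticsearch_hosts = http://127.0.0.1:9200\n"
)
# Constructed weak config: short secret, unhashed password, wide-open bind address.
WEAK_CONF = "password_secret = short\nroot_password_sha2 = admin\nhttp_bind_address = 0.0.0.0:9000\n"
```

Running check_server_conf(SAMPLE_CONF) returns an empty list, while WEAK_CONF produces one finding per problem.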
Start graylog
systemctl start graylog-server.service
Browse to graylog
http://10.10.10.137:9000
Set up a graylog input
(This opens a port that is used to receive data.)
Web UI > System/Input > Inputs > select Syslog UDP > Launch new input
Node > select this graylog server from the drop-down
Title > any name you like
Port > 1514
Then Save
Then Start Input
The status should be running
At this point UDP port 1514 is listening:
udp6 0 0 :::1514 :::* 21049/java
Client side
Configure rsyslog to send logs to the graylog server
vi /etc/rsyslog.conf
*.* @10.10.10.137:1514
systemctl restart rsyslog
Back on the server side
graylog-server receives the logs, as shown in the figure below