Graylog
graylog是一个简单易用、功能较全面的日志管理工具,graylog采用Elasticsearch或OpenSearch作为存储和索引以保障性能,
MongoDB用来存储少量的自身配置信息,master-node模式具有很好的扩展性,UI上自带的基础查询与分析功能比较实用且高效,
支持LDAP、权限控制并有丰富的日志类型和标准(如syslog,GELF)并支持基于日志的报警。
在日志接收方面通常是网络传输,可以是TCP也可以是UDP,在实际生产环境量级较大多数采用UDP,也可以通过MQ来消费日志。
优势
- 部署维护简单
- 资源占用较少
- 查询语法简单易懂(对比ES的语法…)
- 内置简单的告警
- 可以将搜索结果导出为 json
- UI 比较友好
安装依赖
以Graylog 5.0版本安装依赖项:
- OpenJDK 17 (内嵌在graylog 5.0中,不需要单独安装)
- OpenSearch 1.x、2.x或Elasticsearch 7.10.2
- MongoDB 5.x或6.x
在Centos 7/8安装Graylog 5.0
安装MongoDB
- 添加仓库源文件
/etc/yum.repos.d/mongodb-org.repo, 内容如下:
1
2
3
4
5
6
|
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
|
- 安装最新版本
1
|
sudo yum install mongodb-org
|
- 启动运行MongoDB
1
2
3
4
|
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
|
安装OpenSearch
可以选择安装OpenSearch,或者Elasticsearch,这里选择安装OpenSearch
- 关闭THP提高性能
1
2
3
4
5
6
7
8
|
sudo echo "Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target" | sudo tee /etc/systemd/system/disable-transparent-huge-pages.service
|
然后启动服务:
1
2
3
|
sudo systemctl daemon-reload
sudo systemctl enable disable-transparent-huge-pages.service
sudo systemctl start disable-transparent-huge-pages.service
|
- 创建本地repo文件
1
|
sudo curl -SL https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/opensearch-2.x.repo -o /etc/yum.repos.d/opensearch-2.x.repo
|
- 安装最新版本
- 配置文件
1
2
3
4
5
6
7
8
|
vim /etc/opensearch/opensearch.yml
path.data: /var/lib/opensearch
path.logs: /var/log/opensearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
plugins.security.disabled: true
|
- 启动服务
1
2
3
|
systemctl enable opensearch
systemctl start opensearch
systemctl status opensearch
|
- 发送请求验证
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
[root@10-7-98-3 ~]# curl -X GET http://localhost:9200 -u 'admin:admin' --insecure
{
"name" : "10-7-98-3",
"cluster_name" : "opensearch",
"cluster_uuid" : "gGi1MQcZQWOcBfQrxmSaQA",
"version" : {
"distribution" : "opensearch",
"number" : "2.6.0",
"build_type" : "rpm",
"build_hash" : "7203a5af21a8a009aece1474446b437a3c674db6",
"build_date" : "2023-02-24T18:57:09.290618503Z",
"build_snapshot" : false,
"lucene_version" : "9.5.0",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
|
安装Graylog
- 简单安装
1
2
|
sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.rpm
sudo yum install graylog-server
|
- 安装pwgen,用于生成密码
- 生成密码,用于配置项
password_secret
- 生成web登录密码,用于配置项
root_password_sha2
1
|
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
|
- 配置文件
1
2
3
4
5
6
|
vim /etc/graylog/server/server.conf
password_secret = xxx
root_password_sha2 = xxx
http_bind_address = 0.0.0.0:9000
mongodb_uri = mongodb://localhost/graylog
|
mongodb配置本地服务连接。
- 启动服务
1
2
3
4
|
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog
|
- 添加日志收集器
在浏览器中打开http://host:9000/,用admin用户登录,密码是生成配置项root_password_sha2的密码。
进入 System > Inputs > Inputs in Cluster > Raw/Plaintext TCP | Launch new input
取名"tcp 5555” 完成创建
创建完成后可看到5555端口已经启动监听
1
|
tcp6 0 0 :::5555 :::* LISTEN 1850857/java
|
然后向该端口建立tcp连接并发送日志
1
|
echo `date` | nc 127.0.0.1 5555
|
发送后即可在首页看到日志记录。
参考