Graylog - Log Monitoring System
Graylog is an open-source tool for log aggregation, analysis, auditing, visualization and alerting. Functionally it is similar to the ELK stack, but considerably simpler. Its leaner design, efficiency, and easy deployment and operation have quickly earned it a following. It is admittedly less extensible than ELK, but a commercial edition is available.
Graylog - Workflow Overview
The simplest Graylog deployment is a single node; the more complex option is a cluster. The architecture diagram below shows three components: Elasticsearch, MongoDB and Graylog. Elasticsearch persists and indexes the log data (I/O intensive), MongoDB stores Graylog's own configuration, and Graylog provides the web interface and the external API (CPU intensive).
Back to the topic, let's start the installation:
- Install dependencies
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install apt-transport-https openjdk-18-jre-headless uuid-runtime pwgen
- Install MongoDB
Import the public key used by the package manager
wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -
Create the list file and refresh the repository index
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
sudo apt update
Install libssl1.1 (required by the MongoDB package)
sudo apt install curl
curl -LO http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb
sudo dpkg -i ./libssl1.1_1.1.1-1ubuntu2.1~18.04.20_amd64.deb
Install MongoDB
sudo apt install -y mongodb-org
After installation, start MongoDB and enable it to start on boot
sudo systemctl start mongod
sudo systemctl enable mongod
sudo systemctl status mongod
Status
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-11-03 17:40:36 CST; 7s ago
Docs: https://docs.mongodb.org/manual
Main PID: 68061 (mongod)
Memory: 62.9M
CPU: 173ms
CGroup: /system.slice/mongod.service
└─68061 /usr/bin/mongod --config /etc/mongod.conf
11月 03 17:40:36 Virtual-Machine systemd[1]: Started MongoDB Database Server.
- Install Elasticsearch
First install the Elastic GPG key, then add a repository file with the contents below. Graylog works with Elasticsearch 7.x; install the open-source (OSS) build of Elasticsearch as follows.
wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
sudo apt-key add myKey
echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch-oss
Edit the configuration file:
sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT
Once installed and configured, start Elasticsearch and enable it to start on boot
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl status elasticsearch.service
Status
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-11-03 17:45:47 CST; 1s ago
Docs: https://www.elastic.co
Main PID: 70838 (java)
Tasks: 61 (limit: 9454)
Memory: 1.2G
CPU: 12.043s
CGroup: /system.slice/elasticsearch.service
└─70838 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -XX:+ShowCodeDetailsInExceptionMessages -Dio.netty.noUnsafe=true -Dio.netty.noKe>
11月 03 17:45:39 Virtual-Machine systemd[1]: Starting Elasticsearch...
11月 03 17:45:47 Virtual-Machine systemd[1]: Started Elasticsearch.
- Install Graylog
Now install the Graylog repository configuration and Graylog itself with the following commands:
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
sudo dpkg -i graylog-4.3-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
After installation, first generate the password_secret
pwgen -N 1 -s 96
Generate the root_password_sha2 hash (the password you will later use to log in to the web interface)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
In the configuration file */etc/graylog/server/server.conf*, fill in the generated password_secret and root_password_sha2 strings,
then set the web listen address (http_bind_address); the default port is 9000 and can be changed.
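Putting the two generation commands and the server.conf edits above together, here is an added shell example (not from the original post) that writes the secrets into the configuration file and restricts its permissions. It assumes pwgen and sha256sum from the steps above (with a /dev/urandom fallback as an assumption), and takes the config path as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two secrets Graylog
# needs and write them into a server.conf the way the steps above describe.
# Assumes pwgen (installed above) or /dev/urandom, sha256sum, grep and sed.
# The config path is a parameter so the script can be tried on a copy first.
# Usage: configure_graylog /etc/graylog/server/server.conf 'admin-password' 127.0.0.1:9000

# Hex SHA-256 of a password, the form root_password_sha2 expects.
sha2_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 96-character password_secret, as in the pwgen command above, with a
# /dev/urandom fallback (assumption) when pwgen is not installed.
new_secret() {
    pwgen -N 1 -s 96 2>/dev/null || LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Replace an existing "key = value" line or append one; writes through the
# existing file so its owner and mode are preserved. Values used here are
# only [A-Za-z0-9.:], so no sed escaping is needed.
set_conf_key() {
    conf=$1; key=$2; value=$3
    if grep -q "^${key} *=" "$conf"; then
        sed "s|^${key} *=.*|${key} = ${value}|" "$conf" > "${conf}.tmp" \
            && cat "${conf}.tmp" > "$conf" && rm -f "${conf}.tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the active (uncommented) value of a key.
get_conf_key() {
    sed -n "s|^$2 *= *||p" "$1"
}

configure_graylog() {
    conf=$1; root_pw=$2; bind=${3:-127.0.0.1:9000}
    secret=$(new_secret)
    # Refuse a short secret: server.conf requires at least 16 chars, the post uses 96.
    [ "${#secret}" -ge 64 ] || { echo "password_secret too short" >&2; return 1; }
    set_conf_key "$conf" password_secret "$secret"
    set_conf_key "$conf" root_password_sha2 "$(sha2_of "$root_pw")"
    set_conf_key "$conf" http_bind_address "$bind"
    chmod 640 "$conf"   # the file now holds secrets; keep it unreadable to others
}
```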
Save the changes, then start Graylog
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
Status:
● graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-11-03 17:51:17 CST; 7s ago
Docs: http://docs.graylog.org/
Main PID: 74133 (graylog-server)
Tasks: 117 (limit: 9454)
Memory: 918.9M
CPU: 23.502s
CGroup: /system.slice/graylog-server.service
├─74133 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─74174 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=deb>
11月 03 17:51:17 Virtual-Machine systemd[1]: Started Graylog server.
11月 03 17:51:17 Virtual-Machine graylog-server[74174]: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Finally, log in from a browser at http://ip:9000
Default admin username: admin
Password: the password you chose when generating root_password_sha2