Graylog is an excellent log management solution and is easier to use than ELK. Graylog uses MongoDB to store configuration data such as user information, and Elasticsearch to store and search logs.

Manual installation on CentOS 8

Install MongoDB
Create the MongoDB repo file

vim /etc/yum.repos.d/mongodb-org.repo

Configure the repo file

[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc

Install MongoDB

sudo yum install mongodb-org -y

Start MongoDB and enable it at boot

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl start mongod.service
sudo systemctl --type=service --state=active | grep mongod

Install Elasticsearch
Import the Elastic GPG key

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Create the ES repo file

vim /etc/yum.repos.d/elasticsearch.repo

Configure the repo file

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install the latest released version of ES

sudo yum install elasticsearch-oss -y

Edit the ES configuration file

sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog
action.auto_create_index: false
EOT

Start ES

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch

Install Graylog
Install the JDK (skip this if one is already installed; Graylog needs it to run)

wget http://111.230.38.23/jdk/jdk-8u241-linux-x64.rpm
rpm -ivh jdk-8u241-linux-x64.rpm

Install pwgen (used to generate the password secret)

sudo yum install pwgen -y

Install Graylog

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm
sudo yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins -y

Edit the Graylog configuration file /etc/graylog/server/server.conf

password_secret and root_password_sha2 must be changed; otherwise the server will not start.

Generate password_secret

pwgen -N 1 -s 96

Generate the hash of the Graylog admin password: type the password and press Enter

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Admin username

root_username = <admin username>

Timezone of the admin account

root_timezone = Asia/Shanghai

Whether search results are highlighted

allow_highlighting = true

IP address and port the HTTP interface binds to

http_bind_address = 0.0.0.0:9000

If Graylog is not on the same server as MongoDB and Elasticsearch, change the corresponding connection addresses.
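The two mandatory values above are produced on the page with pwgen and sha256sum. The following added example (my own code, not from the original post or from the Graylog project) does the same in Python and then rewrites the keys in a server.conf-style text, so the edit can be scripted and re-run safely: an existing active line is replaced, a commented-out line is left alone, and a missing key is appended. The secret length, the 16-character minimum and the config path in main are assumptions taken from the page and from Graylog's documented requirements.

```python
"""Generate password_secret and root_password_sha2 and upsert them into server.conf."""
import getpass
import hashlib
import re
import secrets
import string
import sys
from typing import Dict, Optional

SECRET_ALPHABET = string.ascii_letters + string.digits  # same character set as `pwgen -s`
MIN_SECRET_LEN = 16  # Graylog refuses to start with a shorter password_secret


def sha256_hex(password: str) -> str:
    """root_password_sha2 is the hex SHA-256 of the plain password, with no trailing newline
    (the reason the page pipes the input through `tr -d '\\n'`)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def generate_secret(length: int = 96) -> str:
    """Random alphanumeric secret like `pwgen -N 1 -s 96`, drawn from the OS CSPRNG."""
    if length < MIN_SECRET_LEN:
        raise ValueError(f"password_secret must be at least {MIN_SECRET_LEN} characters")
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def upsert_keys(config_text: str, updates: Dict[str, str]) -> str:
    """Return config_text with every active `key = value` line in `updates` rewritten.
    Keys that are absent are appended; commented-out lines (`#key = ...`) are untouched."""
    seen = set()
    out = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=", line)
        if m and m.group(1) in updates:
            key = m.group(1)
            out.append(f"{key} = {updates[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def build_updates(admin_password: str, secret: Optional[str] = None) -> Dict[str, str]:
    """The two values the page says must be changed before Graylog will start."""
    return {
        "password_secret": secret or generate_secret(),
        "root_password_sha2": sha256_hex(admin_password),
    }


if __name__ == "__main__":
    # Usage: python3 graylog_conf.py /etc/graylog/server/server.conf  (path is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/graylog/server/server.conf"
    pw = getpass.getpass("Enter Password: ")
    with open(path, encoding="utf-8") as fh:
        current = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(upsert_keys(current, build_updates(pw)))
    print("updated", path)
```

Because the secret comes from the secrets module rather than a user-typed string, it never appears on the command line or in shell history; keep file permissions on server.conf restricted, since password_secret is what Graylog uses to encrypt stored credentials.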

Start Graylog and enable it at boot

systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog

Once the port is opened, enter the server's IP:9000 in a browser to log in to Graylog.

Configure inputs

Installing Graylog with Docker

Create a docker-compose.yml file in the current directory

vim docker-compose.yml

Configure it as follows

version: '3'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:4.2
    networks:
      - graylog
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2.5
    environment:
      # CHANGE ME (must be at least 16 characters)!
      - GRAYLOG_PASSWORD_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
      - GRAYLOG_ROOT_TIMEZONE=Asia/Shanghai
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    networks:
      - graylog
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
networks:
  graylog:
    driver: bridge

Start Graylog in the background

docker-compose up -d

Enter the server's IP:9000 in a browser to log in to the Graylog console.

Configure inputs

Open System -> Inputs, select GELF UDP, click Launch new input, tick Global, enter a title, leave everything else unchanged, and save.

Integrating Graylog with Spring Boot

Add the pom dependency

        <dependency>
            <groupId>de.siegmar</groupId>
            <artifactId>logback-gelf</artifactId>
            <version>4.0.2</version>
        </dependency>

Configure it in logback.xml

    <appender name="GELF" class="de.siegmar.logbackgelf.GelfUdpAppender">
        <graylogHost>114.67.197.86</graylogHost>
        <graylogPort>12201</graylogPort>
        <maxChunkSize>508</maxChunkSize>
        <useCompression>true</useCompression>
        <messageIdSupplier class="de.siegmar.logbackgelf.MessageIdSupplier"/>
        <encoder class="de.siegmar.logbackgelf.GelfEncoder">
            <!--    <originHost>localhost</originHost>-->
            <includeRawMessage>true</includeRawMessage>
            <includeMarker>true</includeMarker>
            <includeMdcData>true</includeMdcData>
            <includeCallerData>false</includeCallerData>
            <includeRootCauseData>false</includeRootCauseData>
            <includeLevelName>true</includeLevelName>
            <shortPatternLayout class="ch.qos.logback.classic.PatternLayout">
                <pattern>[%d{yyyy-MM-dd HH:mm:ss:SSS}] %thread %level %logger{36} %L - %msg%n</pattern>
            </shortPatternLayout>
            <fullPatternLayout class="ch.qos.logback.classic.PatternLayout">
                <pattern>[%d{yyyy-MM-dd HH:mm:ss:SSS}] %thread %level %logger{36} %L - %msg%n</pattern>
            </fullPatternLayout>
            <numbersAsString>false</numbersAsString>
            <staticField>app_name:graylog-test</staticField>
            <staticField>os_arch:${os.arch}</staticField>
            <staticField>os_name:${os.name}</staticField>
            <staticField>os_version:${os.version}</staticField>
        </encoder>
    </appender>
    <root level="info">
        <appender-ref ref="GELF"/>
    </root>

You can adjust the log pattern, the Graylog server IP, and so on.
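The GELF UDP input created above receives datagrams in the format the logback appender emits: a GELF 1.1 JSON document, gzip-compressed (useCompression) and split into chunks of at most 508 bytes (maxChunkSize), each carrying a 12-byte header. The following added example (my own code, not from the original post or from the logback-gelf project) builds such messages in Python and reverses the process, so the wire format can be checked without a Spring Boot app and a test message can be pushed at the input with send_udp. The host name, port and field values are constructed defaults; the 128-chunk limit and the header layout follow the GELF specification.

```python
"""Build, chunk and decode GELF UDP messages as the GelfUdpAppender sends them."""
import gzip
import json
import os
import socket
import struct
import time
from typing import List, Optional

GELF_CHUNK_MAGIC = b"\x1e\x0f"
GELF_CHUNK_HEADER_LEN = 12  # 2 magic + 8 message id + 1 sequence number + 1 sequence count
GELF_MAX_CHUNKS = 128       # Graylog discards messages that would need more chunks


def build_gelf(short_message: str, host: str = "app-host", level: int = 6, **extra) -> bytes:
    """GELF 1.1 JSON payload. Additional fields get the mandatory '_' prefix;
    '_id' is reserved by Graylog and must not be sent."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for key, value in extra.items():
        field = "_" + key.lstrip("_")
        if field == "_id":
            raise ValueError("'_id' is not allowed as an additional GELF field")
        msg[field] = value
    return json.dumps(msg).encode("utf-8")


def chunk(payload: bytes, max_chunk_size: int = 508, message_id: Optional[bytes] = None) -> List[bytes]:
    """Split a payload into GELF chunks; payloads that fit in one datagram are sent unchunked."""
    if len(payload) <= max_chunk_size:
        return [payload]
    data_per_chunk = max_chunk_size - GELF_CHUNK_HEADER_LEN
    pieces = [payload[i:i + data_per_chunk] for i in range(0, len(payload), data_per_chunk)]
    if len(pieces) > GELF_MAX_CHUNKS:
        raise ValueError(f"message needs {len(pieces)} chunks; GELF allows at most {GELF_MAX_CHUNKS}")
    mid = message_id or os.urandom(8)  # per-message id so the receiver can group chunks
    return [GELF_CHUNK_MAGIC + mid + struct.pack("BB", i, len(pieces)) + piece
            for i, piece in enumerate(pieces)]


def prepare(short_message: str, compress: bool = True, max_chunk_size: int = 508, **extra) -> List[bytes]:
    """Payload -> optional gzip -> chunks, matching useCompression/maxChunkSize in logback.xml."""
    payload = build_gelf(short_message, **extra)
    if compress:
        payload = gzip.compress(payload)
    return chunk(payload, max_chunk_size)


def reassemble(datagrams: List[bytes]) -> bytes:
    """Inverse of chunk(): validate headers, tolerate out-of-order delivery, reject mixed ids."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return datagrams[0]
    parts = {}
    mid = total = None
    for d in datagrams:
        if not d.startswith(GELF_CHUNK_MAGIC) or len(d) <= GELF_CHUNK_HEADER_LEN:
            raise ValueError("malformed GELF chunk")
        this_mid, seq, count = d[2:10], d[10], d[11]
        if mid is None:
            mid, total = this_mid, count
        if this_mid != mid or count != total or seq >= total:
            raise ValueError("chunk does not belong to this message")
        parts[seq] = d[GELF_CHUNK_HEADER_LEN:]
    if len(parts) != total:
        raise ValueError(f"missing chunks: have {len(parts)} of {total}")
    return b"".join(parts[i] for i in range(total))


def decode(payload: bytes) -> dict:
    """Decompress when the gzip magic is present, then parse the JSON document."""
    if payload[:2] == b"\x1f\x8b":
        payload = gzip.decompress(payload)
    return json.loads(payload.decode("utf-8"))


def send_udp(datagrams: List[bytes], host: str = "127.0.0.1", port: int = 12201) -> int:
    """Send every datagram to the GELF UDP input; returns the number sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, (host, port))
    return len(datagrams)


if __name__ == "__main__":
    # Constructed test message against a local input; app_name mirrors the staticField in logback.xml
    sent = send_udp(prepare("hello from python", app_name="graylog-test"))
    print(f"sent {sent} datagram(s)")
```

A practical consequence of the chunk limit is visible here: with compression off, a message larger than about 63 KB (128 x 496 bytes) is dropped by the input, which is why the logback config keeps useCompression on and why stack traces (includeRootCauseData) are a common reason for silently missing log lines.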

Tags: graylog, docker