Graylog is an open-source tool for log collection, aggregation, analysis, auditing, visualization and alerting.
It covers much the same ground as the ELK stack but is leaner: it is compact, efficient and simple to deploy and operate, which has quickly won it many users.
The architecture diagram is as follows
Before installing and starting any Graylog service, make sure the following software is installed and configured on CentOS 7:
1. Java (>= 8)
2. Elasticsearch (5.x or 6.x)
3. MongoDB (3.6 or 4.0)
The simple deployment architecture is as follows
The high-availability deployment architecture diagram of the production environment is as follows
The simple Graylog deployment starts here.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum install -y java-1.8.0-openjdk-headless.x86_64
yum install -y pwgen
vi /etc/yum.repos.d/mongodb-org.repo
# Add the following lines
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Then install MongoDB with yum:
yum install mongodb-org
Because the official MongoDB repository is hosted abroad and yum installs from it are slow in China, you can use the Alibaba Cloud MongoDB mirror instead (the packages are still signed with the MongoDB key, so keep gpgcheck=1):
vi /etc/yum.repos.d/mongodb-org.repo
# Change the repo definition to the following
[mongodb-org]
name=MongoDB Repository
baseurl=https://mirrors.aliyun.com/mongodb/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
Then start the mongoDB service and set it to start at boot
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo
# Add the following lines
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install elasticsearch-oss
Because access to the official Elasticsearch repository is slow from within China, you can also download the rpm from another source (the original article points to a Baidu share) and install it directly. Since the package then does not come through the signed repository, verify its signature against the Elastic GPG key imported above before installing it.
rpm -ivh elasticsearch-oss-6.8.8.rpm
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
systemctl --type=service --state=active | grep elasticsearch
Edit the Elasticsearch configuration file
vi /etc/elasticsearch/elasticsearch.yml
# Add the following lines (Graylog creates and rotates its own indices, so automatic index creation is switched off)
cluster.name: graylog
action.auto_create_index: false
Then restart the elasticsearch service
systemctl restart elasticsearch.service
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.2-repository_latest.rpm
yum install graylog-server
If access to the official repository is too slow, download the rpm package with another tool, upload it to the server and install it locally with rpm -ivh (verify the package signature first, as with the Elasticsearch rpm):
rpm -ivh graylog-server-3.2.4-1.noarch.rpm
cp /etc/graylog/server/server.conf /etc/graylog/server/server.conf_default
Use pwgen to generate the password_secret value (96 random characters):
pwgen -N 1 -s 96
Use the following command to generate the root_password_sha2 string (the SHA-256 hash of the admin password; the password is read from the terminal and hashed without a trailing newline):
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Put the generated password_secret and root_password_sha2 strings into /etc/graylog/server/server.conf. password_secret is used to encrypt credentials stored by Graylog, so it must be the same on every node of a cluster and should be at least 64 characters as the stock server.conf recommends; root_password_sha2 is the hash of the admin password. Also change the following settings:
1. the time zone of the admin account
2. highlighting of query results
3. the HTTP bind address and port
root_timezone = Asia/Shanghai
allow_highlighting = true
http_bind_address = 0.0.0.0:9000
Binding to 0.0.0.0 listens on every interface. That is convenient for a lab, but the web interface and REST API share this port, so on a reachable network restrict the address, enable TLS (http_enable_tls) and firewall port 9000 to the hosts that need it.
Next, start the graylog-server service and set it to start at boot
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog
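The secret generation and server.conf edits above are done by hand in the article. The following script is an added example, not code from the original article or from the Graylog project: it renders the same settings into a server.conf and checks the result (secret length, hash shape, and whether the UI is bound to all interfaces without TLS). It assumes GNU sed, sha256sum and /dev/urandom as found on CentOS 7; the random-secret function stands in for pwgen, the sample configuration file is constructed here and contains only the lines the article touches, and the admin password and bind address are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article or the Graylog project): render the
# secrets and settings from the steps above into a Graylog server.conf and sanity-check
# the result. Assumes GNU sed, sha256sum and /dev/urandom, as on CentOS 7.

# Stand-in for "pwgen -N 1 -s 96": 96 random alphanumeric characters.
gen_password_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Same hash the article computes interactively: SHA-256 of the password without a newline.
sha256_hex() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# set_conf_key FILE KEY VALUE: rewrite every "KEY = ..." line (commented default included)
# so the key ends up active, or append it if the file does not mention the key at all.
# VALUE must not contain '|' or '&' (sed replacement syntax); none of the values here do.
set_conf_key() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >>"$1"
    fi
}

# get_conf_key FILE KEY: value of the first active (uncommented) KEY line, empty if unset.
get_conf_key() {
    sed -nE "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# configure_graylog FILE ADMIN_PASSWORD [BIND]: the edits the article makes by hand.
# The bind address defaults to loopback; pass 0.0.0.0:9000 only if you also enable TLS.
configure_graylog() {
    set_conf_key "$1" password_secret "$(gen_password_secret)"
    set_conf_key "$1" root_password_sha2 "$(sha256_hex "$2")"
    set_conf_key "$1" root_timezone Asia/Shanghai
    set_conf_key "$1" allow_highlighting true
    set_conf_key "$1" http_bind_address "${3:-127.0.0.1:9000}"
}

# check_graylog_conf FILE: returns 0 if the secrets look sane and the web interface is
# not exposed on all interfaces without TLS, 1 otherwise (reasons go to stderr).
check_graylog_conf() {
    rc=0
    secret=$(get_conf_key "$1" password_secret)
    hash=$(get_conf_key "$1" root_password_sha2)
    bind=$(get_conf_key "$1" http_bind_address)
    tls=$(get_conf_key "$1" http_enable_tls)
    # The stock server.conf asks for at least 64 characters; pwgen -s 96 gives 96.
    if [ ${#secret} -lt 64 ]; then
        echo "password_secret is shorter than the recommended 64 characters" >&2; rc=1
    fi
    if [ ${#hash} -ne 64 ] || [ -n "$(printf '%s' "$hash" | tr -d '0-9a-f')" ]; then
        echo "root_password_sha2 must be a 64-digit lowercase hex SHA-256" >&2; rc=1
    fi
    case $bind in
        0.0.0.0:*|"[::]:"*)
            if [ "$tls" != true ]; then
                echo "http_bind_address $bind exposes the UI on every interface without TLS" >&2; rc=1
            fi ;;
    esac
    return $rc
}

# Constructed stand-in for the stock server.conf (only the lines the article touches).
write_sample_conf() {
    cat >"$1" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
#root_timezone = UTC
#allow_highlighting = false
#http_bind_address = 127.0.0.1:9000
EOF
}
```

On a real host run configure_graylog /etc/graylog/server/server.conf 'YourAdminPassword' after making the backup copy, then check_graylog_conf on the same file before starting the service. Passing the password as an argument shows it briefly in the process list of other local users; on a shared machine read it with read -s into a variable instead.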
Open http://192.168.31.80:9000 in a browser (192.168.31.80 is the Graylog server in this walkthrough; the default port is 9000).
The default user name is admin; log in with the password whose hash you just configured.
1. For example, add a Syslog UDP input under INPUTS
and use 1514 as the UDP port.
An input on the standard syslog port 514 fails to start by default: the Graylog service runs as an unprivileged user, which cannot bind ports below 1024. The official documentation describes this and the workarounds.
2. Add a log source. On the client, edit /etc/rsyslog.conf with vi /etc/rsyslog.conf and append the forwarding rule
*.* @192.168.31.80:1514
(a single @ forwards over UDP, @@ would use TCP), then restart the rsyslog service
service rsyslog restart
and generate a syslog event on the client (for example with the logger command).
3. Check the Search page in Graylog to confirm the log was received.
4. Keyword search over logs
5. Dashboard function
This concludes the brief walkthrough of setting up Graylog; it has many more features, so try them out for yourself.
References used by this article:
https://testerhome.com/topics/3026?locale=zh-cn
https://zhuanlan.zhihu.com/p/78441710
https://docs.graylog.org/en/3.2/pages/installation/os/centos.html