1. Introduction to Graylog and version notes
Graylog is an open-source log management platform that provides log collection, storage, search and analysis. It is built on Elasticsearch and supports many log input methods, including Syslog, GELF and Kafka.
Current Graylog versions:
Graylog 6.1.x (latest stable) - released in 2025, with security and performance improvements
Graylog 6.0.x - long-term support release, suitable for production
Graylog 5.2.x - older stable release, still under maintenance
Graylog 5.1.x - legacy stable release
Graylog architecture components:
Graylog Server: the core server that processes log data
Elasticsearch: data storage and search engine
MongoDB: stores configuration and metadata
Graylog Sidecar: lightweight log collection agent
2. Downloading Graylog
Graylog can be downloaded and installed in several ways, including package installation, Docker container deployment and building from source.
Method 1: official repository (recommended)
# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.rpm
# The repository package installs the repo definition and Graylog's GPG signing key;
# rpm --import expects an ASCII-armored key, not an .rpm file, so no separate import is needed
# List available versions
# yum list graylog-server --showduplicates
graylog-server.x86_64 6.1.0-1 graylog-6.1-stable
graylog-server.x86_64 6.1.1-1 graylog-6.1-stable
graylog-server.x86_64 6.1.2-1 graylog-6.1-stable
graylog-server.x86_64 6.0.5-1 graylog-6.0-stable
graylog-server.x86_64 6.0.6-1 graylog-6.0-stable
Method 2: download the RPM package directly
# cd /fgedudb/graylog
# wget https://packages.graylog2.org/releases/graylog/graylog-6.1.2-1.x86_64.rpm
# Sample download output:
--2026-04-04 10:15:23-- https://packages.graylog2.org/releases/graylog/graylog-6.1.2-1.x86_64.rpm
Resolving packages.graylog2.org… 151.101.1.217
Connecting to packages.graylog2.org|151.101.1.217|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 185678234 (177M) [application/x-rpm]
Saving to: ‘graylog-6.1.2-1.x86_64.rpm’
graylog-6.1.2-1.x86_64.rpm 100%[===============================================>] 177.08M 15.2MB/s in 12s
2026-04-04 10:15:35 URL:https://packages.graylog2.org/releases/graylog/graylog-6.1.2-1.x86_64.rpm [185678234/185678234] -> “graylog-6.1.2-1.x86_64.rpm” [1]
# Verify the downloaded file
# ls -lh graylog-6.1.2-1.x86_64.rpm
-rw-r--r-- 1 root root 177M Apr 4 10:15 graylog-6.1.2-1.x86_64.rpm
Method 3: Docker image
# docker pull graylog/graylog:6.1
# Sample pull output:
6.1: Pulling from graylog/graylog
Digest: sha256:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2
Status: Downloaded newer image for graylog/graylog:6.1
docker.io/graylog/graylog:6.1
# Check the image size
# docker images graylog/graylog:6.1
REPOSITORY TAG IMAGE ID CREATED SIZE
graylog/graylog 6.1 a1b2c3d4e5f6 2 days ago 568MB
# Pull a specific version
# docker pull graylog/graylog:6.0.6
# docker pull graylog/graylog:5.2.15
Method 4: download the Sidecar agent
# cd /fgedudb/graylog
# wget https://github.com/Graylog2/collector-sidecar/releases/download/1.5.0/graylog-sidecar-1.5.0-1.x86_64.rpm
# Sample download output:
--2026-04-04 10:20:15-- https://github.com/Graylog2/collector-sidecar/releases/download/1.5.0/graylog-sidecar-1.5.0-1.x86_64.rpm
Resolving github.com… 140.82.121.4
Connecting to github.com|140.82.121.4|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset… [following]
Length: 12582912 (12M) [application/octet-stream]
Saving to: ‘graylog-sidecar-1.5.0-1.x86_64.rpm’
graylog-sidecar-1.5.0-1.x86_64.rpm 100%[===============================================>] 12.00M 8.5MB/s in 1.4s
2026-04-04 10:20:17 URL:https://objects.githubusercontent.com/… [12582912/12582912] -> “graylog-sidecar-1.5.0-1.x86_64.rpm” [1]
3. Preparing the system environment
Graylog depends on Elasticsearch and MongoDB, so these components must be installed first.
Step 1: install the Java runtime
# yum install -y java-17-openjdk java-17-openjdk-devel
# Verify the Java version
# java -version
openjdk version "17.0.13" 2024-10-15 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.13.0.11-1) (build 17.0.13+11-LTS, mixed mode, sharing)
# Configure JAVA_HOME
# vi /etc/profile.d/java.sh
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk
export PATH=$JAVA_HOME/bin:$PATH
# Apply the configuration
# source /etc/profile.d/java.sh
Step 2: install MongoDB
# vi /etc/yum.repos.d/mongodb-org-7.0.repo
[mongodb-org-7.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/7.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-7.0.asc
# Install MongoDB
# yum install -y mongodb-org
# Start the MongoDB service
# systemctl start mongod
# systemctl enable mongod
# Verify MongoDB status
# systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2026-04-04 10:25:30 CST; 5s ago
Docs: https://docs.mongodb.org/manual
Process: 15234 ExecStart=/usr/bin/mongod $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 15236 (mongod)
Tasks: 32
Memory: 156.5M
CGroup: /system.slice/mongod.service
└─15236 /usr/bin/mongod -f /etc/mongod.conf
Apr 04 10:25:30 fgedu.net.cn systemd[1]: Started MongoDB Database Server.
Step 3: install Elasticsearch
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
# Install Elasticsearch
# yum install -y elasticsearch
# Configure Elasticsearch
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog-cluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.51
http.port: 9200
discovery.type: single-node
# Disables authentication and TLS on the Elasticsearch API: anyone who can reach port 9200 can read or delete indices.
# Acceptable only when the node is reachable solely from the Graylog host on an isolated network.
xpack.security.enabled: false
# Start Elasticsearch
# systemctl start elasticsearch
# systemctl enable elasticsearch
# Verify Elasticsearch status
# curl -X GET "http://192.168.1.51:9200"
{
"name" : "node-1",
"cluster_name" : "graylog-cluster",
"cluster_uuid" : "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"version" : {
"number" : "8.12.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0",
"build_date" : "2024-01-15T10:30:45.123456789Z",
"build_snapshot" : false,
"lucene_version" : "9.8.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
4. Installing Graylog
With the dependency components installed, install Graylog Server.
Step 1: generate the password secret and root password hash
# < /dev/urandom tr -dc A-Za-z0-9 | head -c 96; echo
aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3aB4cD5eF6gH7iJ8kL9mN0oP1qR2sT3uV4wX5yZ6
# Generate the root_password_sha2 hash (echo -n so the trailing newline is not hashed)
# echo -n "Enter Password: " && read -s password && echo && echo -n "$password" | sha256sum | cut -d" " -f1
Enter Password:
5e884898da28047d9f5dcb6c05e224a1a177e1d7c7e9c7d5b6a4c3b2a1d0e9f8c7b6a5d4e3f2c1b0a9d8e7c6b5
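The same two values generated in Python, as an added example that is not part of the original tutorial. It uses the OS CSPRNG via the secrets module with the same alphabet as the tr command above, and adds validators for the two mistakes that most often break a fresh install: a root_password_sha2 that is not exactly 64 lowercase hex characters (truncated or mis-pasted, so the root login never matches) and a password_secret shorter than the 16-character minimum Graylog enforces. The function and variable names are my own.

```python
import hashlib
import re
import secrets
import string

# Same alphabet as "tr -dc A-Za-z0-9"; 96 characters matches the command in the tutorial.
SECRET_ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 96
# Graylog refuses to start with a password_secret shorter than 16 characters.
SECRET_MIN_LENGTH = 16


def generate_password_secret(length: int = SECRET_LENGTH) -> str:
    """Random alphanumeric password_secret drawn from the OS CSPRNG."""
    return "".join(secrets.choice(SECRET_ALPHABET) for _ in range(length))


def root_password_sha2(password: str) -> str:
    """Hex SHA-256 of the password exactly as typed (no trailing newline), as root_password_sha2 expects."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def is_valid_sha256_hex(value: str) -> bool:
    """A SHA-256 digest is always 64 lowercase hex characters; anything else will never match."""
    return re.fullmatch(r"[0-9a-f]{64}", value) is not None


def is_valid_password_secret(value: str) -> bool:
    """Length check plus the alphanumeric alphabet used above (no whitespace or quotes to mis-paste)."""
    return len(value) >= SECRET_MIN_LENGTH and re.fullmatch(r"[A-Za-z0-9]+", value) is not None


def render_server_conf_snippet(password: str) -> str:
    """Produce the two server.conf lines, validating both values before emitting them."""
    secret = generate_password_secret()
    digest = root_password_sha2(password)
    if not (is_valid_password_secret(secret) and is_valid_sha256_hex(digest)):
        raise RuntimeError("generated values failed validation")
    return f"password_secret = {secret}\nroot_password_sha2 = {digest}\n"


if __name__ == "__main__":
    import getpass
    # Read the password without echo, like "read -s" in the shell version.
    print(render_server_conf_snippet(getpass.getpass("Enter Password: ")), end="")
```

Run it once on the Graylog host and paste the two printed lines into /etc/graylog/server/server.conf; never reuse the same password_secret across unrelated clusters, because it is the key used to encrypt stored credentials.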
Step 2: install Graylog Server
# yum install -y graylog-server
# Or install from the downloaded RPM package
# rpm -ivh graylog-6.1.2-1.x86_64.rpm
# Sample install output:
Preparing… ################################# [100%]
Updating / installing…
1:graylog-server-6.1.2-1 ################################# [100%]
# List the installed files
# rpm -ql graylog-server | head -20
/etc/graylog/server
/etc/graylog/server/log4j2.xml
/etc/graylog/server/server.conf
/etc/init.d/graylog-server
/etc/sysconfig/graylog-server
/usr/share/graylog-server
/usr/share/graylog-server/bin
/usr/share/graylog-server/bin/graylog-server
/usr/share/graylog-server/bin/graylog-server.sh
/usr/share/graylog-server/plugin
/var/log/graylog-server
Step 3: configure Graylog Server
# vi /etc/graylog/server/server.conf
# Key parameters
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3aB4cD5eF6gH7iJ8kL9mN0oP1qR2sT3uV4wX5yZ6
root_password_sha2 = 5e884898da28047d9f5dcb6c05e224a1a177e1d7c7e9c7d5b6a4c3b2a1d0e9f8c7b6a5d4e3f2c1b0a9d8e7c6b5
root_timezone = Asia/Shanghai
# HTTP interface
http_bind_address = 192.168.1.51:9000
http_publish_uri = http://192.168.1.51:9000/
http_external_uri = http://192.168.1.51:9000/
http_enable_cors = true
# Elasticsearch connection
elasticsearch_hosts = http://192.168.1.51:9200
elasticsearch_index_prefix = graylog
# MongoDB connection
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 100
mongodb_threads_allowed_to_block_multiplier = 5
# Log retention policy
retention_strategy = closing
retention_rotation_period = P1D
retention_max_indices = 30
retention_max_docs_per_index = 20000000
Step 4: start the Graylog service
# systemctl start graylog-server
# systemctl enable graylog-server
# Check the service status
# systemctl status graylog-server
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2026-04-04 10:35:45 CST; 10s ago
Docs: http://docs.graylog.org/
Process: 18234 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=0/SUCCESS)
Main PID: 18236 (graylog-server)
Tasks: 85
Memory: 1.2G
CGroup: /system.slice/graylog-server.service
└─18236 /usr/bin/java -Xms1g -Xmx1g -XX:+UseG1GC -server -jar /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf
Apr 04 10:35:50 fgedu.net.cn graylog-server[18236]: 2026-04-04 10:35:50,123 INFO : Graylog server up and running.
Apr 04 10:35:50 fgedu.net.cn systemd[1]: Started Graylog server.
# Follow the startup log
# tail -f /var/log/graylog-server/server.log
2026-04-04 10:35:45,123 INFO [server] - Starting Graylog server...
2026-04-04 10:35:46,234 INFO [node] - Version: 6.1.2, Build: 2024-01-15T10:30:45.123
2026-04-04 10:35:47,345 INFO [cluster] - Cluster name: graylog-cluster
2026-04-04 10:35:48,456 INFO [mongodb] - Connected to MongoDB
2026-04-04 10:35:49,567 INFO [elasticsearch] - Connected to Elasticsearch
2026-04-04 10:35:50,123 INFO [server] - Graylog server up and running.
5. Configuring Graylog
After installation, the system needs to be configured for performance and security.
Step 1: configure JVM memory
# vi /etc/sysconfig/graylog-server
# JVM heap size (recommended: 25%-50% of physical memory)
GRAYLOG_SERVER_JAVA_OPTS="-Xms4g -Xmx4g -XX:+UseG1GC -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/graylog-server"
# Other parameters
GRAYLOG_SERVER_ARGS=""
GRAYLOG_SERVER_WRAPPER=""
# Restart the service to apply the change
# systemctl restart graylog-server
Step 2: configure index rotation
# vi /etc/graylog/server/server.conf
# Index optimization and time-based rotation (one index per day)
elasticsearch_index_optimization_jobs = 20
elasticsearch_index_optimization_disabled = false
# Index retention
retention_strategy = closing
retention_rotation_period = P1D
retention_max_indices = 30
# Index shards
elasticsearch_shards = 4
# 0 replicas means no redundancy: losing the single data node loses the indices. Use at least 1 on a multi-node cluster.
elasticsearch_replicas = 0
Step 3: configure email alerts
# vi /etc/graylog/server/server.conf
transport_email_enabled = true
transport_email_hostname = smtp.fgedu.net.cn
transport_email_port = 587
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = false
transport_email_auth_username = alert@fgedu.net.cn
transport_email_auth_password = your_password
transport_email_subject_prefix = [Graylog Alert]
transport_email_from_email = alert@fgedu.net.cn
transport_email_from_name = Graylog Alert
# Restart the service
# systemctl restart graylog-server
6. Configuring log inputs
Graylog supports many log input types; the following are the most commonly used input configurations.
Step 1: configure a Syslog input
# Open http://192.168.1.51:9000
# Go to System -> Inputs
# Select "Syslog TCP" or "Syslog UDP"
# Click "Launch new input"
# Parameters:
# Title: Syslog-TCP-514
# Bind address: 0.0.0.0
# Port: 514
# Protocol: TCP
# Or configure it through the API (the X-Requested-By header is required; Graylog rejects POST requests without it)
# curl -X POST -H "Content-Type: application/json" -H "X-Requested-By: cli" -u admin:password \
http://192.168.1.51:9000/api/system/inputs \
-d '{
"title": "Syslog-TCP-514",
"type": "org.graylog2.inputs.syslog.tcp.SyslogTCPInput",
"configuration": {
"bind_address": "0.0.0.0",
"port": 514,
"recv_buffer_size": 1048576,
"tcp_keepalive": true,
"use_null_delimiter": false,
"number_worker_threads": 4
},
"global": true
}'
# Sample output:
{
"id": "64a1b2c3d4e5f6a7b8c9d0e1",
"title": "Syslog-TCP-514",
"type": "org.graylog2.inputs.syslog.tcp.SyslogTCPInput",
"configuration": {
"bind_address": "0.0.0.0",
"port": 514,
"recv_buffer_size": 1048576
},
"created_at": "2026-04-04T10:45:00.000Z",
"creator_user_id": "admin",
"global": true,
"node_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"state": "RUNNING"
}
Step 2: configure a GELF input
# Suitable for application logs
# Create a GELF TCP input through the API
# curl -X POST -H "Content-Type: application/json" -H "X-Requested-By: cli" -u admin:password \
http://192.168.1.51:9000/api/system/inputs \
-d '{
"title": "GELF-TCP-12201",
"type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
"configuration": {
"bind_address": "0.0.0.0",
"port": 12201,
"recv_buffer_size": 1048576,
"tcp_keepalive": true,
"use_null_delimiter": true,
"number_worker_threads": 4,
"tls_enable": false
},
"global": true
}'
# Example Logback configuration for the application
# vi /etc/app/logback.xml
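To see exactly what the GELF TCP input created above receives, here is an added example that is not part of the original tutorial: a small Python client that builds GELF 1.1 events, null-terminates each one as the use_null_delimiter = true setting requires, and sends them over TCP. A constructed localhost stand-in for the input reads the stream back and splits it on the delimiter, so the round trip runs offline. The hostnames, field names and events are made up for the demonstration; to send to the real input, replace the stand-in's address with 192.168.1.51 and port 12201.

```python
import json
import socket
import threading
import time
from typing import Dict, List, Optional, Tuple

GELF_VERSION = "1.1"
LEVEL_WARNING, LEVEL_INFO = 4, 6  # GELF levels follow syslog severities (0 = emergency ... 7 = debug)


def build_gelf_message(host: str, short_message: str, level: int = LEVEL_INFO,
                       timestamp: Optional[float] = None, **extra) -> bytes:
    """Serialize one GELF 1.1 event and null-terminate it, the framing the GELF TCP input
    expects when use_null_delimiter is true. Additional fields get the leading underscore
    the spec requires; '_id' is reserved and refused."""
    if "id" in extra:
        raise ValueError("'_id' is reserved by GELF and would be dropped by Graylog")
    event: Dict[str, object] = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,
    }
    for key, value in extra.items():
        event["_" + key] = value
    # JSON text never contains a raw NUL byte, so the delimiter cannot collide with the payload.
    return json.dumps(event).encode("utf-8") + b"\x00"


def parse_gelf_stream(data: bytes) -> List[dict]:
    """Split a received byte stream on the null delimiter and decode each complete frame
    (the same job the input's framing decoder does)."""
    return [json.loads(frame) for frame in data.split(b"\x00") if frame]


def send_gelf(host: str, port: int, frames: List[bytes]) -> None:
    """Deliver pre-built frames over one TCP connection, like an application log appender would."""
    with socket.create_connection((host, port), timeout=5) as sock:
        for frame in frames:
            sock.sendall(frame)


def start_capture_server(received: List[dict], expected_frames: int) -> Tuple[threading.Thread, int]:
    """Constructed stand-in for the Graylog input: a localhost listener on an ephemeral port
    that reads until it has expected_frames null-terminated frames, then parses them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while buf.count(b"\x00") < expected_frames:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        srv.close()
        received.extend(parse_gelf_stream(buf))

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread, port


def roundtrip_demo() -> List[dict]:
    """Send two constructed events to the local stand-in and return what it parsed."""
    received: List[dict] = []
    thread, port = start_capture_server(received, expected_frames=2)
    frames = [
        build_gelf_message("app-01", "user login ok", user="alice", src_ip="10.0.0.5"),
        build_gelf_message("app-01", "disk usage high", level=LEVEL_WARNING, mount="/var", pct=91),
    ]
    send_gelf("127.0.0.1", port, frames)  # use 192.168.1.51, 12201 for the real input
    thread.join(timeout=5)
    return received


if __name__ == "__main__":
    for event in roundtrip_demo():
        print(event)
```

Because the input above has tls_enable set to false, everything this client sends crosses the network in cleartext, including whatever the application puts in its log lines; on anything but an isolated segment, enable TLS on the input and on the appender.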
Step 3: configure a Beats input
# curl -X POST -H "Content-Type: application/json" -H "X-Requested-By: cli" -u admin:password \
http://192.168.1.51:9000/api/system/inputs \
-d '{
"title": "Beats-5044",
"type": "org.graylog.plugins.beats.BeatsInput",
"configuration": {
"bind_address": "0.0.0.0",
"port": 5044,
"recv_buffer_size": 1048576,
"tcp_keepalive": true,
"number_worker_threads": 4,
"tls_enable": false
},
"global": true
}'
# Filebeat configuration example
# vi /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/messages
output.logstash:
  hosts: ["192.168.1.51:5044"]
7. Production best practices
Deploying Graylog in production requires high availability, performance tuning and security hardening.
High-availability deployment
# vi /etc/graylog/server/server.conf
# Node 1
is_master = true
node_id = node-1
http_bind_address = 192.168.1.51:9000
# Node 2
is_master = false
node_id = node-2
http_bind_address = 192.168.1.52:9000
# Node 3
is_master = false
node_id = node-3
http_bind_address = 192.168.1.53:9000
# Elasticsearch cluster (all nodes)
elasticsearch_hosts = http://192.168.1.51:9200,http://192.168.1.52:9200,http://192.168.1.53:9200
# MongoDB replica set (all nodes)
mongodb_uri = mongodb://192.168.1.51:27017,192.168.1.52:27017,192.168.1.53:27017/graylog?replicaSet=graylog-rs
Performance tuning
# vi /etc/graylog/server/server.conf
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# Processing threads
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
# Index performance
elasticsearch_index_optimization_jobs = 20
elasticsearch_index_optimization_disabled = false
elasticsearch_disable_index_optimization = false
Security hardening
# vi /etc/graylog/server/server.conf
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/certificates/graylog.crt
http_tls_key_file = /etc/graylog/server/certificates/graylog.key
# Access control
# Create a read-only user role
# Web UI -> System -> Users -> Create User
# Role: Reader
# API access control
rest_enable_cors = false
rest_transport_uri = http://127.0.0.1:9000/api/
# Audit log
auditlog_enabled = true
auditlog_index_prefix = graylog_audit
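As an added example (my own code, not part of the tutorial), a small auditor that parses a server.conf and reports the settings this section tightens, plus the development-style values left behind by sections 4 and 5: TLS off on the HTTP interface, CORS on, a bind address of 0.0.0.0, plain-http Elasticsearch hosts, zero replicas, a MongoDB URI without credentials, a placeholder SMTP password, a root_password_sha2 that is not a 64-character hex digest, and an audit log that is not enabled. The two embedded configurations are constructed from the tutorial's own values: one before hardening and one after.

```python
import re
from typing import Dict, List

# Constructed sample: the tutorial's values as they stand before the hardening section.
SAMPLE_CONF = """
is_master = true
password_secret = aB1cD2eF3gH4iJ5k
root_password_sha2 = 5e884898da28047d9f5dcb6c05e224a1a177e1d7c7e9c7d5b6a4c3b2a1d0e9f8c7b6a5d4e3f2c1b0a9d8e7c6b5
http_bind_address = 0.0.0.0:9000
http_enable_cors = true
elasticsearch_hosts = http://192.168.1.51:9200
elasticsearch_replicas = 0
mongodb_uri = mongodb://localhost/graylog
transport_email_auth_password = your_password
"""

# Constructed sample: the same file after hardening (PLACEHOLDER_* values are placeholders).
HARDENED_CONF = """
password_secret = aB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3aB4cD5eF6gH7iJ8kL9mN0oP1qR2sT3uV4wX5yZ6
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
http_bind_address = 192.168.1.51:9000
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/certificates/graylog.crt
http_tls_key_file = /etc/graylog/server/certificates/graylog.key
http_enable_cors = false
elasticsearch_hosts = https://192.168.1.51:9200,https://192.168.1.52:9200
elasticsearch_replicas = 1
mongodb_uri = mongodb://graylog:PLACEHOLDER_PASSWORD@192.168.1.51:27017/graylog?replicaSet=graylog-rs
transport_email_auth_password = PLACEHOLDER_SMTP_PASSWORD
auditlog_enabled = true
"""

WEAK_PASSWORDS = {"", "your_password", "password", "changeme", "secret"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the 'key = value' format of server.conf; '#' comment lines and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_server_conf(conf: Dict[str, str]) -> List[str]:
    """Return one finding per weak or inconsistent setting; an empty list means nothing was flagged."""
    def is_true(key: str) -> bool:
        return conf.get(key, "false").lower() == "true"

    findings: List[str] = []
    if not is_true("http_enable_tls"):
        findings.append("http_enable_tls: web UI and API credentials travel in cleartext")
    elif not (conf.get("http_tls_cert_file") and conf.get("http_tls_key_file")):
        findings.append("http_enable_tls: certificate or key file path is missing")
    if is_true("http_enable_cors") or is_true("rest_enable_cors"):
        findings.append("http_enable_cors: API is reachable cross-origin from any site")
    if conf.get("http_bind_address", "").startswith("0.0.0.0"):
        findings.append("http_bind_address: listening on all interfaces; bind to the management address")
    if len(conf.get("password_secret", "")) < 16:
        findings.append("password_secret: shorter than the 16-character minimum")
    if not re.fullmatch(r"[0-9a-f]{64}", conf.get("root_password_sha2", "")):
        findings.append("root_password_sha2: not a 64-hex-character SHA-256 digest, root login will fail")
    hosts = [h.strip() for h in conf.get("elasticsearch_hosts", "").split(",") if h.strip()]
    if any(h.startswith("http://") for h in hosts):
        findings.append("elasticsearch_hosts: plain http, indexed log data is unencrypted in transit")
    if conf.get("elasticsearch_replicas", "0") == "0":
        findings.append("elasticsearch_replicas: 0 replicas, losing one data node loses indices")
    if "@" not in conf.get("mongodb_uri", ""):
        findings.append("mongodb_uri: no credentials, MongoDB access control is not in use")
    if conf.get("transport_email_auth_password", "").lower() in WEAK_PASSWORDS:
        findings.append("transport_email_auth_password: placeholder or default value")
    if not is_true("auditlog_enabled"):
        findings.append("auditlog_enabled: no audit trail of user actions and configuration changes")
    return findings


if __name__ == "__main__":
    for label, text in (("before hardening", SAMPLE_CONF), ("after hardening", HARDENED_CONF)):
        print(f"{label}: {len(audit_server_conf(parse_conf(text)))} finding(s)")
        for finding in audit_server_conf(parse_conf(text)):
            print("  -", finding)
```

Run it against /etc/graylog/server/server.conf on each node before going live; the checks go beyond this section to cover the earlier installation settings as well, which is where most of the findings come from in practice.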
This article was compiled and published by 风哥教程 for learning and testing purposes only; when reproducing it, cite the source: http://www.fgedu.net.cn/10327.html
