1. Graylog overview and environment planning
Graylog is an open-source log management and analysis platform for collecting, indexing and analysing log data. It accepts logs through many input types and provides rich search and analysis features.
1.1 Graylog version
The current major release line is Graylog 4.x; this tutorial uses Graylog 4.3.9. Compared with earlier releases, 4.x improves performance and stability and adds more log-processing features.
$ rpm -qa | grep graylog
graylog-server-4.3.9-1.noarch
# Check the OS version
$ cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
$ uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
# Check the Java version
$ java -version
openjdk version "11.0.18" 2023-01-17
OpenJDK Runtime Environment (build 11.0.18+10-post-Oracle-10513082)
OpenJDK 64-Bit Server VM (build 11.0.18+10-post-Oracle-10513082, mixed mode, sharing)
1.2 Environment plan
The installation environment used in this tutorial:
graylog01.fgedu.net.cn (192.168.1.103) - Graylog primary server
graylog02.fgedu.net.cn (192.168.1.104) - Graylog secondary server
Graylog version: 4.3.9
Search backend (message storage): Elasticsearch 7.17.6
Configuration store: MongoDB 4.4.15 (MongoDB holds Graylog's configuration, users, streams and similar metadata; it is not a message queue and does not store log messages)
Installation method: RPM packages
Note: Graylog 4.x documents support for Elasticsearch 6.8.x and 7.10.x (Elasticsearch 7.11 and later are not in the officially supported list), with OpenSearch 1.x added in 4.3. Elasticsearch 7.17.6 is what this page uses, so check the compatibility matrix for your Graylog release before relying on it in production.
2. Hardware requirements
Graylog's hardware needs depend on log volume and query load; the figures below are the sizing used in this tutorial.
2.1 Physical host requirements
# Graylog server
- CPU: at least 8 cores
- Memory: at least 32 GB
- Disk: 120 GB SSD system disk + 1 TB SSD data disk
# Elasticsearch server
- CPU: at least 16 cores
- Memory: at least 64 GB
- Disk: 120 GB SSD system disk + 2 TB SSD data disk
# MongoDB server
- CPU: at least 4 cores
- Memory: at least 8 GB
- Disk: 120 GB SSD system disk + 500 GB SSD data disk
# Check the Graylog server's memory
# free -h
              total        used        free      shared  buff/cache   available
Mem:            32G        8.4G         22G        512M        3.6G         23G
Swap:            8G          0B          8G
# Check disk space
# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1       120G   20G  100G  17% /
/dev/sdb1       1.0T   50G  950G   5% /data
2.2 vSphere virtual machine requirements
- Graylog server:
  - vCPU: 8
  - Memory: 32 GB
  - Disk: 120 GB SSD system disk + 1 TB SSD data disk
  - Network: VMXNET3 adapter, 10 Gbps
- Elasticsearch server:
  - vCPU: 16
  - Memory: 64 GB
  - Disk: 120 GB SSD system disk + 2 TB SSD data disk
  - Network: VMXNET3 adapter, 10 Gbps
- MongoDB server:
  - vCPU: 4
  - Memory: 8 GB
  - Disk: 120 GB SSD system disk + 500 GB SSD data disk
  - Network: VMXNET3 adapter, 10 Gbps
Resource pool settings:
- CPU reservation: Graylog server 4 GHz, Elasticsearch server 8 GHz, MongoDB server 2 GHz
- Memory reservation: Graylog server 16 GB, Elasticsearch server 32 GB, MongoDB server 4 GB
- Memory limit: Graylog server 32 GB, Elasticsearch server 64 GB, MongoDB server 8 GB
- CPU shares: Normal
- Memory shares: Normal
2.3 Cloud instance requirements
- Graylog server:
  - Instance type: ecs.g6.4xlarge or equivalent
  - vCPU: 16
  - Memory: 64 GB
  - System disk: 120 GB SSD cloud disk
  - Data disk: 1 TB SSD cloud disk
  - Network bandwidth: 10 Gbps or more
- Elasticsearch server:
  - Instance type: ecs.g6.8xlarge or equivalent
  - vCPU: 32
  - Memory: 128 GB
  - System disk: 120 GB SSD cloud disk
  - Data disk: 2 TB SSD cloud disk
  - Network bandwidth: 10 Gbps or more
- MongoDB server:
  - Instance type: ecs.g6.2xlarge or equivalent
  - vCPU: 8
  - Memory: 16 GB
  - System disk: 120 GB SSD cloud disk
  - Data disk: 500 GB SSD cloud disk
  - Network bandwidth: 10 Gbps or more
Storage:
- OSS object storage: configuration backups
- NAS file storage: shared configuration files
- Cloud disk snapshots: scheduled data backups
3. Operating system preparation
Before installing Graylog, the operating system needs some configuration and tuning.
3.1 Check the OS version
# cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="8.9"
ID="ol"
PRETTY_NAME="Oracle Linux Server 8.9"
# Check the kernel version
# uname -r
5.4.17-2136.302.7.2.el8uek.x86_64
# Check the SELinux state
# getenforce
Enforcing
# Check the firewall state
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running)
3.2 Install dependencies
# dnf install -y wget curl tar gzip java-11-openjdk-devel
# Firewall and SELinux
# This tutorial disables both to keep the lab setup simple. Do not do this on a production node:
# in this setup Graylog, Elasticsearch and MongoDB all listen on the network without authentication,
# so keep firewalld running and open only what is needed (9000/tcp for the web UI and API, the input
# ports such as 514/udp, 12201/udp and 5044/tcp, and 9200/tcp, 9300/tcp and 27017/tcp only from the
# other cluster nodes), and keep SELinux enforcing, resolving any denials from audit.log instead of
# turning it off.
# Disable the firewall (lab only)
# systemctl stop firewalld
# systemctl disable firewalld
# Disable SELinux (lab only)
# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# Create the Graylog user and a directory for local data and scripts
# (the graylog-server RPM creates the graylog system user itself; creating it first is harmless)
# useradd -r -s /bin/false graylog
# mkdir -p /data/graylog/{config,bin,data,scripts}
# chown -R graylog:graylog /data/graylog
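The firewalld configuration that replaces "disable the firewall", as an added example that is not part of the original tutorial. It assumes firewalld's active zone is the default one, that the only cluster peer is graylog02 (192.168.1.104), and that the port list is the one this tutorial uses: 9000/tcp (web UI and API), 514/udp, 12201/udp and 5044/tcp (inputs, reachable by log sources) and 9200/tcp, 9300/tcp and 27017/tcp (Elasticsearch and MongoDB, reachable only from peers). The first function prints the firewall-cmd commands so they can be reviewed before being piped to sh; the second checks the output of firewall-cmd --list-all against the same policy.

```shell
#!/bin/sh
# Added example (not from the original tutorial): scoped firewalld rules for a Graylog node.
# Assumed port policy for this tutorial's setup: public ports for the UI/API and inputs,
# peer-only ports for the backends.
PUBLIC_PORTS="9000/tcp 514/udp 12201/udp 5044/tcp"
PEER_PORTS="9200/tcp 9300/tcp 27017/tcp"

graylog_firewall_cmds() {
  # usage: graylog_firewall_cmds PEER_IP [PEER_IP ...]  -> prints the firewall-cmd commands
  for p in $PUBLIC_PORTS; do
    echo "firewall-cmd --permanent --add-port=$p"
  done
  # Backend ports get a rich rule per peer instead of a world-open port.
  for peer in "$@"; do
    for pp in $PEER_PORTS; do
      port=${pp%/*}; proto=${pp#*/}
      echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$peer\" port port=\"$port\" protocol=\"$proto\" accept'"
    done
  done
  echo "firewall-cmd --reload"
}

graylog_firewall_verify() {
  # usage: firewall-cmd --list-all | graylog_firewall_verify PEER_IP [PEER_IP ...]
  # Returns 0 when every public port is open, every peer-only port has a rich rule for
  # every peer, and no peer-only port is open to all sources; prints each problem found.
  listing=$(cat)
  ports_line=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
  rc=0
  for p in $PUBLIC_PORTS; do
    case " $ports_line " in
      *" $p "*) ;;
      *) echo "missing public port $p"; rc=1 ;;
    esac
  done
  for pp in $PEER_PORTS; do
    case " $ports_line " in
      *" $pp "*) echo "peer-only port $pp is open to all sources"; rc=1 ;;
    esac
    port=${pp%/*}; proto=${pp#*/}
    for peer in "$@"; do
      printf '%s\n' "$listing" | grep -q "source address=\"$peer\" port port=\"$port\" protocol=\"$proto\" accept" \
        || { echo "missing rich rule for $peer to $pp"; rc=1; }
    done
  done
  return $rc
}

# Review, then apply, then verify:
#   graylog_firewall_cmds 192.168.1.104
#   graylog_firewall_cmds 192.168.1.104 | sh
#   firewall-cmd --list-all | graylog_firewall_verify 192.168.1.104
```

On graylog02 the peer address is 192.168.1.103; run the same two steps there. Log sources that should not see the inputs at all can be excluded the same way, by turning the input ports into rich rules with the collectors' subnet as source.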
3.3 Install MongoDB
# vi /etc/yum.repos.d/mongodb-org-4.4.repo
[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc
# Install MongoDB
# dnf install -y mongodb-org
# Start MongoDB
# systemctl start mongod
# systemctl enable mongod
# Verify the installation
# systemctl status mongod
# mongo --eval "db.version()"
# MongoDB listens on 127.0.0.1 only by default (net.bindIp in /etc/mongod.conf) and ships with
# authentication disabled. That is acceptable for a single node where Graylog connects locally;
# the replica set in section 5.2 requires binding the cluster address, which should be combined
# with security.authorization: enabled and a firewall rule limiting 27017/tcp to the Graylog nodes.
3.4 Install Elasticsearch
# vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
# Install Elasticsearch
# dnf install -y elasticsearch-7.17.6
# Configure Elasticsearch (node.name must be unique per host: use node-2 on graylog02)
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.1.103", "192.168.1.104"]
cluster.initial_master_nodes: ["node-1"]
# network.host: 0.0.0.0 exposes an unauthenticated Elasticsearch (X-Pack security is off by
# default in 7.x) to every host that can reach port 9200, and anyone there can read, alter or
# delete every index. Bind the cluster-facing address instead (network.host: 192.168.1.103)
# and restrict 9200/tcp and 9300/tcp to the Graylog and Elasticsearch nodes with the firewall.
# Start Elasticsearch
# systemctl start elasticsearch
# systemctl enable elasticsearch
# Verify the installation
# systemctl status elasticsearch
# curl -X GET http://localhost:9200
4. Graylog installation and configuration
With the environment prepared, install Graylog.
4.1 Install Graylog
# vi /etc/yum.repos.d/graylog.repo
[graylog]
name=Graylog 4.3 repository
baseurl=https://packages.graylog2.org/repo/el/stable/4.3/
gpgcheck=1
gpgkey=https://packages.graylog2.org/repo/el/stable/4.3/RPM-GPG-KEY-graylog
enabled=1
type=rpm-md
# Install Graylog
# dnf install -y graylog-server
# Generate the credentials for server.conf
# root_password_sha2 is the SHA-256 hex digest of the root password. password_secret is a random
# string of at least 16 characters (64 or more is the usual recommendation) used to encrypt stored
# credentials; it must be identical on every node of a cluster. Use a real password rather than "admin".
# echo -n "admin" | sha256sum
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918  -
# admin_hash=$(echo -n "admin" | sha256sum | cut -d ' ' -f 1)
# Configure Graylog
# server.conf is read by Graylog, not by the shell, so a literal $admin_hash in the file is never
# expanded: paste the digest printed above, and replace your_password_secret with the generated secret.
# vi /etc/graylog/server/server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = your_password_secret
root_username = admin
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
transport_email_enabled = false
elasticsearch_hosts = http://localhost:9200
mongodb_uri = mongodb://localhost:27017/graylog
http_bind_address = 0.0.0.0:9000
# Start Graylog
# systemctl start graylog-server
# systemctl enable graylog-server
# Verify the installation
# systemctl status graylog-server
# curl http://localhost:9000
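The credential step done non-interactively, as an added example that is not part of the original tutorial: it generates password_secret, hashes the root password and rewrites the two server.conf keys, so the literal "$admin_hash" cannot end up in the file. It also serves section 5.2, where the same secret has to be copied to graylog02. Assumptions: GNU coreutils (sha256sum, base64) and a server.conf path passed as the first argument; the key names are Graylog's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate and apply Graylog root credentials.

graylog_password_hash() {
  # SHA-256 hex digest of the password, which is what root_password_sha2 expects.
  printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

graylog_gen_secret() {
  # 72 random bytes -> 96 base64 characters; Graylog requires at least 16, 64+ is recommended.
  head -c 72 /dev/urandom | base64 | tr -d '\n'
}

graylog_set_option() {
  # usage: graylog_set_option FILE KEY VALUE
  # Replaces an existing "key = ..." line (commented out or not), otherwise appends the key.
  file=$1; key=$2; value=$3
  if grep -q "^#\{0,1\}[[:space:]]*$key[[:space:]]*=" "$file"; then
    # "|" is used as the sed delimiter because base64 contains "/" but never "|" or "&".
    sed "s|^#\{0,1\}[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

graylog_apply_root_credentials() {
  # usage: graylog_apply_root_credentials FILE PASSWORD [SECRET]
  # Writes password_secret and root_password_sha2 into FILE and prints the secret so it can
  # be reused verbatim on the other cluster nodes. A SECRET argument is used as-is (second node).
  file=$1; password=$2; secret=${3:-$(graylog_gen_secret)}
  graylog_set_option "$file" password_secret "$secret"
  graylog_set_option "$file" root_password_sha2 "$(graylog_password_hash "$password")"
  chmod 640 "$file"   # the file now holds the secret; pair this with chown root:graylog
  printf '%s\n' "$secret"
}

# Usage on graylog01 (the secret is printed; keep it for graylog02):
#   graylog_apply_root_credentials /etc/graylog/server/server.conf 'S0me-Str0ng-Passw0rd'
# Usage on graylog02 with the secret from graylog01:
#   graylog_apply_root_credentials /etc/graylog/server/server.conf 'S0me-Str0ng-Passw0rd' "$SECRET"
```

Passing the password on the command line leaves it in the shell history; in practice read it with `read -rs` into a variable first. Restart graylog-server after applying.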
4.2 Access the Graylog web interface
# Open http://graylog01.fgedu.net.cn:9000 in a browser
# Log in to Graylog
# Username: admin
# Password: admin (or whichever password was hashed into root_password_sha2)
# Verify the login
# Confirm that you can log in and reach the Graylog web interface
5. Graylog configuration tuning
The following settings improve Graylog's performance and stability.
5.1 Basic tuning
# vi /etc/graylog/server/server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = your_password_secret
root_username = admin
root_password_sha2 = <the SHA-256 digest from section 4.1>
transport_email_enabled = false
elasticsearch_hosts = http://192.168.1.103:9200,http://192.168.1.104:9200
mongodb_uri = mongodb://192.168.1.103:27017,192.168.1.104:27017/graylog?replicaSet=rs0
http_bind_address = 0.0.0.0:9000
processbuffer_processors = 16
outputbuffer_processors = 8
inputbuffer_processors = 8
# The three processor settings are thread-pool sizes; the rule of thumb is that their sum should not
# exceed the CPU cores available to Graylog (8 on the server planned in section 2), so scale them to
# your host rather than copying these values. The replica-set mongodb_uri only works once the replica
# set from section 5.2 exists.
# Restart Graylog
# systemctl restart graylog-server
5.2 High availability
# MongoDB replica set: rs.initiate() fails unless replication is enabled first. On both nodes, set the
# replica-set name and bind the cluster address in /etc/mongod.conf (192.168.1.104 on graylog02), then
# restart mongod.
# vi /etc/mongod.conf
net:
  bindIp: 127.0.0.1,192.168.1.103
replication:
  replSetName: rs0
# systemctl restart mongod
# Initialise the replica set from graylog01. The mongo shell runs as root; the MongoDB RPM's service
# account is mongod and has no login shell, so "su - mongodb" does not work.
# mongo
> rs.initiate({_id: "rs0", members: [{_id: 0, host: "192.168.1.103:27017"}]})
> rs.add("192.168.1.104:27017")
> rs.status()
# Configure the Graylog cluster (graylog02)
# vi /etc/graylog/server/server.conf
is_master = false
node_id_file = /etc/graylog/server/node-id
password_secret = your_password_secret
root_username = admin
root_password_sha2 = <the SHA-256 digest from section 4.1>
transport_email_enabled = false
elasticsearch_hosts = http://192.168.1.103:9200,http://192.168.1.104:9200
mongodb_uri = mongodb://192.168.1.103:27017,192.168.1.104:27017/graylog?replicaSet=rs0
http_bind_address = 0.0.0.0:9000
# password_secret and root_password_sha2 must be identical on every node, and exactly one node has is_master = true.
# Restart Graylog
# systemctl restart graylog-server
# Verify the cluster state (the REST API requires authentication)
# curl -u admin:admin http://localhost:9000/api/system/cluster/nodes
5.3 Memory settings
# vi /etc/sysconfig/graylog-server
GRAYLOG_SERVER_JAVA_OPTS="-Xms8g -Xmx16g -XX:MaxMetaspaceSize=512m -XX:+UseG1GC -XX:MaxGCPauseMillis=200"
# In production set -Xms and -Xmx to the same value so the heap does not resize under load, and leave
# memory for the page cache (and for Elasticsearch if it shares the host).
# Restart Graylog
# systemctl restart graylog-server
6. Graylog inputs
Inputs receive log data from different sources.
6.1 Configure a Syslog input
# graylog-server runs as the unprivileged graylog user, so an input cannot bind a port below 1024 such
# as 514. Use 1514 and either point clients at it, redirect 514 to 1514 on the host (for example with
# a firewalld forward-port rule), or grant the service CAP_NET_BIND_SERVICE through a systemd drop-in.
# 1. Open "System" -> "Inputs" in the left-hand menu
# 2. Select "Syslog UDP"
# 3. Click "Launch new input"
# 4. Configure:
# - Title: Syslog UDP
# - Port: 1514
# - Bind address: 0.0.0.0
# - Max message size: 2097152
# 5. Click "Save"
# Verify the Syslog input with a well-formed RFC 3164 line (the input parses the PRI and timestamp)
# printf '<13>%s graylog01 test: hello from nc\n' "$(date '+%b %e %H:%M:%S')" | nc -w 1 -u localhost 1514
# Check the Graylog web interface and confirm the message was received
6.2 Configure a GELF input
# 1. Open "System" -> "Inputs" in the left-hand menu
# 2. Select "GELF UDP"
# 3. Click "Launch new input"
# 4. Configure:
# - Title: GELF UDP
# - Port: 12201
# - Bind address: 0.0.0.0
# - Max message size: 2097152
# 5. Click "Save"
# Verify the GELF input (version, host and short_message are mandatory; extra fields carry a "_" prefix)
# echo '{"version": "1.1", "host": "test", "short_message": "test message", "timestamp": 1385053862.3072, "level": 1, "_some_field": "foo"}' | nc -w 1 -u localhost 12201
# Check the Graylog web interface and confirm the message was received
6.3 Configure a Beats input
# 1. Open "System" -> "Inputs" in the left-hand menu
# 2. Select "Beats"
# 3. Click "Launch new input"
# 4. Configure:
# - Title: Beats
# - Port: 5044
# - Bind address: 0.0.0.0
# 5. Click "Save"
# Configure Filebeat (the Beats input speaks the Logstash protocol, hence output.logstash). This is
# plaintext TCP; on networks you do not trust, enable TLS on the input and in output.logstash.ssl.
# vi /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
output.logstash:
  hosts: ["graylog01.fgedu.net.cn:5044"]
# Start Filebeat
# systemctl start filebeat
# systemctl enable filebeat
# Verify the Beats input
# Check the Graylog web interface and confirm the logs were received
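A smoke test for the Syslog UDP and GELF UDP inputs above, as an added example that is not part of the original tutorial. It builds a correctly formed syslog line and GELF document (with the escaping the nc one-liners skip), sends them with nc, and then confirms through Graylog's search API that both arrived. Assumptions: the syslog input listens on 127.0.0.1:1514 and the GELF input on 127.0.0.1:12201, nc supports -u and -w (nmap-ncat or openbsd-netcat), API credentials are in GRAYLOG_USER and GRAYLOG_PASS, and the /api/search/universal/relative endpoint returns a total_results field as it does in Graylog 4.x. The network part runs only when GRAYLOG_SMOKE=1, so the message builders can be exercised without a running Graylog.

```shell
#!/bin/sh
# Added example (not from the original tutorial): end-to-end input smoke test.
GRAYLOG_API=${GRAYLOG_API:-http://127.0.0.1:9000/api}

json_escape() {
  # Escape backslashes and double quotes so an arbitrary string fits inside a JSON string.
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

syslog_line() {
  # usage: syslog_line HOSTNAME TAG MESSAGE
  # RFC 3164 line with PRI 13 (facility user=1, severity notice=5: 1*8+5). The timestamp format is
  # the one the Syslog UDP input parses, so the event keeps the sender's time, not the arrival time.
  printf '<13>%s %s %s: %s' "$(date '+%b %e %H:%M:%S')" "$1" "$2" "$3"
}

gelf_json() {
  # usage: gelf_json HOSTNAME SHORT_MESSAGE LEVEL [KEY=VALUE ...]
  # GELF 1.1: version, host and short_message are mandatory, level is a syslog severity, and
  # every additional field must be prefixed with "_" (Graylog rejects "_id" as a field name).
  host=$1; msg=$2; level=$3; shift 3
  extras=""
  for kv in "$@"; do
    k=${kv%%=*}; v=${kv#*=}
    extras="$extras, \"_$(json_escape "$k")\": \"$(json_escape "$v")\""
  done
  printf '{"version": "1.1", "host": "%s", "short_message": "%s", "timestamp": %s, "level": %s%s}' \
    "$(json_escape "$host")" "$(json_escape "$msg")" "$(date +%s)" "$level" "$extras"
}

graylog_count_recent() {
  # usage: graylog_count_recent QUERY SECONDS -> number of messages matching QUERY in the last SECONDS
  curl -sf -u "$GRAYLOG_USER:$GRAYLOG_PASS" -G "$GRAYLOG_API/search/universal/relative" \
    --data-urlencode "query=$1" --data-urlencode "range=$2" \
    | sed -n 's/.*"total_results" *: *\([0-9]*\).*/\1/p'
}

if [ "${GRAYLOG_SMOKE:-0}" = 1 ]; then
  marker="smoke-$(date +%s)"   # unique token so the search only counts this run's messages
  syslog_line graylog01 smoketest "$marker via syslog" | nc -u -w 1 127.0.0.1 1514
  gelf_json graylog01 "$marker via gelf" 6 test_run="$marker" | nc -u -w 1 127.0.0.1 12201
  sleep 5   # allow for the input, the journal and the Elasticsearch refresh interval
  n=$(graylog_count_recent "\"$marker\"" 60)
  echo "messages containing $marker in the last 60 s: ${n:-0} (expected 2)"
  [ "${n:-0}" -ge 2 ]
fi
```

Run it as `GRAYLOG_SMOKE=1 GRAYLOG_USER=admin GRAYLOG_PASS=... sh smoke.sh`; a non-zero exit means at least one input is not delivering messages into the default stream within a minute, which is also the check worth scheduling after each graylog-server restart.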
7. Graylog streams
Streams route messages into categories that can be searched, permissioned and alerted on separately.
7.1 Create a stream
# 1. Open "Streams" in the left-hand menu
# 2. Click "Create stream"
# 3. Configure:
# - Title: Application Logs
# - Description: Application logs stream
# 4. Click "Create stream"
# Configure the stream rules
# 1. Click the newly created stream
# 2. Click "Manage rules"
# 3. Click "Add stream rule"
# 4. Configure the rule:
# - Field: source
# - Type: match exactly
# - Value: application-server
# 5. Click "Save"
# Start the stream (a stream receives no messages until it is started)
# 1. Click "More actions"
# 2. Select "Start stream"
7.2 Alerting on a stream
# Graylog 4.x no longer has per-stream alert conditions (the legacy conditions and alarm callbacks were
# removed in 4.0); alerting is done with event definitions whose condition filters on the stream.
# 1. Open "Alerts" -> "Event Definitions" in the left-hand menu
# 2. Click "Create event definition"
# 3. Event details: Title "Application log burst", Priority "Normal"
# 4. Condition: type "Filter & Aggregation", stream "Application Logs", search within the last 1 minute,
#    execute every 1 minute, aggregation "count() > 100"
# 5. Notifications: add the notification created below and set a grace period of 5 minutes so a
#    sustained burst does not re-notify every minute
# 6. Click "Done"
# Create the notification
# 1. Open "Alerts" -> "Notifications"
# 2. Click "Create notification"
# 3. Select the notification type (Email, HTTP, or a type supplied by an installed plugin)
# 4. Configure the notification parameters
# 5. Click "Create"
8. Graylog alerts
Alerts watch the log data and send notifications when a condition is met. In 4.x this is the event system used in section 7.2; the steps below cover the general case rather than a single stream.
8.1 Configure an event definition
# 1. Open "Alerts" -> "Event Definitions" in the left-hand menu
# 2. Click "Create event definition"
# 3. Choose the condition type:
# - Filter & Aggregation: a search query (for example level:3 AND source:application-server) over one or
#   more streams, optionally aggregated (count, sum, avg, ... grouped by a field) with a threshold; this
#   covers the former "message count", "field content" and "field value" conditions
# - Correlation (Graylog Enterprise only)
# 4. Set the search window, execution interval and, for aggregations, the threshold
# 5. Click "Done"
# Configure the notifications
# 1. Open "Alerts" -> "Notifications"
# 2. Click "Create notification"
# 3. Select the notification type:
# - Email
# - HTTP
# - Slack
# - PagerDuty
# (availability of the last two depends on the integrations plugin installed with your package)
# 4. Configure the notification parameters; for HTTP targets prefer HTTPS, since the payload contains message content
# 5. Click "Create"
8.2 Alert dashboards
# 1. Open "Dashboards" in the left-hand menu
# 2. Click "Create new dashboard"
# 3. Enter the dashboard title
# 4. Click "Create"
# Add widgets
# 1. Click "Create" and choose the widget type (for example an aggregation over the alert stream or a message table)
# 2. Configure the widget: query, stream, time range and visualisation
# 3. Apply the changes
# Save the dashboard
# 1. Click "Save"
# 2. Enter the dashboard title
# 3. Click "Save"
9. Graylog security settings
Graylog provides authentication, authorisation and TLS encryption.
9.1 Authentication
# The root account defined in server.conf is a break-glass account: it cannot be edited or disabled
# from the web interface, its password is only changed by replacing root_password_sha2, and its use is
# not attributable to a person. Use it to create named users with roles (section 9.3) and for nothing
# else. Because server.conf holds password_secret, keep it owned by root:graylog with mode 0640.
# vi /etc/graylog/server/server.conf
root_username = admin
root_password_sha2 = <the SHA-256 digest from section 4.1>
password_secret = your_password_secret
# Restart Graylog
# systemctl restart graylog-server
# Open http://graylog01.fgedu.net.cn:9000 in a browser
# Enter the username and password
9.2 TLS
# Generate a self-signed certificate (lab use; in production use a certificate issued by your CA).
# The subject and subjectAltName must match the name users type into the browser, and the key file
# must be readable by the graylog user, otherwise the server fails to start with TLS enabled.
# openssl req -newkey rsa:2048 -nodes -keyout /etc/graylog/server/key.pem -x509 -days 365 -out /etc/graylog/server/cert.pem -subj "/CN=graylog01.fgedu.net.cn" -addext "subjectAltName=DNS:graylog01.fgedu.net.cn,IP:192.168.1.103"
# chown root:graylog /etc/graylog/server/key.pem /etc/graylog/server/cert.pem
# chmod 640 /etc/graylog/server/key.pem
# Graylog expects the private key in PKCS#8 format, which is what openssl req -nodes writes (the file
# starts with "-----BEGIN PRIVATE KEY-----"); a key starting "-----BEGIN RSA PRIVATE KEY-----" must be
# converted with openssl pkcs8 -topk8 -nocrypt first.
# Edit the Graylog configuration
# vi /etc/graylog/server/server.conf
http_bind_address = 0.0.0.0:9000
http_enable_tls = true
http_tls_cert_file = /etc/graylog/server/cert.pem
http_tls_key_file = /etc/graylog/server/key.pem
# Restart Graylog
# systemctl restart graylog-server
# Open https://graylog01.fgedu.net.cn:9000 in a browser (the self-signed certificate must be trusted there first)
9.3 Roles and permissions
# Create a role
# 1. Open "System" -> "Roles" in the left-hand menu
# 2. Click "Create role"
# 3. Set the role name and its permissions. Grant read access to specific streams and dashboards rather
#    than the built-in Admin role; Reader plus stream-level read permissions covers most analysts.
# 4. Click "Save"
# Create a user
# 1. Open "System" -> "Users and Teams" in the left-hand menu
# 2. Click "Create user"
# 3. Fill in the user details and assign the role
# 4. Click "Create user"
10. Graylog performance tuning
In production, tune Graylog to increase log-processing throughput.
10.1 Memory
# vi /etc/sysconfig/graylog-server
GRAYLOG_SERVER_JAVA_OPTS="-Xms16g -Xmx16g -XX:MaxMetaspaceSize=1024m -XX:+UseG1GC -XX:MaxGCPauseMillis=100 -XX:ParallelGCThreads=8 -XX:ConcGCThreads=4"
# Size the heap from the host: on the 32 GB Graylog server planned in section 2, 16 GB is the upper
# bound, and a -Xmx of 32 GB would let the JVM claim the whole machine. Keep -Xms equal to -Xmx.
# Restart Graylog
# systemctl restart graylog-server
10.2 Elasticsearch
# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.1.103", "192.168.1.104"]
cluster.initial_master_nodes: ["node-1"]
# Heap: put overrides in jvm.options.d rather than editing jvm.options, which package upgrades replace.
# Use at most half of the host's RAM and stay below the compressed-oops threshold (Elastic documents
# 26 GB as safe on most systems and up to about 30 GB on some), so -Xms32g/-Xmx32g is the wrong value
# even on the 64 GB Elasticsearch server. The bundled JDK already uses G1; leave the GC flags alone.
# vi /etc/elasticsearch/jvm.options.d/heap.options
-Xms26g
-Xmx26g
# Restart Elasticsearch
# systemctl restart elasticsearch
10.3 Input processing
# vi /etc/graylog/server/server.conf
processbuffer_processors = 32
outputbuffer_processors = 16
inputbuffer_processors = 16
inputbuffer_ring_size = 65536
outputbuffer_ring_size = 65536
# These processor counts assume a 64-core host; threads beyond the core count only add context
# switching, so on the 8-core server from section 2 keep the sum around 8 (for example 5/2/1).
# Ring sizes must be powers of two.
# Restart Graylog
# systemctl restart graylog-server
11. Upgrading and migrating Graylog
This section covers version upgrades and data migration.
11.1 Upgrading Graylog
# Back up the configuration (and MongoDB, section 12.1) before upgrading, and read the release notes for
# the target version: patch releases within 4.3 are drop-in, but moving to a new minor or major line may
# need a different repository package and can change configuration keys.
# mkdir -p /backup && cp -r /etc/graylog /backup/graylog-config-$(date +%Y%m%d)
# Stop Graylog
# systemctl stop graylog-server
# Upgrade Graylog
# dnf update -y graylog-server
# Start Graylog
# systemctl start graylog-server
# Verify the upgrade
# rpm -qa | grep graylog
graylog-server-4.3.10-1.noarch
# Open http://graylog01.fgedu.net.cn:9000 in a browser; "System" -> "Overview" shows the running version
11.2 Migrating Graylog data
# Dump MongoDB (run as root; the mongod service account has no shell)
# mongodump --db graylog --out /backup/graylog-mongo-$(date +%Y%m%d)
# Snapshot Elasticsearch. The repository location must first be whitelisted with path.repo in
# elasticsearch.yml on every node, the repository is registered once with PUT, and each snapshot needs
# a unique name (a $(date ...) inside single quotes, as in the original command, is never expanded).
# curl -X PUT "http://localhost:9200/_snapshot/graylog_snapshot" -H "Content-Type: application/json" -d '{"type": "fs", "settings": {"location": "/backup/graylog-es", "compress": true}}'
# curl -X PUT "http://localhost:9200/_snapshot/graylog_snapshot/snapshot-$(date +%Y%m%d)?wait_for_completion=true"
# Restore on the new server (the repository directory must be reachable there, for example on shared storage)
# mongorestore --db graylog /backup/graylog-mongo-20230405
# curl -X PUT "http://localhost:9200/_snapshot/graylog_snapshot" -H "Content-Type: application/json" -d '{"type": "fs", "settings": {"location": "/backup/graylog-es", "compress": true}}'
# curl -X POST "http://localhost:9200/_snapshot/graylog_snapshot/snapshot-20230405/_restore?wait_for_completion=true"
# Install Graylog
# Repeat the installation steps from section 4, reusing the original password_secret; with a different
# secret the credentials stored in MongoDB can no longer be decrypted.
# Start Graylog
# systemctl start graylog-server
# Verify the migration
# curl http://localhost:9000
12. Backup and restore
This section covers backing up and restoring Graylog.
12.1 Backing up Graylog
# Prerequisites: path.repo: ["/backup/graylog"] in elasticsearch.yml on every Elasticsearch node, and the
# snapshot repository registered once:
# curl -X PUT "http://localhost:9200/_snapshot/graylog_snapshot" -H "Content-Type: application/json" -d '{"type": "fs", "settings": {"location": "/backup/graylog/es", "compress": true}}'
# vi /data/graylog/scripts/backup.sh
#!/bin/bash
set -euo pipefail
BACKUP_DIR="/backup/graylog"
DATE=$(date +%Y%m%d)
ES_URL="http://localhost:9200"

# Create the backup directory
mkdir -p "$BACKUP_DIR"
# Configuration files (they contain password_secret and the TLS key: keep the copy root-only)
cp -r /etc/graylog "$BACKUP_DIR/config-$DATE"
chmod -R go-rwx "$BACKUP_DIR/config-$DATE"
# MongoDB: mongodump takes a consistent online dump, so Graylog keeps running and no inbound
# logs are dropped (stopping graylog-server for the backup would discard UDP syslog during the window)
mongodump --quiet --db graylog --out "$BACKUP_DIR/mongo-$DATE"
# Elasticsearch: one snapshot per day into the registered repository; snapshot names must be unique
curl -sf -X PUT "$ES_URL/_snapshot/graylog_snapshot/snapshot-$DATE?wait_for_completion=true" > /dev/null
# Remove backups older than 7 days. Only the dated subdirectories are matched: without -mindepth the
# original find would match $BACKUP_DIR itself once it was older than 7 days and delete every backup.
find "$BACKUP_DIR" -mindepth 1 -maxdepth 1 -type d \( -name 'config-*' -o -name 'mongo-*' \) -mtime +7 -exec rm -rf {} +
# Old Elasticsearch snapshots are removed through the API, for example:
#   curl -X DELETE "$ES_URL/_snapshot/graylog_snapshot/snapshot-20230329"
# Make the script executable (root only, since it handles the secrets)
# chmod 700 /data/graylog/scripts/backup.sh
# Schedule it
# crontab -e
0 0 * * * /data/graylog/scripts/backup.sh >> /var/log/graylog_backup.log 2>&1
12.2 Restoring Graylog
# systemctl stop graylog-server
# Remove the existing data (destructive: this drops Graylog's configuration database and every index in the cluster)
# mongo graylog --eval 'db.dropDatabase()'
# curl -X DELETE "http://localhost:9200/*"
# Restore the data (the snapshot repository must already be registered as in section 12.1)
# mongorestore --db graylog /backup/graylog/mongo-20230405
# curl -X POST "http://localhost:9200/_snapshot/graylog_snapshot/snapshot-20230405/_restore?wait_for_completion=true"
# Restore the configuration files (password_secret must be the one in use when the MongoDB dump was taken)
# cp -r /backup/graylog/config-20230405/* /etc/graylog/
# Start Graylog
# systemctl start graylog-server
# Verify the restore
# systemctl status graylog-server
# curl http://localhost:9000
12.3 Monitoring script
# vi /data/graylog/scripts/monitor.sh
#!/bin/bash
LOG_FILE="/var/log/graylog_monitor.log"
ALERT_EMAIL="admin@fgedu.net.cn"

log() { echo "$(date '+%F %T'): $*" >> "$LOG_FILE"; }
alert() { log "$1"; echo "$1" | mail -s "Graylog Alert: $(hostname -s)" "$ALERT_EMAIL"; }

check_service() {
  # usage: check_service UNIT
  # systemctl is-active is the reliable test; grepping "systemctl status" output breaks on
  # localisation and formatting changes
  local unit=$1
  if systemctl is-active --quiet "$unit"; then
    log "$unit is running"
  else
    alert "$unit is not running on $(hostname -s); attempting restart"
    systemctl start "$unit"
  fi
}

check_graylog_api() {
  # The process can be up while the API is wedged; /api/system/lbstatus needs no credentials and returns ALIVE
  local body
  body=$(curl -sf http://localhost:9000/api/system/lbstatus)
  if [ "$body" = "ALIVE" ]; then
    log "Graylog API: OK"
  else
    alert "Graylog API check failed (${body:-no response})"
  fi
}

check_elasticsearch_status() {
  # Check cluster health rather than a bare 200 on /: a red cluster answers on the port but cannot index
  local health
  health=$(curl -sf http://localhost:9200/_cluster/health | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p')
  case "$health" in
    green|yellow) log "Elasticsearch: OK ($health)" ;;
    *) alert "Elasticsearch health check failed (status: ${health:-unreachable})" ;;
  esac
}

main() {
  check_service graylog-server
  check_graylog_api
  check_elasticsearch_status
  check_service mongod
}
main
# Make the script executable
# chmod 700 /data/graylog/scripts/monitor.sh
# Schedule it
# crontab -e
*/15 * * * * /data/graylog/scripts/monitor.sh
This completes the installation and configuration, performance tuning, upgrade and migration, and backup and restore of Graylog. As an open-source log management platform, Graylog collects, indexes and analyses log data efficiently and is a key tool for enterprise log management.
Compiled and published by the Fengge (风哥) tutorials site for learning and testing purposes; when reproducing, credit the source: http://www.fgedu.net.cn/10327.html
