Graylog setup and configuration (CentOS 7)
I. Basic environment
1. A JDK is required:
[root@iz2zee3zwuvnmai605c99vz ~]# java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)
If it is missing it has to be installed; here I install it with yum:
[root@iz2zee3zwuvnmai605c99vz ~]# yum list java* ### list the available Java packages
[root@cotroller ~]# yum -y install java-1.8.0* ### install Java 1.8
[root@cotroller ~]# java -version ### check the Java version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)
2. If you want to use pwgen later, install EPEL on the system and then the package:
[root@cotroller ~]# yum install epel-release
[root@cotroller ~]# yum install pwgen
II. Install the three services Graylog needs
1. Install MongoDB:
[root@cotroller ~]# vim /etc/yum.repos.d/mongodb-org-3.6.repo ### add the MongoDB yum repository
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
[root@cotroller ~]# yum install -y mongodb-org ### install the latest MongoDB
[root@cotroller ~]# chkconfig --add mongod ### register it as a system service
[root@cotroller ~]# systemctl daemon-reload ### reload systemd so it picks up new or changed units
[root@cotroller ~]# systemctl enable mongod.service ### start the service at boot
[root@cotroller ~]# systemctl start mongod.service ### start the service
[root@cotroller ~]# netstat -utpln |grep 27017 ### check that the service port is listening
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2095/mongod
2. Install Elasticsearch:
Note: Graylog 2.4.x should be used with Elasticsearch 5.x
[root@cotroller ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch ### first import the Elastic GPG key
[root@cotroller ~]# vim /etc/yum.repos.d/elasticsearch.repo ### add the Elasticsearch yum repository
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[root@cotroller ~]# yum install elasticsearch ### install the latest Elasticsearch 5.x
[root@cotroller ~]# vim /etc/elasticsearch/elasticsearch.yml ### set the cluster name to graylog
cluster.name: graylog # change this on line 17
[root@cotroller ~]# chkconfig --add elasticsearch ### register it as a system service
[root@cotroller ~]# systemctl daemon-reload ### reload systemd so it picks up new or changed units
[root@cotroller ~]# systemctl enable elasticsearch.service ### start the service at boot
[root@cotroller ~]# systemctl start elasticsearch.service ### start the service
[root@cotroller ~]# netstat -utpln ### check that the ES ports 9200 and 9300 are listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9200 0.0.0.0:* LISTEN 2237/java
tcp 0 0 127.0.0.1:9300 0.0.0.0:* LISTEN 2237/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1033/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1517/master
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2095/mongod
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1562/mysqld
udp 0 0 0.0.0.0:68 0.0.0.0:* 1695/dhclient
udp 0 0 0.0.0.0:37164 0.0.0.0:* 1695/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 781/chronyd
[root@cotroller ~]# curl 127.0.0.1:9200 # test the ES node
{
"name" : "LLmDcwG",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "wKL4z-rZTGuauYctS-FX1A",
"version" : {
"number" : "5.6.10",
"build_hash" : "b727a60",
"build_date" : "2018-06-06T15:48:34.860Z",
"build_snapshot" : false,
"lucene_version" : "6.6.1"
},
"tagline" : "You Know, for Search"
}
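The netstat checks above only grep for a port number. An added script (mine, not part of the original post) that turns the same output into two answers a reviewer wants: which of the ports this stack needs are not listening yet, and which listeners are bound to every interface (0.0.0.0 or ::) rather than loopback. On a log server only the Graylog inputs should normally be reachable from other hosts; MongoDB and Elasticsearch stay on 127.0.0.1, as they do above. SAMPLE_NETSTAT is the post's own netstat output embedded as a constant so the script runs offline; for a live check replace it with the output of netstat -utpln. Note that the curl output above still reports cluster_name "elasticsearch", so the cluster.name edit had not taken effect yet when it was run; Graylog expects "graylog".

```shell
# Added example, not from the original post: inspect "netstat -utpln" output.
# SAMPLE_NETSTAT is the post's own output, embedded as a constructed constant.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9200 0.0.0.0:* LISTEN 2237/java
tcp 0 0 127.0.0.1:9300 0.0.0.0:* LISTEN 2237/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1033/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1517/master
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 2095/mongod
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1562/mysqld
udp 0 0 0.0.0.0:68 0.0.0.0:* 1695/dhclient'

# tcp_listeners <netstat-output>: one "bindaddr port program" line per TCP LISTEN socket.
# Only TCP is considered; the udp lines have no State column.
tcp_listeners() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)   # strip ":port" to get the bind address
        port = $4; sub(/.*:/, "", port)        # keep only the port after the last colon
        print addr, port, $7
    }'
}

# missing_ports <netstat-output> <port>...: prints each required port that has no TCP listener.
missing_ports() {
    out=$1; shift
    for p in "$@"; do
        tcp_listeners "$out" | awk -v p="$p" '$2 == p { hit = 1 } END { if (hit) exit 0; exit 1 }' \
            || printf '%s\n' "$p"
    done
}

# wildcard_listeners <netstat-output>: prints "port program" for sockets reachable
# from any interface; each one should be a service the host is meant to expose.
wildcard_listeners() {
    tcp_listeners "$1" | awk '$1 == "0.0.0.0" || $1 == "::" { print $2, $3 }'
}

# Demo on the sample: 27017/9200/9300 are up, 9000 (graylog-server, not yet
# installed at this point in the post) is missing, and sshd plus mysqld are
# exposed on all interfaces.
echo "Required ports not listening:"
missing_ports "$SAMPLE_NETSTAT" 27017 9200 9300 9000
echo "Listeners bound to all interfaces:"
wildcard_listeners "$SAMPLE_NETSTAT"
```

In the sample, mysqld on 0.0.0.0:3306 is unrelated to Graylog and is the kind of listener this check is meant to surface; whether it belongs on this host is a question for whoever runs it.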
3. Install Graylog:
[root@cotroller ~]# rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm
[root@cotroller ~]# yum install graylog-server ### install graylog
[root@cotroller ~]# vim /etc/graylog/server/server.conf ### edit the configuration file
password_secret = LEetJba3xNy0TGMbqf1Hwxg26H9dZTb4tLlJ6l9T9t9aejiatr5MSlLmlPJq0UMS4gvDKDxLQIEW0yOU4W521hMYPWPrgNkd
### [root@cotroller ~]# pwgen -N 1 -s 96 ### generate the password_secret value with pwgen
LEetJba3xNy0TGMbqf1Hwxg26H9dZTb4tLlJ6l9T9t9aejiatr5MSlLmlPJq0UMS4gvDKDxLQIEW0yOU4W521hMYPWPrgNkd
root_password_sha2 = 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
### [root@cotroller ~]# echo -n 123456 | sha256sum ### generate the login password hash
8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
rest_listen_uri = http://127.0.0.1:9000/api/ # must specify the host's own IP, not 127.0.0.1, otherwise it cannot be reached from outside
web_listen_uri = http://127.0.0.1:9000/ # must specify the host's own IP, not 127.0.0.1, otherwise it cannot be reached from outside
[root@cotroller ~]# chkconfig --add graylog-server
[root@cotroller ~]# systemctl daemon-reload
[root@cotroller ~]# systemctl enable graylog-server.service
[root@cotroller ~]# systemctl start graylog-server.service
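The two secrets above were generated by hand and pasted in. An added script (mine, not the post's or Graylog's own tooling) that produces them and writes them into a copy of server.conf in one go, so the values never pass through a shell history or clipboard. pwgen may not be installed, so password_secret is drawn from /dev/urandom with the same shape as "pwgen -N 1 -s 96"; root_password_sha2 is computed exactly as the post does (no trailing newline in the input). The template file is a constructed minimal stand-in for /etc/graylog/server/server.conf. On the listen URIs: the comment in the post applies when clients talk to port 9000 directly; with nginx proxying to 127.0.0.1:9000 on the same machine, as in section III, leaving them on 127.0.0.1 is the tighter choice, so the script takes the host as a parameter.

```shell
# Added example, not from the original post: generate and apply the server.conf secrets.

# 96 random alphanumeric characters, the same shape as "pwgen -N 1 -s 96".
gen_password_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 96
}

# SHA-256 of the admin password with no trailing newline. The "-n" in the post's
# "echo -n" matters: hashing "123456\n" gives a digest that never matches the login.
sha256_of() {
    printf '%s' "$1" | sha256sum | awk '{ print $1 }'
}

# render_server_conf <template-file> <password_secret> <root_password_sha2> <listen-host>
# Rewrites only the four settings the post edits; every other line is passed through.
render_server_conf() {
    sed -e "s|^password_secret *=.*|password_secret = $2|" \
        -e "s|^root_password_sha2 *=.*|root_password_sha2 = $3|" \
        -e "s|^rest_listen_uri *=.*|rest_listen_uri = http://$4:9000/api/|" \
        -e "s|^web_listen_uri *=.*|web_listen_uri = http://$4:9000/|" "$1"
}

# Demo on a constructed minimal template (a real run would use
# /etc/graylog/server/server.conf and write the result back with a 0600 mode).
TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
is_master = true
password_secret =
root_password_sha2 =
rest_listen_uri = http://127.0.0.1:9000/api/
web_listen_uri = http://127.0.0.1:9000/
EOF
SECRET=$(gen_password_secret)
render_server_conf "$TEMPLATE" "$SECRET" "$(sha256_of 123456)" 127.0.0.1
rm -f "$TEMPLATE"
```

123456 is kept here only because it is the password the post uses; the hash line is the place to substitute a real admin password.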
III. Configure the nginx proxy
Add a server block:
server
{
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name graylog.example.org;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/api;
        proxy_pass http://127.0.0.1:9000;
    }
}
If accessing it gives an error that 12201 cannot be found, add a proxy location to nginx:
    location /api {
        proxy_pass http://192.168.1.83:12201/api;
    }
IV. Restart the services and test access
[root@cotroller conf.d]# nginx -s stop
[root@cotroller conf.d]# nginx
[root@cotroller conf.d]# /etc/init.d/graylog-server restart
V. Access test: capturing HTTP
Default account: admin
Password: 123456
Log in and add an HTTP input.
Push a message:
curl -XPOST http://graylog-address:12202/gelf -p0 -d '{"short_message":"这是一条消息", "host":"172.3.3.3", "facility":"test", "_foo":"bar"}'
Verify in Graylog:
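The curl line above hand-writes the JSON, which breaks as soon as a message contains a quote or a newline. An added pair of shell functions (mine, not from the post or from Graylog) that build a GELF 1.1 payload with the escaping done properly and post it to the HTTP input with an explicit Content-Type header. Custom fields get the "_" prefix GELF requires for additional fields. GRAYLOG_HOST and GELF_PORT are constructed sample values (the post shows both 12201 and 12202 for the input); the send step only runs when GRAYLOG_HOST is set, so the script is safe to execute offline.

```shell
# Added example, not from the original post: build and send a GELF 1.1 message.

# json_escape <text>: escape backslashes, double quotes and newlines for use
# inside a JSON string. Other control characters are not handled.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'BEGIN { ORS = "" } { if (NR > 1) printf "\\n"; print }'
}

# gelf_message <host> <short_message> [key=value ...]
# Extra pairs become additional fields; GELF 1.1 requires those to start with "_".
# "level":6 is syslog informational.
gelf_message() {
    host=$1; msg=$2; shift 2
    extra=""
    for kv in "$@"; do
        k=${kv%%=*}; v=${kv#*=}
        case $k in _*) ;; *) k="_$k" ;; esac
        extra="$extra,\"$(json_escape "$k")\":\"$(json_escape "$v")\""
    done
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":6%s}\n' \
        "$(json_escape "$host")" "$(json_escape "$msg")" "$extra"
}

# gelf_send <graylog-host> <port> <json>: POST the payload to the GELF HTTP input.
gelf_send() {
    curl -sS -XPOST "http://$1:$2/gelf" -H 'Content-Type: application/json' -d "$3"
}

# Demo: the post's message with a quote in it, which the hand-written curl could not carry.
PAYLOAD=$(gelf_message 172.3.3.3 'this is a "quoted" message' foo=bar facility=test)
echo "$PAYLOAD"

# Constructed sample values; export GRAYLOG_HOST to actually send.
GELF_PORT=${GELF_PORT:-12201}
if [ -n "${GRAYLOG_HOST:-}" ]; then
    gelf_send "$GRAYLOG_HOST" "$GELF_PORT" "$PAYLOAD"
fi
```

After sending, the message should show up in the web interface search with the _foo and _facility fields attached, which is the check the post's last step refers to.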