File name: graylog2 usage notes (docker)
File size: 673KB
File format: PDF
Updated: 2021-08-13 03:54:23
## What is Graylog
Graylog is an easy-to-use, fairly comprehensive log management tool. Compared with the ELK stack, its advantages are:
- Simple to deploy and maintain
- Simple, readable query syntax (compared with the ES query syntax…)
- Built-in basic alerting
- Search results can be exported as JSON
- Basic aggregation and statistics
- A fairly friendly UI
- Naturally, it is far less extensible than ELK.
The whole stack depends on:
- Graylog: the server and the interface exposed to users
- Elasticsearch: persistent storage and search of the log data
- MongoDB: only stores Graylog's configuration
## Installation
> Graylog can be installed on bare metal or with docker; docker is used here.
Environment requirements:
- CentOS 7.4
- 2 CPUs, 2 GB memory
Reference:
https://hub.docker.com/r/graylog2/graylog/
### Environment preparation
```bash
mkdir /root/graylog && cd /root/graylog
# directories mounted into the containers
mkdir -p mongo_data graylog_journal es_data
# configuration directory
mkdir -p ./graylog/config
cd ./graylog/config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.0/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.0/config/log4j2.xml
# back to /root/graylog, where docker-compose.yml lives (its volume paths are relative)
cd /root/graylog
# pull the images in advance
docker pull mongo:3
docker pull graylog/graylog:3.0
docker pull elasticsearch:5.6.9
```
### docker-compose.yml
```yaml
version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:3
    volumes:
      - ./mongo_data:/data/db
      - /etc/localtime:/etc/localtime
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/docker.html
  elasticsearch:
    image: elasticsearch:5.6.9
    volumes:
      - ./es_data:/usr/share/elasticsearch/data
      - /etc/localtime:/etc/localtime
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/security-settings.html#general-security-settings
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:3.0
    volumes:
      - ./graylog_journal:/usr/share/graylog/data/journal
      - ./graylog/config:/usr/share/graylog/data/config
      - /etc/localtime:/etc/localtime
    environment:
      # CHANGE ME!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      # Change this to the address of the host that will be exposed
      - GRAYLOG_HTTP_EXTERNAL_URI=http://10.121.60.2:9000/
    links:
      - mongo
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # GELF HTTP
      - 12202:12202
```
### Start
`docker-compose -f docker-compose.yml up -d`
Open http://10.121.60.2:9000/ in a browser and log in with admin/admin.
### Modify the configuration
- Email settings (required for alerting), in graylog.conf:
```
transport_email_enabled = true
transport_email_hostname = smtp.163.com
transport_email_port = 994
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = 17191093767@163.com
transport_email_auth_password = zhim123456
transport_email_subject_prefix = [graylog]
transport_email_from_email = 17191093767@163.com
transport_email_web_interface_url = http://10.121.60.2:9000
```
## Usage
### Configuring inputs
> The kinds of data a Graylog node can receive are called inputs; the common ones are GELF TCP, GELF UDP and GELF HTTP.
Note: GELF TCP and GELF UDP can share one port number, because TCP and UDP ports are independent of each other; GELF HTTP also runs over TCP, so it needs a port of its own.
- Add three inputs (steps omitted): TCP and UDP use the default port 12201, HTTP uses port 12202.
- Verification:
```bash
# udp
echo -n '{ "version": "1.1", "host": "example.org", "short_message": "A short message info with udp", "level": 1, "_some_info": "foo", "_tag": "test11" }' | nc -w10 -u 10.121.60.2 12201
# tcp (GELF TCP messages are terminated by a NUL byte)
echo -n -e '{ "version": "1.1", "host": "example.org", "short_message": "A short message with tcp", "level": 1, "_some_info": "foo" }'"\0" | nc -w10 10.121.60.2 12201
# http
curl -X POST -H 'Content-Type: application/json' -d '{ "version": "1.1", "host": "example.org", "short_message": "A short message with http", "level": 5, "_some_info": "foo" }' 'http://10.121.60.2:12202/gelf'
```
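The nc one-liners above only send small, hand-written messages. As an added example (not from the original page), the following Python 3 script builds GELF 1.1 messages programmatically, applies the NUL framing GELF TCP requires, and chunks messages that are too large for a single UDP datagram, which nc cannot do; the host and port are the ones used on this page.

```python
import json
import os
import socket
import struct
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # magic bytes that open every GELF UDP chunk
UDP_CHUNK_PAYLOAD = 8192 - 12    # 12-byte chunk header; 8192 is a safe datagram size
MAX_CHUNKS = 128                 # GELF allows at most 128 chunks per message


def build_gelf(host, short_message, level=1, **extra):
    """Return a GELF 1.1 message as bytes; extra fields get the required '_' prefix."""
    if not host or not short_message:
        raise ValueError("GELF requires a non-empty host and short_message")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for key, value in extra.items():
        if key in ("_id", "id"):
            raise ValueError("_id is reserved by GELF and is dropped by Graylog")
        msg[key if key.startswith("_") else "_" + key] = value
    return json.dumps(msg).encode("utf-8")


def frame_tcp(payload):
    """GELF TCP delimits messages with a NUL byte, so the JSON itself must not contain one."""
    if b"\x00" in payload:
        raise ValueError("payload contains NUL; it would end the message early")
    return payload + b"\x00"


def chunk_udp(payload):
    """Split a payload into GELF UDP datagrams; small messages go out unchunked."""
    if len(payload) <= UDP_CHUNK_PAYLOAD:
        return [payload]
    pieces = [payload[i:i + UDP_CHUNK_PAYLOAD]
              for i in range(0, len(payload), UDP_CHUNK_PAYLOAD)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs %d chunks, GELF allows %d" % (len(pieces), MAX_CHUNKS))
    message_id = os.urandom(8)   # every chunk of one message carries the same id
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def send_udp(payload, addr=("10.121.60.2", 12201)):
    """Send to the GELF UDP input from this page (address is the page's example host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in chunk_udp(payload):
            sock.sendto(datagram, addr)


def send_tcp(payload, addr=("10.121.60.2", 12201)):
    """Send to the GELF TCP input on the same port number."""
    with socket.create_connection(addr, timeout=10) as sock:
        sock.sendall(frame_tcp(payload))
```

Call `send_udp(build_gelf("example.org", "A short message with udp", tag="test11"))` to reproduce the nc test; the message then shows up in Graylog with a `tag` field.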
### Sending Docker container logs to Graylog
```bash
docker run --log-driver=gelf \
--log-opt gelf-address=udp://10.121.60.2:12201 \
--log-opt tag=test1 \
-v /etc/localtime:/etc/localtime \
-it nginx /bin/bash
```
The same logging settings for a service in docker-compose.yaml:
```yaml
services:
  mongo:
    logging:
      driver: "gelf"
      options:
        gelf-address: "udp://10.121.60.2:12201"
        tag: mongo
    volumes:
      - /etc/localtime:/etc/localtime
```
### Sending Java logs directly to Graylog
> Using logback