Graylog 5.0 cluster deployment
# ES and Mongo cluster deployment

* 192.168.1.1 es mongo 01
* 192.168.1.2 es mongo 02
* 192.168.1.3 es mongo 03

```
# disable selinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
getenforce
```

## System initialisation

```
sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
echo "session required pam_limits.so" >> /etc/pam.d/login
swapoff -a
sysctl -w net.ipv4.tcp_retries2=5
echo "net.ipv4.tcp_retries2=5" >> /etc/sysctl.conf
useradd es
mkdir /data
vi /etc/fstab   # find the swap line and comment it out with #
```

## Mongo cluster

### install mongo server 5.0 (rpm)

```
# install mongo server && mongo shell
yum -y install epel-release.noarch && yum -y install wget
cd /root
wget https://repo.mongodb.org/yum/redhat/7/mongodb-org/5.0/x86_64/RPMS/mongodb-org-server-5.0.18-1.el7.x86_64.rpm
wget https://repo.mongodb.org/yum/redhat/7/mongodb-org/5.0/x86_64/RPMS/mongodb-org-shell-5.0.18-1.el7.x86_64.rpm
rpm -ivh mongodb-org-server-5.0.18-1.el7.x86_64.rpm
rpm -ivh mongodb-org-shell-5.0.18-1.el7.x86_64.rpm
```

### Generate the auth keyfile on the primary and copy it to the other nodes

```
## remember to set the permissions again after copying
openssl rand -base64 756 > /var/lib/mongo/access.keyfile
chown mongod:mongod /var/lib/mongo/access.keyfile
chmod 600 /var/lib/mongo/access.keyfile
cd /var/lib/mongo
ll
# scp
scp -rp /var/lib/mongo/access.keyfile root@graylog02:/var/lib/mongo/
scp -rp /var/lib/mongo/access.keyfile root@graylog03:/var/lib/mongo/
```

### Edit /etc/mongod.conf

Taking the primary as the example, edit the config file:

```
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
processManagement:
  timeZoneInfo: /usr/share/zoneinfo
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  keyFile: /var/lib/mongo/access.keyfile
replication:
  replSetName: graylog-rs
```

### Open the port in firewalld

```
firewall-cmd --add-port=27017/tcp --permanent --zone=public
firewall-cmd --reload
```

### Start Mongo

```
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
systemctl status mongod
```

### Initialise the replica set

```
# enter mongodb with the mongo command; the mongo shell must be installed
# remember to set _id to the replSetName
use admin
rs.initiate({
  _id: "graylog-rs",
  members: [
    { _id: 0, host: "192.168.1.1:27017" },
    { _id: 1, host: "192.168.1.2:27017" },
    { _id: 2, host: "192.168.1.3:27017" }
  ]
})
rs.status()   # check replica set status
```

### Create the graylog database and set passwords

#### Set the admin user's password

```
use admin
db.createUser({user: "admin", pwd: "Admin@2021", roles: ["root"]})
db.auth("admin","Admin@2021")
```

#### Create the graylog database user

```
use graylog
db.createUser({
  user: "graylog",
  pwd: "Graylog2023",
  roles: [
    { role: "dbOwner",   db: "graylog" },
    { role: "readWrite", db: "graylog" }
  ]
})
```

### Verify replica set status

![](/media/202307/2023-07-04_205907_9027470.7812428785727157.png)

## ES cluster

### Download and install ES 8.7 (not supported)

```
cd /root && \
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.7.0-linux-x86_64.tar.gz && \
tar zxvf ./elasticsearch-8.7.0-linux-x86_64.tar.gz && \
mv ./elasticsearch-8.7.0 /data/elasticsearch && \
useradd es && \
chown -R es:es /data/elasticsearch
```

### 7.10.2

```
cd /root && \
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-linux-x86_64.tar.gz && \
tar zxvf ./elasticsearch-7.10.2-linux-x86_64.tar.gz && \
mv ./elasticsearch-7.10.2 /data/elasticsearch && \
useradd es && \
chown -R es:es /data/elasticsearch
```

### Configuration

#### JVM configuration

```
# vim /data/elasticsearch/config/jvm.options
-Xms4g   # recommended: half of the machine's RAM
-Xmx4g
```

#### ES configuration

```
cluster.name: graylog-cluster
node.name: graylog01   # different on each node
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
discovery.seed_hosts: ["192.168.1.1:9300", "192.168.1.2:9300", "192.168.1.3:9300"]
cluster.initial_master_nodes: ["graylog01", "graylog02", "graylog03"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
```

### ES cluster xpack configuration (important)

Create a certificate authority for the ES cluster:

```
./bin/elasticsearch-certutil ca
```

You can set a password or just press Enter. By default the file is created in the ES root directory as `elastic-stack-ca.p12`. Then copy `elastic-stack-ca.p12` to the root directory of every ES node.

Create a certificate and private key for each node in the cluster (run the following on every node). Generate the certificate and key:

```
./bin/elasticsearch-certutil cert --ca ./elastic-stack-ca.p12
```

You can set a password or just press Enter. By default this produces `elastic-certificates.p12`. Move the generated file into the config directory:

```
mv ./elastic-certificates.p12 ./config/
```

Edit the ES config file (default: ./config/elasticsearch.yml):

```
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
```

If you set a password on the node certificate earlier, add it to the keystore:

```
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

### Open the ports in firewalld

```
firewall-cmd --add-port=9300/tcp --permanent --zone=public
firewall-cmd --add-port=9200/tcp --permanent --zone=public
firewall-cmd --reload
```

### Start

`Remember to switch user!`

```
su es
/data/elasticsearch/bin/elasticsearch -d
```

### Set passwords

Run `./bin/elasticsearch-setup-passwords interactive` and set a password for every built-in account. (Pay attention to the `elastic` and `kibana` accounts: `elastic` is effectively the administrator account, and `kibana`, as the name says, is the account Kibana uses to connect to ES. In production, connect to ES with the `elastic` account where possible, otherwise you will get 403 permission errors.)

Alternatively, run `./bin/elasticsearch-setup-passwords auto` and the system generates random passwords for you (write them down right away; because the passwords are random, this approach is not recommended).

Changing a password: use ES's own REST API, for example:

```
curl -H "Content-Type:application/json" -XPOST -u elastic 'http://127.0.0.1:9200/_xpack/security/user/elastic/_password' -d '{ "password" : "123456" }'
```

## graylog install

```
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.1-repository_latest.rpm
yum -y install graylog-server
```

### Graylog log

/var/log/graylog-server/server.log

### Graylog configuration

```
systemctl enable graylog-server
systemctl start graylog-server
cp /etc/graylog/server/server.conf /etc/graylog/server/server.conf_default
pwgen -N 1 -s 96
XC0Epiv5SnWFdm82nsUWAJN3t2MHaFEaSFHd6RLPf1nzxwnmubT0n7NQdrK8jCDEOS05DtrkGHDDE61490OUJKBOOXIAT4LI
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: Graylog@2021
10dfabb9595634675701865aa1c6e774d89d59f4a104ab128fbffcdaa3cf8f7b
```

### Edit Graylog's main config file server.conf

The main config file is /etc/graylog/server/server.conf. Show the active (non-comment, non-empty) settings with:

```
cat /etc/graylog/server/server.conf | grep -v "^#" | grep -v "^$"
```

```
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = XC0Epiv5SnWFdm82nsUWAJN3t2MHaFEaSFHd6RLPf1nzxwnmubT0n7NQdrK8jCDEOS05DtrkGHDDE61490OUJKBOOXIAT4LI
root_password_sha2 = 10dfabb9595634675701865aa1c6e774d89d59f4a104ab128fbffcdaa3cf8f7b
root_timezone = Asia/Shanghai
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 192.168.31.211:9000
http_publish_uri = http://192.168.31.211:9000/
elasticsearch_hosts = http://elastic:password@192.168.1.231:9200,http://elastic:password@192.168.1.232:9200,http://elastic:password@192.168.1.233:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = true
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 8
outputbuffer_processors = 16
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
# the password here must match the one given to db.createUser for the graylog user
mongodb_uri = mongodb://graylog:Graylog2021@graylog01:27017,graylog02:27017,graylog03:27017/graylog?replicaSet=graylog-rs
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32
```

Gotcha: Graylog 5.1 does not support ES 8.
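The Mongo keyfile section above tells you to fix the permissions again after copying the file to the other nodes, because mongod refuses a keyfile that is group- or world-readable. The following is an added example (not from the original page) that generates a keyfile the same way the page does and checks, on each node, the properties mongod actually enforces: a mode of 600 or 400, a length of 6 to 1024 characters, and only base64 characters (whitespace is ignored). It assumes a POSIX shell with coreutils `stat` and `base64`; the file path is a parameter rather than the page's `/var/lib/mongo/access.keyfile`.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes POSIX sh, GNU/busybox
# `stat -c` and coreutils `base64`.

# Generate a 756-byte random key, base64 encoded, owner-only readable.
# Equivalent to the page's `openssl rand -base64 756` plus chmod 600.
make_keyfile() {
  head -c 756 /dev/urandom | base64 > "$1" && chmod 600 "$1"
}

# Return 0 if the keyfile is acceptable to mongod, 1 otherwise.
# Findings are printed on stdout so they can be read in a deployment log.
check_keyfile() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }

  # mongod rejects keyfiles readable by group or others.
  mode=$(stat -c '%a' "$f") || return 1
  case "$mode" in
    600|400) ;;
    *) echo "bad mode $mode on $f (need 600 or 400)"; return 1 ;;
  esac

  # Whitespace is stripped by mongod, so strip it before measuring.
  body=$(tr -d ' \n\r\t' < "$f")
  len=${#body}
  if [ "$len" -lt 6 ] || [ "$len" -gt 1024 ]; then
    echo "key length $len outside 6..1024 in $f"; return 1
  fi
  if printf '%s' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
    echo "non-base64 characters in $f"; return 1
  fi
  return 0
}

# Usage on a node after scp: check_keyfile /var/lib/mongo/access.keyfile
```

Run `check_keyfile` on every member before `systemctl start mongod`; a wrong mode on one copy is the usual reason a freshly copied replica-set member refuses to start.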
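The Graylog configuration section above produces two secrets for server.conf: `password_secret` from `pwgen -N 1 -s 96` and `root_password_sha2` from a `sha256sum` pipeline that echoes the typed password to the terminal. The following is an added example (not from the original page) that derives the same values with the password read with echo disabled, so it lands neither on screen nor in shell history, and without depending on pwgen. It assumes a POSIX shell with coreutils `sha256sum` and `tr`; the function names are my own.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes POSIX sh + coreutils.

# SHA-256 hex digest of $1, with no trailing newline hashed in.
# Same digest as the page's `head -1 | tr -d '\n' | sha256sum` pipeline.
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# 0 if $1 is a plausible root_password_sha2 value (64 lowercase hex chars).
is_sha256_hex() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Random alphanumeric secret of length $1 (default 96, the page's pwgen size).
# Graylog requires password_secret to be at least 64 characters.
gen_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-96}"
}

# Interactive: prompt twice with echo off, refuse mismatches, print the hash.
prompt_root_password_sha2() {
  printf 'Root password: ' >&2
  stty -echo; read -r p1; stty echo; echo >&2
  printf 'Again: ' >&2
  stty -echo; read -r p2; stty echo; echo >&2
  [ "$p1" = "$p2" ] || { echo "passwords differ" >&2; return 1; }
  sha256_hex "$p1"
}

# Usage (interactive):
#   echo "password_secret = $(gen_password_secret)"
#   echo "root_password_sha2 = $(prompt_root_password_sha2)"
```

The digest is computed over the password bytes only, exactly as the page's pipeline does after `tr -d '\n'`; hashing a trailing newline by mistake is the usual cause of a root login that fails despite a correct-looking hash.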
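The server.conf shown above is hand-edited on each node, and a single bad value (a short `password_secret`, a hash that is not SHA-256, a `mongodb_uri` without `replicaSet=`) only surfaces when graylog-server fails to start or cannot fail over. The following is an added example (not from the original page) that lints the settings the page sets before the service is started; the sample conf it writes is constructed with placeholder values, not the page's secrets. It assumes a POSIX shell with `sed`, `grep` and `head`.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumes POSIX sh + sed/grep/head.

# Print the value of key $2 in conf file $1 (first non-comment match).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if every check passes, 1 otherwise. Findings go to stderr.
lint_graylog_conf() {
  conf="$1"; rc=0

  secret=$(conf_get "$conf" password_secret)
  if [ "${#secret}" -lt 64 ]; then
    echo "password_secret is ${#secret} chars; Graylog needs at least 64" >&2; rc=1
  fi

  hash=$(conf_get "$conf" root_password_sha2)
  if ! printf '%s' "$hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2 is not a 64-char hex SHA-256" >&2; rc=1
  fi

  uri=$(conf_get "$conf" mongodb_uri)
  case "$uri" in
    *replicaSet=*) ;;
    *) echo "mongodb_uri lacks replicaSet=; the driver will not fail over" >&2; rc=1 ;;
  esac

  # Informational: the page sets replicas to 0 on a 3-node ES cluster.
  if [ "$(conf_get "$conf" elasticsearch_replicas)" = "0" ]; then
    echo "note: elasticsearch_replicas = 0, losing one ES node turns indices red" >&2
  fi
  return $rc
}

# Constructed sample conf; every value below is a placeholder.
write_sample_conf() {
  cat > "$1" <<'EOF'
# graylog server.conf (constructed sample, placeholder values)
is_master = true
password_secret = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
root_password_sha2 = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
mongodb_uri = mongodb://graylog:PLACEHOLDER@graylog01:27017,graylog02:27017,graylog03:27017/graylog?replicaSet=graylog-rs
elasticsearch_replicas = 0
EOF
}

# Usage on a node: lint_graylog_conf /etc/graylog/server/server.conf
```

Run the lint on every node's copy of server.conf; since the page's cluster has the same `password_secret` requirement on all members, comparing the value across nodes (which must be identical) is a sensible follow-up check.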
admin
4 February 2024 21:17