1. Collection environment
The customer runs Graylog 3.3.8, so the test environment is also deployed with Graylog 3.3.8.
Deployment OS: CentOS 7.6
JDK: 1.8
MongoDB: 4.x
Elasticsearch: 6.x
2. Test architecture
3. Deploying Graylog 3.3.8
3.1 Install the JDK
yum install java-1.8.0-openjdk-headless.x86_64 -y
3.2 Install pwgen
yum install epel-release -y
yum install pwgen -y
3.3 Install rsyslog
yum install rsyslog
vim /etc/rsyslog.conf
# Append the following as the last line of the config file; to forward over TCP instead, use a second @ (i.e. @@)
*.* @127.0.0.1:5140
# Start rsyslog
systemctl start rsyslog
3.4 Install MongoDB
Configure the MongoDB yum repository:
vim /etc/yum.repos.d/mongodb-org.repo
# Add the following content
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
# Install with yum
yum install mongodb-org -y
# Enable at boot and start
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
3.5 Install Elasticsearch
Configure the Elasticsearch repository:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vim /etc/yum.repos.d/elasticsearch.repo
# Add the following:
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
# Install with yum
yum install elasticsearch-oss -y
# Configure Elasticsearch:
vim /etc/elasticsearch/elasticsearch.yml
# Add the following settings:
cluster.name: graylog
network.host: 0.0.0.0
http.port: 9200
# Enable at boot and (re)start:
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
3.6 Install Graylog
# Configure the Graylog repository:
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.rpm
yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
# Generate the password_secret value with pwgen
pwgen -N 1 -s 96
# Generate the root_password_sha2 hash (the password is read from stdin; the trailing newline is stripped before hashing)
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
# Edit the Graylog configuration file; fill in the two values generated above
vim /etc/graylog/server/server.conf
# Add the following configuration items
root_timezone = Asia/Shanghai
http_bind_address = 0.0.0.0:9000
# The three rest_*/web_* keys below are Graylog 2.x settings; Graylog 3.x uses http_bind_address and http_publish_uri instead
web_listen_uri = http://0.0.0.0:9000/
rest_listen_uri = http://0.0.0.0:12900/
rest_transport_uri = http://172.16.0.4:12900/
# Enable at boot and start
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
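The two secrets filled in above are the part of this step most often done wrong: a password hashed together with its trailing newline, or a password_secret that is too short for Graylog to start. As an added example (not code from the original post), the Python helper below generates password_secret, computes root_password_sha2 exactly as the shell pipeline does, and checks a server.conf for both; SAMPLE_CONF and the password inside it are constructed values.

```python
import hashlib
import re
import secrets
import string

# Letters and digits: the alphabet `pwgen -s` draws from (96 characters, as on the page).
_ALPHABET = string.ascii_letters + string.digits
_KV = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def generate_password_secret(length: int = 96) -> str:
    """Random password_secret from a CSPRNG; Python equivalent of `pwgen -N 1 -s 96`."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def root_password_sha2(password: str) -> str:
    """SHA-256 hex digest of the admin password with no trailing newline.
    The page's shell pipeline strips it with tr -d for the same reason: the digest of
    "admin\\n" differs from that of "admin", and the web login would never match."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def parse_server_conf(text: str) -> dict:
    """Parse Graylog's `key = value` server.conf, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2)
    return conf

def check_server_conf(text: str) -> list:
    """Return the problems found with the secrets in server.conf; an empty list means OK."""
    conf = parse_server_conf(text)
    problems = []
    if len(conf.get("password_secret", "")) < 16:  # Graylog requires at least 16 characters
        problems.append("password_secret is missing or shorter than 16 characters")
    sha = conf.get("root_password_sha2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        problems.append("root_password_sha2 is not a 64-character lowercase hex SHA-256 digest")
    elif sha == root_password_sha2("admin"):
        problems.append("root_password_sha2 is the hash of 'admin'; choose a real admin password")
    return problems

# Constructed sample server.conf with both secrets filled in (illustrative values only).
SAMPLE_CONF = f"""# constructed sample, not a real deployment
password_secret = {generate_password_secret()}
root_password_sha2 = {root_password_sha2('Str0ngAdminPassw0rd!')}
"""

if __name__ == "__main__":
    print("problems in sample conf:", check_server_conf(SAMPLE_CONF) or "none")
```

Run it against the real file with `check_server_conf(open("/etc/graylog/server/server.conf").read())` before starting graylog-server.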
3.7 Install nginx
Note: on a local-only server this step can be skipped.
# Install with yum
yum install nginx
# Edit the configuration
vim /etc/nginx/nginx.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name 123.207.230.131;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL http://$server_name/;
        proxy_pass http://127.0.0.1:9000;
    }
}
# Start nginx
nginx
3.8 Install Logstash
# Install with yum
yum install logstash
# Edit the configuration
vim /etc/logstash/logstash.conf
# Logstash configuration: receive GELF over UDP from Graylog's GELF output and print each event to stdout
input {
    gelf {
        host => "172.16.0.4"
        port_udp => 5130
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
# Start Logstash:
/usr/share/logstash/bin/logstash -f /etc/logstash/logstash.conf
4. Graylog configuration screenshots and results